Multiple Java trojans

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Pleases follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

• **** If something does not run, write down the info to explain to us later but keep on going. ****
• Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
​

 

Open up the Program go onto the Prefernces tab then onto the statistics/logs > view log and attach it.

Also take a look at the below.

HOW TO: Attach Items To Your Post

Then ensure you attach the remaining logs from running the procedures.

 

Hello, Sabbath351

You still need to attach (See: HOW TO: Attach Items To Your Post ) these remaining logs created while running the requested scans.

• RRlog.txt (from RootRepeal)
• ComboFix.txt (normally C:\ComboFix.txt)
• MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.

 

But what about the logs from ComboFix and MGtools?

 

No! You have one more to attach. We need the requested MGlogs.zip file from MGtools.

 

Try this:

Please do this, click Start, type in cmd and open up cmd.exe. This will open a command prompt window. In the command prompt window, enter the below commands each followed by the enter key. Note there is a space after the cd

Now do you have a C:\MGlogs.zip?

If not run the below instead.

Download OTL to your desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
• When the window appears, underneath Output at the top change it to Minimal Output.
• Check the boxes beside LOP Check and Purity Check.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Attach both of these logs into your next reply.

 

c:\downloads\ComboFix.exe <--- Combofix needs to be moved to your desktop before we continue.

Now we need to use ComboFix

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:

Code:

KILLALL::

DirLook::
C:\Users\George\AppData\Roaming\6F6EEA7B177C9B72A515B23CB0699F33
File::
c:\users\George\AppData\Local\Hduhivafec.bin
C:\Windows\System32\WinService.exe
C:\Users\George\AppData\Local\975398336
C:\Users\George\AppData\Roaming\64D0.868
C:\ProgramData\~42852104
C:\ProgramData\~42852104r
C:\ProgramData\42852104
C:\Windows\77035867.exe
C:\Windows\77035867.dat
C:\Users\George\AppData\Local\ikemocinexilah.dll
C:\Users\George\AppData\Local\exasucef.dll
C:\Users\George\AppData\Local\ogecetuw.dll
C:\Users\George\AppData\Local\axonireyiluyi.dll
C:\Users\George\AppData\Local\Hduhivafec.bin
C:\Users\George\AppData\Local\Pqunogavimovum.dat

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  
  http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
  
  
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Now try and run the C:\MGTools.exe and attach a C:\MGlogs.zip.

Run OTL again and attach the log it creates.

 

Now go to this MGTools and download the new version of MGtools.exe. Overwrite your previous MGtools.exe file with this one.

Now run the new C:\MGTools.exe and attach the new C:\MGlogs.zip into your next reply.

Tell me how things are running for you.

 

I had asked you to leave a description of how things were running.

 

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

• Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
• Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrartor.
• Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
• Click Start scan
• It will run rather quickly and will notify you of whether anything is found or not.
• Follow the instructions to delete/quarantine if asks you what to do when if finds something.

Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

 

Does TDSSKiller get to 80% progress and then give up?

 

Do you have your Vista install disc? If not:

Vista and Win7 Recovery disc


For fixing the boot issues:
To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe, and then press ENTER.

Then you can do this:

Bootrec.exe /fixmbr

 

Well let me know how you get on!

 

Newer version is out:

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run

 

Damn it. Will it run in safe mode?

 

Seeking advice. Hang in there. In the mean time can you do this:

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Are you actually still being redirected after following the instructions in my post # 23?

 

I am not saying you did not follow instructions, but we are going to have to repeat a step that I asked you to run earlier because it's apparent that it did not work.

For fixing the boot issues:
To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type Bootrec.exe and then press ENTER.

Then you can do this:

Bootrec.exe /fixmbr

Now if the above was done correctly, then you should now be able to run TDSSKiller. Please attach the log.