need help removing a trojan - like km7100

Discussion in 'Malware Help (A Specialist Will Reply)' started by bethany14, Oct 25, 2007.

  1. bethany14

    bethany14 Private E-2

I ended up on your site by doing a Google search for the names of the unwanted icons on my desktop. The Google results linked to the thread of km7100 asking for help for the same problem I have: frequent and persistent Internet Explorer popups (while I use Firefox, I suppose I haven't set it as my default) warning me that my computer is infected and asking me to download stuff to protect myself. The website URL is often www.safetheinformation.com, www.securityonpage.com, and www.theprotectroom.com. The two icons on my desktop are "Live Safety Center" and "Online Security Update". Since I found the thread and assumed we had the same problem, I tried to follow the directions, but I was unsuccessful as the file names seem to be computer-specific. I downloaded Process Explorer, The Avenger, and HijackThis before I realized I couldn't do this on my own and logged in looking for help. Please tell me what to do.
     
  2. abri

    abri MajorGeek

    Hi bethany!
    Welcome to Major Geeks!
    Please try to follow the instructions in the NEW READ & RUN ME FIRST WITH MG TOOLS. Pay attention to those which are specific to your operating system. Then post the requested logs to us. We need to see what's in your computer in order to know how to proceed.
    abri
     
  3. bethany14

    bethany14 Private E-2

Ok! I followed all the instructions. Then ran CCleaner. Then ran SpyBot. It found 168 problems. Spybot stopped about two-thirds of the way through fixing the selected problems and was non-responsive, so I did the whole scan over again, only for the same thing to happen again, this time resulting in 66 problems. So I proceeded to run the AVG thing. I applied the actions, but when I clicked on the reports it said "no reports available." Finally I ran the MGTools, and I am attaching the report. No change in the popups. Thank you for helping me. I couldn't find the other things to attach. Please let me know if you need them.
     

    Attached Files:

  4. bethany14

    bethany14 Private E-2

    I reran SpyBot and this time it finished just fine and said everything was resolved. The computer is still very infected however. I still cannot locate C:\ComboFix.txt or the AVG Anti Spyware Log that your initial directions requested.
     
  5. bethany14

    bethany14 Private E-2

    Nevermind. The computer is working fine now. Thank you very much for your time and attention. :)
     
  6. abri

    abri MajorGeek

    Bethany,
    Hi! Sorry it took some time to get back to you. According to the log files you posted with us, you still have some very bad infections. Spybot was able to remove many of them, but it is only a matter of time before your computer is infected again. I can set up a set of instructions for you which will include fixing some of the items with HijackThis and to delete some files using Avenger, but I would only work on this if you decide you want to complete the instructions. If you decide to continue, please run the MGTools.exe file again and post the MGTools.zip log for us to update our information.
    Thanks!
    abri
     
  7. bethany14

    bethany14 Private E-2

    Well if you think I still need help, I will certainly follow any directions you can come up with. Thank you, I certainly wouldn't want that mess to happen again. I reran MGTools today so the log would be updated to the computer's current status, and I have the ComboFix log too. Please tell me if the computer still looks infected to you and if so what I can do about it. Thanks again.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi Bethany!
    I will post a set of instructions to you shortly. Do you know what the below file is on your desktop? If it's not familiar to you, do not open it. It was put on the desktop on October 27th, which is also the same date when something was done with Adobe. Does that ring any bells? It might be an installation program for something?

    tsr1013.zip

    abri
     
  9. abri

    abri MajorGeek

    Hi Bethany!
    You still have one bad infection. I hope this will get rid of everything. Please do the following:


    1) Please look in Add/Remove Programs for the following and uninstall them if found.
    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    3) And now, please go to this link and follow the instructions! FixWareout by LonnieRJones


    4) After you finish the FixWareout scan, please scan with HijackThis and check the boxes for the following entries. They may or may not be there. If they are, check them, make sure all your browser windows including this one are closed and then click on FIX:
    ( Make sure ALL browser windows are closed when you click FIX )
    After clicking Fix, exit HJT.

    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything inside the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    7) After you have completed ALL of the above in the correct order, please attach the following logs. You will need to rerun the MGTools.exe to get a fresh log.
    • FixWareout log (if there is one)
    • Avenger Log
    • mglogs.zip


    abri
     
  10. bethany14

    bethany14 Private E-2

    I followed your instructions.

    Please tell me why I cannot find the manage attachments button. I clicked reply and beneath this box it says additional options and lists the file extensions it will accept for attachments but there is nothing to click. Let me know what I am missing so I can send you the reports.

    ...
    I think the folder on the desktop you asked about is Mark's and not something accidental or dangerous. I will ask him when he gets home.
     
  11. abri

    abri MajorGeek

    Hi Bethany!
    It's quirky sometimes. After you push the post reply button and the additional options box appears, the manage attachments button should be the second box beneath that directly under the miscellaneous options box. If it's not there, please try going out of MajorGeeks and clearing your cache and coming back in. Or try another browser (Firefox or Opera if you normally use Internet Explorer). When you log on, please check the Remember Me button. Sometimes there are temporary problems with attachments, and I think that's what you've run into. Sorry for the inconvenience.
    abri
     
  12. bethany14

    bethany14 Private E-2

    Ah-ha! I logged in with a different browser and that did the trick. Here are the reports.

    Tell me how it looks and if there is anything else I need to do.
    Thanks.
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi bethany!
    I just gave your logs a once-over. You still have something which needs to be gotten out, but your logs look much, much better. It will be helpful if you can use your computer as little as possible until I can post instructions to you. I would like to avoid anything that could cause your computer to become reinfected before we are finished.

    For the time being, please scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    When you're finished, just exit HijackThis.

    abri
     
    Last edited: Nov 7, 2007
  14. abri

    abri MajorGeek

    Hi Bethany,

    Once you've completed that one fix in post #13, please continue with our final instructions in the box below:

    Please let me know how the removal procedures went.
    Thanks.
    abri
     
  15. bethany14

    bethany14 Private E-2

    Everything looks fine. My Norton virus protection still has an X and says it is at risk, but the computer works fine.
     
  16. abri

    abri MajorGeek

    Hi bethany!
    Do you mean your Norton is still not working? Please shut down your computer and unplug it from the internet. Then boot it back up and uninstall and reinstall Norton. If this helps, please let me know.

    If it still shows that it's not working, please go to this link Alternate Scans
    and scroll about halfway down the page and pick out two of the rootkit scans to run. Try Sophos and Rootkit Revealer and post the results to me.

    Thanks!
    abri
     
  17. abri

    abri MajorGeek

    Bethany,
    I wanted to add a note to my previous post. It's possible that some of the Norton files were damaged by the virus or by removing it. If you have the CD that goes with the Norton antivirus, run it first to see if they offer a Repair Install. That would be easier.
    abri
     
  18. bethany14

    bethany14 Private E-2

    I never liked Norton anyway. After I deleted it I opted to download some replacements from your site. I downloaded Comodo Personal Firewall, AVG Free Edition AntiVirus, and Comodo BOClean AntiMalware. Do you think that is sufficient to keep me protected?
     
  19. abri

    abri MajorGeek

    Hi bethany!
    Sorry, I was sick.
    Those are all good. It's useful to keep Spybot and use the immunize feature, update it, and scan with it once in a while. Also, SpywareBlaster is great. If you add anything to what you have, do it only one program at a time so you can see if any incompatibilities develop. If so, just remove it, or just return to the previous restore point, which will also remove it.
    Happy Surfing!
    abri
     