need help with trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by alphasixty, Apr 21, 2008.

  1. alphasixty

    alphasixty Private E-2

Hi, I downloaded a file today that seemed benign. A bit afterwards though, my Internet Explorer (which I don't even use) started popping up with a bunch of ads. I ran Ad-Aware and restarted. Now on restart I get an error message that tells me that gebcbbb.dll cannot be found. I was still getting pop-ups. I ran Spy Sweeper and it found something called trojan-downloader.matcash, which I suspect to be the problem. It also found two pieces of adware called Target Saver and Command. After quarantining, Spy Sweeper started repeatedly displaying messages about run32 (I think that was it) trying to install a program. I kept hitting block installation and it kept popping up until I had to use Task Manager to close Spy Sweeper. Spy Sweeper seems to be OK now, but I'm still getting the pop-ups and the message about gebcbbb.dll on start up.

I've tried reading up about this online, but it really seems individually treated. I feel pretty lost and would love some help. I am new here, so sorry if I didn't post any prerequisite info. Hope to hear from someone.
     
  2. abri

    abri MajorGeek

    Hi alphasixty,
    Welcome to Major Geeks!


Based on what you've described, you have one of the forms of Vundo. There is no one tool which will completely remove this from your computer. We use a mixture of different tools and then manually remove any remaining files after you do the initial scans. Please go through the instructions in the READ & RUN ME FIRST and attach the requested logs when you finish so we know what still needs to be removed. Be sure to set your computer into normal startup mode. If you're not familiar with this, it's described in the procedures. Even though there are a lot of steps, it's not a lengthy procedure.

    abri
     
  3. alphasixty

    alphasixty Private E-2

I'm having trouble downloading Malwarebytes. Can I proceed without it? Or should I keep trying? The page just keeps loading.
     
  4. alphasixty

    alphasixty Private E-2

Never mind, I got it. Now I'll go through with the rest of it.
     
  5. alphasixty

    alphasixty Private E-2

The READ & RUN ME fixed everything, it seems. Thanks.
     
  6. abri

    abri MajorGeek

Hi alphasixty,

    Please attach your logs so we can check them. Your computer may be clean, but if there are remnants from any of the malware, it can simply start up again.

    Thanks.
    abri
     
  7. alphasixty

    alphasixty Private E-2

Here are three.
     

    Attached Files:

  8. alphasixty

    alphasixty Private E-2

Here's another one. I don't know how to get the log from Spybot. I don't think it popped up after the scan and I can't find it now either.
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi alphasixty,

    We don't need the Spybot log. There are a few things left to do and then I should be able to give you the final cleanup instructions.


    1) Please delete the following folder. If you can't delete it, tell me.

    C:\ProgramData\WildTangent


    2) Next go to add/remove programs and uninstall the below:

    Java(TM) 6 Update 2
    Viewpoint Media Player
    WeatherBug Gadget



    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {AF0D68B9-0F68-48CD-85A6-8749142C6F86} - C:\Users\Mher\AppData\Local\Temp\vtsqq.dll (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    (optionally fix the following line if you don't need Adobe Reader to load at startup.)

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    After you click fix, just close the window.


    4) Download and install Erunt. Use it to create a backup of your registry.

5) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

6) Reboot after uninstalling the above.

    7) Install the current version of Sun Java from: Sun Java Runtime Environment


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.


    Let me know how things are running now?

    abri
     
  10. alphasixty

    alphasixty Private E-2

Hi,

A couple of things. WeatherBug Gadget wasn't in the uninstall list. Also, analyse.exe didn't yield O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe". All else seems to have worked OK? I am attaching the MG log.
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi alphasixty,

There should be five logs in the MGlogs.zip but there is only one. I expect the scan didn't run to completion. Please try rerunning C:\MGTools\GetLogs.bat by double-clicking on it and see if you can get the complete set of logs. When it's finished, it will give the message to hit any key. If this doesn't work, let me know. As soon as I can check this set of logs, I'll post you the final cleanup instructions.

    Thanks.
    abri
     
  12. alphasixty

    alphasixty Private E-2

I ran as administrator last time. This time I just double clicked and there was an error and it couldn't run, then I repeatedly got messages from Windows asking me if I wanted to allow a registry editor to run. Might I need to disable/enable UAC or something before I run this, because I re-enabled it a while ago per the instructions of the READ & RUN ME FIRST.
     
  13. abri

    abri MajorGeek

    Yes, try running it again as administrator. Let me know if this works.

    Thanks.
    abri
     
  14. alphasixty

    alphasixty Private E-2

See if this is OK.
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi alphasixty,

Make sure you allow the scan to run to completion. Since you were able to run it correctly the first time, please go back to the Vista Cleaning Procedure and follow the instructions again for downloading and installing the MGTools. If it asks you if you want to install them over the one that's already there, say yes. Then complete the instructions and see if you get a full set of logs. You can check this yourself by opening the MGlogs.zip file under C:\ and seeing if at least 4 of the 5 logs are in there. If they are there, then attach them.

    Thanks.
    abri
     
  16. alphasixty

    alphasixty Private E-2

I hope this worked. I see five of them.
     

    Attached Files:

  17. abri

    abri MajorGeek

    Hi alphasixty,

    Most of the things I asked you to remove from your computer weren't removed. This leaves me with the question as to why? Did you follow the instructions to remove all the below entries, some with HijackThis, some with add/remove programs and the one that was to be deleted manually from Windows Explorer? Or do you have restrictions on your user name which is preventing you from removing programs and folders?

    Please try this again:

    The following entries can be removed from your startup list and it will make your computer work better. To fix them, go to the MGTools folder under C:\ and open it. Inside, find analyse.exe, double-click on it and click on Do a system scan only. When it finishes the scan, put a checkmark next to each of the following, close all your browser windows and then click on FIX. When you finish, just close the program.

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"


    These entries (at least the Java entry) should be visible in add/remove programs. Please uninstall them. These are both entry points for malware. That's why we ask you to uninstall them. I checked WeatherBug and there is an uninstall entry listed for it, so please let me know if you still can't find it.

    WeatherBug Gadget
    Java(TM) 6 Update 4


    This entry is a known harbor for malware and it can be deleted manually:

    C:\ProgramData\WildTangent

    Let me know how this goes and how your computer is doing? Have the popups stopped?

    abri
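The two HijackThis-based cleanup posts above (the O2 BHO line pointing at a missing file in a Temp folder, and the O4 Run-key entries to fix) are a good place to show how a defender can triage such log lines automatically. The script below is an added example, not part of the thread and not a MajorGeeks tool: it parses HijackThis-style O2/O4 lines, extracts the image path, and flags entries that point at a file that no longer exists, load from a Temp directory, or are registered as a BHO with no name. The sample log is constructed from lines quoted in this thread plus one made-up benign BHO (its CLSID is a placeholder, not a real component).

```python
"""Triage HijackThis-style O2 (BHO) and O4 (Run key) lines.

Added example for this thread; the sample log below is constructed from lines
quoted in the posts above plus one made-up benign entry.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample. The vtsqq.dll, jusched.exe, QTTask.exe and Reader_sl.exe
# lines are the ones quoted in the thread; the "Example Link Helper" BHO and
# its CLSID are placeholders to show a benign entry that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AF0D68B9-0F68-48CD-85A6-8749142C6F86} - C:\Users\Mher\AppData\Local\Temp\vtsqq.dll (file missing)
O2 - BHO: Example Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"""

# O2 - BHO: <name> - {CLSID} - <path> [(file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Matches "\Temp\" and "\AppData\Local\Temp\" anywhere in a path.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\)?Temp\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # "O2" (Browser Helper Object) or "O4" (Run-key autostart)
    name: str                 # BHO display name or Run value name
    path: str                 # image path with arguments stripped
    missing: bool = False     # HijackThis reported "(file missing)"
    reasons: List[str] = field(default_factory=list)


def _image_path(cmd: str) -> str:
    """Return the executable path from a Run command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_hijackthis(text: str) -> List[Entry]:
    """Parse O2 and O4 lines; other line types are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O2_RE.match(line)):
            entries.append(Entry("O2", m["name"], m["path"], bool(m["missing"])))
        elif (m := O4_RE.match(line)):
            entries.append(Entry("O4", m["name"], _image_path(m["cmd"])))
    return entries


def flag_suspicious(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to each entry worth a closer look and return only those."""
    for e in entries:
        if e.missing:
            e.reasons.append("registry entry points at a file that no longer exists")
        if TEMP_DIR_RE.search(e.path):
            e.reasons.append("loads from a Temp directory")
        if e.kind == "O2" and e.name == "(no name)":
            e.reasons.append("BHO registered without a name")
    return [e for e in entries if e.reasons]


def triage(text: str) -> List[Entry]:
    """Convenience wrapper: parse, then flag."""
    return flag_suspicious(parse_hijackthis(text))


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind} [{e.name}] {e.path}")
        for r in e.reasons:
            print(f"    - {r}")
```

Orphaned entries such as the vtsqq.dll BHO are exactly what HijackThis's FIX removes: the DLL is already gone, but the registry reference would make the browser keep trying to load it. The Java and QuickTime Run entries are parsed but not flagged, which matches the thread: they were fixed to trim startup items and remove an old Java version, not because the paths themselves looked malicious.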
     
  18. alphasixty

    alphasixty Private E-2

    Hi,

I fixed the three items from the HijackThis list. I still couldn't find the WeatherBug Gadget. There's this folder in my start menu called "My HP Games" and I think it may be responsible for the WildTangent folder and might recreate that folder every time I run one of the games. Is there any way I can just get rid of those games? I restarted my comp, and ran the HijackThis scan again, and again I got the SunJavaUpdate item. I fixed it again. I ran MGTools to get the logs. And this is also another thing: I get this message from Windows that says SteelWerX WhoAmI has stopped responding (or something like that) and would I like to close it. I usually check to close this, but I've noticed it come up, I think, every time I run GetLogs.bat. The computer is working OK for the most part; the Internet Explorer pop-ups have stopped, thank god. I was having this problem where my Firefox was freezing frequently yesterday morning, but it stopped after I restarted. I don't know if that has anything to do with anything. OK, let me know. Sorry if I'm being hard to work with. I attached the logs from the scan I ran after I did all that.
     

    Attached Files:

  19. abri

    abri MajorGeek

    Hi alphasixty,

    The Java updater seems to be gone from the startup items now. At least it didn't show up in your last log, unless you turned it off manually before you ran the new HijackThis in the MGlogs.

    As for the HP games ... for Dell there's a tool called the Dell decrapifier. I'm not sure if there might not also be something like this for HP, but I would ask you to pursue this in the Software Forum, as you will get more feedback about it there.

    I don't know why you're getting the message about SteelWerX not responding and I passed the information on. It is a part of the tools and it does seem to be responding, so I will leave that one for the tool maker.

I don't see anything further in your logs. WeatherBug Gadget is probably embedded in something. If you're not having further malware issues, I would not worry about it. Please go through the final cleanup instructions which will remove the tools and logs we had you install on your computer. You'll also be asked to set a clean restore point.
    abri
     