Possible Malware - Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by KM1, Apr 17, 2010.

  1. KM1

    KM1 Private First Class

    Yesterday my McAfee virus center notified me of this Trojan: Artemis!CE3822C0F624. It said it had found it and removed it. However, every time I clicked OK on that McAfee notification, it would come up again stating that it had removed it. It did this repeatedly. I located the file on my C drive (according to the location given by McAfee) and saw it there. I backed out of the C drive and this time, after allowing McAfee to clean it, I restarted my computer. It restarted as usual. I went back to the C drive at the same location where the file was and the .dll file was gone.

    No more alerts. However, I thought it best to run a Malwarebytes full scan, after updating, a SuperAntiSpyware scan after updating, and a McAfee full scan. The McAfee scan came back clean, but Malwarebytes came back with 6 items, trojans I think, one of which was in the registry and was called a Trojan dropper (low risk level). I promptly had it fix all those, which it did. The SuperAntiSpyware scan came back with 9 bad cookies, fixed those too, and nothing else.

    I then came to MajorGeeks just as a precaution and went through all the Readme steps and then the proper procedures for Windows XP. I even removed my Malwarebytes and SuperAntiSpyware and redownloaded them again so I could follow your instructions explicitly. I had only one problem, and that was with ComboFix. I could not download it, so I went through everything else.

    Upon rescanning, per your guidelines, Malwarebytes found nothing this time, and neither did SuperAntiSpyware. I ran them this time exactly per your instructions. I also ran all other scans, except ComboFix because of the above issue. I will attach the Malwarebytes log, the RootRepeal log, and the MGtools.zip.

    I did try turning off my McAfee and then redownloading ComboFix, which now did download. However, when I read the instructions it said to only run this if someone is actually helping, and that serious complications can occur to the computer if it fixes the inappropriate thing, so I thought it best to wait to see what you guys say first. Also, once I turned McAfee back on, it promptly deleted this program as a Trojan.

    My question is, do you think I should still run ComboFix based on the logs I have here? Basically, am I clean of any malware or virus, or is there something else I should do?

    Thanks

    Kirk
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am only seeing one thing that bothers me. So let's do this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows\mspdb45.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
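    The Registry:: section of the CFScript above clears AppInit_DLLs, a value Windows reads to load the listed DLLs into user-mode processes, which is why a stray entry there is worth checking on any machine that keeps re-alerting on the same DLL. As an added example (not part of this thread, ComboFix or MGtools), a PowerShell audit that reports what is currently in that value on both the native and WOW6432Node keys and whether each listed DLL exists and is signed; it assumes PowerShell 3.0 or later and read access to HKLM.

```powershell
# Added example: audit AppInit_DLLs persistence on a Windows host (assumes PowerShell 3.0+).
function Get-AppInitDllAudit {
    # 64-bit Windows keeps a second copy of the value under WOW6432Node for 32-bit processes.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $list   = [string]$props.AppInit_DLLs
        # LoadAppInit_DLLs exists from Vista on; on XP the list is honoured whenever it is non-empty.
        $load   = $props.LoadAppInit_DLLs
        $signed = $props.RequireSignedAppInit_DLLs
        # Entries may be separated by spaces, commas or semicolons.
        $entries = $list -split '[ ,;]+' | Where-Object { $_ }
        if (-not $entries) {
            [pscustomobject]@{ Key = $key; Dll = '<empty>'; Exists = $null
                               Signature = $null; LoadEnabled = $load; RequireSigned = $signed }
            continue
        }
        foreach ($dll in $entries) {
            # A bare file name is resolved against System32; expand environment variables first.
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot "System32\$path"
            }
            $exists = Test-Path -LiteralPath $path
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() }
                   else { 'missing' }
            [pscustomobject]@{ Key = $key; Dll = $path; Exists = $exists
                               Signature = $sig; LoadEnabled = $load; RequireSigned = $signed }
        }
    }
}

# Any row whose Dll is not '<empty>' names a DLL that will be injected into new processes.
Get-AppInitDllAudit | Format-Table -AutoSize
```

A non-empty value pointing at an unsigned or missing DLL in a user-writable location such as the All Users Application Data folder is the pattern the CFScript above removes.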
     
  3. KM1

    KM1 Private First Class

    Ok Tim, I think I did OK.

    Two things though. First, I did not have System Restore enabled, since I was using all those other tools before to clean things up, so when ComboFix stopped to tell me I did not have this and asked if I wanted to download it, I said no. Hope that was OK. Dangerous though, running this program without it enabled; I did not realize that.

    Second, I let it finish all the way through its 50-some-odd stages, maybe more. It got all the way to the end where it reboots your computer for you, and after it started again the blue ComboFix window was still on the screen stating that it was generating a log and not to run anything until it had finished. I waited a good 10 minutes and it did nothing, just had the cursor flashing on the ComboFix blue box. I eventually just hit exit and did a search for the log it created. I have it attached with the other MGlogs.zip log, which I think it updated from the first time I ran it, but I'm not sure. There were not two MGlogs.zip logs on my C drive, so I figure it just updated the current one.

    Anyway, I hope I did it right. Let me know; the logs are attached. I cannot tell you that anything has changed as of yet; however, I do have a new IE icon on my desktop that was not there before. So now I have the old shortcut and a new icon that I think is actually IE; it does not say shortcut.

    Let me know if I need to do anything else, thanks.

    KM1
     


  4. KM1

    KM1 Private First Class

    Oh, one other thing. I deleted ComboFix by just dropping it from the desktop into the Recycle Bin and deleting it from there (McAfee kept coming up with an unwanted program (PUP) on my computer). However, upon some internet research I discovered you should really go to Run and type in combofix /u and click OK. When I do that now it just states that the program does not exist or something like that. What should I do here?

    Lastly, I did watch a YouTube video on how ComboFix should work and finish, and noticed that it did create a log on screen pretty quickly after it finished. Mine did not do that, per my previous note. I am a little concerned whether I did everything correctly. Should I download and run ComboFix again? I waited a good 8 to 10 minutes and it never gave me that log on screen.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I see Combo is still on your desktop...did you restore it out of the recycle bin or download a new copy?

    I am not seeing any malware in your logs. I would suggest that you use a start up manager:

    Startup_CPL

    Copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Tell me what issues you are having.
     
  6. KM1

    KM1 Private First Class

    Hi Tim, Thanks.

    No, ComboFix was put in my Recycle Bin, and since I run CCleaner all the time and have it set to empty the Recycle Bin, it is gone. This must have happened after the logs you read. My question is, is it really gone or do I need to delete it another way? When I run combofix /u in the Run command it says that the program does not exist or something like that. Anyway, is it necessary for me to do anything else with ComboFix?

    The addition of the code you gave me in bold was successful. Your instructions were explicit and it went in with no problem, based on the message I got stating it was successful. Does anything else need to be done with this? What did this do for my system?

    Based on your comment about malware on my system I am now clean, correct?

    Lastly, I have downloaded that Startup CPL and will run it after I finish this note back to you. I have never used one of these, anything special I need to know?

    As far as problems with my computer, I know my startup time is really slow (maybe 4 minutes for full use), but not any slower than it has been since I added that new HP printer about 6 months ago. That slowed down everything, even when I open Microsoft Word. I don't think that it is a malware issue though, more of a software issue I think. I have no random popups or anything like that.

    I do notice that over the 5-year period I have had my Dell XPS computer, especially in this last year, IE has slowed down considerably from when the computer was new. Isn't this just part of the fact that my computer is getting old and the operating system is outdated for use with the growing internet and all the graphics now on most of the sites we frequent?

    Well, thanks, and any further information on the above would be great. Plus, if there is anything else you think I need to do malware wise, or with removing combofix, let me know.

    Best

    Kirk
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, but you can find the C:\ComboFix.txt and delete it if it still exists.
    Just removing two items that slow your startup and are not necessary.
    Correct! :)
    If you want specific info on what to stop, please post in the software forum.
    That may be one of the things you need to stop running at startup! :)
    Not necessarily. IE is slower than FireFox.
    You are most welcome..here are the final cleanup steps:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  8. KM1

    KM1 Private First Class

    Tim,

    Last couple of things. When I run "%userprofile%\Desktop\combofix" /uninstall through the Run command I get an error from Windows stating that it cannot find 'C:\Documents and Settings\Kirk Mango\Desktop\combofix'. Should I download it again to the desktop and then run the uninstall command, per your instructions, in the Run command, or am I OK with this as is?

    Oh, I ran that Startup CPL program but nothing happened. No new icon, no new program. I think I can figure out some basic things to stop, like Kodak EasyShare, HP stuff, and the SuperAntiSpyware icon, but have no idea where the panel is located. What happened?

    OK, thanks again, you were awesome to work with. Very specific and detailed instructions helped a lot. I suppose that is why it says Malware Expert next to your name :)

    Best

    Kirk
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is no need to re-download ComboFix. And you will find your startup manager in the control panel. So the things you can stop would be:
    CTSysVol
    CTDVDDET
    Adobe Reader Speed Launcher
    DVDLauncher
    Adobe ARM
    SunJavaUpdateSched
    UpdateManager
    RealTray
    iTunesHelper
    HP Software Update
    HostManager
    DellMCM
    Dell Photo AIO Printer 942

    And you are most welcome. Do avail yourself of the software forum if you have additional questions. :)
     
