Removing wri.exe Trojan?

Welcome to Major Geeks!

Potentially yes!

Since you could have more problems than you know about and also since we need more visibility into what malware may or may not be on the PC, the best course of action is for you to do the below.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis​

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy - only for Windows XP, 2K, & NT users
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Re: OK next step? Help Please

Please remember to remain in one thread!!!

This post & the fact that you also started a new thread instead of remaining in your original thread, cost you more than 24 hours of additional waiting time. Did you read this sticky thread? Don't Bump! It Only Hurts You!!!

I merged you back to your first thread!

You ignored the part of step 0 (and repeated in step 7) where we said you must not use MSconfig and that you must be in normal startup mode. Please run MSconfig now and select Normal Startup mode. Then reboot.

After reboot, run this ChodeFix - How download and run

Then attach new logs from

• GetRunKey
• ShowNew
• HJT

 

Uninstall the CounterSpy trial since we are finished with it now
Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: (no name) - {EF56413F-9398-4DF5-BC88-6FC3B227D5C5} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [csrss] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

Now run Ccleaner!

Now attach the below new logs and tell me how the above steps went.

1. Avenger
2. GetRunKey
3. ShowNew
4. HJT

Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

What do you see in this folder? C:\Avenger

If you see this file: tcpip.sys

Copy it back to C:\WINDOWS\system32\drivers

Then tell me if you can connect.

 

Inside this ZIP file you should see tcpip.sys. Take a look and see. If you find it, extract it to the C:\WINDOWS\system32\drivers folder

Normal!

 

Is AVG protecting your hosts file? Avenger was not able to delete the backup (which may have infected info) at:

C:\WINDOWS\system32\drivers\etchosts.20070614-200305.backup


How are things working now? Your logs are clean other than the above backup hosts file.

 

If your only problems are with AVG and also I assume you mean the Windows firewall, then do the below and do it in the order given:

1. make sure you have the current version of AVG downloaded: AVG Free Edition
2. make sure you have curren updates for AVG downloaded: AVG Anti-Virus Updates
3. download this firewall because the Windows firewall is totally inadequate and often gets disabled by malware: Comodo Personal Firewall
4. now disconnect your cable to the internet to make sure no external connection can be made. You will need to print the below or save locally for reference while offline
5. uninstall AVG Antivirus
6. reboot (DO NOT SKIP)
7. delete the C:\WINDOWS\system32\drivers\etchosts.20070614-200305.backup file
8. re-install AVG from the new download
9. install AVG updates from what was just downloaded
10. install Comodo Firewall
11. reconnect to the internet

Come back and tell me what malware problems still remain.

 

I think most if not all of your questions should be addressed by my final steps and the link given in it. But as to Spybot, you only run it to do a scan or to install updates and reimmunize after updating. This is also covered in the below. Also, ALL firewalls will have an impact on performance. Not having a firewall (especially a true bidirectional firewall which the Windows firewall is not) is going to lead to an infected PC which is even slower and could result in worse problems. The below steps also give a few other free firewalls you could experiment with but don't install a second until the first is uninstalled.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome!

Yes that would be very helpful thanks!