Rogue Installer, MGTools won't run.

Discussion in 'Malware Help (A Specialist Will Reply)' started by victorydoc, Dec 3, 2009.

  1. victorydoc

    victorydoc Private E-2

    Hello MajorGeeks,

    Hope that you all had a good Thanksgiving. Sorry to be back so quickly. I was looking for a song title (not even trying to download it, just wanted the name!) for a song my wife heard on TV. Googled it, and must've clicked on a bad link.

    Instantly, a "fake" C:\ Windows Explorer window opens up stating that I have been infected with trojans and viruses, and that I had to accept the scan to prevent my computer from crashing. Had to give Firefox the 3-finger salute to close the windows. Re-opened FF and it appeared to re-direct back there. Didn't occur with IE.

    So, ran the R&R.

    CCleaner, SAS, MBAM, CF, and RR all ran fine.

    MGtools downloaded to C:\, created MGTools folder, but it did not run. No MGlogs.zip to be found. A brief command box flashed and then nada. Downloaded it again, tried again, nothing. Waited around and nothing has run.

    Computer is running fine (I think) and would've been content, but MGTools not running has now worried me.

    Thanks in advance.
     

    Attached Files:

  2. evilfantasy

    evilfantasy Malware Fighter

    Try this please.

    Start Malwarebytes and go to the More Tools tab. There you'll find a button named Run Tool to run FileASSASSIN.

    Then browse to this file: c:\windows\Tasks\At1.job

    Select that file and click OK, then Yes to remove it.



    Open Malwarebytes' Anti-Malware.

    * Click the Update tab.
    * Click Check for Updates
    * If an update is found, it will download and install.
    * Click the Scanner tab.
    * Select Perform Quick Scan, then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



    Now try running MGtools again. Let me know any errors you get.

    Also, have you tried turning off McAfee before starting MGtools?
     
  3. victorydoc

    victorydoc Private E-2

    evilfantasy,

    First off, thanks for helping me out. Really appreciate the work that all of you do.

    I was able to use the FileASSASSIN function to delete that file. The only "glitch" was that it would not let me browse to the individual file, so I deleted the folder.

    Updated MBAM and ran a complete scan. Log is attached.

    Was then able to run MGTools.exe without having to disable McAfee AV. It "looked" like it ran to completion. Zip is attached.

    Just for my own education, what was deleted by MBAM and that file that was in scheduled tasks? Did At1.job file prevent MGTools from running initially?

    Again, thanks for taking the time to help me out.
     

    Attached Files:

  4. evilfantasy

    evilfantasy Malware Fighter

    At1.job is related to a Vundo infection and sometimes a few others. If you had any Scheduled Tasks then you deleted them all. Only delete what I ask and if there are problems let me know. That folder shouldn't be a problem but it could have been very bad if it were a more important folder.




    Download The Avenger by Swandog46 and save it to your desktop.

    * Extract avenger.exe from the Zip file and save it to your Desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Code box below, and paste it into the Input script here window:

    Code:
    Comment:
    
    Files to delete:
    C:\WINDOWS\Tasks\At1.job
     
    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

    * Save the Avenger log to attach in your next post.




    Your Java is out of date.

    Older versions have vulnerabilities that malicious sites can use to infect your system.

    First install the new Sun Java Runtime Environment

    Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Be sure to close all browser windows before beginning the install.

    Remove the old version(s)

    Download JavaRa
    * Unzip the file and open the JavaRa.exe
    * Click Remove Older Versions
    * JavaRa will search for and remove any outdated version of Java and remove any that are found.
    * Click Additional Tasks
    * Place a check next to Remove Useless JRE Files and click Go
    * Exit JavaRa
    * Delete the JavaRa files from the desktop

    Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.



    ESET Online Scan

    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    * Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    * Click the <<Back button then click Finish.

    In your next reply please include the ESET Online Scan Log



    Also let me know how the computer is running now?
     
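    The question in post 3 (what was At1.job and what did it do?) is best answered by reading the file before deleting it. The following is an added example, not part of the thread and not one of the MajorGeeks tools: a small offline parser for the Task Scheduler 1.0 .job format that C:\WINDOWS\Tasks\At1.job uses (fixed 68-byte header, then length-prefixed UTF-16LE strings, then 48-byte trigger records, as documented in MS-TSCH section 2.4). It reports the command line the task runs, its flags (HIDDEN tasks do not show in the Scheduled Tasks folder), and its triggers (boot/logon triggers are the persistence pattern to look for). The real contents of the poster's At1.job are not in the thread; the sample job below is constructed with a hypothetical path purely so the code runs stand-alone, and build_job() exists only to produce that sample.

```python
"""Offline parser for a Task Scheduler 1.0 .job file (the format of
C:\\WINDOWS\\Tasks\\At1.job), laid out as in MS-TSCH section 2.4."""
import struct
import uuid

FIXED_LEN = 68                                     # FIXDLEN_DATA header size
TRIGGER_FMT = "<" + "H" * 10 + "I" * 4 + "H" * 6   # one 48-byte TRIGGER record
TASK_FLAGS = {                                     # TASK_FLAG_* bits (mstask.h)
    0x1: "INTERACTIVE", 0x2: "DELETE_WHEN_DONE", 0x4: "DISABLED",
    0x10: "START_ONLY_IF_IDLE", 0x20: "KILL_ON_IDLE_END",
    0x40: "DONT_START_IF_ON_BATTERIES", 0x80: "KILL_IF_GOING_ON_BATTERIES",
    0x100: "RUN_ONLY_IF_DOCKED", 0x200: "HIDDEN",
    0x400: "RUN_IF_CONNECTED_TO_INTERNET", 0x800: "RESTART_ON_IDLE_RESUME",
    0x1000: "SYSTEM_REQUIRED", 0x2000: "RUN_ONLY_IF_LOGGED_ON",
}
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "EVENT_ON_IDLE",
                 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}
STATUS = {0x41300: "READY", 0x41301: "RUNNING", 0x41305: "NOT_SCHEDULED"}


def _read_ustr(buf, off):
    """2-byte char count (includes the NUL; 0 = string absent), then UTF-16LE."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if count == 0:
        return "", off
    end = off + 2 * count
    return buf[off:end].decode("utf-16-le").rstrip("\x00"), end


def _read_blob(buf, off):
    """2-byte size then raw bytes (User Data / Reserved Data sections)."""
    (size,) = struct.unpack_from("<H", buf, off)
    return bytes(buf[off + 2:off + 2 + size]), off + 2 + size


def parse_job(buf):
    if len(buf) < FIXED_LEN:
        raise ValueError("shorter than the fixed-length .job header")
    app_len_off, trigger_off = struct.unpack_from("<HH", buf, 20)
    _prio, _max_run, _exit, status, flags = struct.unpack_from("<5I", buf, 32)
    last = struct.unpack_from("<8H", buf, 52)      # SYSTEMTIME of last run
    off = app_len_off                               # header points at the app name
    application, off = _read_ustr(buf, off)
    parameters, off = _read_ustr(buf, off)
    workdir, off = _read_ustr(buf, off)
    author, off = _read_ustr(buf, off)
    comment, off = _read_ustr(buf, off)
    _user, off = _read_blob(buf, off)
    _reserved, off = _read_blob(buf, off)
    (count,) = struct.unpack_from("<H", buf, trigger_off)
    triggers, pos = [], trigger_off + 2
    for _ in range(count):
        t = struct.unpack_from(TRIGGER_FMT, buf, pos)
        triggers.append({"type": TRIGGER_TYPES.get(t[13], "UNKNOWN(%d)" % t[13]),
                         "begin": "%04d-%02d-%02d %02d:%02d" % (t[2], t[3], t[4], t[8], t[9]),
                         "interval_min": t[11], "disabled": bool(t[12] & 0x4)})
        pos += t[0] or 48                           # Trigger Size field, normally 0x30
    return {"uuid": str(uuid.UUID(bytes_le=bytes(buf[4:20]))),
            "application": application, "parameters": parameters,
            "working_directory": workdir, "author": author, "comment": comment,
            "flags": [n for bit, n in TASK_FLAGS.items() if flags & bit],
            "status": STATUS.get(status, "%#x" % status),
            "last_run": "never" if last[0] == 0 else "%04d-%02d-%02d" % (last[0], last[1], last[3]),
            "triggers": triggers, "data_consistent": off == trigger_off}


def triage(job):
    """Heuristic findings to look at first; not a verdict on the task."""
    notes = []
    if "HIDDEN" in job["flags"]:
        notes.append("HIDDEN flag set: not listed in the Scheduled Tasks folder")
    for t in job["triggers"]:
        if t["type"] in ("EVENT_AT_SYSTEMSTART", "EVENT_AT_LOGON") and not t["disabled"]:
            notes.append("trigger %s fires at boot/logon, a persistence pattern" % t["type"])
    if not job["application"].lower().startswith(("c:\\windows\\", "c:\\program files")):
        notes.append("binary outside Windows/Program Files: %s" % job["application"])
    return notes


def _ustr(s):
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\x00").encode("utf-16-le")


def build_job(app, params="", author="", flags=0, trigger_type=6):
    """Assemble a minimal spec-shaped .job; used here only to make the sample."""
    var = struct.pack("<H", 0)                      # Running Instance Count
    app_len_off = FIXED_LEN + len(var)
    var += _ustr(app) + _ustr(params) + _ustr("") + _ustr(author) + _ustr("")
    var += struct.pack("<HH", 0, 0)                 # empty User Data and Reserved Data
    trigger_off = FIXED_LEN + len(var)
    trig = struct.pack(TRIGGER_FMT, 48, 0, 2009, 12, 3, 0, 0, 0, 0, 0,
                       0, 0, 0, trigger_type, 0, 0, 0, 0, 0, 0)
    hdr = struct.pack("<HH", 0x0501, 1) + uuid.uuid4().bytes_le
    hdr += struct.pack("<HHHHHH", app_len_off, trigger_off, 0, 0, 0, 0)
    hdr += struct.pack("<5I", 0, 0, 0, 0x41300, flags) + struct.pack("<8H", *([0] * 8))
    return hdr + var + struct.pack("<H", 1) + trig


def sample_job():
    """Constructed sample with a hypothetical path; NOT the thread's real At1.job."""
    return build_job("C:\\example\\payload.exe", "/quiet", author="SYSTEM", flags=0x200)
```

    Usage on a real file is parse_job(open(r"C:\WINDOWS\Tasks\At1.job", "rb").read()) from a copy of the file, then triage() on the result; the returned application and parameters are what the scheduler would execute, which is what decides whether the job is worth keeping. Note that this reads the Task Scheduler 1.0 (.job) format only; Vista and later store tasks as XML under C:\Windows\System32\Tasks.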
  5. victorydoc

    victorydoc Private E-2

    evilfantasy,

    Thanks for the quick reply. Sorry about deleting the folder.

    I think that McAfee interfered with the Avenger fix. Before the "reboot" option came up, McAfee quarantined C:\cleanup.exe, FP'ing it as a Trojan of the ZapChast.gen flavor. When Windows restarted, I got an error message that "Windows cannot find 'C:\cleanup.exe'. Make sure that you typed the name..." I can see that it is quarantined.

    Awaiting the next move while I fix the Java items.

    Computer is working fine. I have not heard if my identity, accounts, or anything else has been stolen...yet.

    Thanks again.
     
  6. evilfantasy

    evilfantasy Malware Fighter

    Look in your C: drive for the log. C:\avenger.txt If it isn't there don't worry about it for now. The ESET scan will hopefully find anything else that may be hiding. Besides that one file I didn't see anything else.

    You might want to have a good look at the following link and information. Read this article: Danger: Remote Access Trojans.

    If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal, forums, etc. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.
     
  7. victorydoc

    victorydoc Private E-2

    Hi evilfantasy,

    ESET ran, found nothing. Didn't see/find a log.

    Updated Java and ran JavaRa to remove old versions.

    Avenger log file was in C:\ and is attached.

    Computer still appears to be running ok.

    Thanks again for your help.
     

    Attached Files:

  8. evilfantasy

    evilfantasy Malware Fighter

    Looks okay as far as the malware is concerned.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  9. victorydoc

    victorydoc Private E-2

    Sweet!

    All done with the final instructions. Just have 2 questions:

    1. Should I delete that command that was quarantined by McAfee?

    2. Do you have a PayPal account? I'd like to show my appreciation.

    Thanks again for getting this squared away so quickly.
     
  10. evilfantasy

    evilfantasy Malware Fighter

    'C:\cleanup.exe'

    I believe that was part of The Avenger. At least I have seen the same error another time after running it. You should be able to safely delete it from quarantine.

    We don't accept personal donations but you can support the website if you choose by buying some swag at the online store from J!nx - MajorGeeks Clothing.

    My pleasure. Let us know if anything else comes up.
     
