Tracks of My Tears

Discussion in 'Malware Help (A Specialist Will Reply)' started by DoubleCinco, Nov 4, 2008.

  1. DoubleCinco

    DoubleCinco Private E-2

    Last week when I joined the forum I had the symptoms of Firefox being able to access the internet, but no address would appear in the bar and no history was recorded for web sites visited. The history had Yahoo icons and symbols, but they could not be erased, nor did they change.

    Found you guys after reading and dinking around at other fix-it sites. I followed all the steps prescribed by Major and didn't get any change in Firefox.

    During my gyrations, I don't know when, I had an accounting program disappear out of the C: Program Files directory without any action of my own. Last January I had Trojans and this had happened. Back then I ended up using Smitfraudfix with good results.

    So last week I downloaded and used that bad boy. The first time after I used it Firefox was better, including a functional address bar, but there had appeared a desktop with missing icons and something else hinky I can't remember.

    Seemed fishy, so used Smitfraud a second time and the regular desktop was back to usual and Firefox was mo' betta.

    But then after a day or so I couldn't sign on to Yahoo email using Firefox, but was able to sign on with IE. I had been monkeying around with cookies in my malware paranoia and set Firefox to refuse cookies. When I couldn't sign on to email I changed the setting back to allow cookies without asking for permission, but there still was no Yahoo sign-on.

    This has continued through yesterday and today (Tues.). Today I am smelling stink and I reran Smitfraud in safe mode and SuperAntiSpyware and Malwarebytes in regular mode. The last two found no infection. There is no change in access to Yahoo email using Firefox.

    As an experiment I attempted to do the security seal sign-up for Yahoo--nothing doing. I went to Yahoo on IE and completed the security seal sign-up process and exited IE, and went to Yahoo in Firefox and, voila, NO SEAL.

    There is a fungus amongus. What now?
     


  2. DoubleCinco

    DoubleCinco Private E-2

    second message for uploads

    Forgot to mention, I never could get recovery console installed in Combofix. It appeared to be related to the Windows SP3 and my inability to find the patch required.

    I ran Combofix two or three times in safe mode and couldn't tell it did any good.
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!


    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Nov 8, 2008
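    The HijackThis lines the helper asked to have fixed were in a quote box that is not reproduced on the page, so they are not shown here. As an added example (my own Python, not code from the thread, from MajorGeeks or from HijackThis), the script below parses autostart lines in HijackThis's O4 format and flags the ones a helper typically marks for Fix: an image that runs from a user-writable location such as Temp or RECYCLER, a Windows system-binary name sitting outside %SystemRoot%\system32, or a Startup shortcut whose target HijackThis could not resolve. The sample log is constructed to match the format; the heuristics are mine, and a flag is a prompt to look at the file, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis "O4" (autostart) format. These are NOT the lines
# from the thread's logs (those are attachments not shown on the page); the third
# and fourth are invented to look like the kind of entry a helper marks for Fix.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [svchost] C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\svchost.exe
O4 - HKCU\\..\\Run: [dfhgkq] C:\\RECYCLER\\S-1-5-21-0-0-0-500\\dfhgkq.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
"""

# "O4 - <registry key>: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "O4 - Startup: <shortcut>"  /  "O4 - Global Startup: <shortcut> = <target>"
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?)(?: = (?P<cmd>.*))?$")

# Heuristics (mine, not HijackThis's): directories a legitimate Run entry rarely
# lives in, and Windows binary names that malware borrows to hide in plain sight.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\recycler\\",
                "\\documents and settings\\", "\\application data\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\winnt\\system32\\")


@dataclass
class O4Entry:
    hive: str
    name: str
    command: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def image_path(command: str) -> str:
    """Best-effort executable path from a Run command line: the quoted part if
    quoted, otherwise everything up to the first executable extension."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i).*?\.(?:exe|com|scr|pif|bat|cmd)\b", command)
    return m.group(0) if m else command


def assess(command: str) -> List[str]:
    """Human-readable reasons the entry deserves a look (empty list = nothing odd)."""
    if command.strip() in ("", "?"):
        return ["target not resolved by HijackThis; check the shortcut by hand"]
    reasons: List[str] = []
    path = image_path(command).lower()
    base = path.rsplit("\\", 1)[-1]
    for d in SUSPECT_DIRS:
        if d in path:
            reasons.append(f"runs from a user-writable location ({d.strip(chr(92))})")
            break
    if "\\" not in path:
        reasons.append("bare file name, resolved via PATH search at boot")
    if base in SYSTEM_NAMES and not any(s in path for s in SYSTEM_DIRS):
        reasons.append(f"Windows system binary name ({base}) outside %SystemRoot%\\system32")
    return reasons


def parse_o4(log_text: str) -> List[O4Entry]:
    """Parse every O4 line in a HijackThis log into an O4Entry with its reasons."""
    entries: List[O4Entry] = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.rstrip()) or STARTUP_RE.match(line.rstrip())
        if m:
            cmd = m.group("cmd") or ""
            entries.append(O4Entry(m.group("hive"), m.group("name"), cmd, assess(cmd)))
    return entries


def report(log_text: str) -> str:
    lines = []
    for e in parse_o4(log_text):
        lines.append(f"{'FLAG' if e.suspicious else 'ok  '} {e.hive}: [{e.name}] {e.command}")
        lines.extend(f"       - {r}" for r in e.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Feed it a saved hijackthis.log instead of SAMPLE_LOG to triage a real machine; anything it leaves as "ok" still deserves a glance at the file's publisher and location, since the rules only catch the lazy hiding spots.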
  4. DoubleCinco

    DoubleCinco Private E-2

    Many thanks for the analysis and help. The process didn't go quite as planned. Does it ever?

    1. I didn't get an option to select "Do a system scan only" with MGtools\analyse.exe. It ran, then I ran HijackThis as well, as it was installed. From the HJT scan I selected and clicked Fix for the two O4 files listed in the instructions. When running MGtools a request to connect to the internet popped up per COMODO firewall. I don't remember what the name was. I ignored it and it went away.

    2. I copied, pasted and saved to desktop the KILLALL script. Exited all browsers, suspended PC Tools Threatfire and stopped all Avast Antivirus process.

    3. Dragged and dropped CFscript onto ComboFix. Followed instructions. Another internet connection request popped up for something identified as Ping Command. I ignored this as well and the box went away.

    4. Combofix is running, finishes, initiates reboot...and a series of usual internet connection requests for alg, and svc, etc., but damn me, I ended up clicking on that Ping Command by mistake as it popped up again.

    5. Now ThreatFire pops up a malware warning for five or six baddies it identifies (including MGtools), but especially a ComboFix identifier. There is no way to cancel out of ThreatFire and I wonder if it's possible that the bug has connected to the internet and now has installed a defense to Combo. ThreatFire finishes its operation and I don't see log accessibility on the face of the app.

    6. The CFscript folder icon is gone from the desktop. There is a file folder on the desktop labeled "backups" with two entries from today that was not there before. The Avast sys tray icon is gone. The program appears to still be on the hard drive, however.

    7. I decide to try a do-over. Go back to your script to drag to Combo but it won't save to desktop, won't save to anywhere. I try to go back to the MGeeks page with your instructions and that won't load, MGeeks home won't load and in a bit there is no internet connection on IE or Firefox. I try to repair the network connection without success. Ah so deska.

    8. Reboot into safe mode. Run Combo as is. Run Smitfraud just for the bloody hell of it. Get internet back. Finish instructions on security settings for IE7 and Firefox. Run CCleaner (an ad lib, I realize). Run ATF as instructed. Firefox files are not removed by ATF. The worm is still in charge?

    Logs attached.

    What worries me is that ComboFix removed my Helper/Data app which is the accounting program I mentioned in first post in this thread. I had reinstalled the app. and restored Data from a saved file on CD. Given that the trojan in January seemed to have been involved with this file the ut-oh is if my data is virulent and I cannot use it (insert Carlin's 7 words not for television here).

    I neglected to say in first post that when all of this first started the three trojans found by Avast were Win32: Trojan-gen (other), Win 32: Trojan-gen (ot...) and Win32: Crypt-CZN [Trj].

    Combofix3 is too large. Will send next post.

    Break
     


  5. DoubleCinco

    DoubleCinco Private E-2

    Re: Tracks of My Tears.4

    logs and the backups file attached
     
  6. DoubleCinco

    DoubleCinco Private E-2

    Re: Tracks of My Tears.5

    file too large, advise on 3 and backups.
     
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Why so many ComboFix logs?

    Second, run C:\MGtools\GetLogs.bat and attach the new file to your next post.
     
  8. DoubleCinco

    DoubleCinco Private E-2

    Q. - Why all the combofix logs?

    A. - Overfunctioning secondary to frustration and inexperience.

    Thanks for your help.

    Break
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Once you complete the above, attach the log from Avenger (C:\avenger.txt) and let me know how things are running.
     
  10. DoubleCinco

    DoubleCinco Private E-2

    Done.
     


  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Also, how are things running?
     
  12. DoubleCinco

    DoubleCinco Private E-2

    I have internet with Firefox but I am still not able to sign in to yahoo email. I used ATF cleaner just now and it ran for Firefox where before it would not. Computer is running mostly normal. Somewhere along the line my (tray) clock will only read military 24 hour time.

    Avast and Threatfire scans show no infections, but the trouble began in Firefox and seems to remain.

    The attach files option is not available on this reply. Do I send you the MGtools log?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For the Firefox issue, click Start > Run > type in appwiz.cpl and when the list loads, select Mozilla Firefox and uninstall. Once uninstalled, reboot and then download the most recent version and see if this problem remains.

    Mozilla Firefox 3.0.4
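    A caveat worth knowing before reinstalling, added here and not part of the thread: uninstalling Firefox through Add/Remove Programs does not touch the profile directory (on XP, %APPDATA%\Mozilla\Firefox\Profiles\<id>.default), so cookies, per-site exceptions and extensions all survive a reinstall. The first post mentions setting Firefox to refuse cookies and then allowing them again; a per-site Block exception left behind in the profile's permissions.sqlite (visible in Firefox 3 under Tools > Options > Privacy > Exceptions) is one thing that behaves exactly like the symptom described, namely a site that signs in fine in IE but never in Firefox, whatever the global cookie setting says. The script below is my own Python, not from the thread or from Mozilla: it lists the cookie exceptions and removes the DENY rules that cover a given site. The moz_hosts schema, the action codes and the host-matching rule (Firefox tests the page host and then each parent domain) are my recollection of Firefox 3 and are stated as assumptions in the comments; the sample database is constructed in memory. Close Firefox before pointing it at a real profile file.

```python
import sqlite3
import sys
from typing import List, Tuple

# Action codes from nsIPermissionManager / nsICookiePermission (assumed, from memory
# of the Firefox 3 source): 1 = allow, 2 = deny, 8 = allow for this session only.
ALLOW, DENY, SESSION = 1, 2, 8

# Assumed Firefox 3-era layout of permissions.sqlite (table moz_hosts). Later
# releases renamed the table and keyed it by origin, so adjust for newer profiles.
SCHEMA = """CREATE TABLE moz_hosts (id INTEGER PRIMARY KEY, host TEXT, type TEXT,
                                    permission INTEGER, expireType INTEGER, expireTime INTEGER)"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a profile's permissions.sqlite, seeded with
    the kind of leftovers a round of per-site cookie blocking can leave behind."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany(
        "INSERT INTO moz_hosts (host, type, permission, expireType, expireTime) VALUES (?,?,?,0,0)",
        [("yahoo.com", "cookie", DENY), ("login.yahoo.com", "cookie", DENY),
         ("majorgeeks.com", "cookie", ALLOW), ("example.net", "popup", ALLOW)])
    con.commit()
    return con


def open_profile_db(path: str) -> sqlite3.Connection:
    """Open a real permissions.sqlite. Firefox holds the file open, so close it first."""
    return sqlite3.connect(path)


def cookie_rules(con: sqlite3.Connection) -> List[Tuple[str, int]]:
    """All per-site cookie exceptions as (host, action) pairs."""
    return con.execute(
        "SELECT host, permission FROM moz_hosts WHERE type = 'cookie' ORDER BY host").fetchall()


def hosts_blocking(con: sqlite3.Connection, site_host: str) -> List[str]:
    """Exception hosts whose DENY cookie rule applies to site_host. The permission
    manager (as I recall it) checks the page host and then each parent domain, so a
    rule for yahoo.com also covers login.yahoo.com; the bare TLD is not consulted."""
    labels = site_host.lower().strip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    rows = con.execute(
        "SELECT host FROM moz_hosts WHERE type = 'cookie' AND permission = ?", (DENY,)).fetchall()
    return sorted(h for (h,) in rows if h.lower() in candidates)


def clear_cookie_denies(con: sqlite3.Connection, site_host: str) -> int:
    """Delete the DENY cookie rules that affect site_host; returns how many were removed."""
    hosts = hosts_blocking(con, site_host)
    if not hosts:
        return 0
    marks = ",".join("?" * len(hosts))
    cur = con.execute(
        f"DELETE FROM moz_hosts WHERE type = 'cookie' AND permission = ? AND host IN ({marks})",
        (DENY, *hosts))
    con.commit()
    return cur.rowcount


if __name__ == "__main__":
    # Usage: python fx_cookie_exceptions.py [path\to\permissions.sqlite] [site]
    # With no arguments it runs against the constructed sample database.
    con = open_profile_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    site = sys.argv[2] if len(sys.argv) > 2 else "login.yahoo.com"
    for host, perm in cookie_rules(con):
        label = {ALLOW: "allow", DENY: "DENY", SESSION: "session"}.get(perm, str(perm))
        print(f"{host:30s} {label}")
    print("rules blocking", site, "->", hosts_blocking(con, site) or "none")
```

    Run it read-only first (the listing alone answers the question); only call clear_cookie_denies once you have confirmed the rule you are removing is the one you set yourself, and take a copy of the profile folder before editing anything in it.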
     
  14. DoubleCinco

    DoubleCinco Private E-2

    Per instructions uninstalled Firefox; re-installed the 3.3.0.4--it took three attempts; no change in ability to sign into mail; went into Firefox help and followed instructions about setting for mail retriever; re-set Yahoo; still not able to sign into Yahoo mail; have run Avast periodically, the original infections are gone and no other found, but there are always files listed in the report that could not be scanned.

    Determination waxes and wanes, new hard drive under consideration, although giving up not in tool box--stubborn is as stubborn does.
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    See my post #11, I would like to look at some new logs.
     
  16. DoubleCinco

    DoubleCinco Private E-2

    Sorry for the down time. Schedule has been relentless. Attached is file requested. Still having Firefox symptoms.

    Can't get the bat file to upload. Will try another reply.
     


  17. DoubleCinco

    DoubleCinco Private E-2

    Ah so, run the .bat file and send zip log. Ran it just now. See attached. When all else fails, rtfi.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry for the delay.

    You can fix your clock from Control Panel ->Regional and Language Options and then on the Regional Options tab click the Customize button then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.

    Your problems with Firefox do not appear to be due to any remaining malware. You should post about this in the Software Forum. I suggest that you experiment with disabling or uninstalling ThreatFire, Comodo Firewall and Avast to see if there is any change. Also try another browser to see what happens.

    Also suggest that you clean up your C:\Documents and Settings\ folder. You should not be using this folder to install programs into. This folder should only contain user account names and system accounts. If those files are important to you (especially the tax info), don't delay in doing this. Malware could cause you to lose this data.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
