Trojan Adload, I thought I had it licked, but alas no (all logs included)

Discussion in 'Malware Help (A Specialist Will Reply)' started by arp180, Aug 24, 2010.

  1. arp180

    arp180 Private E-2

    This is my work laptop running AVG. On Friday I clicked a tab on the internet directly above the tab I intended to click. AVG detected an attack, but I was bombarded by pop-ups. I wasn't able to run any virus scans through AVG; when I tried opening AVG I got a pop-up saying that AVG had been infected with a virus and was recommended to download fake software. Pop-ups were non-stop and there was a new anti-virus icon on my lower tab. I wasn't able to download anything, connect to the internet, or change anti-virus file names to remove any reference to the word virus, hoping I could run a scan.

    I booted in safe mode and downloaded Malwarebytes and Spybot S&D onto a flash drive from my home computer. I noticed when I rebooted that the fake anti-virus was the last to boot on start-up, and by continually clicking on the AVG icon during boot the real thing would open first and I could run scans. I ran all scans with the updated virus definitions by doing this (after running Malwarebytes the pop-ups quit), and eventually all scans came up clean. I ran an anti-rootkit and deleted temp internet files. Today I ran scans just to double-check; below is the AVG log of the trojans. AVG was only able to heal 4 of the 8 infections.

    I turned off System Restore, ran all scans in safe mode and continually get the same results. Spybot's scan comes up clean, as do Malwarebytes scans. I continually update the virus definitions and rerun, but only AVG catches anything, and each trojan appears to have a duplicate: one AVG can heal, the other it can't. My computer is functioning well, not quite sluggish but a little odd on the rare occasion. No pop-ups, no fake icons; there is the occasional redirect when surfing the web, but not on the home page. I have two users set up on this computer and I use both regularly, if that accounts for anything. I've run scans under both users, and I have all hidden files/folders turned off. AVG, OTL, and ComboFix logs are below. I really need help.

    This is The AVG Report

    (attached inline log)

    Here is the OTL log

    (attached inline log)


    Here is my ComboFix log

    (attached inline log)
     

    Attached Files:

    Last edited by a moderator: Aug 24, 2010
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • If you ran MalwareBytes I would like to see the log(s) showing what it removed.
    • Also I will need to see a log from running SUPERantispyware
    • RootRepeal (If you are able to run it)
    • Logs from running MGTools.exe <--- C:\Mglogs.zip

    You also need to check this out ;)
    HOW TO: Attach Items To Your Post
     
  3. arp180

    arp180 Private E-2

    attached mbam logs
    running superantispyware now
    will update rest in a few minutes
     

    Attached Files:

  4. arp180

    arp180 Private E-2

    Attached are the other logs you asked for.
    Thank you so much for your quick response

    What next?
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      atypue.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some data on it
    • Right click on the screen and select > Select All
    • Press Control+C
    • Open a notepad and press Control+V
    • now please ATTACH that report to this thread
    • Ask Toolbar <--- Uninstall this!
    • Java(TM) 6 Update 17 <-- uninstall this outdated version of java

    If you did not deliberately set this proxy yourself then please include it in the HJT fix below:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\program files\gs
    
    File::
    C:\zrpt.xml
    
    Folder::
    c:\documents and settings\Aaron\Local Settings\Application Data\sjpkgiflo
    c:\documents and settings\All Users\Application Data\Update
    c:\documents and settings\Aaron\Application Data\AEA253D618337E7413E52BBC89783D21
    
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Also attach logs from both SystemLook and MBRCheck.exe!

    Let me know how things are running, please! :)
     
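The three checks Kestrel13! asks for above (where every copy of atypue.sys sits on disk, whether anything loads it, and whether the proxy in the HijackThis output was set deliberately) can also be done by hand. The PowerShell script below is an added example written for this page; it is not from the thread and is not code from SystemLook, MBRCheck, HijackThis or ComboFix. The only value taken from the thread is the file name atypue.sys; the report path, field names and the Get-Sha256Hex helper are my own choices. It hashes with .NET rather than Get-FileHash so it runs on the PowerShell 2.0 hosts of that era (XP/Vista/7) as well as current Windows, and it needs an elevated prompt to read every directory.

```powershell
# Added example (not from the thread, not SystemLook/MBRCheck/ComboFix code).
# Reproduces by hand: (1) :filefind for the suspect driver, (2) the service
# entry that would load it, (3) the per-user WinINET proxy the helper asked about.
# Run as Administrator. Only the default file name comes from the post.

param(
    [string]$FileName = 'atypue.sys'   # name taken from the SystemLook :filefind request
)

$files    = @()
$services = @()

# SHA-256 via .NET so the script also runs on PowerShell 2.0
# (Get-FileHash only exists from PowerShell 4.0 onward).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
    } finally { $sha.Clear() }
}

# 1. File hunt: every fixed drive, hidden/system files included (-Force),
#    access-denied errors skipped rather than aborting the walk.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } |
      ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $files += New-Object PSObject -Property @{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Created   = $_.CreationTime
            SHA256    = Get-Sha256Hex $_.FullName
            Signature = $sig.Status      # NotSigned / HashMismatch are the interesting cases
            Signer    = $signer
        }
      }
}

# 2. Service hunt: a kernel driver gets its load entry under
#    HKLM\SYSTEM\CurrentControlSet\Services; ImagePath is often relative
#    (system32\drivers\x.sys), so match on the bare file name.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in (Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue)) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($p -and $p.ImagePath -and ($p.ImagePath -like "*$FileName*")) {
        $services += New-Object PSObject -Property @{
            Name      = $key.PSChildName
            ImagePath = $p.ImagePath
            Start     = $p.Start     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Type      = $p.Type      # 1 kernel driver, 2 file-system driver, 16/32 user-mode service
        }
    }
}

# 3. Proxy: the per-user WinINET values behind the HJT proxy line. A proxy the
#    user did not set deliberately is the entry the helper says to fix.
$inet  = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
$proxy = New-Object PSObject -Property @{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
}

# One text report on the Desktop, next to SystemLook.txt, ready to attach.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'triage-atypue.txt'
"== Files named $FileName ==" | Out-File -FilePath $out
$files    | Format-List Path, SizeBytes, Created, SHA256, Signature, Signer | Out-File -FilePath $out -Append
"== Services whose ImagePath names $FileName ==" | Out-File -FilePath $out -Append
$services | Format-List Name, ImagePath, Start, Type | Out-File -FilePath $out -Append
"== WinINET proxy (HKCU) ==" | Out-File -FilePath $out -Append
$proxy    | Format-List ProxyEnable, ProxyServer, AutoConfigURL | Out-File -FilePath $out -Append
Get-Content -Path $out
```

Read the report the way the helper reads SystemLook.txt: a .sys that is NotSigned and is named by a service with Start 0 or 1 and Type 1 loads before any user-mode scanner, which is why a scanner in the normal session can report "healed" every day and still find the same thing tomorrow. The SHA256 column lets you tell two copies of a file apart even when the names and sizes match, and ProxyEnable=1 with a ProxyServer you do not recognise is the same finding the HijackThis line above is reporting.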
  6. arp180

    arp180 Private E-2

    I will have this done first thing in the morning. What exactly are we dealing with? Just curious. I can't explain how much I appreciate the help.
     
  7. arp180

    arp180 Private E-2

    Followed all directions successfully. Logs are attached. Everything seems on the up and up. Will run virus scans to check
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well, on its last sweep, ComboFix addressed the below:

    Did you set this proxy yourself, I take it?

    Delete this using windows explorer.
    Delete this file too *if* found.
    Run CCleaner.

    And one more time...

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
