Trojan Horse dropper.agent.git

Discussion in 'Malware Help (A Specialist Will Reply)' started by vok, Jan 6, 2008.

  1. vok

    vok Private E-2

    I just encountered this malware problem this morning as I was surfing the net. I believe this is what caused random iexplorer windows to open. I tried following all the steps in the "Read me and Run" sticky in this forum but cannot seem to get rid of the problem. I believe I have attached the correct files, but please let me know if there is anything else that I need to do to get this right. I did not run into any error messages while I ran those programs.

    Thanks for any and all help.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You have the new vundo infection ....let's see if we can get you clean. :)

    Please download and install:
    Java Runtime 6

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now:

    Download and save RenV.exe from the following link to the Desktop (must be on the Desktop)
    * Doubleclick RenV.exe
    o When finished, it will produce a new log named Log.txt on the Desktop.
    o Attach this log to your next reply.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  3. vok

    vok Private E-2

    Attached are the logs produced from following the previous post. When Windows loaded, I got an error message that some file could not be loaded (though like a moron, I did not copy down what it said). Please let me know what else I need to do. Thanks again for your help.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    My bad....let's fix my goof and try to finish this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable afterwards):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now copy the below into notepad, save it to the desktop as Log.txt then drag and drop it onto the RenV.exe ...it will produce a new log...attach that when you return.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  5. vok

    vok Private E-2

    Did as instructed Tim. The error at boot up went away, so thank you for that. Alas, I forgot to mention in my last post(s) that Windows randomly tries to install Roxio 7 and is looking for the CD. Before my first post I inserted the CD, but have not done anything except hit cancel since I started the cleaning procedures. Yet, it still tries to install. Anyways, attached are the logs. REALLY appreciate all the help!!
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Empty the contents of this folder:
    C:\Documents and Settings\vok\Local Settings\Temp\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  7. vok

    vok Private E-2

    Thanks Tim,

    The computer has been running very well since we started this process. Pop-ups don't seem to be a problem now. The only thing is that Roxio 7 installation window that randomly wants to run (and tries to run every time at start up). I just hit cancel, because it looks for the CD, and I had put in the CD, but it wants to do that component re-install every time anyway (after I did the Read & Run malware step first). I think I may just uninstall and then re-install, but not before you give the okay. Please let me know if there is anything else that I need to do. Thanks for all your help.

    I've told everyone I know about this site, so if there's anything more I can do to pump it up, let me know. You guys rock!!
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We just need to get rid of that one stubborn Vundo item ....
    Now Copy the bold text below to notepad. Save it as Log.txt to your desktop.

    * Now using your mouse, drag Log.txt onto RenV.exe
    * When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
     
  9. vok

    vok Private E-2

    Attached is the RenV log that you asked for. Are you just trying to delete that .exe? Is it possible to get rid of it manually, because Windows search does find it? This may be stupid, but I noticed that the .exe file has 2 spaces between the "booster" and ".exe", and we've only been using one space for Avenger. Could this be why Avenger isn't able to delete it?

    I'm not doing a restart on the computer unless you explicitly state that I should to avoid that roxio problem. Thanks again for putting up with all my crap (from my computer of course).
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is exactly what we are trying to delete ...did you drag the log.txt from notepad directly over the RenV.exe? It should have removed it...regardless of the number of spaces ...try again with two spaces then with three if it still doesn't come back with a clean log.
    If you can delete the file with two spaces...do so.

    Then try reinstalling Roxio to stop the popup and if you want to keep it, we should just run one more MGlogs.zip to double check things.
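    The file-name issue vok and TimW discuss above, as an added illustration that is not part of the thread and is not code from Avenger or RenV: an exact string match for `booster .exe` (one space) never sees `booster  .exe` (two spaces), while a whitespace-normalizing match does, and a small scan flags names with odd whitespace for review. The directory listing is constructed, including an invented `updater\u00a0.exe` with a non-breaking space.

```python
import re
from typing import Iterable, List

# Constructed listing standing in for a directory scan; "booster  .exe"
# has two spaces before the extension, as reported in the thread.
SAMPLE_LISTING = [
    "booster  .exe",      # two ordinary spaces
    "booster.exe",        # legitimate-looking sibling
    "helper .dll",        # one space before the extension
    "notes.txt",
    "updater\u00a0.exe",  # constructed: non-breaking space, invisible in Explorer
]

# Whitespace directly before the extension, or any run of two or more
# whitespace characters, is unusual for a real program file.
SUSPICIOUS_NAME = re.compile(r"(\s+\.[^.\s]+$)|(\s{2,})")


def normalize_name(name: str) -> str:
    """Collapse every whitespace run (spaces, tabs, NBSP, ...) to one space."""
    return re.sub(r"\s+", " ", name)


def exact_match(listing: Iterable[str], target: str) -> List[str]:
    """Byte-for-byte match: what a script line with one space effectively does."""
    return [n for n in listing if n == target]


def find_by_loose_name(listing: Iterable[str], target: str) -> List[str]:
    """Match after whitespace normalisation and case folding
    (Windows file names are case-insensitive)."""
    want = normalize_name(target).casefold()
    return [n for n in listing if normalize_name(n).casefold() == want]


def flag_suspicious(listing: Iterable[str]) -> List[str]:
    """Return names whose whitespace layout deserves a closer look."""
    return [n for n in listing if SUSPICIOUS_NAME.search(n)]


def reveal_whitespace(name: str) -> str:
    """Make every whitespace character visible as its code point, so a
    doubled or non-breaking space cannot hide in a log or a listing."""
    return "".join(f"<U+{ord(c):04X}>" if c.isspace() else c for c in name)


if __name__ == "__main__":
    print("exact:", exact_match(SAMPLE_LISTING, "booster .exe"))
    print("loose:", find_by_loose_name(SAMPLE_LISTING, "booster .exe"))
    for n in flag_suspicious(SAMPLE_LISTING):
        print("suspicious:", reveal_whitespace(n))
```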
     
  11. vok

    vok Private E-2

    I added a space to the file name in Avenger and it seemed to have worked. Attached are the logs after running the new Avenger script with the space, and I ran the GetLogs.bat file again. I will wait to reinstall Roxio until later after we are sure it's clean. I didn't get the pop up after the last reboot, so maybe I'm okay. So, hopefully I'm clean. If there are any more steps, please let me know. Thanks again for your help.
     

    Attached Files:

  12. vok

    vok Private E-2

    Tim,

    I ran an AVG scan for the hell of it and it picked up some other stuff. I still cannot open the AVG control center. Don't know where it's coming from. I haven't been downloading anything, just surfing the net. So I have no idea what's going on. AVG log attached.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    And that was what AVG was finding ...temp internet files ...you need to be careful where you surf. :)

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    * How to Protect yourself from malware!
     
  14. vok

    vok Private E-2

    I do see that. Although it did find that trojan in the Java program files as well, does that mean anything? Either way, I will not try and reinstall all those programs that had the virus at some point. Thanks again for all your help. You guys ROCK!! Really appreciate it. THANKS
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I believe the Java was a false positive ..however, it underscores the need to keep your Java updated.


    You're welcome ....safe surfing. :)
     
