trojan.win32.obfuscated.gx

Discussion in 'Malware Help (A Specialist Will Reply)' started by Bopro54, Dec 18, 2007.

  1. Bopro54

    Bopro54 Private E-2

    My computer shows the following message:

    "Critical System Error

    Your computer was infected by Trojan.Win32.obfuscated.gx
    It's dangerous for your system, some files can be ost and your browser can be slow!

    Click OK to download the antispyware program to claen your computer! (Recommended)"

    When I click "no" I get a new box asking me to download IEDefender.

    I went through the Read and Run this First message and ran the spyware downloads. The logs from Combofix and MGtools are included. I neglected to generate reports from the AVG Antispyware.

    Please advise.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi Bopro54!
    Welcome to the Malware Forum!

    I'll take a look at your logs and get back to you. This takes time, so thanks in advance for your patience.

    abri
     
  3. abri

    abri MajorGeek

    Hi Bopro54,
    Here are some further instructions:

    1) Go to add/remove programs and uninstall the below:

    - J2SE Runtime Environment 5.0 Update 10
    - J2SE Runtime Environment 5.0 Update 11
    - Java(TM) 6 Update 2
    - Java(TM) SE Runtime Environment 6 Update 1

    2) Did your AVG Antispyware find anything and fix it? It may have been blocked by Teatimer which needs to be disabled anyway before you continue, because it can block all of the fixes. Please disable Spybot's Teatimer as follows:

    Disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.

    3) Reboot now!

    4) After rebooting, please install the current version of Sun Java from: Sun Java Runtime Environment


    5) Run HijackThis (it's called analyse.exe under C:\MGTools) and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: IE plugin - {FF5137B5-C506-4D9B-8682-E0BE4675B899} - C:\WINDOWS\pmspl.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    Optionally fix this if you don't use it:
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe

    Don't forget to close all browser windows before clicking on fix. After you click fix, just close hijackthis.

    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    8) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    9) Please run C:\MGTools.exe again (located under C:\ ) and attach a fresh MGlogs.zip along with the Avenger log.


    Let me know how things are running now.

    abri
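The HijackThis O2/O4 lines abri quotes above are the part of this thread a defender can automate: parse each entry into its type, name, CLSID and binary path, then flag the ones that match what an analyst has already judged bad. The following is an added example written for this page; it is not code from the thread, from HijackThis or from MajorGeeks. The sample log is constructed from the lines quoted in the reply, the known-bad CLSID list contains only the BHO abri told the poster to fix, and the "DLL directly in the Windows directory" heuristic is an assumption of this example (it reflects the pmspl.dll placement seen here, not a rule HijackThis itself applies).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log: the HijackThis lines quoted in abri's reply above,
# plus the "optional" Global Startup entry. Nothing beyond what the thread shows.
SAMPLE_LOG = r"""
O2 - BHO: IE plugin - {FF5137B5-C506-4D9B-8682-E0BE4675B899} - C:\WINDOWS\pmspl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMremind.exe
"""

# CLSIDs an analyst has already judged malicious. The single entry is the BHO
# abri flagged in this thread; in practice this set comes from your own notes.
KNOWN_BAD_CLSIDS = {"{FF5137B5-C506-4D9B-8682-E0BE4675B899}"}

_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<path>.+)$")


def split_command(cmd):
    """Split a Run-key command line into (executable path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def parse_line(line):
    """Turn one O2/O4 HijackThis line into a dict, or None if unrecognised."""
    line = line.strip()
    if m := _BHO.match(line):
        return {"type": "BHO", "name": m["name"], "clsid": m["clsid"].upper(),
                "path": m["path"], "args": ""}
    if m := _RUN.match(line):
        exe, args = split_command(m["cmd"])
        return {"type": f"{m['hive']}\\{m['key']}", "name": m["name"], "clsid": None,
                "path": exe, "args": args}
    if m := _STARTUP.match(line):
        return {"type": "GlobalStartup", "name": m["name"], "clsid": None,
                "path": m["path"], "args": ""}
    return None


def parse_log(text):
    """Parse every recognised line of a HijackThis log."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def assess(entry):
    """Return the reasons an entry deserves a closer look (empty list = nothing odd)."""
    reasons = []
    p = PureWindowsPath(entry["path"])
    if entry["clsid"] in KNOWN_BAD_CLSIDS:
        reasons.append("CLSID on the known-bad list")
    # Assumed heuristic: legitimate BHOs normally live under Program Files or
    # System32. A DLL dropped straight into C:\WINDOWS with a short meaningless
    # name is the pattern seen in this thread (pmspl.dll).
    if entry["type"] == "BHO" and len(p.parts) == 3 and p.parts[1].lower() == "windows":
        reasons.append("BHO DLL sits directly in the Windows directory")
    return reasons


def suspicious(text):
    """All entries in the log that trigger at least one reason."""
    return [(e, r) for e in parse_log(text) if (r := assess(e))]


if __name__ == "__main__":
    for entry, reasons in suspicious(SAMPLE_LOG):
        print(f"{entry['type']} [{entry['name']}] {entry['path']}: {', '.join(reasons)}")
```

Run as a script it reports only the pmspl.dll BHO; the Java, RealPlayer and QuickTime Run entries parse cleanly but trigger nothing, which matches the thread: abri had those fixed to trim startup, not because they were malicious.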
     
  4. Bopro54

    Bopro54 Private E-2

    abri,

    Thanks for your help. So far the machine appears to be running fine. Here are:

    MGlogs.zip & Avenger log. Thanks again. If anything weird happens I will let you know.

    Bo
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi bopro!
    Avenger didn't run and the following folder didn't get deleted although the others were taken care of by HijackThis. Please go into Windows Explorer and see if you can manually delete the whole folder.

    C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint

    Also, run ATF Cleaner or CCleaner again.

    Your logs are otherwise clean. If you don't have further symptoms, please follow the final cleanup instructions below:


    abri
     
