trojandownloader.newmedia problems!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by stevecoley, Apr 12, 2008.

  1. stevecoley

    stevecoley Private E-2

    Hi...

    Not sure if this exact problem has been touched before? I've had a quick trawl through the forum and can't seem to find my exact problem... So here goes...

    Basically something got downloaded onto my PC which initially altered my desktop background to a 'Warning you have been infected (or something similar)' background and added a few bogus shortcuts to so-called anti-spyware websites. I was then bombarded with so-called system messages telling me that my PC was infected and did I want to fix it. I was also getting lots of Internet Explorer windows opening up.

    Norton doesn't seem to pick anything up & Ad-Aware kept picking up win32.trojandownloader.newmedia amongst a whole load of other malware. I could delete the stuff with Ad-Aware, but it kept returning after a reboot. I've switched off my system restore & scanned and deleted in safe mode, but the problem still returned. I've since switched to Spyware Doctor but the problem still persists.

    As I'm using Firefox I've deleted Internet Explorer, which makes life a little easier, but my task manager has been disabled which is a pain.

    My HijackThis log is as follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:04:55, on 12/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Edit: Removed inline hijackthis log for guide below to be run

    Any help would be GREATLY appreciated :)
     
    Last edited by a moderator: Apr 12, 2008
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!


    As you likely already know, malware is a massive pest these days and does its level best to hide itself in any number of places, so a HijackThis log alone will not show all the malware that can be on your PC. The full guide of our steps below has a few other logs that show a lot of the malware on your PC and where it is located.


    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide plus a guide on how to attach the logs HOW TO: Attach Items To Your Post
     
  3. stevecoley

    stevecoley Private E-2

    Went through all your very thorough instructions yesterday & all now seems fine.

    Thanks so much :D
     
  4. abri

    abri MajorGeek

    Hi stevecoley,
    You're welcome. It would be a good idea for you to attach the logs you got from running the scans as often malware will leave a copy of its instructions in places like your temporary files. If you'd like, we can check your logs to make sure they're clean.
    abri
     
  5. stevecoley

    stevecoley Private E-2

    Yep no probs... I've attached 2, but I'm sure there was another one??? Need to read back on exactly which scans I did :confused
     

    Attached Files:

  6. abri

    abri MajorGeek

    mbam-log + the date
    MGlogs.zip (directly under C just above the superman icon)
     
  7. stevecoley

    stevecoley Private E-2

    Date was 14 - 04 - 08

    Any better???
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi stevecoley,

    Your logs look pretty good. Based on your log, I would like for you to do the following.

    1) Go to add/remove programs and uninstall the below:

    Java DB 10.2.2.0
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Development Kit 6 Update 2


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O20 - Winlogon Notify: wvUmkkHb - wvUmkkHb.dll (file missing)

    After you click fix, just close hijackthis.


    6) Just curious about this one, because there's not much info on it. Please upload the following file(s) at either
    jotti or VirusTotal and have it/them scanned. Attach the results of the scan. If nothing's found just report that with reference to the file name.

    C:\ifexist.sed


    7) Now run CCleaner at the default setting with the Windows tab as the top one.

    8) Since your logs are old, I would appreciate being able to take a glance at a fresh set before I post the final cleanup instructions to you. Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.


    Let me know how things are running now.

    abri
     
  9. stevecoley

    stevecoley Private E-2

    OK still working my way through all this...

    Steps 1, 2, 3, 4, 5, 7 & 8 are all done... I was a little unsure of exactly what "files" you asked me to upload to the Jotti or VirusTotal sites???

    And just to keep you updated, my PC has been working absolutely fine for about a week now ;)
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi stevecoley,

    Just this one. C:\ifexist.sed I'm not sure it can be scanned by Jotti or VirusTotal because of the file ending it has, however, please submit it in case they can.

    Good news that your computer's working better! There's one last file that HijackThis didn't get and your policy keys need to be set back to what they were. Let's see if we can get it out this way.

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    4) And finally please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip so I can check that one entry.

    If that works, I'll post you the final set of cleanup instructions which includes removing all the tools and logs we put on your computer and resetting your restore points.

    Thanks.
    abri
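A read-only audit of the three autostart and policy locations abri's steps cover above (the O4 Run values, the O20 Winlogon Notify subkeys whose DLL has gone missing, and the policy value that greys out Task Manager), as an added example. It is not part of the thread and not one of the MajorGeeks tools, and the registry paths and the DisableTaskMgr value name are the standard Windows locations. The -Fix switch, the Get-CommandPath helper and the $psMeta list are this script's own. It assumes an elevated PowerShell session on the affected machine. With -Fix it removes only a Notify subkey whose DLL no longer exists (the shape of the wvUmkkHb entry) and the DisableTaskMgr value; Run values such as the QuickTime and Real updaters are listed, not deleted, because those are preferences, not infections.

```powershell
# Added example, not from the thread: audit the autostart locations HijackThis
# reports as O4 (Run keys) and O20 (Winlogon Notify), plus the policy value that
# disables Task Manager. Report only, unless -Fix is passed.
# Assumes an elevated PowerShell session on the affected machine.
param([switch]$Fix)

# Properties Get-ItemProperty adds that are not registry values
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable path out of a Run value such as
#   "C:\Program Files\QuickTime\QTTask.exe" -atboottime
function Get-CommandPath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

# O4: per-machine and per-user Run values
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $p.Value))
        $status = if ($exe -and (Test-Path -LiteralPath $exe)) { 'present' } else { 'FILE MISSING' }
        'O4  {0} [{1}] = {2}  ({3})' -f $key, $p.Name, $p.Value, $status
    }
}

# O20: each Notify subkey names a DLL that winlogon.exe loads at logon.
# A subkey whose DLL is gone is what HijackThis shows as "(file missing)".
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
        # A bare file name is resolved from System32, as the loader would
        $full = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            Join-Path $env:SystemRoot ('System32\' + $dll)
        } else { $dll }
        $missing = -not ($full -and (Test-Path -LiteralPath $full))
        $status = if ($missing) { 'FILE MISSING' } else { 'present' }
        'O20 {0} -> {1}  ({2})' -f $sub.PSChildName, $dll, $status
        if ($Fix -and $missing) {
            Remove-Item -Path $sub.PSPath -Recurse
            "    removed orphaned Notify subkey $($sub.PSChildName)"
        }
    }
}

# Policy that greys out Task Manager: DisableTaskMgr = 1 under either hive
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) {
        "DisableTaskMgr = 1 under $pol"
        if ($Fix) {
            Remove-ItemProperty -Path $pol -Name DisableTaskMgr
            '    removed DisableTaskMgr'
        }
    }
}
```

Run it once without -Fix and read the report before touching anything; an O4 entry marked FILE MISSING is usually a leftover from something already deleted, while a Winlogon Notify subkey pointing at a missing DLL is the same orphan HijackThis lists as an O20 "(file missing)" line. Back up the registry (ERUNT, as abri asks above) before running with -Fix.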
     
  11. stevecoley

    stevecoley Private E-2

    OK back on the case with this after a few days break!!!

    The C:\ifexist.sed file came back 100% clean on both jotti & Virus Total.

    Registry has been backed up & a new fixME.reg has been saved to desktop and double clicked... all seemed fine.

    CCleaner went ok

    And hopefully I've remembered to attach the new MGlogs :confused

    Thanks for the help...
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi stevecoley,

    I only see this one folder left that I overlooked. Can you see if there's anything inside of it? (You can click on the folder, but don't click on any files.) If it's empty, please delete it. If there's anything in it, please tell me what's in there:

    C:\Documents and Settings\All Users\Application Data\xefwxuhe


    Other than that, I don't see anything further. I may still ask you to rename the ifexist.sed file, but for now, please go through the final cleanup instructions which will take all the tools and logs off your computer that we had you install:
    abri
     
