Trojans and XML viruses

cassandraann1 · Mar 29, 2010

First of all – I want to say I am so grateful for your website! Keep up the great work!

March 24, my husband was online when he received a message that his computer was being attacked by Trojans. Afterwards, firefox, his antivirus program (The Shield), and his printer driver would not function. He tried to reinstall The Shield, but received the message “not a valid win32 application.” Also, he was unable to install three of five recent Windows updates.

In the following days, I was able to use my computer to download Avira and majorgeek’s recommended applications (in the read me first), and then install them onto his computer via USB. Using these tools, multiple trojans and other threats were removed.

Now, he can access the internet and his printer driver seems to be functioning, but he still cannot uninstall The Shield, “Installer has insufficient privileges to modify this file “C:\Program Files\ Common Files\BitDefender\BitDefender Arrakis Server\lib\TBD4A60.tmp.”" There are 15 of these tmp files.

Also, inside The Shield folder, there are 6 XML files created March 24 at 11 PM, which I believe may have been the time my husband experienced the trojan attacks. I once tried opening them, and Windows blocked them (Data Execution Prevention). They have names like bpfrr.xml, LaptopModeSetts.xml, mdsettings.xml, HManagement.xml, quar.xml, and exclude.xml.

Step 2: I cannot uninstall the antivirus program The Shield, but it does not seem to function, so the only functioning antivirus program is Avira.
Step 3: Complete
Step 4: Complete. 64 bit version of Windows Vista
Step 5: Avira full system scan resulted in quarantine of tr/dldr.wma.wimad.y and tr/dldr.wma.winmad.n and three html/spoofing.gen html script viruses
Step 6: Complete.

Thank you in advance for your help! =)
Cassie

chaslang · Mar 29, 2010

Welcome to Major Geeks!

Did your problems begin when SpeedBit Video Accelerator and SpeedBit Toolbar were installed on about March 25th?

You forgot to attach the log from Malwarebytes. Please attach the below two logs:
C:\Users\BNolen\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-03-27 (00-01-40).txt
C:\Users\BNolen\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-03-28 (13-57-17).txt

Uninstall the below software:
Java(TM) 6 Update 14
Viewpoint Media Player <-- should have been uninstalled in step 5 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: The Shield Deluxe 2009 Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - "C:\Program Files\PCSecurityShield\BitDefender 2009\Antispam32\IEToolbar.dll" (file missing)
O4 - HKLM\..\Run: [IObit Security 360] "C:\Program Files (x86)\IObit\IObit Security 360\IStray.exe"

After clicking Fix, exit HJT.

Now pPlease download OTM by Old Timer and save it to your Desktop.

Right-click OTM.exe and select Run as administrator to run it.

Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
Code:
:Processes
explorer.exe
 
:Services
[COLOR=#000000]Arrakis3[/COLOR]
[COLOR=#000000]LIVESRV[/COLOR]
[COLOR=#000000]VSSERV[/COLOR]
 
:Files
C:\ProgramData\BitDefender
[COLOR=#000000]C:\Program Files\Common Files\BitDefender[/COLOR]
C:\Program Files\PCSecurityShield
C:\Users\BNolen\AppData\Local\Temp\BIT23F4.tmp
C:\Users\BNolen\AppData\Local\Temp\BNolen.bmp
 
:Commands
[purity]
[createrestorepoint]
[EmptyTemp]
[start explorer]
[Reboot]
 
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.

If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.

Close OTM.

The log from OTM will be in the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

Now install the current version of Sun Java from: Sun Java Runtime Environment

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

the OTM log

C:\MGlogs.zip

Make sure you tell me how things are working now!

Log in or Sign up

Trojans and XML viruses

cassandraann1 Private E-2

Attached Files:

MGlogs.zip

hijackthis2.log

SUPERAntiSpyware Scan Log - 03-27-2010 - 20-22-10.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member