What Now?

Discussion in 'Malware Help (A Specialist Will Reply)' started by sobeit, Nov 17, 2006.

  1. sobeit

    sobeit Master Sergeant

    Ok all, I have done ( I think ) as instructed, apart from Panda as, try as I may, it will not scan.
    It keeps telling me there is a problem and it could be this or that.
    I have installed the active x but still no good.
    I followed instructions to uninstall Panda.
    I look in programmes and there is no mention of any Panda software.
    But here is the rest.
    Hijack This to follow.
    Hope I've done this right so far. :)
    I see trojans and may need instructions on sorting them out.
    Thanks
     

    Attached Files:

  2. sobeit

    sobeit Master Sergeant

    Hijack this, I hope.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment Standard Edition v1.3.1_04
    Morpheus Ultra 5.1 (remove only) <-- consider uninstalling! Known to contain malware.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [TQ566808] "D:\Setup.exe"
    O4 - HKLM\..\Run: [Windows] system.exe
    O4 - HKLM\..\RunServices: [Windows] system.exe
    O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)
    O9 - Extra button: (no name) - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file)
    O20 - Winlogon Notify: docent0 - docent0.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\unistl63.exe
    C:\WINDOWS\system.exe
    C:\WINDOWS\system32\system.exe

    Now run CCleaner.

    Now reboot in normal mode
    Now copy the bold text below to Notepad. Save it as fixWLK.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    If you still have problems, you will need to explain them since you gave no explanation of any problems in your first messages.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
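As an added example (not part of this thread, and not chaslang's own tooling), a small Python triage script that applies the same checks the fix list above relies on to HijackThis-style log lines: O4 Run/RunServices entries whose target is a bare filename (resolved via the search path, like system.exe) or an executable sitting in a drive root (like D:\Setup.exe), and O9/O20 entries whose file HJT reports as missing. The sample log is constructed from the lines quoted in this thread plus one made-up benign entry.

```python
import re
from dataclasses import dataclass

# Constructed sample: HJT-style lines modelled on this thread, plus one made-up benign entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TQ566808] "D:\Setup.exe"
O4 - HKLM\..\Run: [Windows] system.exe
O4 - HKLM\..\RunServices: [Windows] system.exe
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\example.exe" /tray
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\Program Files\PartyGaming\PartyGammon\RunBackGammon.exe (file missing)
O9 - Extra button: (no name) - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file)
O20 - Winlogon Notify: docent0 - docent0.dll (file missing)
"""

# O4 lines look like: "O4 - <hive path>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
DRIVE_ROOT_RE = re.compile(r'^[A-Za-z]:\\[^\\]+$')  # e.g. D:\Setup.exe

@dataclass
class Finding:
    line: str
    reason: str

def target_of(cmd: str) -> str:
    # The executable part of a Run-key command: the quoted path, or the first token.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''

def triage(log: str) -> list:
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        # O9/O20 (or any) entries whose referenced file HJT could not find.
        if line.endswith('(file missing)') or line.endswith('(no file)'):
            findings.append(Finding(line, 'dangling entry: referenced file is gone'))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        target = target_of(m.group('cmd'))
        if '\\' not in target:
            # A bare name such as system.exe is resolved via the search path at logon.
            findings.append(Finding(line, f'unqualified path: {target}'))
        elif DRIVE_ROOT_RE.match(target):
            findings.append(Finding(line, f'executable launched from a drive root: {target}'))
    return findings
```

Running `triage(SAMPLE_LOG)` flags six of the seven sample lines; the fully qualified Program Files entry passes.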
  4. sobeit

    sobeit Master Sergeant

    Hi chaslang, thanks for the direction thus far.
    Deleted all except Morpheus, what sort of grief can it give me?

    Fixed all in HJT.

    Deleted the first file, the other two were not found after several searches in safe mode, show hidden files etc all checked.

    Ran CCleaner

    Did the registry fix.

    New logs attached.

    I have no grief as such. I posted a few days ago about problems with a router and wireless connections and you told me to do a malware flush first. The problem was sorted when I discovered an IP address clash, but I thought I would do it anyway to see if I had any nasties after I noticed explorer.exe in Task Manager, which is still there by the way. It says on a Google search that this is a trojan?? Is it??
    How are my scans looking now?
    Cheers so far.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Anything/everything! Things like you already had! I would say that more than 60% of the people coming here with problems picked them up via some form of P2P downloading or from an infected P2P program like Morpheus. It's your PC!

    It does not look like it. I see files from Nov 10th in your Temp folder (see the newfiles.txt log).

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  6. sobeit

    sobeit Master Sergeant

    I ran CCleaner but you say there are still tiff's from days back.
    Have I missed something here?
    Am I supposed to do all steps separately on all accounts?
    I have re-read the READ & RUN ME FIRST post but am still unclear.
    If this is the case it may be an idea to make it 100% clear in bold or something.
    I'm not picking, just giving my view from a layman's position.
    Looks like I may be starting over :)
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

     
  8. sobeit

    sobeit Master Sergeant

    Hmm, I'll have to learn to read!

    Are you saying that all of these entries should have been wiped? I ran CCleaner on that account on the 17th and 18th. How come things are still there from the 10th?
    Is there a bug that can stop CC from working properly?
    Other than that, if I'm clean shall I just go on to the next step, turning off restore point etc?
    Thanks
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, they should have been removed. No, there is no bug in CCleaner. Check to make sure you did not change any options. Under the System checkbox make sure Temporary Files is checked (actually all check boxes under System should be checked).
     
