
Another trojan help thread...

Discussion in 'Virus & Other Malware Removal' started by pepsi_max2k, Jul 5, 2007.

Thread Status:
Not open for further replies.
  1. pepsi_max2k

    pepsi_max2k Thread Starter

    Joined:
    Jul 5, 2007
    Messages:
    12
    Yes, it happened to me too. One .exe, numerous trojans and infinite scans later I'm hopefully over the worst, but am looking for advice to make sure the PC's clean.

    Basically, one of my PCs got infected with all sorts of stuff (we won't go into how, it's embarrassing, though not that kind of embarrassing...). And when I say the whole PC started moaning at me, I'm not talking figuratively either (n)

    So far I've run AVG, twice (latest updates), Spybot S&D (thrice, latest updates, though an error about probs with "Trojans.sbi"), Ad-Aware, SUPERAntiSpyware, tried installing Prevx (complained about no net connection, and I'm not connecting again until I have to, working from a laptop atm), a few specific trojan removers (Vundo and Virtumonde from Symantec, VundoFix from possibly round here) and anything else I could think of at the time but may have forgotten...

    spybot came up with stuff like
    TagASaurus
    Virtumonde
    Win32.Small.ddx
    Zedo
    Tradedoubler
    MediaPlex
    and about 10 others. most were all cookies but one (tagasaurus, win32 or virtumonde) had a load of .exes in c:/windows and system32.

    while avg said it removed
    xc36.exe
    xc60.exe

    and I manually stopped a few processes, mgrs.exe being one, winwin.exe, can't remember the others... Also manually deleted mgrs.exe from C:/windows/ and msconfig's startup list. iexplorer was running a lot too, no window visible but complained about being offline too (I use FF, FWIW). Also have 6 svchost.exe's running... I think that's normal?

    I would post a HijackThis scan about now but I just ran it and got the very MySpace-esque error of "an unexpected error has occurred at procedure: modMain_CheckOther1Item() Error #5 - Invalid procedure call or argument." Oh... wait... it's done something... will paste in a sec... edit: hijackthis_v2 ran without problems. I've commented anything not blatantly obvious, if it helps...

    What advice can anyone give me? Doesn't look like there are any problem processes running anymore, and it feels as responsive as ever, no scans are picking up anything anymore, but you lot seem to know more about this stuff than I do (last real virus I had was 4 years ago on a brand new install.... Windows :p :rolleyes: ).


     
  2. pepsi_max2k

    *bump* no one see anything dodgy? :)
     
  3. pepsi_max2k

    edit to remove repeat of above
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,299
    First Name:
    Karen
    I've merged your threads together. Please do not start more than one for the same problem.

    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
     
  5. pepsi_max2k

    Thanks. Thought people were just ignoring the thing, then it disappeared on to page 3... Anyway, I'd already tried the VundoFix, two different versions, the Symantec one saying no Vundo files were found.

    Having found the HijackThis analyzer on the Prevx site ( http://www.prevx.com/hijackthis.asp ) it came back saying nothing bad was found. Further scans with AVG / Spybot / Ad-Aware / SUPERAntiSpyware have found nothing, no weird-looking processes and nothing else seems awry, so hopefully I've got rid of everything :)
     
  6. Cookiegal

    There are often other files lingering.

    Download ComboFix to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done properly a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it will produce a log for you. Post that log and a new HijackThis log in your next reply
    Note: Do not mouse-click ComboFix's window while it's running as that may cause it to stall
     
  7. pepsi_max2k

    The only problem I see below is the mgrs.exe HKEY entry for startup, as it's still listed in msconfig's startup files but I've got it unticked so it's not running. I guess I could just delete the key with regedit?

    Also included contents of ComboFix-quarantined-files.txt at end cos, well, I dunno how important it is :p

    Is it safe to delete all the files / Qoobox folder now? Thx.


    ComboFix-quarantined-files.txt


    EDIT: oops, forgot hjt...

     
  8. Cookiegal

    Click Here and download Killbox and save it to your desktop but don’t run it yet.


    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O20 - Winlogon Notify: wingdm32 - wingdm32.dll (file missing)


    Then boot to safe mode:


    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

      C:\WINDOWS\system32\mgrs.exe

    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.


    Boot back to Windows normally and post another HijackThis log please.
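    The HijackThis lines in the post above are just a rendering of a handful of well-known registry locations, and the thread's later point that HijackThis sometimes reports a file as missing when it is not means it is worth checking those locations directly. The script below is an added example written for this page, not something from the thread or from the HijackThis/Killbox authors: it reads the locations behind the R0/R1, O2 and O20 lines quoted above, plus the Run keys and the msconfig "startupreg" key where an unticked startup item is parked (for the mgrs entry from post 7), reports whether each entry is still present and whether the file it points at exists, and only deletes an entry when `-Remove` is given and the target file is confirmed missing. It assumes PowerShell 2.0 or later on an elevated prompt; the value name `mgrs` under the Run keys is an assumption, since the thread never shows the O4 line.

```powershell
# Added example (editor's, not from the thread). Audits the registry entries
# behind the quoted HijackThis lines and the mgrs startup item. Read-only
# unless -Remove is given; -Remove deletes only entries whose file is missing.
param([switch]$Remove)

$Findings = @()
function Add-Finding([string]$Section, [string]$Path, $Target, [bool]$Present, $FileExists) {
    $script:Findings += New-Object PSObject -Property @{
        Section = $Section; Path = $Path; Target = $Target
        Present = $Present; FileExists = $FileExists
    }
}

# Keep only the executable/DLL part of a command or DLLName value and resolve
# a bare name the way the loader does for these entries: relative to system32.
function Resolve-SystemFile([string]$Spec) {
    if (-not $Spec) { return $null }
    if ($Spec -match '^"([^"]+)"') { $file = $Matches[1] } else { $file = $Spec.Split(' ')[0] }
    if ([System.IO.Path]::IsPathRooted($file)) { return $file }
    return Join-Path $env:SystemRoot "system32\$file"
}

# R0/R1: IE start/search values. about:blank is harmless by itself; the point
# is to see whether something has re-populated them since the HJT fix.
$iePages = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';   Name = 'Search Bar' },
    @{ Key = 'HKLM:\Software\Microsoft\Internet Explorer\Main';   Name = 'Start Page' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Search'; Name = 'SearchAssistant' }
)
foreach ($p in $iePages) {
    $val = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    Add-Finding 'R0/R1' "$($p.Key)\$($p.Name)" $val ($val -ne $null) $null
}

# O2: the BHO registration plus the CLSID that names the DLL IE would load.
# "(no file)" in HJT means the InprocServer32 DLL could not be found.
$clsid  = '{7E853D72-626A-48EC-A868-BA8D5E23E045}'
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
$clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
$bhoDll = Resolve-SystemFile ((Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)')
$bhoPresent = Test-Path $bhoKey
$bhoOnDisk  = [bool]($bhoDll -and (Test-Path $bhoDll))
Add-Finding 'O2' $bhoKey $bhoDll $bhoPresent $bhoOnDisk
if ($Remove -and $bhoPresent -and -not $bhoOnDisk) {
    Remove-Item -Path $bhoKey -Recurse -Force
    Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -Recurse -Force -ErrorAction SilentlyContinue
}

# O20: Winlogon Notify package. A dangling one is only noise at logon, but the
# key is a common re-infection hook, so clear it rather than leave it.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wingdm32'
$notifyDll = Resolve-SystemFile ((Get-ItemProperty -Path $notifyKey -ErrorAction SilentlyContinue).DLLName)
$notifyPresent = Test-Path $notifyKey
$notifyOnDisk  = [bool]($notifyDll -and (Test-Path $notifyDll))
Add-Finding 'O20' $notifyKey $notifyDll $notifyPresent $notifyOnDisk
if ($Remove -and $notifyPresent -and -not $notifyOnDisk) {
    Remove-Item -Path $notifyKey -Recurse -Force
}

# O4 (post 7): live Run keys, and msconfig's startupreg key, which is where an
# item goes when it is unticked in msconfig rather than deleted.
# ASSUMPTION: the Run value is named 'mgrs'; the thread never shows the line.
$itemName = 'mgrs'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    "HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\$itemName"
)
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { Add-Finding 'O4' $k $null $false $null; continue }
    # startupreg stores the original command line in 'command'; a Run key
    # stores it under the item name itself.
    if ($props.PSObject.Properties['command']) { $cmd = $props.command } else { $cmd = $props.$itemName }
    $exe = Resolve-SystemFile $cmd
    $onDisk = [bool]($exe -and (Test-Path $exe))
    Add-Finding 'O4' $k $exe ($cmd -ne $null) $onDisk
    if ($Remove -and $cmd -and -not $onDisk) {
        if ($k -like '*startupreg*') { Remove-Item -Path $k -Recurse -Force }
        else { Remove-ItemProperty -Path $k -Name $itemName -Force }
    }
}

$Findings | Format-Table Section, Present, FileExists, Target, Path -AutoSize
```

    Run it once without `-Remove` and read the table: an entry with `Present = True` and `FileExists = True` is a live component and should be looked at, not blindly deleted, while `Present = True, FileExists = False` is the dangling-registration case HijackThis flags as "(no file)" or "(file missing)". Because the script tests the disk itself, it also answers the ZoneAlarm question in post 11: a ZoneAlarm entry whose DLL is actually present will show `FileExists = True` even if HijackThis called it missing.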
     
  9. Cookiegal

    You can delete the Qoobox folder.
     
  10. pepsi_max2k

    Couldn't see mgrs.exe in /system32, Killbox said no file found either, and when I did have it, it was in /windows and I manually deleted it when I found it. But anyway... HJT below. And thanks for all the help, to think some people pay for this kind of stuff :rolleyes: :D

    Oh, anything about the ZoneAlarm stuff - I just manually uninstalled the thing after a failed install so I don't suppose any of that "file missing" stuff is a problem. ZA's caused me enough problems in the past anyway... know a decent similar free firewall prog?

     
  11. Cookiegal

    Sorry, I assumed it was System32 as the path was not shown.

    Zone Alarm should be fine as there's a bug in HijackThis where files show as missing when they really are not.


    How is everything now?
     
  12. pepsi_max2k

    >> How is everything now?

    well to be fair everything seemed fine before, but no problems at all so far :) (y) seems clean enough. just gotta get rid of all those new files in C: now :rolleyes: thanks again for all the help.
     
  13. Cookiegal

    You're welcome. :)

    Here are some final instructions for you.

    Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

    To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

    In the System Restore wizard, select Create a restore point and click the Next button.

    Type a name for your new restore point then click on Create.


    I also recommend downloading SPYWAREBLASTER for added protection.

    Read here for info on how to tighten your security.



    Delete your temporary files:

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

    Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then hit Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK (this option does not exist in IE7). Click Apply then OK.

    Empty the recycle bin.
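    The final instructions above are three GUI procedures (flush the old restore points, create a fresh one, clear the temp folders and IE cache). The script below is an added example for this page, not part of the thread, that does the same steps from an elevated PowerShell 2.0 or later prompt on XP/Vista/7 and verifies each one: it uses the documented `root\default:SystemRestore` WMI class (on XP, disabling System Restore on the system drive discards all points, which is exactly what the post relies on), counts the restore points before and after the flush, and reports what it could not delete from the temp folders. The `ClearMyTracksByProcess 8` call is the IE7+ equivalent of the "Delete Files" button; the restore-point label is an arbitrary choice.

```powershell
# Added example (editor's, not from the thread): flush restore points, create a
# baseline, clear temp files. Requires an elevated prompt and the SystemRestore
# WMI class (XP/Vista/7).
$sr = [wmiclass]'\\.\root\default:SystemRestore'

function Get-RestorePoints {
    Get-WmiObject -Namespace root\default -Class SystemRestore -ErrorAction SilentlyContinue |
        Select-Object SequenceNumber, Description, CreationTime
}

# Step 1: disabling System Restore on every fixed drive discards the stored
# points (any of which may contain the quarantined malware).
function Clear-RestorePoints {
    $before = @(Get-RestorePoints).Count
    # DriveType 3 = local fixed disk; Disable() wants the root path, e.g. C:\
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        [void]$sr.Disable($_.DeviceID + '\')
    }
    $after = @(Get-RestorePoints).Count
    Write-Host "Restore points: $before before flush, $after after"
    if ($after -ne 0) { Write-Warning "System Restore still holds $after point(s); the flush did not take" }
}

# Step 2: turn it back on for the system drive and create the new baseline.
function New-BaselinePoint([string]$Label = 'Post-cleanup baseline') {
    [void]$sr.Enable($env:SystemDrive + '\', $true)
    # RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
    $rc = $sr.CreateRestorePoint($Label, 12, 100).ReturnValue
    if ($rc -ne 0) { throw "CreateRestorePoint failed with code $rc" }
    Get-RestorePoints | Where-Object { $_.Description -eq $Label }
}

# Step 3: %SystemRoot%\Temp, %TEMP%, the IE cache and the recycle bin.
function Clear-TempFiles {
    foreach ($dir in @("$env:SystemRoot\Temp", $env:TEMP)) {
        # Files held open by running programs refuse deletion; that is why the
        # post does this from Safe Mode. Report what is left rather than hide it.
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        $left = @(Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue).Count
        Write-Host "$dir : $left item(s) could not be removed"
    }
    # IE7+: 8 = Temporary Internet Files, the same thing as Internet Options > Delete Files
    & "$env:SystemRoot\System32\RunDll32.exe" InetCpl.cpl,ClearMyTracksByProcess 8
    # Empty the recycle bin via the shell; 0xA is the Recycle Bin special folder
    $bin = (New-Object -ComObject Shell.Application).NameSpace(0xA)
    $bin.Items() | ForEach-Object { Remove-Item -Path $_.Path -Recurse -Force -ErrorAction SilentlyContinue }
}

Clear-RestorePoints
New-BaselinePoint | Format-Table -AutoSize
Clear-TempFiles
```

    The order matters: the restore points are flushed before the temp folders are cleared, so the fresh baseline point is taken from a state that no longer contains the quarantined files. If the script reports that restore points remain after the flush, do the System Restore tab steps from the post by hand before creating the new point.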
     
Short URL to this thread: https://techguy.org/592018
