Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

HELP! Ultradefragger and trojan.Gen.2 removal [Closed]

Started by rdbadger , May 21 2012 04:00 PM

This topic is locked

#1
rdbadger

Posted 21 May 2012 - 04:00 PM

Member

Member
107 posts

My symantec corporate has detected Ultradefragger and Trojan.Gen.2. I have downloaded and run Malwarebytes, which has also detected a number of files - my issue is - i have been told that if you remove the files with the "remove selected" you may stuff up everything, as you may then not be able to find any deeper roots? The scan took 10 hours to complete. Advise on this would be incredibly helpful
issue no 2 at present
All my internet explorer sites are being re-directed - the site that it keeps directing me to is click.get-answers-fast.com - which means I have to operate on a different computer
the other sites in my internet history that have accessed my computer remotely is clients.bluecave.com is listed - which I haven't accessed and s-static.ak.facebook.com has also appeared in the history
thank you muchly in advance

#2
Render

Posted 21 May 2012 - 05:07 PM

Trusted Helper

Malware Removal
4,195 posts

Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:

Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply.
Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for us to analyse and fix your PC in the long run.
Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
Please reply within 3 days to be fair to other people asking for help.
Please tell me if you have your original Windows CD/DVD available
When in doubt, please stop and ask first. There's no harm in asking questions!

Please do the folowing:

Please download aswMBR.exe to your desktop.
Double click the aswMBR.exe to run it.
When asked if you want to download Avast's virus definitions please select Yes.
Note: If avast! antivirus is already installed, just do the next step.
Click the Scan button to start scan.
On completion of the scan click Save log, save it to your desktop and post in your next reply.
Also on Desktop there should be a file called MBR.dat after that, zip it and then attach it here

How to add an attachment to a new topic or reply

#3
rdbadger

Posted 21 May 2012 - 11:56 PM

Member

Topic Starter
Member
107 posts

Yes please - before I do anything - which is what I have asked...please tell me what to do re: the maleware that has already be scanned??? do I just let it exit without "removing infected files" Once i know what to do with that i can move on to what you have requested - as i have said I have read through your removal instructions and some say remove and others say if you remove the files with the "remove selected" you may stuff up everything, as you may then not be able to find any deeper roots? Advise on this please - so i can start on the instructed steps!

#4
Render

Posted 22 May 2012 - 12:42 AM

Trusted Helper

Malware Removal
4,195 posts

Just exit MBAM without removing detected items please and proceed with aswMBR scan as instructed above.

#5
rdbadger

Posted 22 May 2012 - 12:57 AM

Member

Topic Starter
Member
107 posts

Excellent! Thank you for getting back to me! I didn't know if i was going to ruin something by removing them or by exiting waste the 10 hours of scanning! I will try and keep a log, but not remove and close it down and do exactly as you have requested!
thanks!

#6
rdbadger

Posted 22 May 2012 - 01:03 AM

Member

Topic Starter
Member
107 posts

oh...and as i have no access at the moment to the internet - should I download to a usb and trasfer over?
Ta

#7
Render

Posted 22 May 2012 - 02:52 AM

Trusted Helper

Malware Removal
4,195 posts

10 hours of scanning with MBAM is way too long. Scan should take a couple of minutes. It was quick or standard scan?

Yes, you can use some kind of portable USB memory media to transfer files between two PCs.

Before you proceed please install USB Vaccine on your healthy computer:

Please download Panda USB Vaccine here (you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
Install and run it.
Plug in USB drive and click on Vaccinate USB and Vaccinate computer.

#8
rdbadger

Posted 23 May 2012 - 07:10 AM

Member

Topic Starter
Member
107 posts

...thanks render, unfortunately I've been unsuccessful so far, as the computer won't seem to let me run the aswMBR.exe ...very frustrating!!Yet when i go to take the usb out it says that something is still running argh!!! I'll keep trying!

#9
rdbadger

Posted 23 May 2012 - 07:12 AM

Member

Topic Starter
Member
107 posts

I did download the vaccine - would that have affected it?
ta

#10
Render

Posted 23 May 2012 - 07:37 AM

Trusted Helper

Malware Removal
4,195 posts

Have you copied aswMBR.exe to desktop of infected PC and ran it from there?

I did download the vaccine - would that have affected it?

No.

#11
rdbadger

Posted 23 May 2012 - 02:53 PM

Member

Topic Starter
Member
107 posts

1. I downloaded aswMBR.exe to usb, as I could not access the website because the internet kept re-directing
2. I copied aswMBR.exe to the desktop of infected computer
3. each time I double clicked the mouse arrow would go to timer for about 2 seconds then stop - I could not get the program to launch successfully
Should I try launching the program in "safe mode"
thanks

#12
rdbadger

Posted 23 May 2012 - 03:36 PM

Member

Topic Starter
Member
107 posts

the program wouldn't even launch in safe mode...but i took a screen shot of the task manager and there is something eating up a whole lot of usage called services.exe
241,809 k

#13
Render

Posted 24 May 2012 - 04:32 AM

Trusted Helper

Malware Removal
4,195 posts

Hi,

Please try with this (use your USB pen drive to transfer files between PCs):

Please download on the desktop RogueKiller (by tigzy).
Quit all programs.
Run RogueKiller.exe.
Wait until Prescan has finished ...
Click on Scan.
Wait for the end of the scan.
The report has been created on the desktop. We can also open it with the Report button.
Please copy content of report and post it in your next reply.

#14
rdbadger

Posted 26 May 2012 - 06:03 PM

Member

Topic Starter
Member
107 posts

Sorry I was away on a camp in charge of 70 students so could not get back to it until now!
I was able to run rouge in safe mode Report below
thanks again!
RogueKiller V7.5.0 [05/24/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode
User: Roanna [Admin rights]
Mode: Scan -- Date: 05/27/2012 10:10:43

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
ÿþ

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST380215A +++++
--- User ---
[MBR] a98db5155a9b72de4ff79074f785e7a3
[BSP] 96b55e2d1e6635603f4f865d4558d87d : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] e1d1fccdc0f7f1905a71fa2d92df567a
[BSP] 96b55e2d1e6635603f4f865d4558d87d : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76308 Mo
1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 156280320 | Size: 10 Mo

+++++ PhysicalDrive1: Imation ImationFlashDriv USB Device +++++
--- User ---
[MBR] 72cad65ae2ceb44a23591ce0f19acf0e
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7377 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#15
Render

Posted 27 May 2012 - 12:55 PM

Trusted Helper

Malware Removal
4,195 posts

Are you able to boot into normal mode?

Please do the following scan in normal mode if possible:

Posted Image

OTL Custom Scan

Download OTL to your desktop.
Double click on the icon to run it.
Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top, make sure Stadard output is selected.
Select Scan all users
Under the Extra Registry section, check Use SafeList
Check the boxes beside LOP Check and Purity Check.

Under the Custom Scans/Fixes box copy and paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
userinit.exe
svchost.exe
consrv.dll
/md5stop
%systemroot%\*. /mp /s
%Temp%\smtmp\*.* /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Click the button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic