BleepingComputer.com: infected - trojan

Hi:

Yesterday I got hit with a trojan. I am running windows XP SP3, using ZoneAlarm version:8.0.298.000 (free) and Symantec-Endpoint Protection AV. Also have SpywareDoctor (free version), WinPatrol (free), and AdAware. I cannot visit websites like windows update or Malwarebytes, and cannot update any anti-spyware. I can, however, get to most other website and I can download programs so long as they are provided on a third party website so that I can right-click save them. Using this method I downloaded Malwarebytes and Trens Micro's rootkitbuster beta. Also I can run the programs.

AdAware and WinPatrol saw the thing on the way in; Adaware removed some of it, WinPatrol blocked it from running (more than it already had), and malwarebytes removed a it more (see below). From WinPatrol history the troubles are most likely associated with Cwf, CWG and/or FJ5MWNZTHI

From Malwarebytes log (3 problems):
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00000244.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully

From AdAware:
Win32.Hoax.Renos process
Both quarantined but not removed

Obviously the thing is still in my machine, because I cannot update my security programs and cannot go to malwarebytes or windows update websites. Because of this, please do not suggest that I manually update my programs from malwarebytes website. Tried that. I can post HJT and/or DDS logs. Please Help??

DDS/HijackThis logs are not permitted in this forum. The HJT Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. Referrals are made to the HJT forum if we cannot assist you here and we need to use more powerful tools or you don't mind waiting.

If you do not mind waiting, then please follow the directions in the the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. Start a new topic, give it a relevant title and post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts.

If you want to try disinfection in this forum first, continue as follows.

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.

• Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  
  
• Click on the log name to highlight it.
  
• Go to the bottom and click on Open.
  
• The log should automatically open in notepad as a text file.
  
• Go to Edit and choose Select all.
  
• Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  
• Come back to this thread, click Add Reply, then right-click and choose Paste.
  
• Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Check your Proxy settings in Internet Explorer to make sure malware did not alter them:

• Open Internet Explorer > click Tools > Internet Options > Connections tab.
  
• Click the LAN Settings... button and uncheck Use a proxy server for your LAN
  or change the settings to the proxy you normally use if you previously reconfigured it.
  
• Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
  
• Click Ok and then click Ok again.
  
• Close Internet Explorer and restart the computer.
  
• An example of how to do this with screenshots are shown in steps 3-6 under the Automated Removal Instructions here.

Check your Proxy settings in Firefox to make sure malware did not alter them:

• Open Firefox, click Tools > Options > Advanced and click the Network Tab.
  
• Under the Connection section click on the Settings... button.
  
• Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
  
• Click Ok and then click OK again.
  
• Close Firefox and restart the computer.

For other browsers, please refer to How to configure browser proxy settings.

Please download and scan with SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
  
• An icon will be created on your desktop. Double-click that icon to launch the program.
  
• If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  
• In the Main Menu, click the Preferences... button.
  
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
    
  • Scan for tracking cookies.
    
  • Terminate memory threats before quarantining.
  
  
• Click the "Close" button to leave the control center screen and exit the program.
  
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  
• On the left, make sure you check C:\Fixed Drive.
  
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  
• Make sure everything has a checkmark next to it and click "Next".
  
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  
• If asked if you want to reboot, click "Yes" and reboot normally.
  
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    
  • Please copy and paste the Scan Log results in your next reply.
  
  
• Click Close to exit the program.

-- If you cannot boot into safe mode or complete a scan, then perform your scan in normal mode.

-- If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Hello quietman7 - I think you are helping me with this issue on theeldergeek.com. I will not reply to this post until/unless we cannot resolve the issue with your suggestions there. If this makes sense? Thanks for your help!

Yes...I didn't notice it was you posting for help here too.

We will finish up over there so I am going to close this thread.