TechSpot

Win32 myzor, virus trigger, etc.

By emperialx
Nov 17, 2008
  1. Hey guys,

    I've been through countless FAQs on how to get rid of this stuff and it is unbelievably frustrating. I accidentally streamed an adware/spyware file, it loaded some thing called virus trigger and I searched through my registry to try and get rid of it all. Now I get pop up system alerts in my tray about win32.myzor and malware threats among other things. In addition: my homepage has been hijacked. It's set to some site syshomepage.com/security/xp or something like that. The pop ups also say other kinds of "fake" adware and whatnot. I have scanned with malwarebytes and tried a little with smitfraud, but it seems like it keeps lingering. If somebody could give me a pretty detailed process on what to do I'd be glad to cooperate. Thanks for your time!
     
  2. rf6647

    rf6647 TS Maniac Posts: 829

    Some infections are designed to block programs by their usual name. Modify the names of the executable file that launches the application.

    Example: mbam.exe --> mwb.exe.

    If using desktop shortcuts, the target needs to change. On the off chance that the infection is programmed to recognize this, as well, also rename the shortcut.

    In the following link, the file designated 'zip' is really type 'exe'. Rename it. Run it.

    Part of the package includes modified shortcuts with renamed targets. With a copy of MBAM on the computer, this should get a scan.

    Other executables in the package seek to delete files associated with known infections causing this. This merely hobbles the infection. Professional programs are needed to remove infections.

    mflynn scripts to zap bugs screwing download/update
     
  3. emperialx

    emperialx TS Rookie Topic Starter

    Okay so download fixit.zip, save it on desktop and rename it fixit.exe? I tried to open it but it says the compressed (zipped) folder is invalid or corrupted. Any ideas?

    Edit: Ahh I think I see what you're saying as far as renaming MBAM to MWB.exe, I think I did that correctly haha. Now as for the fix it error, how exactly am I supposed to make that work?

    ps. thanks for taking the time to help me
     
  4. rf6647

    rf6647 TS Maniac Posts: 829

    My computer shares the same malady as yours - unable to uncompress a zip file.

    Please note - the objective is to use MBAM (followed by SAS) to scan the computer for infections

    Files moved from another computer.

    Attempting to use attachments of individual files. Challenge is to remain under prescribed limits.

    Shortcuts not included - you can create your own.

    extensions changed due to limitations
    D/L --->> rename
    log ---->> bat
    txt ---->> exe
    dmp --->> bfu
    bmp --->> cmd

    fixit.cmd
    Code:
    @echo off
    REM Run the two clean-up batch files shipped in the package (each in its own cmd instance).
    cmd /c cleenup.bat
    
    cmd /c av20089.bat
    
    REM Make renamed copies of the scanners so an infection that blocks them by file name does not match.
    copy "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" "C:\Program Files\Malwarebytes' Anti-Malware\runmbam.exe"
    copy "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" "C:\Program Files\SUPERAntiSpyware\sas.exe"
    REM Put the package's shortcuts (which point at the renamed copies) on the desktop.
    copy *.lnk "%USERPROFILE%\Desktop"
    
    REM Run the BFU script that removes files tied to the known infection.
    bfu mwthor.bfu
    exit

    Once the ability to D/L has been regained, uninstall, then reinstall MBAM & SAS.
    It may be necessary to try this from safe mode with networking.
    Another choice may be Normal mode after msconfig & restart.
    > msconfig > selective startup > untick 'load startup items'
     
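    The renaming trick described in posts #2 and #4 (copy each scanner under a new name, then point a renamed shortcut at the copy, so an infection that blocks processes by their usual file name does not match), written up as an added PowerShell example that is not from the thread or from mflynn's package; the install paths are assumed to be the defaults shown in fixit.cmd.

    ```powershell
    # Added example, not part of the original thread. Assumes the default install
    # paths used in fixit.cmd; adjust $tools if the products live elsewhere.
    $tools = @(
        @{ Source = "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"; NewName = "mwb.exe"; Shortcut = "MWB.lnk" },
        @{ Source = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"; NewName = "sas.exe"; Shortcut = "SAS.lnk" }
    )

    $desktop = [Environment]::GetFolderPath('Desktop')
    $shell   = New-Object -ComObject WScript.Shell

    foreach ($t in $tools) {
        # -LiteralPath avoids wildcard parsing of the apostrophe in the MBAM path.
        if (-not (Test-Path -LiteralPath $t.Source)) {
            Write-Warning "Not installed, skipping: $($t.Source)"
            continue
        }
        $dir    = Split-Path -Parent $t.Source
        $target = Join-Path $dir $t.NewName

        # Copy rather than rename, so the product's own updater still finds its original file.
        Copy-Item -LiteralPath $t.Source -Destination $target -Force

        # Confirm the copy is byte-identical before trusting it (same idea as the
        # size check in post #15, but using a hash instead of a size).
        $srcHash = (Get-FileHash -LiteralPath $t.Source -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $target   -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            Write-Warning "Copy of $($t.Source) does not match the original; not creating a shortcut."
            continue
        }

        # Shortcut with both a renamed target and a renamed file name, since post #2
        # notes some infections also match on the shortcut name.
        $lnk = $shell.CreateShortcut((Join-Path $desktop $t.Shortcut))
        $lnk.TargetPath       = $target
        $lnk.WorkingDirectory = $dir
        $lnk.Save()
        Write-Output "Created $target and desktop shortcut $($t.Shortcut)"
    }
    ```

    Run from an elevated PowerShell prompt, since copying into Program Files requires administrator rights.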
  5. emperialx

    emperialx TS Rookie Topic Starter

    Alright, I have run MBAM and renamed it like you said but it still has not completely removed everything. I still get random pop-ups, this symantec page (on the tech details tab) shows pretty much what I have going on: symantec.com/security_response/writeup.jsp?docid=2007-050812-3659-99&tabid=2 . The only problems I still have are that my homepage is still hijacked and will have a pop-up about win32.myzor, and I also have a system tray icon that talks about a networm-i.virus@fp, and finally I get the pop ups as shown on the symantec site. I have run the attached files, but cannot figure out how to work fixit or what to do with that code. I'm sorry I know my ignorance can be frustrating.
     
  6. rf6647

    rf6647 TS Maniac Posts: 829

    Please, no apologies. We share a common goal - nail this booger. After all is said & done, we both walk away with something extra. I tend to complicate things - so we will work to meet in the middle. Other volunteers know how to measure out things. Too much information, too soon is not helpful.

    Mflynn designed this tool to run from a folder placed on the desktop.
    On the Desktop, Create Folder name = fixes
    Contents of 'fixit' { rename files}
    av20089.bat
    BFU.exe
    cleenup.bat
    MWThor.bfu
    fixit.cmd ------> see code box

    {create fixit.cmd}

    Open notepad

    From the code box, copy the contents; paste into notepad.

    Save file as 'fixit.cmd' <---- remember to choose 'all types' for the 'save as type'

    Location of file 'desktop\fixit'

    With this setup, follow the instructions in the link.

    Basically, double-click 'fixit.cmd'
    The user must answer any challenge coming from firewall or AV programs.
    When complete, the program restarts the computer.

    If no restart, then the user should take that action.

    Follow the remainder of the instructions.

    Post logs.

    Present logs that detected infections help to understand the blend of threats found - not that I can understand it. It's handy when things take unexpected turns.
     
  7. mflynn

    mflynn TS Rookie Posts: 2,655

    No! I just tested again!

    Because the Attachment can not be an .exe file I have changed the extension from .exe to allow Attachment. So it must be renamed back to Fixit.exe.

    Clear all that and even re-download the fixit.zip to desktop.

    Once it is on the desktop right-click it and choose Properties and the name listed will be Fixit.zip; change it to Fixit.exe and click OK. It will warn about changing the extension but do it anyway.

    That produces the Fixit Folder, enter that folder and run only Fixit.cmd

    Mike
     
  8. rf6647

    rf6647 TS Maniac Posts: 829

    Mike, see message #4.
    All files are attached to this post.
    fixit.cmd was put into a text box.

    His computer & my computer cannot unzip files.
    The exe file must link to 'unzip', because that fails, as well.
    Therefore it is not a problem with source files.

    Are the files in the zip updated from Monday?
     
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Nope it will not work that way. The logs he has listed are not logs at all but actual program code.

    The Fixit.zip is actually Fixit.exe (you can not attach an ".exe file") so I renamed it Fixit.zip to allow it to be attached!! Fixit.zip just has to be renamed back to Fixit.exe

    You both need to clear all that and start over.

    That is the reason I made it a self extractor, in case someone had turned off the windows compression and had no other default extractor.

    All you have to do is d/l the attachment - right-click, Properties - rename the Fixit.zip to Fixit.exe and click OK, accept the warning about changing the file extension.

    Mike
     
  10. rf6647

    rf6647 TS Maniac Posts: 829

    The Patient Lives

    I practiced taking the treatment on myself.
    I came through it - still whole.

    Yep, brought back files from this thread, renamed according to the table, and pasted to file, saved it with notepad.

    Perhaps I cannot clearly write instructions.

    Attached bfu.log
     
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    10-4 there you go.

    Now help emperialx get cleaned up and get his correct logs.

    Mike
     
  12. emperialx

    emperialx TS Rookie Topic Starter

    Alright, I tried to do what you told me to, rf6647, yet the fixit seems to not want to work. I saved all the files and put them in a folder with everything named accordingly. MBAM and other scans do not appear to be picking anything up but I still have the errors. Am I doing something wrong? I'm still getting popups about the networm and antivirus 2008 as well as the homepage is still messed up with w32.myzor. In addition, what logs would you like me to post?
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi emperialx

    As I can not tell what you have relating to Fixit and this is what is going to help you, I want you to delete all pertaining to Fixit from your desktop, even the attachment. All, as it sounds like a mess.

    I wrote and posted Fixit.

    Here is all you have to do:

    1. Download the attachment to your Desktop.

    2. Right-click the Fixit.zip then left click Properties

    3. At the top you will see the file name Fixit.zip; just edit it to say Fixit.exe then Apply, OK

    4. On your desktop now is the file Fixit.exe

    5. Double click it to run; the self extractor window will open, click OK to extract.

    6. It will put a new folder on your Desktop called Fixes

    7. Double click this folder to enter it.

    8. There are several files in this folder but you only run 1 of them.

    9. So double click fixit and let it run.

    Mike
     
  14. emperialx

    emperialx TS Rookie Topic Starter

    When I rename it to .exe and run it, a cmd prompt window opens for a couple seconds then closes and that's all that happens. Any ideas?
     
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    Do Properties again on Fixit and see if it matches below

    Size on disk 168 KB (172032 bytes)

    Size 165 KB (169084 bytes)

    If it matches then the file is OK, downloaded ok

    So boot to plain Safe Mode (not networking) and run it.

    If it makes the Folder then enter the folder and double click Fixit.

    If it runs it will do its job and reboot

    Catch it on the way up and go into Safe Mode Networking and back into the folder and run Fixit again.

    It will do its job and reboot to normal mode.

    If this works the sas and runmbam should now update and run.

    Otherwise the Virus/malware itself is blocking even fixit.

    Mike
     
  16. emperialx

    emperialx TS Rookie Topic Starter

    Alright, I ran SAS and suddenly everything is fixed, does this sound accurate? It was very surprising haha.
     