
Remove Infostealer.Gampass malware

Discussion in 'Malware and Virus Removal Archive' started by Starylosophy, 2007/04/08.

  1. 2007/04/16
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    Ok, thanks so much for your help over this week.
     
  2. 2007/04/16
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Please be patient, Blender is very busy at other forums also.

    Let's run this and post the log. She may as well have this info also when she gets here.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    We have not forgotten about you:)
    Geri
     


  4. 2007/04/17
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi Starylosophy,

    Geri pointed me to this thread.

    Just dropping a note here so I get notifications.
    As you see this one will put up a bit of a fight to remove.
    Carry on with Geri's instructions please.
    I'll be notified when you reply.

    Thanks

    Blender
     
  5. 2007/04/17
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    Thanks for helping me. :eek:
    I greatly appreciate the efforts!

    Combofix log:
    As the log is too long, WindowsBBS didn't allow me to post it, so I've uploaded the log here.

    http://www.yousendit.com/transfer.php?action=download&ufid=1C3786C92562083F


    HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:37:22 PM, on 4/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
    C:\WINDOWS\moonfees.exe
    C:\WINDOWS\Syssj2\svchost.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Syswm3\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Hijackthis\Killer.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700 "
    O4 - HKLM\..\Run: [moonfee] C:\WINDOWS\moonfees.exe /i
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
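Reading the HijackThis log above the way the helpers do, the entries that stand out share a few shapes: a process named like a core system binary (svchost.exe) running from a directory other than system32, O4 Run entries that launch an executable sitting directly in C:\WINDOWS rather than a program folder, and a BHO with no backing file. The script below is an added example written for this page, not a tool from the thread or from the HijackThis project. It reads HJT-style log text and flags those three patterns; the allowlists, rule names and the sample log lines are constructed for the example (the sample reuses paths that appear in the log above).

```python
import re
import ntpath
from typing import Dict, List

# Well-known Windows binaries that normally run only from %WINDIR%\system32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "smss.exe", "csrss.exe", "spoolsv.exe"}
# Binaries legitimately launched from the Windows root on an XP-era box.
# Constructed allowlist for this example; extend it for your own environment.
WINDIR_ROOT_ALLOW = {"explorer.exe"}

# Constructed sample in HijackThis v1.99.1 format, reusing paths seen in this thread.
SAMPLE_HJT_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Syssj2\svchost.exe
C:\WINDOWS\moonfees.exe
C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [moonfee] C:\WINDOWS\moonfees.exe /i
O4 - HKLM\..\Run: [shualai] C:\WINDOWS\shualai.exe /i
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.*)$", re.I)
# First token of a Run command: optionally quoted, ends at the first ".exe".
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def _split_path(p: str):
    """Return (directory, filename), both lower-cased, using Windows path rules."""
    d, f = ntpath.split(p.strip())
    return d.lower(), f.lower()


def triage_hjt(text: str) -> List[Dict[str, str]]:
    """Flag suspicious 'Running processes', O4 Run and O2 BHO lines of an HJT log."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):                       # a "Running processes:" entry
            d, f = _split_path(line)
            if f in SYSTEM32_ONLY and not d.endswith("\\system32"):
                findings.append({"rule": "system-binary-name-outside-system32", "item": line})
            continue
        m = O4_RE.match(line)
        if m:
            exe_m = EXE_RE.match(m["cmd"])
            if not exe_m:
                continue
            d, f = _split_path(exe_m["exe"])
            if d == "":
                # Bare file name: resolved through the search path at logon time.
                findings.append({"rule": "run-entry-unqualified-path", "item": line})
            elif d.endswith(":\\windows") and f not in WINDIR_ROOT_ALLOW:
                # Program dropped straight into the Windows root, as in this thread.
                findings.append({"rule": "run-entry-in-windows-root", "item": line})
            continue
        m = O2_RE.match(line)
        if m and m["path"].strip().lower() == "(no file)":
            findings.append({"rule": "orphaned-bho", "item": line})
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{finding['rule']:40} {finding['item']}")
```

The rules are deliberately narrow: they do not say a file is malicious, only that it is worth sending for analysis, which is exactly what the helper asks for in the next post. Run it against a full log with `triage_hjt(open("hijackthis.log").read())`.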
     
  6. 2007/04/18
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Thanks for the log. I was hoping Combofix would take out more than that. I will need more logs and a few file samples because if we don't take it all out at once it will only re-load again.
    Unfortunately some of these boogers load under some fairly well hidden keys.

    File samples:

    Reveal Hidden Files


    • Click Start.
    • Open My Computer.
    • Select the Tools menu.
    • Click Folder Options.
    • Select the View tab.
    • Select "Show hidden files and folders" in the Hidden files and folders section.
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Uncheck the "Hide file extensions for known file types" option.
    • Click Yes.
    • Click OK.


    Please download Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

    Run SFP.exe.

    Please copy the following lines:

    C:\rising.exe
    C:\WINDOWS\moonfees.exe
    C:\WINDOWS\nortond.exe
    C:\WINDOWS\system32\moonfees.dll
    C:\WINDOWS\system32\muceess.dll
    C:\WINDOWS\system32\mafinss.dll
    C:\WINDOWS\system32\shualai.dll
    C:\WINDOWS\system32\mooness.dll
    C:\WINDOWS\system32\g11763611986.exe
    C:\WINDOWS\system32\nortond.dll
    C:\WINDOWS\system32\nortens.dll

    and paste it in the box in SFP, then click "Continue".

    It will copy the files and zip them up into a cab file on your desktop.
    Called something like "Requested files [time/date].cab".

    Please upload the cab file to this site:

    http://www.thespykiller.co.uk/index.php?board=1.0

    Start yourself a new topic
    Put in topic title "Request by Blender"
    Put in body of message the link to our thread here.
    Then press the browse button and navigate to & select the cab file on desktop.
    Press Post to upload the file

    It is normal that you will not see the file you just posted because only approved members can see them to download them.

    Next...
    Create a folder on desktop called "blender"
    Copy these folders to Blender:

    C:\WINDOWS\Syssj2
    C:\WINDOWS\Syswm3
    C:\WINDOWS\Syswm2
    C:\WINDOWS\Syssj1

    Right click Blender > Send To > "Compressed (zipped) folder".
    Should now have Blender.zip.

    Upload blender.zip to same site as above.

    Delete Blender.zip and the folder when done.

    Let me know here when you have posted.

    ----------------------------

    Logs:

    Download this file:
    http://www.kztechs.com/sreng/sreng2.zip

    Unzip it to its own folder.

    Open folder and Double click SREng.exe
    Click "smart scan"
    Checkmark "verify digital signatures"
    Click "scan"
    Wait till scan is done.
    Once done click "save reports"
    Save the log someplace.

    You can upload it here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Include link to this thread so I know who it belongs to.

    Next:

    Go to your hijackthis folder
    Right click killer.exe and rename it back to hijackthis.exe
    Open Hijackthis
    Click "open misc tools section"
    Checkmark the following options beside "generate startuplist log":
    "list also minor sections"
    "list empty sections"

    Hit "generate startuplist log" and OK.

    Post results here or upload here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Next:

    I need to see some registry stuff.

    Click start> run> type cmd and hit enter.
    A "dos" box pops up.
    Copy this line:

    Code:
    regedit /a /e c:\reg.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    Right click in open cmd window and hit "paste".
    Hit enter.

    log will be created in C:\ called reg.txt

    Upload that log here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Thanks :)
     
  7. 2007/04/18
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    Hi.

    I've posted the requested logs on the other forums.

    Just to let you know that I wasn't able to see the Hidden files and folders after I clicked on the radio button. And when I checked back, it was chosen as "Do not show hidden files and folders" I'm not sure why I can't do it. I was able to do it before I reformatted.

    So for the requested files below, I copied them by going through the Explore option (As they were hidden files, I couldn't see them):

    C:\WINDOWS\Syssj2
    C:\WINDOWS\Syswm3
    C:\WINDOWS\Syswm2
    C:\WINDOWS\Syssj1

    For this folder C:\WINDOWS\Syswm2, It says that it couldn't copy Ghook. I've checked the properties of Blender folder and there were 3 folders and 4 files.
     
  8. 2007/04/18
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Thanks for those files. One of the folders you copied has a copy of ghook so that's OK.
    I did notify sUBs (the guy who created ComboFix) so he can add this stuff and be able to help others that get hit with this.
    It's going to take me a bit to go through the logs you sent me.
    I'll be back in a bit with something we can start with.

    Drive C:\ is obviously your main hard drive. What is D:\ ?
    Hard drive or CDRom?
     
  9. 2007/04/18
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    You can delete the cab file off your desktop you uploaded.

    Can you go to SAFE mode and try sfp.exe again to get these files?
    Some of them seem to be protecting themselves from being copied while in normal mode.

    C:\WINDOWS\moonfees.exe
    C:\Windows\winform.exe
    c:\windows\mppds.exe
    C:\WINDOWS\system32\moonfees.dll
    C:\WINDOWS\system32\muceess.dll
    C:\WINDOWS\system32\mafinss.dll
    C:\WINDOWS\system32\shualai.dll
    C:\WINDOWS\system32\mooness.dll
    C:\WINDOWS\system32\nortond.dll
    C:\WINDOWS\system32\nortens.dll
    C:\WINDOWS\system32\F8748FE.DLL
    C:\WINDOWS\system32\mppds.dll
    C:\Windows\System32\F8748FE.exe


    Upload the cab file to this thread when you get booted back up to normal mode.
    http://www.thespykiller.co.uk/index.php?topic=4012.0

    Thanks :)
     
  10. 2007/04/19
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    D:\ Drive is a hard drive where I store my personal files.

    I've posted the requested cab file in the thread.
     
  11. 2007/04/19
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Thanks for the upload. Lots of files are protecting themselves from being copied.
    Let's get rid of these things now. I think I got what we need to pull this off. :D

    I have attached file called fix.zip to my post.
    Download the file, save it to your desktop and unzip it.
    You should have Fix.reg when done. Don't run it yet.

    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    You will get some errors at bootup. This is OK. We'll fix that in a minute.

    Locate fix.reg on your desktop and double click it.
    Answer yes when asked if you want to add contents to registry.
    You should get a success message.
    Reboot once more.

    Let me know if you have trouble accessing your hard drives from "my computer"
    Or if you get errors trying to open C:\ or D:\


    Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

    Please also get me new export of this registry key:

    Click start> run> type cmd and hit enter.
    A "dos" box pops up.
    Copy this line:

    Code:
    regedit /a /e c:\reg2.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    
    Upload C:\reg2.txt here:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    New SREng log as well please.

    Please upload C:\Avenger\backup.zip to your thread at spykiller.

    http://www.thespykiller.co.uk/index.php?topic=4012.new#new

    Let me know how machine is running.

    Thanks :)
     
  12. 2007/04/20
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    Hi,

    I've posted the requested log files.

    When I open C:\ it will prompt me which program I would want to open it with and I will have to do a right-click and open it.

    Just to let you know that these are the malware prompts from Symantec and AVG:

    AVG:
    C:\WINDOWS\system32\F8748FE.DLL
    C:\WINDOWS\system32\mppds.dll
    C:\WINDOWS\cmdbcs.exe
    C:\WINDOWS\msccrt.exe

    Symantec:
    C:\Windows\system32\shualai.dll



    SREngLOG:

    http://www.yousendit.com/transfer.php?action=download&ufid=A69BBE187C5CB34F

    HJT Logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:17:30 PM, on 4/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\shualai.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700 "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [shualai] C:\WINDOWS\shualai.exe /i
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  13. 2007/04/20
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Ok... I think we are getting somewhere. A bit slow but we are making progress.

    Those AV alerts are since you ran Avenger?

    Delete your current copy of ComboFix. I'm not sure if it's been updated yet but just in case.

    Download the new one and run it by following instructions from here:

    http://www.windowsbbs.com/showpost.php?p=342985&postcount=22

    Post or upload log for me please.

    Grab me also a complete startuplist from Hijackthis.
    Open Hijackthis> open misc tools> check both options beside "generate startuplist log" and OK.

    Post or upload log results.

    Also:

    There has to be a reference to "rising.exe" elsewhere that I don't see in your logs. SREng pointed to it but I don't see it in the reg export you did. :confused:

    If there is still reference to it somewhere telling windows "rising.exe" is needed to open drives... that would be why you have trouble opening your drives properly.

    Lets do a search for it:

    Download Bobbi Flekman's RegSearch from
    http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

    Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.
    Or in your case right click C:\ to open it.

    Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
    Copy / Paste the following line into the Search Box:

    rising.exe

    then hit Ok

    After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.
    Post results.
    You will need to close the notepad file before exiting RegSearch or program might hang.

    You can delete "fix.reg" and the zip.
    I'll attach a new reg fix if we need it.

    Thanks :)
     
  14. 2007/04/20
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    Hi,

    Those AVG alerts always come up even before I ran Avenger whenever I start up my PC.

    ComboFix Log:
    http://download.yousendit.com/E0C5E8DC12B56527

    Startuplist Log:
    http://download.yousendit.com/3AA58E28714792AB

    RegSearch Results:

    Windows Registry Editor Version 5.00

    ; Registry Search 2.0 by Bobbi Flekman © 2005
    ; Version: 2.0.3.0

    ; Results at 4/21/2007 1:32:51 AM for strings:
    ; 'rising.exe
    rising.exe
    rising.exe'
    ; Strings excluded from search:
    ; (None)
    ; Search in:
    ; Registry Keys Registry Values Registry Data
    ; HKEY_LOCAL_MACHINE HKEY_USERS


    ; End Of The Log...
     
  15. 2007/04/20
    Blender

    Blender Inactive

    Hi,

    These things are playing real "hard to get", aren't they? :(

    Copy the following text inside the code box to notepad.
    Be sure to include the "Files to delete:" part.

    Code:
    Drivers to unload:
    f8748fe
    
    Files to delete:
    C:\WINDOWS\system32\F8748FE.EXE
    C:\WINDOWS\shualai.exe
    C:\WINDOWS\system32\g11763611986.exe
    C:\WINDOWS\system32\mppds.dll
    C:\WINDOWS\mppds.exe
    

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    Double click Avenger.exe to open it.
    Click "input script manually" then click the magnifying glass.
    Copy the entire contents of the code box by highlighting it and pressing ctrl + c
    Right click in the open "view/edit" script window and choose "paste"
    Click "done"
    You can close the notepad window.
    Click the green light
    Answer Yes twice.

    Computer will reboot 2x.
    Last time you will see a brief "dos" box and Avenger should open log file of its actions.

    Copy/paste log file here along with new hijackthis log.

    Please upload new Complete startuplist log
    Please upload new SREng log

    Also please do this:

    Make sure you can see hidden files/folders:

    Reveal Hidden Files

    1. Click Start.
    2. Open My Computer.
    3. Select the Tools menu.
    4. Click Folder Options.
    5. Select the View tab.
    6. Select Show hidden files and folders in the Hidden files and folders section.
    7. Uncheck the Hide protected operating system files (recommended) option.
    8. Uncheck the Hide file extensions for known file types option.
    9. Click Yes.
    10. Click OK.


    Look in both C:\ drive and D:\ drive for files called autorun.inf
    If present, right click > choose "edit".
    They will open in notepad.
    Copy/paste the contents here for both if present.

    If they have this junk in them you can delete them:
    This, I think, is why you have trouble opening your C:\ & D:\ drives normally.
    They are pointing to a now non-existent file & Windows is cornfuzzled.

    open=rising.exe
    shellexecute=rising.exe
    shell\Auto\command=rising.exe

    I want to see the contents here though before you delete just in case.

    Thanks :)
     
  16. 2007/04/21
    Starylosophy

    Starylosophy Inactive Thread Starter

    SREng Log:
    http://download.yousendit.com/FBFF106C6D0A8B75

    Startuplist Log:
    http://download.yousendit.com/682816587649551D

    Avenger Log:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\cthkuhbm

    *******************

    Script file located at: \??\C:\uockdnbs.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Driver f8748fe unloaded successfully.
    File C:\WINDOWS\system32\F8748FE.EXE deleted successfully.


    File C:\WINDOWS\shualai.exe not found!
    Deletion of file C:\WINDOWS\shualai.exe failed!

    Could not process line:
    C:\WINDOWS\shualai.exe
    Status: 0xc0000034

    File C:\WINDOWS\system32\g11763611986.exe deleted successfully.
    File C:\WINDOWS\system32\mppds.dll deleted successfully.


    File C:\WINDOWS\mppds.exe not found!
    Deletion of file C:\WINDOWS\mppds.exe failed!

    Could not process line:
    C:\WINDOWS\mppds.exe
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.



    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:11:19 AM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Hijackthis\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700 "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    autorun.inf:
    [AutoRun]
    open=rising.exe
    shellexecute=rising.exe
    shell\Auto\command=rising.exe


    I've just had an alert from Symantec:
    http://img261.imageshack.us/img261/54/killboxlu1.jpg

    I'm wondering why there is malware in the Killbox folder.

    There are also a lot of alerts:

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Infostealer.Gampass
    File: C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP48\A0007521.exe
    Location: C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP48
    Computer: STARYLOS-64EF19
    User: Starylosophy
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Sunday, April 22, 2007 3:48:07 AM

    All these alerts came up after I scanned my PC through AVG.
     
    Last edited: 2007/04/21
  17. 2007/04/22
    Blender

    Blender Inactive

    Hi,

    I'll be back shortly when I have had a look at your logs.
    Your HJT log looks OK. I think we are nearly there.
    How is the system acting now?

    As for items found in System Volume Information folder...
    Don't worry about them for now. It is your System Restore, and we will clean out System Restore last, when we have everything else working right.
    Windows does not care what it backs up in Restore. If it sees something new, it backs it up, bad files or good.
    Nothing can hurt you from there at the moment.

    That autorun.inf file you posted, is that from both the C:\ and D:\ drives?
    If so... delete them.
    Once you do this you should be able to open your drives properly.
    What that file is doing is telling Windows that "rising.exe" has to be present to open those drives. Since we deleted "rising.exe", Windows is confuzzled and does not know how to open C:\ or D:\.
    You may have the same issue on any flash drives you plugged in at the time you were infected.
    The registry file you uploaded to me earlier tells me the bad autorun.inf might be on your flash drive as well.
    They may also have an autorun.inf on the root of the drive pointing to rising.exe.
    Since rising no longer exists...windows won't know how to open it.
    Check your flash drives if you have any.
    Look at the "autorun.inf" files. (open with notepad)
    If they point to rising.exe..... delete them.
    Drives should open OK once you do this.
    If you don't have any flash drives... don't worry about it. We did clean up the registry pointers for them.


    Bad files in Killbox folder...
    Yes, there will be. You were told earlier to delete several files using Killbox, and Killbox does create backups of deleted files in case good files were deleted.
    You can delete the killbox folder then delete it from recycle bin.

    Upload your new c:\Avenger\backup.zip to spykiller site please.

    http://www.thespykiller.co.uk/index.php?topic=4012.new#new

    You can add reply.

    Once uploaded, you can delete c:\Avenger folder then delete it from recycle bin.

    Be back shortly.
     
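    One way to check drive roots for the kind of autorun.inf discussed in this post and the previous one (an added example, not code from the thread or from any tool used in it): it parses the [AutoRun] section, picks out the keys Explorer treats as launch commands (open, shellexecute, shell\<verb>\command), resolves each target against the drive root and reports whether the file still exists, which is the dangling-reference case that stops C:\ and D:\ from opening normally. The sample autorun.inf content is the one posted in the thread; the temporary "drive root" it is written into, and the placeholder rising.exe, are constructed for the demo.

```python
"""Inspect a drive root's autorun.inf for launch entries and dangling targets."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# [AutoRun] keys whose value is a command line Explorer may run or advertise
# when the drive is opened or double-clicked.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.IGNORECASE)

# Constructed sample: the autorun.inf contents posted in the thread.
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=rising.exe
shellexecute=rising.exe
shell\Auto\command=rising.exe
"""


@dataclass
class AutorunFinding:
    key: str        # e.g. "shell\Auto\command", as written in the file
    command: str    # raw value, e.g. "rising.exe"
    target: str     # resolved path of the program on that drive
    exists: bool    # False -> dangling reference: Explorer cannot open the drive normally


@dataclass
class AutorunReport:
    path: str
    findings: List[AutorunFinding] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any launch key on a hard-disk or flash-drive root deserves a look;
        # a legitimate CD autorun normally only sets 'open' and 'icon'.
        return bool(self.findings)

    @property
    def dangling(self) -> List[AutorunFinding]:
        return [f for f in self.findings if not f.exists]


def parse_autorun_section(text: str) -> Dict[str, str]:
    """Minimal INI parser: key->value pairs from the [AutoRun] section only."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":       # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def command_target(command: str) -> str:
    """First token of a command line: the program Explorer would launch."""
    command = command.strip()
    if command.startswith('"'):                # quoted path, possibly with spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def resolve_on_drive(root: str, target: str) -> str:
    """Relative targets are resolved against the drive root, as Explorer does."""
    norm = target.replace("\\", os.sep)
    if os.path.isabs(norm) or re.match(r"^[A-Za-z]:", target):
        return norm
    return os.path.join(root, norm.lstrip(os.sep))


def find_autorun_inf(root: str) -> Optional[str]:
    """Case-insensitive lookup of autorun.inf in the drive root."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return os.path.join(root, name)
    return None


def inspect_drive_root(root: str) -> Optional[AutorunReport]:
    """Return a report for the drive root, or None if it has no autorun.inf."""
    path = find_autorun_inf(root)
    if path is None:
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun_section(fh.read())
    report = AutorunReport(path=path)
    for key, value in entries.items():
        if not LAUNCH_KEY_RE.match(key):
            continue
        target = resolve_on_drive(root, command_target(value))
        report.findings.append(AutorunFinding(key, value, target, os.path.isfile(target)))
    return report


def demo(target_present: bool = False) -> Optional[AutorunReport]:
    """Write the constructed sample into a temporary fake drive root and inspect it."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    if target_present:  # simulate the file still being on the drive
        with open(os.path.join(root, "rising.exe"), "wb") as fh:
            fh.write(b"MZ")  # constructed placeholder, not a real binary
    return inspect_drive_root(root)


if __name__ == "__main__":
    rep = demo()
    for f in rep.findings:
        print(f"{f.key} -> {f.command}  [{'present' if f.exists else 'MISSING (dangling)'}]")
    print("dangling launch entries:", len(rep.dangling))
```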
  18. 2007/04/22
    Blender

    Blender Inactive

    Back :)

    Copy the following text inside the code box to a new Notepad file.
    Save as file name fix2.reg
    As file types: All files
    Save it to your desktop but don't run it yet.

    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    
    
    Start Hijackthis
    Run system scan and check the following items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE


    Close all open windows and hit "fix checked"

    Exit Hijackthis

    Locate "fix2.reg" and double click it. Allow the merge.

    Reboot

    Delete these folders if present:

    C:\WINDOWS\Syswm6
    C:\WINDOWS\Syssj4

    Click start> run> type cleanmgr and hit enter.
    Choose drive C:\ to clean.
    Have these checked:

    Temporary files
    Temporary internet files
    Recycle bin

    Click OK to clean.

    Open Internet options in your control panel
    Click "delete files" and check to "delete all offline content" then OK.
    Once done reboot.

    Next:

    Update your AVG Antispyware.
    Do a full system scan and let it quarantine what it finds.
    Save the log and reboot if it cleaned anything.

    Next:

    Using Internet Explorer please do an online scan with Kaspersky Online Scanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (If available otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save report button.
    • Call it Kaspersky.txt
    • Expand the arrow beside "file types" and save as .txt file.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    *Note
    It is recommended to disable the onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

    *Note2
    If you have Internet Explorer 7 installed:
    If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
    Page will reload and you should be able to carry on scan.

    If the Kaspersky scan is too big to post then Upload it please.
    Upload me a new SREng log and post a fresh hijackthis log here.
    Either post or upload AVG log please.

    Let me know how things are running.
    Let me know if you can access the C:\ and D:\ drives properly.

    Thanks
     
  19. 2007/04/22
    Starylosophy

    Starylosophy Inactive Thread Starter

    Hi,

    I can open C:\ normally now, thanks!

    I've attached the requested Avenger backup.zip in thespykiller site.

    I'm unable to delete these two folders because Ghook.dll is there.

    Kaspersky report:

    http://download.yousendit.com/D4FDBFC61B2D538A



    HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:40:29 PM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
    C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    C:\WINDOWS\Syswm6\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\hijackthis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [EPSON Stylus CX3700 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACP.EXE /P26 "EPSON Stylus CX3700 Series" /O6 "USB001" /M "Stylus CX3700 "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
    O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    AVG Log:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:40:12 PM 4/22/2007

    + Scan result:



    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017102.DLL -> Downloader.Delf.bhu : No action taken.
    C:\WINDOWS\system32\__delete_on_reboot__F_8_7_4_8_F_E_._D_L_L_ -> Downloader.Delf.bhu : No action taken.
    [1004] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1040] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1100] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1160] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1184] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1296] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1468] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1492] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1632] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1948] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [1984] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [200] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [648] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [676] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [720] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [732] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [908] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    [928] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@www.burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@as.casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@counter.hitslink[1].txt -> TrackingCookie.Hitslink : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@overture[1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@www.paypal[1].txt -> TrackingCookie.Paypal : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
    C:\Documents and Settings\Starylosophy\Cookies\starylosophy@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\avenger\backup-Sun 04.22.2007- 1.05.28.18.zip/avenger/Syssj1/svchost.exe -> Trojan.Delf.ngv : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017070.exe -> Trojan.Delf.nhd : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017111.exe -> Trojan.Delf.nhd : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017112.exe -> Trojan.Delf.nhd : No action taken.
    C:\avenger\backup-Sun 04.22.2007- 1.05.28.18.zip/avenger/Syswm3/svchost.exe -> Trojan.Delf.nhd : No action taken.
    C:\Documents and Settings\Starylosophy\Local Settings\Temporary Internet Files\Content.IE5\0LK50PMN\wow0420[1].exe -> Trojan.OnLineGames.es : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017107.exe -> Trojan.OnLineGames.es : No action taken.
    C:\avenger\backup-Sun 04.22.2007- 1.05.28.18.zip/avenger/nortins.exe -> Trojan.OnLineGames.es : No action taken.
    C:\avenger\backup-Sun 04.22.2007- 1.05.28.18.zip/avenger/nortond.exe -> Trojan.OnLineGames.es : No action taken.
    C:\Documents and Settings\Starylosophy\Local Settings\Temporary Internet Files\Content.IE5\589PVPDV\wm0411[1].exe -> Trojan.OnLineGames.hu : No action taken.
    C:\avenger\backup.zip/avenger/g11763611986.exe -> Trojan.OnLineGames.hu : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017069.dll -> Trojan.OnLineGames.ls : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017113.dll -> Trojan.OnLineGames.ls : No action taken.
    C:\WINDOWS\Syswm6\__delete_on_reboot__G_h_o_o_k_._d_l_l_ -> Trojan.OnLineGames.ls : No action taken.
    [1068] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [1120] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [1168] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [1364] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [1688] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [168] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [1712] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [1804] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [2420] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [2808] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [2960] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [2984] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [340] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [3848] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [496] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [780] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [796] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [884] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    [956] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
    C:\avenger\backup-Sun 04.22.2007- 1.05.28.18.zip/avenger/Syssj1/Ghook.dll -> Trojan.OnLineGames.nn : No action taken.
    C:\Documents and Settings\Starylosophy\Local Settings\Temporary Internet Files\Content.IE5\0LK50PMN\jh0417[1].exe -> Trojan.OnLineGames.oe : No action taken.
    C:\Documents and Settings\Starylosophy\Local Settings\Temporary Internet Files\Content.IE5\I8UT7T0S\moyu0417[1].exe -> Trojan.OnLineGames.oe : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017108.exe -> Trojan.OnLineGames.oe : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017110.exe -> Trojan.OnLineGames.oe : No action taken.
    C:\Documents and Settings\Starylosophy\Local Settings\Temporary Internet Files\Content.IE5\YMETTHGU\wl0412[1].exe -> Trojan.WOW.qa : No action taken.
    C:\System Volume Information\_restore{88505C6F-4C7C-418B-80EA-6E5905A55E70}\RP54\A0017109.exe -> Trojan.WOW.qa : No action taken.


    ::Report end
     
  20. 2007/04/23
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Thanks for the files. Good to hear your drives open correctly now. :)

    There's gotta be something else loading these other persistent monsters.

    Download Gmer from here:

    http://www.gmer.net/gmer.zip

    Unzip it.
    Disconnect from the internet & shut down your antivirus to prevent conflicts.
    Also shut down any other unneeded apps, including any open browser windows.
    There is a small chance the PC might crash, so save whatever "work" you have open.
    The less stuff we have running, the less chance of false positives in the log.
    Double click gmer.exe to run it.
    Allow driver to install if asked (gmer.sys)
    You may get a warning at program start that there is possible rootkit activity, asking if you want to run a scan.

    Say OK to run scan.
    If there is no warning, stay on the "Rootkit" tab and click "Scan".
    Let the scan finish.
    Once done press "copy"
    Open Notepad > press "Ctrl+V" to paste the log.
    Save log.

    Re-enable your antivirus, re-connect to the internet & post that log here.

    If the log is too big, please upload it instead.

    Next:

    Open RegSearch folder and run RegSearch.exe
    On the first line paste:

    Ghook.dll

    Next line paste:

    F8748FE.DLL

    Click OK to search.
    When done please post the results.
    Preferably upload the results so the registry code info is "preserved".

    Thanks :)

    We need to try & stop some of this junk from calling home for backups and undoing all our work.

    For now let's put a Hosts file in place:

    Info and how to install:

    http://www.mvps.org/winhelp2002/hosts.htm

    Many of the sites these guys try & contact will be inaccessible.

    Then a firewall.
    The XP one is not going to stop nasty outgoing traffic. A 3rd-party one can do much better.

    Comodo:
    http://www.personalfirewall.comodo.com/

    It is free.
    Understanding and using firewalls:

    http://www.bleepingcomputer.com/tutorials/tutorial60.html

    When you get Comodo installed, do ensure you have the XP one off so you don't have conflicts.
    If any of these nasty guys we've been trying to kill wants out, you can block 'em with your firewall.
     
  21. 2007/04/23
    Starylosophy

    Starylosophy Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    35
    Likes Received:
    0
    When I installed the Comodo firewall, it prompted me that msccrt.exe is in my IE, so if I choose to deny it wouldn't allow me to surf the net. So I have to allow it.

    Also, AVG still alerts Ghook.dll and the other malware.

    RegSearch log:
    http://download.yousendit.com/599F033A08FBAE02


    Gmer log:

    GMER 1.0.12.12244 - http://www.gmer.net
    Rootkit scan 2007-04-23 22:43:25
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT E1ED5DA0 ZwConnectPort
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
    SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

    ---- Kernel code sections - GMER 1.0.12 ----

    ? C:\WINDOWS\system32\DRIVERS\update.sys

    ---- User code sections - GMER 1.0.12 ----

    .text C:\Program Files\MSN Messenger\msnmsgr.exe[3340] kernel32.dll!SetUnhandledExceptionFilter 7C84479D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe

    ---- Processes - GMER 1.0.12 ----

    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\SavRoam.exe [156] 0x00A30000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\ati2evxx.exe [372] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\explorer.exe [488] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\csrss.exe [648] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [676] 0x01490000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [720] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [732] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [736] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccApp.exe [784] 0x017D0000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\RTHDCPL.exe [800] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe [864] 0x01DB0000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\ati2evxx.exe [908] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [924] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Common Files\Real\Update_OB\realsched.exe [944] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [952] 0x01550000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Winamp\winampa.exe [960] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIACP.EXE [984] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1004] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1044] 0x00ED0000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\QuickTime\qttask.exe [1064] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1100] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\SysSun1\svchost.exe [1124] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1196] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1216] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe [1248] 0x023A0000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1264] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [1432] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [1492] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1628] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe [1836] 0x10000000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [1972] 0x00820000
    Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\Program Files\Symantec AntiVirus\DefWatch.exe [1992] 0x10000000

    ---- EOF - GMER 1.0.12 ----
     
    Last edited: 2007/04/23
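The two logs in this thread describe the same infection from different angles: AVG Anti-Spyware names the DLL it sees in a few process IDs, and GMER shows the same DLL as a hidden library inside many more processes, including core ones that no user-mode cleaner can safely kill. The script below is an added example (not code posted in this thread, and not part of GMER or AVG) that parses both line formats exactly as they appear above, joins them on PID and DLL path, and flags the things a helper would look for next: which core system processes host the DLL, which PIDs the antispyware scan never reported, and any svchost.exe running from somewhere other than system32 (on XP the genuine one runs only from %SystemRoot%\system32). The sample lines are copied from the logs above and trimmed to a handful of entries; the CORE_PROCESSES set and the regex shapes are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample log lines copied from the AVG Anti-Spyware and GMER reports posted
# in this thread, trimmed to a handful of entries (constructed sample input).
AVG_LOG = r"""
[720] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
[732] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
[908] C:\WINDOWS\system32\F8748FE.DLL -> Downloader.Delf.bhu : No action taken.
[1068] C:\WINDOWS\Syswm6\Ghook.dll -> Trojan.OnLineGames.ls : No action taken.
C:\WINDOWS\Syswm6\__delete_on_reboot__G_h_o_o_k_._d_l_l_ -> Trojan.OnLineGames.ls : No action taken.
"""

GMER_LOG = r"""
---- Processes - GMER 1.0.12 ----

Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\csrss.exe [648] 0x10000000
Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [676] 0x01490000
Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [720] 0x10000000
Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [732] 0x10000000
Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\system32\ati2evxx.exe [908] 0x10000000
Library C:\WINDOWS\system32\F8748FE.DLL (*** hidden *** ) @ C:\WINDOWS\SysSun1\svchost.exe [1124] 0x10000000

---- EOF - GMER 1.0.12 ----
"""

# AVG Anti-Spyware report line: "[pid] path -> Detection : action" for a
# module found inside a process, or "path -> Detection : action" for a file.
AVG_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s+->\s+(?P<det>\S+)\s+:\s+(?P<action>.+?)\.?$"
)

# GMER "Processes" section line: "Library <dll> (*** hidden *** ) @ <exe> [pid] <base>".
GMER_RE = re.compile(
    r"^Library\s+(?P<lib>.+?)\s+\(\*\*\*\s*hidden\s*\*\*\*\s*\)\s+@\s+(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$"
)

# Core XP processes a user-mode cleaner cannot safely terminate (assumed list);
# a DLL injected into these survives "end process" cleanups and reloads at logon.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


def parse_avg(text):
    """Return one dict per AVG line: pid (int or None), path, detection, action."""
    out = []
    for line in text.splitlines():
        m = AVG_RE.match(line.strip())
        if m:
            pid = m.group("pid")
            out.append({"pid": int(pid) if pid else None, "path": m.group("path"),
                        "detection": m.group("det"), "action": m.group("action")})
    return out


def parse_gmer_hidden(text):
    """Return one dict per hidden library GMER reported: lib, proc, pid, base."""
    out = []
    for line in text.splitlines():
        m = GMER_RE.match(line.strip())
        if m:
            out.append({"lib": m.group("lib"), "proc": m.group("proc"),
                        "pid": int(m.group("pid")), "base": int(m.group("base"), 16)})
    return out


def correlate(avg_entries, gmer_entries):
    """Join both logs on (pid, dll path) and summarise per hidden DLL."""
    by_key = {(e["pid"], e["path"].lower()): e["detection"]
              for e in avg_entries if e["pid"] is not None}
    report = defaultdict(lambda: {"pids": [], "core_hosts": [], "unscanned_pids": [],
                                  "detections": set(), "masquerading_hosts": []})
    for g in gmer_entries:
        lib = g["lib"].lower()
        r = report[lib]
        r["pids"].append(g["pid"])
        folder, exe = g["proc"].rsplit("\\", 1)
        exe, folder = exe.lower(), folder.lower()
        if exe in CORE_PROCESSES:
            r["core_hosts"].append(exe)
        det = by_key.get((g["pid"], lib))
        if det:
            r["detections"].add(det)
        else:
            r["unscanned_pids"].append(g["pid"])   # GMER saw it, AVG's process scan did not
        # The genuine svchost.exe runs only from %SystemRoot%\system32 on XP;
        # a copy in any other folder is a look-alike dropped by the malware.
        if exe == "svchost.exe" and not folder.endswith(r"\system32"):
            r["masquerading_hosts"].append(g["proc"])
    return dict(report)


def summarize(avg_text=AVG_LOG, gmer_text=GMER_LOG):
    return correlate(parse_avg(avg_text), parse_gmer_hidden(gmer_text))


if __name__ == "__main__":
    for lib, r in summarize().items():
        print(lib)
        print("  injected into PIDs :", r["pids"])
        print("  core system hosts  :", r["core_hosts"])
        print("  AVG names it       :", sorted(r["detections"]) or "(not in AVG process list)")
        print("  PIDs AVG missed    :", r["unscanned_pids"])
        print("  fake svchost hosts :", r["masquerading_hosts"])
```

On the sample above the join shows why the infection keeps coming back: the same DLL sits in csrss.exe, winlogon.exe, services.exe and lsass.exe, none of which can be killed from a running desktop, so a fix that only deletes the file on disk is undone the next time those processes are scanned or the machine logs on. The "PIDs AVG missed" line is the gap between the two tools, and the look-alike svchost.exe outside system32 is a separate loader worth its own entry in the RegSearch step. The AVG hits under System Volume Information\_restore are restore-point copies and only go away when System Restore is purged, not when the live files are removed.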
