Reply To Abri Re Malware - Avenger & Renv Logs - Original Thread Inaccessible

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by snacs, Jan 13, 2008.

  1. snacs

    snacs Private E-2

    Hi Abri
    The thread is longer on the forum for some reason so have had to reply with a new thread
    Please find attached avenger & renv logs
    Thanks
    Daragh

    *Hi snacs! Welcome to Major Geeks!* We do not take responsibility for sons, but advise they are worth keeping. You have a new form of vundo on the computer and AVG Antispyware removed a serious lot of stuff from a trojan dropper. It will take several steps to remove things and I ask that you not use or boot your computer more than necessary while we remove this.
    *1)* Please begin by uninstalling the following from add/remove programs. Also, if your version of Spyware Doctor is the trial version, please uninstall it as well as the below Java program:
    - Java(TM) SE Runtime Environment 6 Update 1
    *2)* If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run *Disable/Remove Windows Messenger* (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html)
    *3)* Then go to start / run and type in *msconfig* and make sure *normal system start* is checked. Click on accept and okay.
    *4)* Now download *The Avenger* (http://swandog46.geekstogo.com/avenger.zip) by Swandog46, and save it to your Desktop.
    Extract avenger.exe from the Zip file and save it to your desktop.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy *everything* in the Quote box below, and paste it in the box that opens:
    ---Quote---
    Files to delete:
    C:\-1541431751
    C:\WINDOWS\system32\dxdss.sys
    ---End Quote---
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    *5)* Please download *ATF Cleaner* (http://www.majorgeeks.com/ATF_Cleaner_d4949.html) by Atribune. This program does not require an installation. The executable actually runs the program.
    *NOTE:* This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: *Select All*
    * Click the *Empty Selected* button.
    *NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
    Click *Exit* on the Main ATF Cleaner menu to close the program.
    *6)* After you've done the above, I would like for you to do the following:
    * Download and save *RenV.exe* (http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe) to your Desktop (*must be on the Desktop*)
    * Doubleclick RenV.exe
    * When finished, it will produce a new log named *Log.txt* on the Desktop.
    * Attach this log to your next reply.
    *7)* Please attach the *Avenger log* and the *RenV log*. Let me know how things are running now?
    abri
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi snacs!

    Too strange! Where did your thread go???? Anyway ... here are the next instructions:

    Now Copy the bold text below to notepad. Save it as Log.txt to your desktop.

    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    • Run ComboFix
    • Run C:\MGtools\GetLogs.bat by double clicking on it.
    • Attach the below new logs:
      • Log.txt
      • C:\ComboFix.txt
      • C:\MGlogs.zip (get these by running C:\MGTools\GetLogs.bat)
    abri
     
  3. snacs

    snacs Private E-2

    Hi Abri
    Many thanks for getting back to me. Dunno what happened to the previous thread - it just wasn't there whenever I clicked the link. Anyways, beginning to see a bit of light at the end of the previously dark tunnel now. Laptop seems to be a bit better - e.g. Ad-Aware now runs - still sick though - e.g. still slow to boot up, unable to connect to wireless network, cccommon file seems to be missing.
    Anyways, have followed your instructions correctly I hope and attach the files you wanted.
    Again thanks for all your help for getting me to this stage.
    Daragh
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi snacs!

    1) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files.

    2) Please tell me if you recognize the following zip file? If not, please copy and paste it into the list just beneath "Files to delete" in the Avenger instructions below:
    C:\Program Files\wpayback.zip

    3) Please open the following folders and tell me what is in them. If they are empty, you can delete them in Windows Explorer.

    C:\WINDOWS\kdx
    C:\savwsa
    C:\scscc20


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab
    O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} (AFCStarter Control) - http://live.pdbox.co.kr:8057/AFCStarter.cab
    O16 - DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} (CPlayFirstSweetopiaControl Object) - http://www.shockwave.com/content/sweetopia/sis/Sweetopia.1.0.0.22.cab

    After you click fix, just close hijackthis.

    5) Now run Avenger
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
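    The HijackThis O16/O18 lines quoted above are the kind of entries a helper reads by hand. The following is an added example, not from the post or from HijackThis itself: a small parser for those two line types that flags an O18 protocol handler whose file is missing and an O16 ActiveX download from a host outside a caller-supplied allowlist. The sample log and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: three HijackThis lines in the format quoted in the post above.
SAMPLE_LOG = """\
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://www.shockwave.com/content/zenerchi/sis/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} (AFCStarter Control) - http://live.pdbox.co.kr:8057/AFCStarter.cab
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
"""

# O16 = ActiveX "Download Program Files" entries; O18 = extra protocol handlers.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
O18_RE = re.compile(
    r"^O18 - Protocol: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*?)(?: \((file missing)\))?$")


def parse_hjt(text):
    """Parse O16/O18 lines into dicts; other HijackThis line types are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m:
            entries.append({"type": "O16", "clsid": m.group(1),
                            "name": m.group(2), "url": m.group(3)})
            continue
        m = O18_RE.match(line)
        if m:
            entries.append({"type": "O18", "protocol": m.group(1),
                            "clsid": m.group(2), "handler": m.group(3),
                            "file_missing": m.group(4) is not None})
    return entries


def review(entries, trusted_hosts):
    """Return (clsid, reason) pairs for entries worth asking the user about."""
    findings = []
    for e in entries:
        if e["type"] == "O16":
            host = urlparse(e["url"]).hostname or ""
            if host not in trusted_hosts:  # allowlist is the caller's judgement
                findings.append((e["clsid"], f"ActiveX control downloaded from {host}"))
        elif e["type"] == "O18" and e["file_missing"]:
            findings.append((e["clsid"], f"protocol '{e['protocol']}' handler file is missing"))
    return findings


if __name__ == "__main__":
    for clsid, reason in review(parse_hjt(SAMPLE_LOG), {"www.shockwave.com"}):
        print(clsid, "-", reason)
```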


     
  5. snacs

    snacs Private E-2

    Hi Abri (the malware god)
    Have done as instructed - hopefully correctly. I've deleted whatever files/folders you told me to have a look at. I'll delete anything at this stage that I can subsequently download again if I need it.
    I've attached the Avenger file and MGlogs file as requested for you to make sense of.
    Regarding how the computer is running, I'm hesitant to use it but I've opened some programs to see (e.g. Excel, Word, IE, Outlook, and accounts package) and they seem to open up fine.
    I'm not able to connect to the internet (I'm using a desktop I have to write this) as it's unable to connect to any wireless network, even when I click "repair connection." No networks come up in a list, as if the wireless adapter is disabled, which brings me onto the fact that the only hotkey on my laptop that doesn't work is the one to enable/disable wireless connectivity!
    I don't know what's happened to Norton AV - but it doesn't load at start up when it used to.
    Also I've encountered some problems with a cccommon file missing or something when I've tried uninstalling/installing some programs during the course of this clean up.

    Again thanks for all your help and (as we say here) I owe you a pint!!
    Daragh
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi snacs!

    I regret that your original thread got lost, because the first post often contains the most valuable information and that unfortunately went under. I must ask you to tell me everything you remember from your original post. Did you have a connection to the internet at any point since you started posting here or is this the issue that brought you in here? If I told you to use your computer as little as possible, I can tell you now, that that particular infection is gone. You needn't worry about using your computer or rebooting.

    I need some information and there are a few things left to do, some though only after you get your internet connection back.

    Are the following two statements related to one another? CCcommon belongs to Norton.

    Regarding Norton, if you can install it from a cd, then I would recommend one of two ways of proceeding. The antivirus softwares sometimes have a repair feature on the cd. By putting in the cd, you can call up the repair feature. See if this is possible. Alternatively, you can run the Norton Removal Tool (SymNRT), being sure you have the activation key before you remove it, and then reinstall it. You should wait till you have your internet connection again to do this.

    It would also be a good idea to start a thread in the Networking Forum in parallel to this one, because you will be able to get more feedback there. For practical reasons, the malware forum is restricted so a lot of people who might be able to advise you about your connection problems can't post here.

    1) If you already did this step, ("Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off.") simply go to Windows Explorer and look under C:\ for all the sqm files that are still in there. You can delete those. They're not harmful. They just take up space and aren't needed.

    2) Don't do the following until your internet is back because you won't be able to download the newest Java.

    You got caught up in the middle of a version change with Java. Since you started your thread, the version changed from update 3 to update 4.

    When you get your internet connection back, please go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 3

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) What's in this? (Don't open any files.) C:\Documents and Settings\Owner\Application Data\U3 - I got wondering if it might be part of Ulead Photo?

    abri
     
  7. snacs

    snacs Private E-2

    Hi Abri
    This all started when my son downloaded some files. One was a program called torrent or utorrent. Shortly after, Norton messages started flashing up about emails and the computer was being attacked. He said he immediately hit the hot key that disables the wireless connection. He deleted this torrent program and some other files (some began with 64look). But it seems that every program he then tried to run became infected including the hotkey, Ad-Aware, AVG, Norton, etc.
    I also remember that AVG instead of "healing" files - it deleted them and I remember seeing hotkey and launch manager in the list of files cos the names stood out.
    That's about as much as I can remember now.
    I could always access the internet (I think) on my laptop by connecting it to the wireless modem by cable, but not by wireless.
    Regarding the comment about Norton and cccommon - I didn't know it belonged to Norton. It just came up a good few times when I was trying to install various AV programs and I thought it might be to do with a "windows installer"?? program or something. If that's the case I'll just uninstall Norton and have a root around for the original disk.
    If I can't find it would it be ok just to keep AVG, Spybot and Ad-Aware up to date?
    Regarding your instructions:

    1. I've already disabled that thing in Windows Live Messenger - I just uninstalled the program!
    2. Can't uninstall Java as it's telling me "another installation is in progress".
    Can I just install the current version and then try and uninstall Update 3?
    3. The folder U3 contains nothing but a file called cleanup.exe in a subfolder called temp. It's dated the night I was frantically trying to clean up this mess so it's probably just some downloaded file.

    Also I noticed a folder called Qoobox on the C: drive with files in a quarantine folder including hotkey - would this have anything to do with the hotkey not working?? Or what does this folder relate to?

    Again thanks for all your help to this stage and I will try the networking forums
    Daragh
     
  8. abri

    abri MajorGeek

    snacs,
    I would like to ask for more information and will get back to you about your questions.

    There is a problem with your Windows Installer. See next comment.

    This program may be related to why you're having trouble with the deinstallation and new installation of the Java programs. I may have to send you to the Software Forum to get help with this one. The error you're getting with Java has to do with the Windows Installer.

    Qoobox is the quarantine for Combofix. It's there for the purpose of being able to recover things.
    I see this reference to your hotkey:
    R1 Hotkey;Hotkey;C:\WINDOWS\system32\drivers\Hotkey.sys [2003-04-28 10:27]

    See if you can find out more about your hotkey before you remove everything. When you uninstall Norton, you need to use the Norton Removal Tool (SymNRT).

    AVG Antivirus is a good program. You need to have a two-way firewall and our recommendations for which protection tools to use and how to combine them can be found in the thread: How to Protect Yourself from Malware

    abri
     
