I've been infected. Please help me.

Discussion in 'Malware Help (A Specialist Will Reply)' started by JayMonteil, Dec 10, 2007.

  1. JayMonteil

    JayMonteil Private E-2

    Please help. My computer has recently been infected with some terrible virus/trojan...

    I keep getting IE pop-ups about a trojan called "TrojanSPM/LX" and one other thing called "SpyWorm.Win32". I am very scared, because it seems to keep telling me the threat level of this thing is high... additionally, something called "W32.Myzor.FK@yf"...

    God, I hate this... I already suffered from this sort of thing several years ago, now I have to go through it all over again. :cry

    Please help me. Anyone. I'd really appreciate any information regarding removal of this ASAP, before it can do any real harm. I am understandably very scared and frightened about what may happen if I let it stay... and I honestly don't know what to do or if all my spyware detecting programs and anti-virus protection will help me here...

    Hell, may even have to call the Geek Squad to save my computer in the end.

    But right now... if anyone can help me, please... do so! It'll mean so much to me. ._.;
     
    Last edited: Dec 10, 2007
  2. JayMonteil

    JayMonteil Private E-2

    Additionally I get info about another called Spyware.Cyberlog-X...

    Also, sometimes when I close a window it takes all of Windows with it and forces me to restart and reboot.

    Please help me, I'd really appreciate it.


    Also, running Norton AntiVirus, the name also goes by "Trojan.Vundo" under the object name "cbxusts.dll", if that'll help anyone... it told me it's unable to do anything about the file. Would it be wise to delete it manually?
     
    Last edited: Dec 10, 2007
  3. abri

    abri MajorGeek

    Hi Jay!
    Welcome to Major Geeks!

    Please go to READ & RUN ME FIRST and follow the instructions and links, paying close attention to those for your operating system. You may wish to start with Combofix, which you can find by going to the link for your operating system at the bottom of that page.

    If you do Combofix first, please then go back and follow the rest of the instructions at the above address. Then post the requested logs to us, so we can see how you are doing.

    abri
     
  4. JayMonteil

    JayMonteil Private E-2

    Ummm... o-okay... but it will be a bit tough... my poor compy.

    I'll put it up as soon as I get it, okay? ._. In another post... just so you'll know.
     
    Last edited: Dec 10, 2007
  5. JayMonteil

    JayMonteil Private E-2

    Re: Okay, here is the log...

    Will... this help?

    ComboFix 07-12-09.1 - Joe Monteil 2007-12-10 7:47:09.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.149 [GMT -6:00]
    Running from: C:\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\Joe Monteil\Application Data\SCURIT~1
    C:\Documents and Settings\Joe Monteil\Application Data\YMANTE~1
    C:\Documents and Settings\Joe Monteil\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\Joe Monteil\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\Joe Monteil\Favorites\Online Security Guide.lnk
    C:\Documents and Settings\Joe Monteil\My Documents\WNSXS~1
    C:\Program Files\asks~1
    C:\Program Files\Common Files\{301AB~1
    C:\Program Files\Common Files\{301AB~1\MyToolBar.dll
    C:\Program Files\Common Files\icroso~1.net
    C:\Program Files\fnts~1
    C:\Program Files\icroso~1.net
    C:\Program Files\Temporary
    C:\Program Files\WinAble
    C:\Program Files\WinAble\winable.exe
    C:\WINDOWS\mrofinu72.exe
    C:\WINDOWS\system32\_000005_.tmp.dll
    C:\WINDOWS\system32\jkklj.dll
    C:\WINDOWS\system32\jlkkj.ini
    C:\WINDOWS\system32\jlkkj.ini2
    C:\WINDOWS\system32\mbols~1
    C:\WINDOWS\system32\rlafroux.dll
    C:\WINDOWS\system32\tkvgslwc.dllbox
    C:\WINDOWS\system32\xuorfalr.ini
    C:\WINDOWS\system32\yyfkyoiw.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
    .

    2007-12-10 07:38 . 2007-12-10 07:37 1,596,353 --a------ C:\ComboFix.exe
    2007-12-10 06:53 . 2007-12-10 06:53 <DIR> d-------- C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Symantec
    2007-12-10 06:28 . 2007-12-10 06:36 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2007-12-10 06:28 . 2003-11-21 08:07 82,984 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-12-10 06:28 . 2003-11-21 08:07 82,136 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-12-10 06:27 . 2007-12-10 06:28 <DIR> d-------- C:\Program Files\Symantec
    2007-12-10 06:27 . 2007-12-10 06:35 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
    2007-12-10 06:27 . 2007-12-10 06:27 <DIR> d-------- C:\Documents and Settings\Joe Monteil\Application Data\Symantec
    2007-12-10 06:26 . 2007-12-10 06:34 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec
    2007-12-10 05:16 . 2007-12-10 05:16 74,304 --a------ C:\WINDOWS\system32\ufyqkymk.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-12-10 10:21 --------- d-----w C:\Program Files\mIRC
    2007-11-29 05:48 --------- d-----w C:\Documents and Settings\Joe Monteil\Application Data\IMVU
    2007-09-30 04:28 86,528 ----a-w C:\WINDOWS\bnetunin.exe
    2007-09-30 04:28 61,440 ----a-w C:\WINDOWS\diabunin.exe
    2007-03-11 03:11 8,192 -c--a-w C:\Documents and Settings\Joe Monteil\memcard.bin
    2000-06-29 01:58 271 -csh--w C:\Program Files\desktop.ini
    2000-06-29 01:58 23,357 -c-ha-w C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58807E9C-FB31-4505-B2A6-408A9A83D972}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
    "AIM"="C:\PROGRA~1\AIM95\aim.exe" [1999-09-02 04:10]
    "AWMON"="C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe" [2005-05-25 12:12]
    "AOL Fast Start"="C:\Program Files\America Online 9.0\AOL.exe" [2005-07-12 06:17]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2003-06-10 18:12 C:\WINDOWS\SOUNDMAN.EXE]
    "RegistryMechanic"="" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
    "LXBRKsk"="C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 08:57]
    "Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 20:33]
    "HostManager"="C:\Program Files\Common Files\AOL\1163628309\ee\AOLSoftware.exe" [2006-09-25 18:52]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 20:26]
    "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 06:50]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxusts]
    cbxusts.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tkvgslwc]
    tkvgslwc.dll

    R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
    R3 WmFilter;Logitech Gaming HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
    R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
    S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-12-10 12:44:07 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Joe Monteil.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exep/task:
    "2007-12-10 14:00:27 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-10 08:01:18
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-12-10 8:02:46 - machine was rebooted
    .
    --- E O F ---
     
  6. abri

    abri MajorGeek

    Jay!
    okay, that looks better.
    Please continue now with the instructions in the READ & RUN ME, starting at the beginning and keep going until you can post the logs from the MGTools to us. Don't rerun Combofix.

    abri
     
  7. JayMonteil

    JayMonteil Private E-2

    It terminated the application for some reason during the scan because it said "it failed the initialize properly", so this is all I got. The error message was as it said, and there was nothing like that in the guide for it... so it must be a new problem? Or maybe I'm just stupid. ._.

    Sorry about the note thing, I didn't know about it till now.

    Will this do? If there's something wrong, please help...
     

    Attached Files:

    Last edited: Dec 10, 2007
  8. abri

    abri MajorGeek

    Hi Jay,
    While I'm working on your other logs, please go to the MGTools folder in your root drive (usually C:\ ) and look for the file analyse.exe

    Double-click on it and have Do a System Scan and Save a Log File. Then attach the log here. The log will have the name hijackthis.log and I'm not sure where it will end up, but maybe in that same folder. You may have to do a search for it.

    Thanks.
    abri
     
  9. JayMonteil

    JayMonteil Private E-2

    O-okay.

    Is this it?
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi Jay,
    We will probably have to do some things several times.

    1)You need to uninstall the below:

    - Viewpoint Media Player
    - J2SE Runtime Environment 5.0 Update 9


    2) Now Reboot

    3) Once your computer has booted back up, install the current version of Sun Java from: Sun Java Runtime Environment You still have not done this.

    4) Run HijackThis and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {58807E9C-FB31-4505-B2A6-408A9A83D972} - (no file)
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O20 - Winlogon Notify: cbxusts - cbxusts.dll (file missing)
    O20 - Winlogon Notify: tkvgslwc - tkvgslwc.dll (file missing)

    After clicking Fix, exit HJT.


    5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Disconnect your computer from the internet (physically) and disable your antivirus before continuing. (Also, be sure Teatimer is not running if you have Spybot installed. If it is, please disable it. If you need instructions, tell me or refer to the READ & RUN ME)
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please run CCleaner

    Now re-enable your antivirus program and reconnect your computer to the internet.

    8) Please post a fresh MGlogs.zip and let me know how things are running now?

    abri
     
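The HijackThis lines abri lists above share two tell-tale properties: the entry survives in the registry while the file it points at is gone ("(no file)", "(file missing)"), and the Winlogon Notify DLL names are random-looking strings of the kind Vundo generates. The following script is an added example, not part of this thread or of HijackThis; it parses the O2/O4/O20 line formats exactly as they appear on this page and flags entries on those two signals. The sample log is constructed from the lines in the post plus two benign entries, and the vowel-ratio heuristic in looks_random is an assumption for illustration (it will also flag some short legitimate names, so it is a reason to look closer, not a verdict).

```python
"""Flag suspicious HijackThis-style autostart lines.

Added example: not part of the MajorGeeks thread or of the HijackThis tool.
The line patterns and the random-name heuristic are assumptions for
illustration, tuned to the O2/O4/O20 line formats visible in the thread.
"""
import re

# Constructed sample: the lines abri asked to have fixed, plus two benign ones.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {58807E9C-FB31-4505-B2A6-408A9A83D972} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: cbxusts - cbxusts.dll (file missing)
O20 - Winlogon Notify: tkvgslwc - tkvgslwc.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<rest>.*)$")

VOWELS = set("aeiouy")


def looks_random(filename):
    """Heuristic (assumption): 7-9 lowercase letters with under 30% vowels,
    like 'cbxusts' or 'tkvgslwc'. Short legitimate names can trip it too."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not (7 <= len(stem) <= 9) or not stem.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return vowel_ratio < 0.3


def classify(line):
    """Return {'kind', 'id', 'reasons'} for a recognised line, else None."""
    line = line.rstrip()
    m = O2_RE.match(line)
    if m:
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("unnamed BHO")
        if "(no file)" in m["path"]:
            reasons.append("no file")
        return {"kind": "O2", "id": m["clsid"], "reasons": reasons}
    m = O4_RE.match(line)
    if m:
        exe = re.search(r"([\w~.-]+\.exe)", m["cmd"], re.I)
        reasons = []
        if exe and looks_random(exe.group(1)):
            reasons.append("random-looking name")
        return {"kind": "O4", "id": m["name"], "reasons": reasons}
    m = O20_RE.match(line)
    if m:
        reasons = []
        if "(file missing)" in m["rest"]:
            reasons.append("file missing")
        if looks_random(m["dll"]):
            reasons.append("random-looking name")
        return {"kind": "O20", "id": m["dll"], "reasons": reasons}
    return None


def suspicious_entries(log_text):
    """Entries that carry at least one reason; benign lines are dropped."""
    out = []
    for line in log_text.splitlines():
        entry = classify(line)
        if entry and entry["reasons"]:
            out.append(entry)
    return out


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HJT_LOG):
        print(f"{entry['kind']:<4} {entry['id']:<40} {', '.join(entry['reasons'])}")
```

Running it prints the two orphaned BHO CLSIDs and the two Winlogon Notify DLLs, each with its reasons; the QuickTime and ctfmon.exe entries are not reported because they carry no malware indicator (abri's QuickTime line is a startup nuisance, not an infection marker). To use it on a real log, read the hijackthis.log that analyse.exe writes and pass its text to suspicious_entries.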
  11. JayMonteil

    JayMonteil Private E-2

    Before I proceed with this, I just want to make sure about what you mean because I tend to have trouble differentiating between meanings half the time... ^^;

    By browsers, how far do you mean? Let's say all I've got open is Firefox... that kind of browser, right? Just every window I've got with Firefox that is open?
     
  12. abri

    abri MajorGeek

    Yes. If you're running Firefox, close all the tabs. If you're running Internet Explorer, close it. If you're running both at the same time, close them all. Those are the browsers.

    :)
     
  13. JayMonteil

    JayMonteil Private E-2

    Ummm, I may as well ask this too since you offered... where might I find Teatimer in Spybot and how might I disable it?

    Also, I forgot to close all the browsers before I clicked fix... have I screwed up big time? :(
     
  14. abri

    abri MajorGeek

    It takes some effort to screw up big time.

    To disable teatimer, which you need to do before you fix all the different things, you can do it two different ways, depending on what version you have. If you just installed it, you should have a Spybot icon in the lower righthand corner of your desktop. I think it's blue and white. Right click on the icon and look for the place in the menu where it allows you to disable Teatimer.

    Or, you can double click on the Spybot icon on the desktop to open the program. Then go to Mode at the top of the page and click Advanced. This will allow you to see the Tools button on the left hand side of the window towards the bottom. Click on Tools. There will be a Resident red and white shield on the left hand side of Spybot. Click on that and a window will open up. In the middle of that window, you'll see two places to check. Make sure that Teatimer is unchecked. Then I think you have to either say ok or you just have to close the program.

    After you disable Teatimer, please do all the fixes. Then rerun the MGTools.exe file and attach the MGlogs.zip with your next post.

    abri
     
  15. JayMonteil

    JayMonteil Private E-2

    Ah. I'm very incompetent... truth is, I hadn't downloaded CCleaner yet........ and I ALREADY did all the steps leading up to it. I also forgot to disable the antivirus...

    I'm so stupid. -_-

    I kind of feel this is supposed to be a flawless process and I'm not doing a very good job at following instructions to the letter.

    Once again, it does the failure initialize thing, but I got the log zip. I hope this helps, because I feel like I keep screwing up everything. ._. It's not making me feel very confident.
     

    Attached Files:

    Last edited: Dec 10, 2007
  16. abri

    abri MajorGeek

    Hi Jay,

    Don't worry. We tend to give fairly lengthy instructions so people can get as much done as possible without needing to keep reporting in. It's just as much for them as for us. It's also possible for us to do some of the steps separately so they're not so complicated. A few steps need to be done together.

    Your installation of the Java worked. However, Viewpoint Media Player is still there. Please go to add/remove programs and see if you can find it and if it's possible to uninstall it. If so, go ahead and uninstall it. Let me know if that gives you any trouble.

    Then I would like for you to go to Windows Explorer and look for this Folder:
    C:\Windows\E and tell me what's in it. Don't click on anything in it, if it's not stuff you recognize.

    When you ran Avenger, it produced a log called Avenger.txt which I would like to look at. It should be directly under C:\avenger.txt

    It's important to run CCleaner after you run Avenger, so that anything which tries to hide in the temporary files will be gotten rid of. However, your temp files look like they've already been emptied, because the only files in there are from today's date. Is it possible you ran CCleaner earlier when you first did the READ & RUN ME instructions? If so, then CCleaner will already be installed somewhere in your computer (the red C icon should be on your desktop) and you just need to double click on it to open it and run it. When you open it, it will be in the default setting with the Windows tab open. When you click on the button called Run Cleaner in the lower righthand corner, it will give you a warning that it is going to permanently delete files. Just confirm and after it finishes, close CCleaner again.

    abri
     
  17. JayMonteil

    JayMonteil Private E-2

    Well... there was no Windows folder titled "E"... none that I could see. There is, however, a misc. file named "E"... is that what you're talking about?

    Also, Viewpoint must have reinstalled itself, because I swear I removed it beforehand... hm.

    Here is that Avenger log, too... I didn't have CCleaner until after I downloaded it some time ago, and it wasn't when I first read the instructions.
     

    Attached Files:

  18. abri

    abri MajorGeek

    If it's a file, it'll have a file ending like .doc or .exe or .txt. Otherwise it should be a folder. You can right-click on it and then click on Properties and see if there is any information in there about what it is, what the dates are, if it's something recent or old. If it's a folder, you can open it and look to see if there's anything in it.

    Try uninstalling it again. It may not have uninstalled correctly.

    abri
     
  19. abri

    abri MajorGeek

    Jay,
    One last note for today. The legacy monitor in the REGEDIT4 registry patch seems to still be there. We have to tackle that tomorrow. Some things are fixed. A few are not. I need to sleep.
    abri
     
  20. JayMonteil

    JayMonteil Private E-2

    I checked the properties, and all it says is that it's a file. It has no .doc/.exe/etc. to it. It's just "E".

    Are you absolutely certain this is supposed to be a folder? I'm not sure I should be messing with it if it isn't...

    Not sure if this helps, but it's been there since... June 11th and modified on Friday, December 07, 2007, 8:37:42 PM.

    Ah... ._.; I hope this problem isn't going to get worse before then...... respond back when ready, then.
     
  21. abri

    abri MajorGeek

    If it's a file, you can upload it to a website that will scan it with many different antivirus machines and report back. You do it like this:
    Please scan the file at either jotti or VirusTotal. When you get to either of these websites, you will see a small window with a Browse button next to it. Browse in your computer to the location of the file and click on it. Then hit the submit or scan button to allow these websites to look at that one file. If there's a waiting line at one of these websites, you may wish to switch to the other. The scan itself takes a few minutes and will produce results you can post back to us.

    Do this first and in my next post I will then give you the instructions for how to proceed with the Legacy Network Monitor keys.

    abri
     
  22. JayMonteil

    JayMonteil Private E-2

    Okay. Here are the results I got from Jotti on "E"... I dunno how to work this thing, so I'm sorry if this doesn't go well...

    File: E
    Status:
    OK
    MD5: c48e7e993cbe555902a826401479f233
    Packers detected:
    -
    Bit9 reports: File not found
    Scanner results
    Scan taken on 11 Dec 2007 09:17:38 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing

    What about the statistics? Should I post info on those too?

    Also, earlier, a friend directed me to Trend Micro HouseCall and it found a couple malware and greyware/spyware devices, and I think it removed them. I thought I'd bring that up...
     
  23. abri

    abri MajorGeek

    Hi Jay,
    Under post number 10, step 6, I gave you instructions for downloading and running Avenger. Please follow these instructions again, (starting with run Avenger, since you already have installed it) only where it says copy everything in the quote box below, use the contents of this box rather than that one:


    After you've run this, please run CCleaner again. Then attach the avenger.txt log to me so I can see if this worked.

    abri
     
  24. JayMonteil

    JayMonteil Private E-2

    Well alrighty. It didn't pop up, but I assume it changed... so here's hoping.

    Let me know if anything's up.
     

    Attached Files:

  25. abri

    abri MajorGeek

    okay! That got one of them. Now I need to see new MGtools.exe logs. To do this, go to C:\MGTools.exe and double click on it to run it. It will produce MGlogs.zip which will be located in your MGTools folder under C. Please attach that.

    abri
     
  26. JayMonteil

    JayMonteil Private E-2

    Alright. There we go...
     

    Attached Files:

  27. abri

    abri MajorGeek

    Hi Jay,
    There's a file that comes back which I can't identify. I would like to ask you to do the same thing with this file, sending it off to either Jotti or Virus Total as you did in post number 21. It's this file:

    C:\WINDOWS\system32\drivers\fbcnkjcn.sys

    Post your results back here. If you can't see the file, tell me that.

    Thanks.
    abri
     
  28. JayMonteil

    JayMonteil Private E-2

    I found it just fine and checked it out with Jotti. Much like the E results, every scanner turned up having found nothing unusual about it.


    File: fbcnkjcn.sys
    Status:
    OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 4ad5d5229f85f42e873fda98190b2f19
    Packers detected:
    -
    Bit9 reports: File not found
    Scanner results
    Scan taken on 11 Dec 2007 14:06:35 (GMT)

    A-Squared - Found nothing
    AntiVir - Found nothing
    ArcaVir - Found nothing
    Avast - Found nothing
    AVG Antivirus - Found nothing
    BitDefender - Found nothing
    ClamAV - Found nothing
    CPsecure - Found nothing
    Dr.Web - Found nothing
    F-Prot Antivirus -Found nothing
    F-Secure Anti-Virus - Found nothing
    Fortinet - Found nothing
    Ikarus - Found nothing
    Kaspersky Anti-Virus - Found nothing
    NOD32 - Found nothing
    Norman Virus Control - Found nothing
    Panda Antivirus - Found nothing
    Rising Antivirus - Found nothing
    Sophos Antivirus - Found nothing
    VirusBuster - Found nothing
    VBA32 - Found nothing
     
  29. abri

    abri MajorGeek

    Hi Jay,
    I would like for you to run a scan that will look for a rootkit virus. Please run the following and post the results to me.

    Running GMER to detect rootkits

    Thanks.
    abri
     
  30. JayMonteil

    JayMonteil Private E-2

    Alright. Here we go. I hope this will help get us closer to the problem so we can nip it in the bud.
     

    Attached Files:

  31. abri

    abri MajorGeek

    Hi Jay,
    Were you able to uninstall Viewpoint Media Player? Although it's a source of malware, it's not usually a problem to uninstall it.

    Your Legacy entries are gone, which is good.

    It's possible the driver that showed up could be in association with your antivirus program, but I'm not familiar with Norton doing that, that's why I'd like to make sure there isn't a rootkit in your system. Please continue as follows:

    The Gmer scan came up clean. There are several additional rootkit scans at Alternate Scans

    If you scroll about halfway down that page, you will see a set of rootkit scans. Please run several of them including the one by Sophos. Do one or two others as well. Then attach the logs to your next post. If they are clean as well, then I'll just have you delete that one file.

    Thanks.
    abri
     
  32. JayMonteil

    JayMonteil Private E-2

    Viewpoint Media Player won't go away no matter how many times I remove it. It keeps coming back some time later, folder and all, and it's been on my computer for months without me knowing it was a bad program. I'd appreciate any help regarding the removal of this program, if that is alright. :(

    Also, I don't think Windows XP has a safe mode. None to my knowledge, anyway, unless there's a way I don't know of.

    I decided to run all of the rootkit detectors, and most of them had found no rootkits whatsoever. Wasn't too sure how to work SysProt, but I'll include its log too.
     

    Attached Files:

  33. JayMonteil

    JayMonteil Private E-2

    Not intending to bump this, just wanted to mention that I couldn't find its log. >_>; Or at least, I don't know how to.
     
  34. abri

    abri MajorGeek

    Hi Jay,

    Try downloading and running this:

    Viewpoint Killer

    Next, go to post number 10 of this thread and run Avenger again only this time use the contents of this box:
    After you run Avenger, please continue with ATF Cleaner in the same post (#10).

    Post the Avenger log here and a fresh set of MGlogs.zip

    Thanks.
    abri
     
  35. JayMonteil

    JayMonteil Private E-2

    ......A....TF... Cleaner?

    I never saw that one... o_o I'm not familiar with it... where is that?

    Sorry if I sound stupid, but this is the first time I have heard of that one, so I'm kind of confused here.
     
  36. abri

    abri MajorGeek

    Sorry, on auto pilot.
    CCleaner is fine. Run that one as you have before.
    :)
    abri
     
  37. JayMonteil

    JayMonteil Private E-2

    Alright, I think that's it. Here's the logs.
     

    Attached Files:

  38. abri

    abri MajorGeek

    Hi Jay!

    Try this.
    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.
    Quote:
    Quote:
    How are things working now?
     
  39. JayMonteil

    JayMonteil Private E-2

    Ah. Alright... I'll try to get started on it later on and I'll post the results later.
     
  40. JayMonteil

    JayMonteil Private E-2

    Okay... here's the first part like the instructions told me. >.> Wasn't sure how to go about putting them up, so I'll just attach both rapports in separate posts...
     

    Attached Files:

  41. JayMonteil

    JayMonteil Private E-2

    And the second part. I hope I did these right! >.>;

    I think all the malware may have been eliminated now.
     

    Attached Files:

  42. abri

    abri MajorGeek

    Hi Jay,
    Almost. There are just a few things left that shouldn't be there. It will be helpful to get them all out to prevent your computer from being reinfected.


    1) Run HijackThis (now called analyse.exe and located in the MGTools folder under C:\ ) and select Do a system scan only. Select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

    After you fix the above, just close the program.

    2) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    3) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    4) Please post a fresh MGlogs.zip.

    Let me know how things are running now? If everything is finished, I will then post you your final instructions to remove all the tools and logs we've been using. Thanks for your patience.

    abri
     
  43. JayMonteil

    JayMonteil Private E-2

    Unngh. Well, okay. I hope this is it. ._.

    But for some reason, I can no longer attach files to my post... the attach files button seems to be missing. is there some problem going on?
     
    Last edited: Dec 15, 2007
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Empty your browser cache and then click refresh a couple of times. Then retry.

    If that does not help, try another browser if you have more than one installed.
     
  45. JayMonteil

    JayMonteil Private E-2

    Ah, okay.

    Well, here's the ZIP thing, then.
     

    Attached Files:

  46. abri

    abri MajorGeek

    Hi Jay,
    Your computer is getting better, but it's still coming up with new files and I'm worried it'll just become reinfected again if we stop without finishing. I'm not sure yet what's generating them. Please do the following:

    Follow the instructions as you did in Post #42, only use the following entries instead:

    1) For HijackThis (analyse.exe in MGTools):

    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


    2) For Avenger use the contents of this box:
    3) Follow this using ATF Cleaner again.

    4) You may know what this file is, C:\WINDOWS\DC.ini but if not, please scan it at either
    jotti or VirusTotal and let me know the results. It may be related to a gaming company out of Indonesia. If that rings any bells, you may be able to place it.

    5) And now please post a fresh MGlogs.zip with the Avenger log one more time.

    Sorry this is so lengthy. I'm having a second person look at your rootkit scans.

    abri
     
  47. JayMonteil

    JayMonteil Private E-2

    No offense... if this is going to keep repeating itself, then we'll be here forever. ^^;

    The scans found nothing unusual about the DC file, like all the others.

    File: DC.ini
    Status:
    INCONCLUSIVE (scan still in progress)
    MD5: af7af70e5fb3b5fd8f306c8304472f87
    Packers detected:
    Analyzing...
    Bit9 reports: File not found
    Scanner results
    Scan taken on 15 Dec 2007 23:39:55 (GMT)
    A-Squared - Found nothing
    AntiVir - Found nothing
    ArcaVir - Found nothing
    Avast - Found nothing
    AVG Antivirus - Found nothing
    BitDefender - Found nothing
    ClamAV - Found nothing
    CPsecure - Found nothing
    Dr.Web - Found nothing
    F-Prot Antivirus - Found nothing
    F-Secure Anti-Virus - Found nothing
    Fortinet - Found nothing
    Ikarus - Found nothing
    Kaspersky Anti-Virus - Found nothing
    NOD32 - Found nothing
    Norman Virus Control - Found nothing
    Panda Antivirus - Found nothing
    Rising Antivirus - Found nothing
    Sophos Antivirus - Found nothing
    VirusBuster - Found nothing
    VBA32 - Found nothing
     

    Attached Files:

  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach all of the requested logs. Abri needs the Avenger log to see if it is working properly.

    Malware removal can be a repetitive process due to the nature of malware trying to block you from removing it. You have an alternative if you don't like the repetition. You can repartition, format, and reinstall.
     
  49. JayMonteil

    JayMonteil Private E-2

    I missed that avenger log part at the time. It skipped my mind.

    And I'm just saying, this seems like it's going to be a continuing cycle, that's all... I'm not trying to cause trouble, no need to get mad. ^^;
     
  50. abri

    abri MajorGeek

    Hi JayMonteil,
    I've been hemming and hawing about the driver that keeps coming back. Since I don't know what's generating it, I don't know if the source is a legitimate program or malware. You've done a lot of scans and they've been clean. I think you should set a new restore point now and run CCleaner at the default setting everyday. I would like for you to leave the MGTools on your computer for about a week, and if you see anything questionable, post back a set of logs and let me see if the drivers are staying where they are or building up. The one you have today looks like this:

    C:\WINDOWS\system32\drivers\kcgocdwm.sys

    It's not unheard of for legitimate software to put a randomly generated file onto the computer, only you came in here with malware symptoms and whether they are related to the appearance of this driver or not, I can't say. It's quite possible the malware symptoms were related to the other things we resolved.

    In any case, I would like for you to observe your computer for a bit and see if anything further develops. I'll post the final instructions here for you and recommend that you scroll down to the instructions for setting a clean restore point at this time. If your computer seems to be working fine for a week, then go ahead and follow the rest of the instructions to remove all the tools in a few days.

    abri
     
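abri's closing advice is to watch the drivers folder for a week and see whether the randomly named .sys file stays put, multiplies, or reappears under a new name. The script below is an added example, not part of this thread or of MGTools: it turns that advice into a repeatable check by hashing every .sys file in a directory into a snapshot, diffing two snapshots, and reporting files that are new, gone, changed, or the same bytes reappearing under a different name (the pattern of fbcnkjcn.sys giving way to kcgocdwm.sys). The MD5 and SHA-256 it records are what you would paste into or compare against a Jotti or VirusTotal result. The two snapshots at the bottom are constructed from made-up byte strings, not the real drivers from this machine, and the directory path is an assumption taken from the thread.

```python
"""Snapshot and diff the drivers directory to spot a returning random-named driver.

Added example: not from the MajorGeeks thread or its tools. The sample
snapshots use constructed bytes, not the real files from the thread.
"""
import hashlib
import json
import os

# Assumption from the thread: the directory where the random-named .sys files appeared.
DRIVERS_DIR = r"C:\WINDOWS\system32\drivers"


def digests(data):
    """MD5 (what Jotti reported in the thread) and SHA-256 for a blob of bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_digests(path):
    with open(path, "rb") as fh:
        return digests(fh.read())


def take_snapshot(directory=DRIVERS_DIR):
    """Map every .sys file in the directory to its digests. Run this once
    now and again after a reboot or a few days later, then diff the two."""
    snap = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if name.lower().endswith(".sys") and os.path.isfile(path):
            snap[name] = file_digests(path)
    return snap


def save_snapshot(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_snapshot(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_snapshots(before, after):
    """Added, removed and changed files, plus 'renamed': a new filename whose
    SHA-256 matches a file that existed in the earlier snapshot."""
    added = {n: d for n, d in after.items() if n not in before}
    removed = sorted(n for n in before if n not in after)
    changed = {n: d for n, d in after.items() if n in before and before[n] != d}
    before_by_hash = {d["sha256"]: n for n, d in before.items()}
    renamed = {
        n: before_by_hash[d["sha256"]]
        for n, d in added.items()
        if d["sha256"] in before_by_hash
    }
    return {"added": added, "removed": removed, "changed": changed, "renamed": renamed}


# Constructed snapshots: the same made-up payload under the two names from the thread.
_PAYLOAD = b"constructed driver bytes, not the real file"
_SYMEVENT = b"constructed stand-in for a legitimate driver"
DAY1 = {"fbcnkjcn.sys": digests(_PAYLOAD), "SYMEVENT.SYS": digests(_SYMEVENT)}
DAY2 = {"kcgocdwm.sys": digests(_PAYLOAD), "SYMEVENT.SYS": digests(_SYMEVENT)}


if __name__ == "__main__":
    report = diff_snapshots(DAY1, DAY2)
    for name, digest in report["added"].items():
        origin = report["renamed"].get(name)
        note = f" (same bytes as {origin} in the earlier snapshot)" if origin else ""
        print(f"new: {name} md5={digest['md5']} sha256={digest['sha256']}{note}")
    for name in report["removed"]:
        print(f"gone: {name}")
```

On the constructed data the report shows kcgocdwm.sys as new and fbcnkjcn.sys as gone, and the renamed entry ties the two together by hash, which is the distinction abri wants: a legitimate product that regenerates a driver will usually produce the same or predictably versioned bytes, whereas a file that keeps coming back under fresh random names with identical content is worth submitting to VirusTotal or Jotti with both hashes. On the real machine, call take_snapshot() twice and feed the results to diff_snapshots; save_snapshot and load_snapshot keep the earlier snapshot between reboots.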
