Infostealer/Infostealer.Gampass Problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by breze, May 31, 2008.

  1. breze

    breze Private E-2

    Hello,

    The day before yesterday, both my computer and laptop became infected with infostealer and infostealer.gampass. I'm not sure how I got the two pieces of malware, except I had left multiple browser windows open on both (one downloading from clubbox and the other running a full Spydoctor scan) while I went to do other things. Symantec keeps popping up and telling me it's successfully deleted an infected file, but the fact it keeps popping up tells me something's gone awry.

    I've cleaned the pc according to the READ AND RUN ME guide last night, but this morning I woke up and found another file 'successfully deleted' in the system volume information folder.

    I'll attach the scan logs for my pc. I'll try and get around to cleaning my laptop tonight.

    Thanks so much in advance!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    There is a good possibility that you do not have this infection. We have had multiple cases of Symantec detecting this and all have been false positives. You probably even posted here after doing a search and getting a hit for Major Geeks. None of the detections thus far by Symantec even match their own description on their website. And the other part of the question is, if they are detecting it, why aren't they fixing it? Is it being found in a System Restore folder? Please attach a log from Symantec that shows EXACTLY what Symantec is finding and where it is finding it.

    Their website shows the below info:

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-111201-3853-99&tabid=2

    Note your PC is not in normal startup mode as requested in step 1 of the READ & RUN ME. You have something modified with boot.ini.

    Your Malwarebytes log shows that you did not fix what it found. Did you fix these but save the log before fixing?
     
  3. breze

    breze Private E-2

    Firstly, thank you for your reply. I'm glad you can help. :)

    I haven't finished cleaning my laptop yet, but I'm in the process of recleaning the computer. I really do hope I don't have the malware, but as you can see from the log I'm attaching, the continual Symantec popup is getting to be an aggravating presence (btw, sorry the log is so short and recent. I tried using clubbox yesterday and Symantec went haywire, registering over 1000 infostealer infections it could not delete. Yet when I forcibly shut down and restarted the computer, all the logs Symantec had on threats, scans and events were gone. Out of morbid curiosity, I tried to use clubbox again downloading the same file... it worked seamlessly without a hint of interruption). My laptop's twice as bad. :(

    Just wondering, should I run combofix as well? It's just that I have to turn off Symantec's auto-protect as well, and if the malware really is popping up every 2 minutes, wouldn't that mean I'm allowing it instant access?

    Thank you so much for helping out.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach anything?

    What is Clubbox?

    No! You already ran it and it did not find any problems. You may not have any. However, one file I saw in the ComboFix log is questionable. Do you know what the below recent addition is:
    Code:
    2008-05-31 19:21  2008-05-31 19:21 27,980 --a---- C:\WINDOWS\system32\gpr17.exe 
    Is this a Chinese based Windows install or do you access Chinese type websites? Is this what Clubbox is related to?
     
  5. breze

    breze Private E-2

    Sorry. I'd forgotten that .csv are invalid attachment files. Symantec went berserk again just now, so the log is a lot longer than it was yesterday.

    Clubbox is a Korean file transfer manager program used for transferring files on clubbox websites. The owner/administrator of a particular clubbox may upload files onto their clubbox using the clubbox program and those who wish to download it can only do so by using the program as well (I think the program is also called the FSCAgent, which clubbox's sister site GoGobox uses as well).

    I don't understand Korean, but I remember following this tutorial: http://www.geocities.com/guwakzai_sg/Clubbox-tutorial.html years ago. I've always thought it's 'safer' than other p2p programs, but...

    I'm using English windows, and any Chinese-related programs I use are in English. I do go on Chinese websites, but I rarely download anything from them.

    Is this a Symantec error? Because I was simply running a Spydoctor scan on my laptop, and it was infected at the same (or near the same) time as my computer.
     

    Attached Files:

  6. breze

    breze Private E-2

    Turns out I did clean my laptop a few days ago. Here are the CF and MGlogs from 1 June, and the most recent Malwarebytes log.

    Once again, thank you so much for looking through these,
     

    Attached Files:

  7. breze

    breze Private E-2

    Here's the Symantec log.

    ...would it help to tell you that the busier the system is (that is, when I open multiple programs or a file that takes a while to load, such as a pdf), the higher the number of Symantec notifications?
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We can only work on ONE PC in a thread. Please do not post anything else for additional PCs in this thread. It causes too much confusion. In fact, I'm not sure which PC my fix below even applies to now. I believe it may be your laptop if that is what you attached logs for in messages # 6 & 7.

    Symantec thinks that the below are related to your infection. These are lines from your HijackThis log.

    O21 - SSODL: midimaptl - {4F4F0064-71E0-4f0d-0017-708476C7815F} - C:\WINDOWS\system32\midimaptl.dll
    O21 - SSODL: midimapcqsj - {4F4F0064-71E0-4f0d-0024-708476C7815F} - C:\WINDOWS\system32\midimapcqsj.dll
    O21 - SSODL: midimapcq - {4F4F0064-71E0-4f0d-0023-708476C7815F} - C:\WINDOWS\system32\midimapcq.dll
    O21 - SSODL: midimapwm - {4F4F0064-71E0-4f0d-0002-708476C7815F} - C:\WINDOWS\system32\midimapwm.dll
    O21 - SSODL: midimapzx - {4F4F0064-71E0-4f0d-0005-708476C7815F} - C:\WINDOWS\system32\midimapzx.dll
    O21 - SSODL: midimapmy - {4F4F0064-71E0-4f0d-0015-708476C7815F} - C:\WINDOWS\system32\midimapmy.dll

    All of those files are supposedly Microsoft files but we never see them on English based PCs. I think that it is quite possible that everything being detected is related to these and the Clubbox software you installed. If you really want to see if we can get rid of these problems I suggest that you begin by uninstalling Clubbox and deleting anything related to it. Then continue with the below.

    Uninstall the below software:
    IBM 32-bit SDK for Java 2, v1.4.1
    IBM 32-bit SDK for Java 2, v1.4.1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: ozfydbyt.dll - {4A069845-2036-6084-9054-6087502480A4} - C:\WINDOWS\system32\ozfydbyt.dll (file missing)
    O2 - BHO: zxmscwin.dll - {6A041F13-A111-12A3-B0CF-F99818AA68A6} - C:\WINDOWS\system32\zxmscwin.dll (file missing)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O21 - SSODL: midimaptl - {4F4F0064-71E0-4f0d-0017-708476C7815F} - C:\WINDOWS\system32\midimaptl.dll
    O21 - SSODL: midimapcqsj - {4F4F0064-71E0-4f0d-0024-708476C7815F} - C:\WINDOWS\system32\midimapcqsj.dll
    O21 - SSODL: midimapcq - {4F4F0064-71E0-4f0d-0023-708476C7815F} - C:\WINDOWS\system32\midimapcq.dll
    O21 - SSODL: midimapwm - {4F4F0064-71E0-4f0d-0002-708476C7815F} - C:\WINDOWS\system32\midimapwm.dll
    O21 - SSODL: midimapzx - {4F4F0064-71E0-4f0d-0005-708476C7815F} - C:\WINDOWS\system32\midimapzx.dll
    O21 - SSODL: midimapmy - {4F4F0064-71E0-4f0d-0015-708476C7815F} - C:\WINDOWS\system32\midimapmy.dll

    After clicking Fix, exit HJT.




    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!


    Then download and run the current version of MGtools.exe!


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. breze

    breze Private E-2

    Hooray!! I think it worked!

    Yes, this is my laptop. I couldn't delete clubbox at first (there's no uninstall program and windows wouldn't let me delete the .exe file), but I had a look at your ComboFix commands, and they included all the files I needed to delete anyway.

    I also couldn't find the first two HJT lines (see log attached), but I found two more that resembled the files Symantec couldn't delete a few days ago:

    O21 - SSODL: midimapqn3 - {4F4F0064-71E0-4f0d-0022-708476C7815F} - C:\WINDOWS\system32\midimapqn3.dll (file missing)
    O21 - SSODL: midimapwl - {4F4F0064-71E0-4f0d-0004-708476C7815F} - C:\WINDOWS\system32\midimapwl.dll (file missing)

    I deleted these, too. Sorry if it was the wrong thing to do. The registry key was successful, though.

    Thanks so much for all your help! I'm really, really relieved and ecstatic! Now, do I follow the exact same instructions for my computer (logs on post 1 and 6), or should I ask again in a new thread?
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We are not finished with your laptop yet.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe,gpr4.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O16 - DPF: {F6E361B4-40F3-4C90-8A95-D95E0D8CBCD4} (MultiUpload Control) - http://www.clubbox.co.kr/neo.fld/MultiUpload.cab
    O20 - AppInit_DLLs: woooooo.dll wendao.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  11. breze

    breze Private E-2

    I'm not sure what happened, but soon after I ran Avenger and it began the rebooting procedure, a blue error screen popped up for about a second (something about system error?) before the laptop restarted itself. Once it restarted, the popups were back. I finished running Ccleaner and MGtools as you prescribed, but the Symantec popups are just like they were before I ran Avenger.

    I've attached the Symantec log again. Please help. :cry
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that's because for some reason the fix did not work.

    The below lines did not get fixed in HijackThis:
    F2 - REG:system.ini: Shell=explorer.exe,gpr2.exe
    O20 - AppInit_DLLs: woooooo.dll

    And the below files did not get deleted:
    C:\WINDOWS\system32\wooooook.exe
    C:\WINDOWS\system32\woooooo.dll
    C:\WINDOWS\system32\d32dx9.sys

    Let's try again but this time we will use ComboFix. Make sure that you shutdown/disable Symantec before doing the below to avoid having Symantec get in the way of the removal. Also shutdown Spyware Doctor.

    Is your copy of Spyware Doctor a paid version?

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=explorer.exe,gpr2.exe
    O20 - AppInit_DLLs: woooooo.dll

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Fiona\Local Settings\temp\

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run this: Running GMER to detect rootkits

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\ComboFix.txt
    • The log from running GMER!
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. breze

    breze Private E-2

    The registry key worked, and there aren't any popups (as of yet). I don't know if the d32dx9.sys file is completely deleted though, since I saw it come up on the GMER log.

    ...is it clean yet?
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    *** IMPORTANT *** : Disconnect ALL other PCs from your network other than this laptop that we are working on. Under no circumstances have more than one PC allowed to be connected to your network at anytime. This problem may be spreading thru your network and has gotten worse.

    Also if you are still trying to use or do anything with any of this Clubbox software or websites, you must stop using/accessing them immediately. The same goes for GoGoBox, uninstall and stop using it. Also stop allowing these programs in your approved list in your firewall. You must block them.

    Is your copy of Spyware Doctor a paid version?


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe,gprB.exe
    O2 - BHO: swsxachu.dll - {13FD5987-65D2-C58D-D87E-987451F12531} - C:\WINDOWS\system32\swsxachu.dll (file missing)
    O2 - BHO: opshbbty.dll - {22596546-2036-9451-6058-658402589722} - C:\WINDOWS\system32\opshbbty.dll (file missing)
    O2 - BHO: oswxcttb.dll - {33512378-9874-5641-1025-985420368733} - C:\WINDOWS\system32\oswxcttb.dll (file missing)
    O2 - BHO: apsgdjba.dll - {4FD45A54-9875-698F-E56E-65102358FDF4} - C:\WINDOWS\system32\apsgdjba.dll (file missing)
    O2 - BHO: ptjhehlp.dll - {528DF602-9541-A985-210A-984A698C6F25} - C:\WINDOWS\system32\ptjhehlp.dll (file missing)
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll (file missing)
    O2 - BHO: oohxdbyt.dll - {5B1AEF69-DDAE-FDAD-DCAB-698F026ABDB5} - C:\WINDOWS\system32\oohxdbyt.dll (file missing)
    O2 - BHO: zxmscwin.dll - {6A041F13-A111-12A3-B0CF-F99818AA68A6} - C:\WINDOWS\system32\zxmscwin.dll (file missing)
    O2 - BHO: mnmhgsrv.dll - {7C8D1401-A58D-A81C-CD24-A5915C4517C7} - C:\WINDOWS\system32\mnmhgsrv.dll (file missing)
    O2 - BHO: ypdjfbmp.dll - {81954FAC-1023-154F-895A-1458258AD818} - C:\WINDOWS\system32\ypdjfbmp.dll (file missing)
    O2 - BHO: yzztimsn.dll - {9490415F-65F8-B5C5-D8BA-9405FB120549} - C:\WINDOWS\system32\yzztimsn.dll (file missing)
    O21 - SSODL: midimapmy - {4F4F0064-71E0-4f0d-0015-708476C7815F} - C:\WINDOWS\system32\midimapmy.dll (file missing)
    O21 - SSODL: midimapzx - {4F4F0064-71E0-4f0d-0005-708476C7815F} - C:\WINDOWS\system32\midimapzx.dll (file missing)
    O21 - SSODL: midimapqn3 - {4F4F0064-71E0-4f0d-0022-708476C7815F} - C:\WINDOWS\system32\midimapqn3.dll (file missing)
    O21 - SSODL: midimapwl - {4F4F0064-71E0-4f0d-0004-708476C7815F} - C:\WINDOWS\system32\midimapwl.dll (file missing)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    After attaching these logs, do not shutdown or reboot this PC. Wait for my next fix, otherwise things could change and my fix would not be correct.
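The three persistence mechanisms chaslang keeps fixing in this thread (an extra executable on the system.ini Shell= line, DLLs in AppInit_DLLs, and batches of SSODL entries whose CLSIDs differ in a single group) can be screened for automatically. The triage script below is an added example written for this page, not code from the thread, HijackThis or MGtools; its sample log lines are constructed from the entries quoted above, and all function names are mine.

```python
"""Triage HijackThis-style log lines for the persistence patterns seen in
this thread.  Added example: not code from the thread, HijackThis or MGtools."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe,gprB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: woooooo.dll wendao.dll
O21 - SSODL: midimaptl - {4F4F0064-71E0-4f0d-0017-708476C7815F} - C:\WINDOWS\system32\midimaptl.dll
O21 - SSODL: midimapzx - {4F4F0064-71E0-4f0d-0005-708476C7815F} - C:\WINDOWS\system32\midimapzx.dll
O21 - SSODL: midimapwl - {4F4F0064-71E0-4f0d-0004-708476C7815F} - C:\WINDOWS\system32\midimapwl.dll (file missing)
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O21_RE = re.compile(
    r"^O21 - SSODL: (?P<name>\S+) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def check_shell(value: str) -> List[str]:
    """system.ini Shell= should name only Explorer.exe; anything after the
    comma is started alongside the desktop at every logon."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extra = [p for p in parts if p.lower() != "explorer.exe"]
    return [f"F2 Shell= starts extra program(s): {', '.join(extra)}"] if extra else []


def check_appinit(value: str) -> List[str]:
    """AppInit_DLLs is loaded into every process that uses user32.dll, so a
    clean system normally has it empty; report each listed DLL."""
    return [f"O20 AppInit_DLLs loads {dll} into every GUI process" for dll in value.split()]


def clsid_template(clsid: str) -> str:
    """Blank the fourth CLSID group so near-duplicates collapse to one key
    (the midimap* entries in the thread differ only there)."""
    groups = clsid.split("-")
    if len(groups) != 5:
        return clsid
    groups[3] = "XXXX"
    return "-".join(groups)


def check_ssodl(entries: List[Dict[str, str]]) -> List[str]:
    """Flag SSODL entries whose file is gone or whose CLSID is a template
    shared with other entries; genuine COM objects have unrelated CLSIDs."""
    templates = Counter(clsid_template(e["clsid"]) for e in entries)
    findings = []
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("file missing")
        if templates[clsid_template(e["clsid"])] > 1:
            reasons.append("CLSID template shared with other SSODL entries")
        if reasons:
            findings.append(f"O21 SSODL {e['name']} -> {e['path']} ({'; '.join(reasons)})")
    return findings


def triage(log_text: str) -> List[str]:
    """Return one finding per suspicious line; lines that match none of the
    three patterns (e.g. the O4 QuickTime entry) produce nothing."""
    findings: List[str] = []
    ssodl: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := F2_RE.match(line):
            findings.extend(check_shell(m["shell"]))
        elif m := O20_RE.match(line):
            findings.extend(check_appinit(m["dlls"]))
        elif m := O21_RE.match(line):
            ssodl.append({"name": m["name"], "clsid": m["clsid"],
                          "path": m["path"], "missing": m["missing"] or ""})
    findings.extend(check_ssodl(ssodl))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries the script flags are candidates for the HJT fix list, not a verdict; the Shell= and AppInit_DLLs checks have no false positives on a default install, while the SSODL template check is a heuristic built on the pattern seen here.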
     
  15. breze

    breze Private E-2

    No, the Spyware Doctor I have is the free version I downloaded using Google Tools.

    I'm not sure how to disconnect everything from the network, so I simply shut down my computer and disconnected the local internet cable from the CPU, leaving the wireless router and modem on so my laptop still has internet access. Is that ok?

    I also may have done something stupid here: I forgot to turn off system restore and Symantec when I used Combofix, so I turned off everything and ran it a second time. I've attached both logs, the first one ComboFix (080608).txt and the second ComboFix (080608) - 2.txt. Feel free to yell at me if I stuffed up.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please uninstall the Spyware Doctor trial program immediately.

    For a wired computer all you have to do is unplug the ethernet cable. For wireless you would have to either not turn on the wireless PCs or you would have to shutdown the wireless part of your router.

    You should not be disabling System Restore. If you already did this then don't worry about it. It may get to the point where we will have to uninstall Symantec/Norton. Something is blocking full removal and certain files keep coming back or respawning new files.

    Now run SUPERAntiSpyware and download any updates and run a full scan. Then attach a new log.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O20 - AppInit_DLLs: yzztimsn.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  17. breze

    breze Private E-2

    I left the laptop on last night and this morning I found it'd frozen (which it's been doing a lot since it's become infected). Will the fix still work if I restart it (I'm on another computer as I type)?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Each time you shutdown or reboot, the problems may spread and/or mutate, thus making a fix that was posted for symptoms before the reboot incorrect or incomplete. Run the fix anyway but from now on, try to not shutdown or reboot after posting logs. I understand if it hangs that you have no choice. If you leave your PC for any length of time, shut down the wireless interface while leaving it running.
     
  19. breze

    breze Private E-2

    I thought as much, but I had no idea what to do when it froze.

    I ran Avenger, but it couldn't delete most of the files. Neither could I, since they were nowhere to be found.

    Is the infection really bad?
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The first sentence in my last fix requested that you uninstall Spyware Doctor. You did not do this. Please uninstall it now and always remember to complete instructions in the order written.

    Now run a full scan with Symantec and attach a log if it finds anything.
     
  21. breze

    breze Private E-2

    Sorry, I usually print off the fix, but this time I didn't and completely missed it.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, you're clean other than what is in the ComboFix quarantine and in System Restore. The below will take care of those.

    It is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    10. Go to add/remove programs and uninstall HijackThis.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
    After completing 100% of the above, you can rerun Symantec to verify that it comes up clean.

    Then you can download the current version of Malwarebytes to your other PC and run it and get a new log. Also download the current version of MGtools to your other PC and attach a new MGlogs.zip file too. I assume this is a Desktop PC. Keep your Laptop disconnected or shutdown while using this Desktop to avoid reinfection.
     
  23. breze

    breze Private E-2

    Yay, that's one down!

    Here are the scans for the desktop.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe,pr14.exe,gpr14.exe
    O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O20 - AppInit_DLLs: woooooo.dll wendao.dll
    O21 - SSODL: midimapzx - {4F4F0064-71E0-4f0d-0005-708476C7815F} - C:\WINDOWS\system32\midimapzx.dll (file missing)
    O21 - SSODL: midimapmy - {4F4F0064-71E0-4f0d-0015-708476C7815F} - C:\WINDOWS\system32\midimapmy.dll (file missing)

    After clicking Fix, exit HJT.




    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!


    Then download and run the current version of MGtools.exe



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
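    The HijackThis lines quoted at the top of this post are a compact picture of how this infection persists: a modified Shell= value in system.ini, a populated AppInit_DLLs entry, and orphaned BHO/SSODL entries whose DLLs no longer exist. The following Python block is an added example, not code from the post, from HijackThis or from MGtools; the parsing and the triage rules are the editor's own and are applied to the exact lines shown above (embedded here as a constructed sample). It flags the categories a helper looks at first and leaves the ordinary O4 Run entry alone, since that one was only removed as a resource saver.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the HijackThis lines quoted in the post above.
SAMPLE_HJT = r"""
F2 - REG:system.ini: Shell=Explorer.exe,pr14.exe,gpr14.exe
O2 - BHO: ozfyebyt.dll - {5A069845-2036-6084-9054-6087502480A5} - C:\WINDOWS\system32\ozfyebyt.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O20 - AppInit_DLLs: woooooo.dll wendao.dll
O21 - SSODL: midimapzx - {4F4F0064-71E0-4f0d-0005-708476C7815F} - C:\WINDOWS\system32\midimapzx.dll (file missing)
O21 - SSODL: midimapmy - {4F4F0064-71E0-4f0d-0015-708476C7815F} - C:\WINDOWS\system32\midimapmy.dll (file missing)
"""

# A HijackThis line is "<section> - <body>", e.g. "O20 - AppInit_DLLs: ...".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split HijackThis-style output into (section, body, original line) records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HJT_LINE.match(line)
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"),
                            "line": line})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply simple, defensive rules; returns (section, reason, line) findings.

    Rules (editor's own, not HijackThis logic):
      F2  Shell= must name only Explorer.exe; extra loaders are persistence.
      O20 AppInit_DLLs should be empty on a clean XP box.
      O2/O21 entries whose file is missing are orphans left by a removal.
    """
    findings = []
    for e in entries:
        sec, body = e["section"], e["body"]
        if sec == "F2" and "Shell=" in body:
            value = body.split("Shell=", 1)[1]
            loaders = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in loaders if p.lower() != "explorer.exe"]
            if extra:
                findings.append((sec, "extra shell loader(s): " + ", ".join(extra), e["line"]))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append((sec, "AppInit_DLLs is populated: " + value, e["line"]))
        elif sec in ("O2", "O21") and "(file missing)" in body:
            findings.append((sec, "orphaned entry, target file missing", e["line"]))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(parse_hjt(SAMPLE_HJT)):
        print(f"[{section}] {reason}\n    {line}")
```

    Run against the sample, the block reports the Shell= hijack with its two extra loaders, the populated AppInit_DLLs value, and the three orphaned O2/O21 entries; the realsched.exe O4 line produces no finding. A clean box (Shell=Explorer.exe, empty AppInit_DLLs) produces an empty list.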
     
  25. breze

    breze Private E-2

    For some reason, I cannot start combofix. When I tried the first time, it told me today's the 11/6/08 and the version is outdated before deleting itself. When I re-downloaded the program and tried to run it, it told me I cannot rename the program "CF" and that I need to change it using alphanumeric characters (I've tried to rename it before download and also after download, both with the same result).

    What should I do?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use the new version of ComboFix but instead of using cf.exe use combo-fix.exe

    Let me know if that works.
     
  27. breze

    breze Private E-2

    Yes, it worked this time. I had to physically restart the computer though, because it seemed to have frozen at the shut down screen.
     

    Attached Files:

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like this will take some iteration like last time. So let me repeat similar messages like I already stated for the other PC.

    Also if you are still trying to use or do anything with any of this Clubbox software or websites, you must stop using/accessing them immediately. The same goes for GoGoBox, uninstall and stop using it. Also stop allowing these programs in your approved list in your firewall. You must block them. The below need to be removed from your approved list
    I'm concerned about a couple of drivers that are changing with the date. The below files have me worried.
    C:\WINDOWS\GPCIDrv.sys
    C:\WINDOWS\system32\Drivers\GVTDrv.sys

    I'm going to see if ComboFix can get more info on them but I will bet that there will not be any additional info to gather. Thus I'm also going to have ComboFix attempt to put copies of them into a ZIP file which will be named Submit[Date Time].zip which will be saved to your Desktop for uploading later. Date Time should be the date and time this was run.


    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop (yes, overwrite the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    • and the Submit[Date Time].zip file from your Desktop if it was created
    Make sure you tell me how things are working now!
     
  29. breze

    breze Private E-2

    I thought I'd blocked it before, but I guess not. I can't find the DownUpdater or the StubeInstaller, but I've deleted the other two from the exception list altogether.

    The file ComboFix tried to send didn't work, so here it is as well.

    On the upside of things, there haven't been any popups from Symantec since the last fix, so everything must be going right?
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs appear clean. I cannot get any real useful info about those two .sys files to prove whether they are valid or possibly related to your problems. They do seem to keep changing dates which would imply that something keeps reloading/creating them each time you boot. I found the below in the files:

    e:\vtunner-ii_b05121601\gvtdrv32\driver\gvcpldrv.c
    e:\VTunner-II_B05121601\GVTDrv32\DRIVER\objchk\i386\GVTDrv.pdb

    Do those mean anything to you? Could it be related to the below?
    http://www.vtuner.com/vtunerweb/static/staticTalk-Scanneroverall1.html

    Those files turn up clean when scanned. If you are not having any other problems then perhaps we should ignore them.
     
  31. breze

    breze Private E-2

    I've never heard of it before, but my E drive is my DVD-rom, if that helps any.

    I don't know if I'm supposed to post this here, but is Trojan.Downexec.B!inf related to infostealer? Because as I'm typing this message (this forum is the only website I have opened; I'm not using any other programs I know of), Symantec found this in my explorer.exe and is doing the same popup thing infostealer was doing before: only it cannot be deleted. My laptop found the same thing yesterday the instant I did a Symantec LiveUpdate (I never turn on both computers at the same time), but a Malwarebytes scan came clean. I'm tempted to think this is a Symantec problem, but the alternative is that infostealer has left something else behind. Would you have any ideas?
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not related. This may be only showing now after the live update because it is a brand new detection by Symantec. See this:

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-061015-4339-99

    I'm not sure if the detection on your PC is valid or not. In your last logs, the two proper copies of explorer.exe showed proper sizes and expected dates. This does not conclusively prove the file is not infected, but it seems questionable and if it is, it could have been infected for a long time. I suggest that you run your c:\Windows\explorer.exe file thru the below online scanners to see if they find anything:

    http://www.virustotal.com/de/

    http://virusscan.jotti.org/

    Tell me what the below scans find. Also where exactly is Symantec detecting this infection? Do you have a log? If it is really valid, they probably should be detecting it in both the Windows folder and the dllcache folder.
     
  33. breze

    breze Private E-2

    Perhaps I'm not doing it right (browse, select, send file?), but neither scan is working because '0 bytes are received'.

    Symantec's only detecting the virus in C:\Windows\explorer.exe but nowhere else. Unfortunately, it's also doing it more often than infostealer and, worse, the instant I plug in the ethernet cable.
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what problem you were having with scanning the files. Perhaps you are blocking the upload of the files in your firewall. You may want to try shutting down the firewall while attempting the scan. Obviously the upload size should not be 0 bytes.

    It is rather strange that Symantec would only be complaining about the one in the Windows folder since there are two other files of the same exact size and one even has the same date and time (see the ones highlighted in bold). The below were in your last MGlogs.zip file in msg # 29.
    Code:
    [B]"C:\WINDOWS\explorer.exe" 1033216 2007-06-13 20:23 [/B]
    [B]"C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe" 1033216 2007-06-13 21:26[/B] 
    "C:\WINDOWS\$NtServicePackUninstall$\explorer.exe" 1000960 2001-08-23 22:00 
    "C:\WINDOWS\$NtUninstallKB938828$\explorer.exe" 1032192 2004-08-04 00:56 
    "C:\WINDOWS\ServicePackFiles\i386\explorer.exe" 1032192 2004-08-04 00:56 
    [B]"C:\WINDOWS\system32\dllcache\explorer.exe" 1033216 2007-06-13 20:23[/B] 
    Let's try the below. Make sure you read thru this before doing the steps. You must follow these instructions exactly. And you need to print them because at a particular point you will have to shut down all browsers and other windows you have open other than what I ask you to run.

    • Click Start, Run, and enter cmd and click OK. This will open a command prompt window which will show as a prompt the below string of characters.
      • C:\Documents and Settings\Fiona>
    • Now press the following keys all together: CTRL+SHIFT+ESC. This will open up Windows Task Manager. Select the Processes tab and then click the Image Name column header which will sort the process list.
    • Now arrange the command prompt window and the Task Manager window so you can see both of them properly. Task Manager likes to stay on top of other windows. DO NOT minimize them, just arrange positions, and you can change the size of the Task Manager window so that you can see the command prompt window better.
    • Now Close/Exit all other windows (browsers too, including this one) so that only the command prompt and Task Manager show.
    • Now in the Task Manager window right click the explorer.exe process and select End Process. Do not be alarmed! Your desktop icons, start bar, etc. will all disappear. This is normal.
    • Now in the command prompt window enter the below commands, each followed by the Enter key. The bold black are the commands. Purple text is only comments to help you understand.
      • cd \windows There is a space after the cd and the prompt should change to C:\WINDOWS. If the prompt does not change, you did something wrong. Try again.
      • ren explorer.exe explorer.old There is a space after ren and after explorer.exe
      • copy system32\dllcache\explorer.exe There is a space after copy. You should see a message saying 1 file(s) copied.
      • explorer.exe This should run explorer and bring your Desktop back.
    Now I suggest that you reboot and run a full scan with Symantec to see what it finds. It is okay if it complains about the explorer.old file. Attach a log of what is found.
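    The listing above compares copies of explorer.exe by size and timestamp only, and the replacement procedure treats the dllcache copy as the trusted reference. Matching size and date do not prove matching content; a hash does. The Python block below is an added example by the editor, not part of the post and not MGtools or ComboFix code: it compares a live binary against reference copies by size first and SHA-256 second, and demonstrates on constructed temporary files (stand-ins for the Windows, dllcache and service-pack copies) that a same-size tampered copy is caught only by the hash.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_copies(live_path: str, reference_paths: List[str]) -> Dict[str, str]:
    """Compare one live binary to each reference copy.

    Verdict per reference path: 'match', 'size-mismatch', 'content-mismatch'
    (same size, different bytes: the case a size/date listing cannot see) or 'missing'.
    """
    live_size = os.path.getsize(live_path)
    live_hash = sha256_of(live_path)
    report = {}
    for ref in reference_paths:
        if not os.path.exists(ref):
            report[ref] = "missing"
        elif os.path.getsize(ref) != live_size:
            report[ref] = "size-mismatch"
        elif sha256_of(ref) != live_hash:
            report[ref] = "content-mismatch"
        else:
            report[ref] = "match"
    return report


def demo() -> Dict[str, str]:
    """Build constructed stand-ins for the copies listed in the post and compare them.

    The file names are placeholders for C:\\WINDOWS\\explorer.exe (live), the dllcache
    copy, an older service-pack copy, and a hypothetical same-size tampered copy.
    """
    clean = b"MZ" + bytes(range(256)) * 4        # constructed stand-in for a clean binary
    tampered = clean[:-1] + b"\x00"              # same length, last byte changed
    older = clean[:900]                          # shorter: different build, different size
    with tempfile.TemporaryDirectory() as tmp:
        paths = {name: os.path.join(tmp, name) for name in ("live", "dllcache", "older", "tampered")}
        for name, data in (("live", clean), ("dllcache", clean),
                           ("older", older), ("tampered", tampered)):
            with open(paths[name], "wb") as f:
                f.write(data)
        absent = os.path.join(tmp, "absent")      # never created: exercises the 'missing' verdict
        report = compare_copies(paths["live"],
                                [paths["dllcache"], paths["older"], paths["tampered"], absent])
        return {os.path.basename(p): verdict for p, verdict in report.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

    On a real XP machine the same function would be pointed at C:\WINDOWS\explorer.exe with C:\WINDOWS\system32\dllcache\explorer.exe and the ServicePackFiles copy as references; a "content-mismatch" against dllcache is exactly the signal the size/date listing above could not give, while "size-mismatch" against the 2004 copies is expected and benign.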
     
  35. breze

    breze Private E-2

    Symantec didn't find anything even after a full scan this time, so I haven't attached a log. I did turn off the firewall to do the online scans, though:

    http://www.virustotal.com/analisis/7d647eafe4d512a03d996f774bc44ea5

    and:

    What's going on? I'm a little lost.
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Had you replaced the copy of explorer.exe before doing your Symantec full scan?
     
  37. breze

    breze Private E-2

    After I typed copy system32\dllcache\explorer.exe, there was a prompt asking me whether I wanted to overwrite explorer.exe, so I typed yes.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that means it overwrote it but it also means earlier commands I gave may not have been run or did not work. For example:

    ren explorer.exe explorer.old

    If this ran then the explorer.exe file in C:\Windows would not have existed anymore and would not need to be overwritten.

    At any rate, I assume you are all clean now since Symantec has no further detections.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    10. Go to add/remove programs and uninstall HijackThis.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  39. breze

    breze Private E-2

    Thank you so much for your help on BOTH computers!
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
