kardphisher

Discussion in 'Malware Help (A Specialist Will Reply)' started by jgetman, Sep 5, 2007.

  1. jgetman

    jgetman Private E-2

    I have what is either the Trojan Kardphisher virus, or one that is almost an exact duplicate (described here: http://www.symantec.com/security_res...042705-0108-99)

    The problem is, all of the removal instructions refer to items in the Registry that aren't in my registry

    Any advice?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    First let me ask how you know that you have this? What is reporting this to you?
    Where is it finding it (the file names and location)?

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. jgetman

    jgetman Private E-2

    Thank you very much for the reply. To answer your question, I figured out it was the Trojan.Kardphisher through some Google searches - I found the exact screenshots of the thing I was seeing on my end, but none of the prescribed solutions work - those solutions include removing specific items from the registry (those items are not present in my registry) and/or the entering of fake information into the malicious credit card form (the fake information given no longer works).

    I'm going through your steps now. However, I am unable to do certain things in Normal (as opposed to "Safe") mode - for instance, I cannot run HijackThis in normal mode, as this 'virus' (or whatever it is) takes over as soon as I boot and will not allow me to run HijackThis.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you may not have that infection. Please explain what your exact problems are.


    HijackThis is the last step. Did you run all of the other steps? If not, you should not be running HijackThis yet. Did you install and rename HijackThis exactly as requested in step 7 of the READ ME?
     
  5. jgetman

    jgetman Private E-2

    Here is what happens - when I boot in normal mode, I immediately get a pop-up window in the middle of my desktop. It appears to be from Microsoft - it has the following text in it:

    "Your copy of Windows was activated by another user.
    To help reduce software piracy, please re-activate your copy of Windows now.
    WE WILL ASK YOU FOR YOUR BILLING DETAILS, BUT YOUR CREDIT CARD WILL NOT BE CHARGED"

    There's some more text, then two choices:

    YES, activate Windows over the internet now
    (if i choose this, it goes to a screen where I have to enter my credit card information)
    NO, I will do it later
    (if I choose this, Windows reboots and the whole process starts all over again)

    Here's a screenshot of what I see on my end:

    http://img72.imageshack.us/img72/1127/screen01oo6.jpg


    The solution may not be the same as "Trojan.Kardphisher," but the symptoms are the same

    As to your point about following the steps as you advise, I understand completely...I learned that HijackThis didn't work in Normal mode BEFORE I discovered your specific steps


     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you need to try and complete the instructions already given as best as you can. If after installing and renaming HijackThis properly and it still will not run in normal boot mode then run it in safe boot mode.
     
  7. jgetman

    jgetman Private E-2

    Chaslang - I completed all of the steps (at least, whenever possible).

    Some notes:

    1) I've attached 3 logs: one for Ccleaner, AVG and HijackThis

    2) I was not able to complete all of the steps, either because I couldn't run/install the program, or because of crashes. I did run Bitdefender (took almost 2 hours and found no problems), but it crashed during the save report stage...I was unable to run panda (crashes during the installation section)

    3) In the latter stages, I ran both runkey and shownew as instructed. However, for both items, I got the following warning message:

    "The command prompt has been disabled by your administrator" - there was no log created for either. This is part of the virus, I assume - I can also no longer get into regedit or task manager (both say they've been "disabled by the administrator")

    Thank you very much for your help thus far - I hope there's something in the attached logs that gives you an idea about what I've got.

    Thanks again

    - for some reason, I'm unable to attach the logs....aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaargh
     
    Last edited: Sep 5, 2007
  8. jgetman

    jgetman Private E-2

    When I try to attach the logs, they never stop "processing" - they never actually attach. I'm not sure what to do....I'm sure this is a terrible breach of etiquette, but I'm at my wit's end - I'm pasting the contents of the HijackThis log here:

    Edit by chaslang: Inline log attached
     

    Attached Files:

    • hjt.txt
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't ask for and don't need logs from CCleaner. I do however really need logs from GetRunKey and ShowNew so we need to figure out why you are getting that message. Are you logged into an account with administrator privileges? Are you sure? Is this your own personal PC or does it belong to someone else or to a company?
     
  10. jgetman

    jgetman Private E-2

    It's my personal PC...I have all privileges (though I'd be lying if I told you I was an expert in using them). Something in this virus, as I have read, is affecting my ability to use command prompt or regedit

    I was able to go into regedit earlier today (right after the problems started) to look for the files that are typically affected, but now I can no longer get in there as well
     
    Last edited: Sep 5, 2007
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below something you installed and know what it is?

    O23 - Service: Fulco Update Service (FUpdateSvc) - Fulco, Inc. - C:\Program Files\Fulco\fausvc.exe



    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\cabs\D00243-001-001\GaiaLoot.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\system32\s1940.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Windows Activation] C:\cabs\D00243-001-001\GaiaLoot.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O18 - Filter: text/html - (no CLSID) - (no file)

    After clicking Fix, exit HJT.

    Now reboot your PC

    After reboot run Ccleaner

    Now attach a new HJT log and see if you can start running other steps now.
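As an added example (not from this thread and not part of HijackThis itself), a small Python triage script that applies the same reasoning the expert used on the log above: it flags O4 Run entries that launch from outside the usual program directories (the C:\cabs\ entry), O7 policy values that lock the user out of Regedit, Task Manager or the command prompt (the "disabled by your administrator" symptom), and O2/O9/O18 browser hooks with no file or no CLSID. The sample lines are copied from the log lines quoted in this thread; TRUSTED_PREFIXES and LOCKOUT_POLICIES are my own assumptions about what counts as normal.

```python
import re

# Assumption: legitimate autostart entries normally run from these locations.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Real policy value names that disable admin tools (Regedit, Task Manager, cmd.exe).
LOCKOUT_POLICIES = {"disableregedit", "disableregistrytools",
                    "disabletaskmgr", "disablecmd"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)$")


def executable_path(cmd: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: cut at the first " -flag" or " /flag" argument.
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def normalise(path: str) -> str:
    """Lower-case and expand the common Windows directory variables."""
    p = path.lower()
    return p.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")


def triage_line(line: str):
    """Return a reason string if the line deserves a look, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        path = normalise(executable_path(m.group("cmd")))
        if not path.startswith(TRUSTED_PREFIXES):
            return f"autostart '{m.group('name')}' runs from unusual location {path}"
        return None
    m = O7_RE.match(line)
    if m:
        if m.group("value").lower() in LOCKOUT_POLICIES and m.group("data") != "0":
            return f"policy {m.group('value')} locks the user out of admin tools"
        return None
    if line.startswith(("O2 ", "O9 ", "O18 ")) and ("(no file)" in line or "(no CLSID)" in line):
        return "browser hook with missing file or CLSID (orphaned or hidden component)"
    return None


def triage(log_text: str):
    """Run triage_line over a whole log; returns [(line, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


# Constructed sample: lines copied from the HijackThis output quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\system32\s1940.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Activation] C:\cabs\D00243-001-001\GaiaLoot.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O18 - Filter: text/html - (no CLSID) - (no file)
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Note that the BHO line is not flagged on its own: as in the thread, a DLL in system32 with a generic name only stands out once an analyst checks whether the file is known.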
     
  12. jgetman

    jgetman Private E-2

    YEEEEEEEEEEEEEEEESSSS!

    Okay...I'm going to take the other steps, but I wanted to let you know two things first:

    1) O23 - Service: Fulco Update Service (FUpdateSvc) - Fulco, Inc. - C:\Program Files\Fulco\fausvc.exe

    this is something that I know and use regularly (magazine circulation management software)

    2) when I killed "C:\cabs\D00243-001-001\GaiaLoot.exe" the malicious window from Hell went away!

    I'm going to close this browser and finish the scan as you've instructed but, so far, you're clearly on to something. I can't thank you enough!
     
  13. jgetman

    jgetman Private E-2

    I've rebooted (the virus did not 'load'), I ran Ccleaner, re-ran HijackThis - log follows. I also checked to see if regedit worked (it did), command prompt worked (it did) and if task manager worked (it does)...here's the log...and thanks again, very very much:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:08:29 AM, on 9/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Fulco\fausvc.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
    C:\Program Files\HijackThis\analyse.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
    O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.stumbleupon.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Fulco Update Service (FUpdateSvc) - Fulco, Inc. - C:\Program Files\Fulco\fausvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay delete the below folder:
    C:\cabs\D00243-001-001

    Also tell me what else you see in the C:\cabs folder

    Also delete this file:
    C:\WINDOWS\system32\s1940.dll

    And then please complete all the steps in the READ & RUN ME now. I want to make sure no other malware is found. Also try to attach logs from now on.

    You should be attaching the below logs:
    • AVG Antispyware
    • BitDefender
    • Panda
    • GetRunKey
    • ShowNew
     
  15. jgetman

    jgetman Private E-2

    I deleted:

    C:\cabs\D00243-001-001

    (there is another folder in c:\cabs\ called "D00245-001-001")

    However, this file that you said I should delete was not present:

    C:\WINDOWS\system32\s1940.dll

    I will attempt all of the other steps and try to post the logs (probably won't be until tomorrow, though).

    Thanks again
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then delete the whole c:\cabs folder.


    This is a very good idea based on the infection you had. It never hurts just to be safe! ;)
     
  17. jgetman

    jgetman Private E-2

    I've run the new reports - looks like Panda (activescan) picked up something. I've attached the first three reports (AVG, Panda and BDScan) - next 3 will be in next reply.

    Thanks again for your help
     
  18. jgetman

    jgetman Private E-2

    Here are the last three reports (Getrunkey, shownew and a new Hijack log)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run AVG Antispyware again and this time don't Ignore what it finds. You need to Quarantine or Delete what it finds.

    Then you need to delete the below files if found:
    C:\12.tmp
    C:\13.tmp
    C:\WINDOWS\smdat32m.sys


    Now uninstall the below software:
    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) SE Runtime Environment 6 Update 1
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME


    Do you have any idea what all of the below new files are for?
    Code:
    "C:\Documents and Settings\Owner\Application Data\"
    commar~1.fon  Sep  5 2007      209034  "com.markzware.FC5.FontDBWtSys"
    fcplac~1.dll  Sep  6 2007       28160  "fcPlacard.DLL"
    fcvis.ini     Sep  6 2007       29886  "FCVIS.INI"
    ground~1.dll  Sep  6 2007       57344  "groundControl.DLL"
    mkz1re~1.dll  Sep  6 2007     7320576  "Mkz1REALA.dll"
    nobeve~1.dll  Sep  6 2007       65536  "noBevelButton.DLL"
    plutil.dll    Sep  6 2007       33792  "PLUtil.DLL"
    rbap550.dll   Sep  6 2007       88576  "rbap550.dll"

    How are things working?
     
  20. jgetman

    jgetman Private E-2

    I know the top one (Markzware) - I do not recognize the others

    Things have been running smoothly since my last round of scans. I'm going to delete and/or uninstall the items you noted, after I run AVG again (and allow it to fix issues)
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They may all be related. If everything is working okay, don't worry about these files now.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  22. jgetman

    jgetman Private E-2

    Done - thanks again for all of your help
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
