Need Help with Trojan GAMADRIL20071203

Discussion in 'Malware Help (A Specialist Will Reply)' started by mcchpt, Jan 30, 2008.

  1. mcchpt

    mcchpt Private E-2

    I kept getting this virus showing up in McAfee Virus Scan saying "gamadril20071203" could not be moved, cleaned or deleted. I looked at the Malware removal guide and followed all the steps with the CCleaner, Spybot, AVG, MGTools etc. I just want to know if I did everything right and if I got rid of the virus. Can anyone help me? Do you need to see the logs? Just let me know. Thanks
     
  2. abri

    abri MajorGeek

    Hi mcchpt!
    Welcome to Major Geeks!

    Yes, we need to see the logs. There will be either two or three of them depending on whether one was produced when you ran AVG Antispyware. There should be logs for Combofix and the MGlogs.zip, both located under C or the drive where your operating system is located. Please attach them with your next post.

    abri
     
  3. mcchpt

    mcchpt Private E-2

    Here are the logs. Thank you.
     

  4. abri

    abri MajorGeek

    Hi mcchpt!


    1) Please go to add/remove programs and uninstall the below:

    - Viewpoint Media Player
    - WeatherBug
    - Wild Tangent


    2) Go to Windows Explorer and find the following driver: C:\WINDOWS\system32\4C617DB0D5.sys. Rename it to:
    4C617DB0D5.sys.zzz

    3) Please disable your Guest account if it hasn't already been done.

    3a) Next run CCleaner at the default setting with the Windows tab as the one on top.

    4) Now please do the following:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, go to the MGTools folder under C:\ and find analyse.exe (which is HijackThis with a different name). Double-click on analyse.exe to run it, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: C:\WINDOWS\lbbho.dll - {4EB2C811-D2E1-4931-92D4-97AC1AC69F3A} - C:\WINDOWS\lbbho.dll (file missing)
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Bljwm] C:\Program Files\Fjkce\Tarhgdy.exe
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/aolim/install.cab
    O20 - Winlogon Notify: mljgghf - mljgghf.dll (file missing)
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O4 - HKLM\..\Run: [PersonalWeb] "C:\Program Files\Claria\PersonalWeb\PersonalWeb.exe"
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab

    After you click fix, just close hijackthis.


    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    7) Download and install Erunt. Use it to create a backup of your registry.

    8) Next copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    9) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    10) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    11) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log. Also, please let me know if you get a success message regarding the REGEDIT4.


    Let me know how things are running now.

    abri
     
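A check for step 11's fresh scan, written as an added example (not code from the thread, MajorGeeks or HijackThis): it parses HijackThis log lines, reports which of the post #4 fix-list entries are still present in a later scan, lists "(file missing)" orphans, and collects the on-disk files the surviving entries load. The fix list is copied from post #4; the fresh log is a constructed sample.

```python
import re

# Constructed sample: the HJT entries abri asked to fix in post #4 (the "fix list").
FIX_LIST = r"""
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
O4 - HKLM\..\Run: [Bljwm] C:\Program Files\Fjkce\Tarhgdy.exe
O20 - Winlogon Notify: mljgghf - mljgghf.dll (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""
# Constructed sample: a fresh post-cleanup scan (not one of the thread's real logs).
FRESH_LOG = r"""
O4 - HKLM\..\Run: [Bljwm] C:\Program Files\Fjkce\Tarhgdy.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: mljgghf - mljgghf.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")   # every HJT item starts "Onn - "
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|sys|cab|htm))"?', re.IGNORECASE)

def normalize(line):
    # Collapse whitespace and case so lines from two scans compare reliably.
    return " ".join(line.split()).lower()

def parse_hjt(text):
    # One dict per item: normalized key, first on-disk path it references, orphan flag.
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # headers, blank lines, non-item text
        path = PATH_RE.search(m.group(2))
        entries.append({"key": normalize(raw),
                        "path": path.group(1) if path else None,
                        "file_missing": "(file missing)" in raw.lower()})
    return entries

def remaining(fix_list, fresh_log):
    # Fix-list items still present in the fresh scan: the cleanup did not take.
    wanted = {e["key"] for e in parse_hjt(fix_list)}
    return [e["key"] for e in parse_hjt(fresh_log) if e["key"] in wanted]

def orphans(fresh_log):
    # Items whose target file is gone: dead registry references that HJT can fix safely.
    return [e["key"] for e in parse_hjt(fresh_log) if e["file_missing"]]

def paths_to_check(fresh_log):
    # Files that remaining items actually load; these are what to hash or scan next.
    return sorted({e["path"] for e in parse_hjt(fresh_log) if e["path"] and not e["file_missing"]})
```

Calling remaining(FIX_LIST, FRESH_LOG) on the sample shows the Bljwm Run entry and the mljgghf Winlogon Notify entry survived, so the fix did not complete.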
  5. mcchpt

    mcchpt Private E-2

    Alright, there are a few things that did not work.
    I could not do the following:
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK

    My computer would not let me delete it, and I did not get an option to ignore.

    Also,

    In HiJackThis

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Did not show up, therefore I could not fix it.

    Those are the only things that did not work. I did get a success message regarding the REGEDIT4. I'm not quite sure yet if things are running better so I'll have to wait and see. Thank you so much for your help.
    Here are my logs.
     

  6. abri

    abri MajorGeek

    Hi mcchpt!
    Your logs are clean. If you feel that there could still be malware issues, I would point you at the thread called Alternate Scans where I recommend running through the BitDefender online scan. You have to use Internet Explorer for this particular scan. It's lengthy, but it picks up things other scans miss.

    Below are our final cleanup instructions which include erasing all previous restore points and setting a new clean one. At the end of the instructions, there's a link to How to protect yourself from Malware and it's a good idea to download and install Spyware Blaster. Take a look at that thread.

     
  7. mcchpt

    mcchpt Private E-2

    Everything seems to be working fine now. It's not quite as fast as before all the viruses started to show up, but that's probably because of the spyblaster, the new firewall and AVG anti-spyware that's now installed on my computer. I'm happy as long as it keeps this baby safe. Thank you so much for your time and your help, I'm glad I found this site.
     
  8. abri

    abri MajorGeek

    Hi mcchpt!

    You don't need to keep AVG Antispyware unless you are planning to purchase it. Spybot is not quite as bulky. Also, after you reset a clean restore point, it would probably be a good idea to defrag your computer if it hasn't been done for a while.

    Good luck with everything and come back if you find you are still having issues.

    abri
     
