Trojan/spyware

Please download and install:
Java Runtime 6

Please disable all anti-virus and anti-spyware programs while we do the following:

* Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
* On the page that opens, scroll down to Boonty Games
* then right click the entry, select Properties and press Stop Service.
* When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
* Click OK until you get back to Windows.

* Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
* At the lower right, click on the Config button
* Then click the Misc tools button
* Select Delete an NT Service
* Copy/paste BOONTY into the box that opens, and press OK
* If you receive any error messages just ignore them and continue.
* Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Run C:\MGtools\analyse.exe again by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

 

Tim,

Did you notice the MemSweep2 rootkit?

 

No I didn't ...thanks Chas.

Please download GMER and save it to your desktop:

• Unzip (extract) it to your desktop.
• Disconnect from Internet and close all running programs.
• There is a small chance this application may crash your computer so save any work you have open.
• Double-click gmer.exe to run it.
• Let the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
• Click the Rootkit tab.
• Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
• Then click the Scan button. Wait for the scan to finish.
• Once done, click the Copy button.
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

 

It can be confusing ...try running the HJT again but instead of Boonty paste in:
Boonty Games

see if it works then....and is it still in the services.msc?

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Tell me how things are running.

 

Sweet ...Your logs look clean.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
10. If you are running Windows XP or Windows ME, do the below:
* Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

 

Tim,

You never fix the registry keys from the Memsweep2 rootkit. Also you did not delete the related file at: C:\WINDOWS\system32\24.tmp

 

Removed the reg key in post $6 ...and the system32\24.tmp isn't in the logs.

 

That is not the registry key for MemSweep2. It is is a service and will have keys like you see for CmdService and similar. The file may not show in normal logs due to how it is hidden. It did show in ComboFix. Below is an example of what MemSweep2 could put in the registry:

 

Just so the search engines will finally have correct information about MEMSWEEP2 and going to post what I have found out doing some experimenting.

MEMSWEEP2 is not a malware rootkit. It is a bunch of registry keys that are added when Sophos AntiRootkit is run (you have to run it - just installing it does not add the keys). It is poor programming practices by Sophos for not cleaning this up after the tool is run. They also do not clean it up after uninstalling. They should know better than to do something like this that is going to get detected and questioned by everyone.

Now that being said, it still would not hurt anything to remove the registry keys since they are not required and it will prevent anything else from detecting it as a problem.