Explorer, IE7 & Firefox end if Cc* accessed
#1
Posted 14 April 2007 - 05:18 PM
For a couple of weeks I have had a problem: I cannot run C*leaner from Explorer, or even type the word itself in IE or Firefox, without the application closing. This is similar to the C*leaner Crash thread, but I cannot read that thread at the moment, as the browser ends if I try to access it.
Today I have run BitDefender, Ad-aware, Spybot, SuperAntispyware and AVG as documented in the Spyware Removal Guide. These picked up a couple of minor things. I have also run the Prevx Gromozon removal tool, which said it did find the bug and removed it. I normally run the CA Security Suite with Pest Patrol and very rarely find anything doing weekly Spybot & Ad-aware runs. I cannot download or type Hi*ackThis in the browsers, as the same thing happens if I do. Can you suggest anything which may help, please?
Thanks very much,
Simon
#2
Posted 14 April 2007 - 07:33 PM
We've been seeing quite a bit of this trojan recently, so it should be simple enough to clear up; then we can check a HJT log for additional problems. First I need to confirm it is the same trojan, so can you run the following reg export and post back the results.
Go to Start Menu > Run > and copy and paste
cmd /c reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s>%systemdrive%\Result.txt && notepad %systemdrive%\Result.txt
Press OK and it will export some details from your Registry and write them to a text file named Result.txt, which will save to the C:\ drive and also open in Notepad. Please post the contents of that file back on here.
Can you also post the Gromozon log if you have used the Prevx tool; it will be saved as C:\Gromozon_removal.log
Thanks
Andy
#3
Posted 15 April 2007 - 02:42 PM
I have now run the export and also enclose the Gromozon log. Although I created this thread from the infected PC, I could not subsequently access the thread from the same computer, due to the previously mentioned problems, so this is coming over a remote terminal server.
cheers
Simon
Attached Files
#4
Posted 15 April 2007 - 03:18 PM
I've edited your post to remove the names of the programs being targeted, so hopefully you will be able to view it with the infected machine now.
Download LinkOptfix from Here and save it to your desktop
Copy and paste these instructions to Notepad and save it to your C:\ drive in case you need to access it without using the Start Menu later.
To run the fix, double click LinkOptfix.exe and it will create a new folder on your desktop named LinkOptfix. Open the newly created LinkOptfix folder and double click fix.bat; it will only take a few seconds to run. First it finds the trojan filename, creates a backups folder, moves the file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar), resets the permissions, then removes the trojan reg entry that's making it hook onto explorer and restarts explorer.exe. You should then be able to run HJT and post a log and also run C*leaner; if you can, then ignore the rest of this post and reply so we can check for remaining problems in a HJT log.
If explorer.exe doesn't restart after running the tool then you will have to remove its reg entry, which will be possible as the file would have been moved so it cannot load again or protect the reg entry. If explorer doesn't restart you will not be able to access the Start Menu, so press Control, Alt & Delete to open Task Manager, then click Applications and New Task; you can then click Browse to find the text file you saved with these instructions and click OK to open it. Then type Regedit into Task Manager > Applications > New Task and click OK to open the Registry Editor:
Click the [+] next to HKEY_LOCAL_MACHINE
Click the [+] next to SOFTWARE
Click the [+] next to Microsoft
Click the [+] next to Windows NT
Click the [+] next to CurrentVersion
Click the [+] next to Image File Execution Options
Scroll down the list and find explorer.exe, then right click it and choose Permissions. In the permissions for Everyone area, place a check next to Full Control, then click Apply and OK. Right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task, type explorer.exe and click OK, and it will restart.
You should not need the manual instructions as the fix tool should remove it fine, but it's best to provide an alternative method just in case it's needed.
Let me know if you have any problems or questions
Cheers
Andy
#5
Posted 15 April 2007 - 05:43 PM
Your little program worked perfectly and I have now downloaded and run the latest cleaner and downloaded HJT, which I will run later and then post the log.
Thank you very much for the help though.
cheers
Simon
#6
Posted 15 April 2007 - 05:57 PM
The tool has been used a few times on here without problems and has been used a lot by myself when I was testing the trojan, but we can never be sure if they will change it to start targeting the files I use in the script, which could then cause it to fail. The trojan is a pain because it removes permissions on its file and reg entry, so you cannot delete the file manually as you get access denied messages; if you reset the permissions on the reg entry and remove it then the trojan puts it straight back, and removing the file without the reg entry will mean explorer.exe cannot run. Plus it targets tools like Unlocker to make things even more difficult. Nice to see we got it without any problems though.
You can delete the LinkOptFix folder now as it contains a backup of the trojan file; also remove LinkOptFix.exe as it's not needed now. There may be another trojan hooking to the legit file userinit.exe, as it's been present on the last few systems that had this infection, but a HijackThis log will show if it's there and if there's any remaining junk to remove.
Cheers
Andy
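The Image File Execution Options hook described in posts #4 and #6 can be checked offline from the Result.txt that the reg.exe one-liner in post #2 produces. The script below is an example added here, not a tool from the thread or part of LinkOptfix: it parses `reg query ... /s` output, lists every image that carries a Debugger value (Windows starts that program in place of the named image), marks explorer.exe and userinit.exe as the hooks the thread names, and pulls out the debugger's executable path. The sample export and its PLACEHOLDER file names are constructed, not taken from Simon's machine.

```python
"""Audit an Image File Execution Options (IFEO) export for Debugger hooks.

Input is the text written by the thread's reg.exe one-liner
(reg query "...\\Image File Execution Options" /s > Result.txt).  Any subkey
with a Debugger value makes Windows launch that program instead of the named
image, which is how the trojan in this thread hooks explorer.exe.
Example added to this page, not a tool from the thread.
"""
import re
import sys

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Images the thread reports being hooked; a Debugger here breaks the shell/logon.
HIGH_IMPACT = {"explorer.exe", "userinit.exe"}

# Subkey line: the IFEO path followed by exactly one more path component.
KEY_RE = re.compile(re.escape(IFEO_KEY) + r"\\([^\\]+)$", re.IGNORECASE)
# Value line as printed by reg.exe: <indent><name> <REG_TYPE> <data>
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_ifeo(export_text):
    """Map each IFEO subkey (lower-cased image name) to its {value name: data}."""
    entries, current = {}, None
    for raw in export_text.splitlines():
        line = raw.rstrip()
        if line.upper().startswith("HKEY_"):
            m = KEY_RE.match(line.strip())
            current = m.group(1).lower() if m else None  # root key names no image
            if current is not None:
                entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            entries[current][name.lower()] = data.strip()
    return entries


def debugger_path(data):
    """Executable named by a Debugger value ('"C:\\a b.exe" /x' -> 'C:\\a b.exe')."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def find_debuggers(entries):
    """Return sorted (image, debugger_data, high_impact) for every hooked image."""
    return sorted((image, values["debugger"], image in HIGH_IMPACT)
                  for image, values in entries.items() if values.get("debugger"))


def report(export_text):
    """Human-readable lines for each Debugger hook found in the export."""
    lines = []
    for image, data, high in find_debuggers(parse_ifeo(export_text)):
        tag = "HIGH IMPACT" if high else "hook"
        lines.append(f"{tag}: {image} -> {debugger_path(data)}")
    return lines or ["no Debugger values under IFEO"]


# Constructed sample in reg.exe's output format; the PLACEHOLDER names stand in
# for whatever a real export shows.  The first subkey is a stock benign entry.
SAMPLE_EXPORT = "\n".join([
    IFEO_KEY,
    "",
    IFEO_KEY + r"\Your Image File Name Here without a path",
    "    GlobalFlag    REG_SZ    0x00000000",
    "",
    IFEO_KEY + r"\explorer.exe",
    r"    Debugger    REG_SZ    C:\WINDOWS\system32\PLACEHOLDER.exe",
    "",
    IFEO_KEY + r"\hijackthis.exe",
    r'    Debugger    REG_SZ    "C:\Program Files\Common Files\PLACEHOLDER2.exe" /q',
    "",
])

if __name__ == "__main__":
    # Usage: python ifeo_audit.py C:\Result.txt   (no argument: run on the sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print("\n".join(report(text)))
```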
#7
Posted 16 April 2007 - 02:22 PM
I have taken a HJT snapshot and enclosed it with this mail. I will be interested in your opinion.
cheers
Simon
hijackthis.txt 8.93K
#8
Posted 16 April 2007 - 02:53 PM
That looks good, just a few entries to fix to clean up a bit; then it's best to run a rootkit scan and an online malware scan to make sure there are no remaining trojans, as you have had a nasty infection on your system.
First, you have HijackThis in the temp folders so it needs moving before we start. HijackThis creates backups of everything that is fixed, and if it is left in the temporary folder you may lose the backups if you clear the temp files at any time. It's easier to go to the Add/Remove screen (Start Menu > Control Panel > Add/Remove Programs) and remove HijackThis from the system, then download it again from Here:
http://www.merijn.or.../hijackthis.zip
Do not run it from the download link, but first save it to your C:\ drive so it's in a permanent folder.
Run HijackThis and choose Do A System Scan, then place a check next to these entries:
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AC2B37E0-0C33-7560-247C-8DC0A4B9EADF} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - ht*p://software-dl.real.com/205856704b543f751c14/netzip/RdxIE601.cab
Close all open browser and other windows except for HijackThis and press the Fix Checked button.
Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.
Finally run Kaspersky WebScanner
- Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files,
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Cheers
Andy
#9
Posted 18 April 2007 - 05:42 PM
Here I am again with the logs you requested.
I find it somewhat worrying that almost every scan with a different utility finds new infections, as I always run Pest Patrol, ZoneAlarm and CA Antivirus permanently. I usually also run Ad-aware and Spybot weekly.
I will have to read the forum recommendations after this examination is finished.
cheers
Simon
Attached Files
#10
Posted 18 April 2007 - 06:26 PM
I'll check them over and reply again. The formatting of the Kaspersky log makes it very difficult to read, so copying and pasting the results into the topic is probably better if we need any more; each line just continues into the next so I cannot see what has been found yet, but I'll sort through it first then reply again.
Can you do this for now: go to Start > Control Panel > User Accounts and check how many accounts there are. If there is an account that you didn't create yourself, please let me know.
Thanks
#11
Posted 18 April 2007 - 06:58 PM
Download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.
Please do this next part in Safe Mode, as all the files are currently locked so we may not be able to get a copy of them in Normal Mode. Copy these instructions to Notepad and save it to your desktop so you can follow them in Safe Mode.
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
Please copy the following lines into the Step 1: Paste Text window:
C:\Program Files\Common Files\Microsoft Shared\aoE.exe
C:\Program Files\Common Files\Microsoft Shared\ebYKO.exe
C:\Program Files\Common Files\Microsoft Shared\foAA.exe
C:\Program Files\Common Files\Microsoft Shared\GXccbF.exe
C:\Program Files\Common Files\Microsoft Shared\hSTG.exe
C:\Program Files\Common Files\Microsoft Shared\JeL.exe
C:\Program Files\Common Files\Microsoft Shared\lSS.exe
C:\Program Files\Common Files\Microsoft Shared\MsZ.exe
C:\Program Files\Common Files\Microsoft Shared\pUPz.exe
C:\Program Files\Common Files\Microsoft Shared\pWjy.exe
C:\Program Files\Common Files\Microsoft Shared\udB.exe
C:\Program Files\Common Files\Microsoft Shared\uilPFc.exe
C:\Program Files\Common Files\Microsoft Shared\WePU.exe
C:\Program Files\Common Files\Microsoft Shared\wNu.exe
C:\Program Files\Common Files\Microsoft Shared\xHW.exe
C:\Program Files\Common Files\Microsoft Shared\xYra.exe
C:\Program Files\Common Files\Microsoft Shared\zIk.exe
C:\_cleaned.tmp
then click "Continue".
This will create a .cab file on your desktop named requested-files[Date/Time].cab
Please check the accounts while you're in Safe Mode and see if there are any that you didn't create (ignore the Guest account and ASPNET if it's there).
Then reboot back to Normal Mode by restarting the PC. Next, please visit the SpyKillers forum here:
http://www.thespykil...x.php?board=1.0
Read the instructions for uploading files, which is the first topic on the forum, then start a new topic named 'Files for AndyManchesta'. Please then post a link to this thread and upload the requested-files.cab archive from your desktop.
Next, delete the gromozon_removal log from the C:\ drive, as we will be using it again and I want to make sure the results given are the latest:
Download the Gromozon remover from here if you do not still have it installed
http://www.prevx.com/gromozon.asp
Run the tool and follow the prompts; click No if it prompts you to install Prevx, as it's a trial version and isn't required here. When it's finished, please post the gromozon_removal.log into your next reply.
Please upload the requested-files.cab so I can test them, let us know about the user accounts, and post back the Gromozon removal log to see if it's still finding an active infection.
Cheers
Andy
#12
Posted 18 April 2007 - 08:04 PM
There is only one account on my system and that is 'Simon'.
I have also uploaded the cab data as you requested to SpyKillers and will upload the gromozon_removal.log here.
Here is a copy of the kavscan.log should you need it.
cheers,
and probably goodnight as it's getting late here,
Simon
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 18, 2007 7:31:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/04/2007
Kaspersky Anti-Virus database records: 298921
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 65128
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:45:07
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\fSyVRgK\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\fSyVRgK\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\fSyVRgK\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Simon\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Temp\PXR3A.tmp Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Temp\PXR40.tmp Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Simon\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Simon\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Simon\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\aoE.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\ebYKO.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\foAA.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\GXccbF.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\hSTG.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\JeL.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\lSS.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\MsZ.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\pUPz.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\pWjy.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\udB.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\uilPFc.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\WePU.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\wNu.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\xHW.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\xYra.exe Object is locked skipped
C:\Program Files\Common Files\Microsoft Shared\zIk.exe Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP101\A0011345.exe/stream Infected: Trojan.Win32.DNSChanger.iv skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP101\A0011345.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP102\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\DJTP451J.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{41DE7732-A67A-47E7-BD23-C7AAF470069F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT052f1.TMP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_cleaned.tmp Object is locked skipped
Scan process completed.
Attached Files
#13
Posted 18 April 2007 - 08:10 PM
I'll take a look at these files first, then it will be easier to comment. Kaspersky is showing an account named fSyVRgK on your system; can you see if you can view that folder:
C:\Documents and Settings\fSyVRgK
I know Gromozon can create user accounts, so I'm not sure at the moment if this is a hidden account or a leftover folder from when the infection was active. The fact that it's got files which are locked, and there are also a lot of random-named files which are also locked, means it's likely there are still some problems to deal with, but I'll take a look at these files, if it was able to pack them, then reply again.
Thanks
#14
Posted 18 April 2007 - 08:20 PM
If I uncheck 'Hide protected operating system files' then I can indeed see this account.
The files contained therein are dated 10/06/2004, which is about 4 days before I received the laptop from Dell.
cheers again,
Simon
#15
Posted 18 April 2007 - 08:34 PM
None of the files were packed, so they may be in use or you do not have permission to access them. Let's try removing them as they are clearly not legit files.
1. Please download The Avenger by Swandog46 to your Desktop
- Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
Files to Delete:
C:\Program Files\Common Files\Microsoft Shared\aoE.exe
C:\Program Files\Common Files\Microsoft Shared\ebYKO.exe
C:\Program Files\Common Files\Microsoft Shared\foAA.exe
C:\Program Files\Common Files\Microsoft Shared\GXccbF.exe
C:\Program Files\Common Files\Microsoft Shared\hSTG.exe
C:\Program Files\Common Files\Microsoft Shared\JeL.exe
C:\Program Files\Common Files\Microsoft Shared\lSS.exe
C:\Program Files\Common Files\Microsoft Shared\MsZ.exe
C:\Program Files\Common Files\Microsoft Shared\pUPz.exe
C:\Program Files\Common Files\Microsoft Shared\pWjy.exe
C:\Program Files\Common Files\Microsoft Shared\udB.exe
C:\Program Files\Common Files\Microsoft Shared\uilPFc.exe
C:\Program Files\Common Files\Microsoft Shared\WePU.exe
C:\Program Files\Common Files\Microsoft Shared\wNu.exe
C:\Program Files\Common Files\Microsoft Shared\xHW.exe
C:\Program Files\Common Files\Microsoft Shared\xYra.exe
C:\Program Files\Common Files\Microsoft Shared\zIk.exe
C:\_cleaned.tmp
3. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Paste the text copied to clipboard into this window by pressing (Ctrl+V).
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
- It will Restart your computer.
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Cheers
#16
Posted 19 April 2007 - 03:00 PM
I have created the fSyVRgK.zip but it's over 9M so I have not uploaded it.
The avenger.txt is enclosed. The /avenger/backup.zip was created ok.
cheers
Simon
Attached Files
#17
Posted 19 April 2007 - 04:06 PM
I'd like to see this folder so I can determine if it's malicious or not, and also try to get samples of the files Avenger removed so I can test them.
Please upload the Avenger\backup.zip to your topic on SpyKillers and also upload the fSyVRgK.zip file if you're able to. I think it will be fine to upload a 9MB folder on there, although it may take a while to upload, but let me know if you have problems.
Can you also run the following to see if there are any more files in that Microsoft Shared folder:
Go to Start > Run > and copy and paste
cmd /c dir /a-d "%commonprogramfiles%\Microsoft Shared\*">%systemdrive%\result.txt & start notepad %systemdrive%\result.txt
Then post back the Result.txt, which will save to C:\ and also open in Notepad.
Thanks
#18
Posted 19 April 2007 - 05:06 PM
I have done that and uploaded both files to spykillers.
The results of your exec are here.
cheers
Simon
Attached Files
#19
Posted 19 April 2007 - 07:47 PM
Avenger wasn't able to create backups, which is a shame, but it's great to see they were removed; the backup.zip from Avenger just contained a text file showing it removed the files. I suspect fSyVRgK is a hidden account set up by Gromozon so it can deny access to its files, which is possibly why Avenger failed to create backups and why Kaspersky couldn't scan them. You can delete the fSyVRgK.zip you uploaded and the C:\Avenger folder.
I'd like to get a few more reg exports from your system, then take it from there.
Go to Start > Run > copy and paste
cmd /c net user>%systemdrive%\user.txt & start notepad %systemdrive%\user.txt
Press OK and post the contents of the C:\user.txt file back on here.
Go to Start > Run > copy and paste
cmd /c regedit.exe /a/e %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" & start notepad %systemdrive%\regresult.txt
Press OK and post the contents of C:\regresult.txt back.
Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall
Finally download GetServices from HERE
Extract the zip file, then open the getservice folder and double click getservice.bat. When it is completed a Notepad window will open with a lot of information; please attach that to your next post.
Please copy/paste or attach the logs into your next reply,
Thanks
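The hidden-account question running from post #10 through post #19 is settled by comparing three sources: the `net user` listing, the regedit export of Winlogon\SpecialAccounts\UserList (a value of 0 hides an account from the Welcome screen and the User Accounts applet), and the profile folder names under Documents and Settings. The script below is an example added here, not one of the tools from the thread; the `net user` and REGEDIT4 texts are constructed to mirror the fSyVRgK case, and the folder names are the ones visible in the Kaspersky log above.

```python
"""Cross-check the account sources collected in this thread: `net user`
output, the REGEDIT4 export of Winlogon\\SpecialAccounts\\UserList, and the
profile folder names under Documents and Settings.  A UserList dword of 0
hides an account from the logon UI, so Control Panel can show one user while
`net user` shows two.  Example added to this page; sample texts are constructed."""
import re

BUILTIN_ACCOUNTS = {"administrator", "guest", "helpassistant", "support_388945a0", "aspnet"}
SYSTEM_PROFILES = {"all users", "default user", "localservice", "networkservice"}


def parse_net_user(text):
    """Account names from `net user`, which prints them in space-padded columns."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table and line.strip():
            names.extend(re.split(r"\s{2,}", line.strip()))
    return names


def parse_userlist_export(text):
    """{account: dword} from a REGEDIT4 export of SpecialAccounts\\UserList."""
    pattern = r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$'
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, text, re.MULTILINE)}


def audit_accounts(net_user_text, userlist_text, profile_folders, expected_users):
    """Findings the helper in this thread looks for, as plain strings."""
    findings = []
    accounts = parse_net_user(net_user_text)
    known = {a.lower() for a in accounts}
    expected = {e.lower() for e in expected_users} | BUILTIN_ACCOUNTS
    for name, flag in parse_userlist_export(userlist_text).items():
        if flag == 0:
            findings.append(f"{name}: hidden from the logon screen via SpecialAccounts\\UserList")
    for name in accounts:
        if name.lower() not in expected:
            findings.append(f"{name}: local account the owner did not create")
    for folder in profile_folders:
        if folder.lower() not in SYSTEM_PROFILES and folder.lower() not in known:
            findings.append(f"{folder}: profile folder with no matching local account")
    return findings


# Constructed samples mirroring the case discussed in posts #13 to #19.
NET_USER_SAMPLE = """\
User accounts for \\\\LAPTOP

-------------------------------------------------------------------------------
Administrator            fSyVRgK                  Guest
HelpAssistant            Simon                    SUPPORT_388945a0
The command completed successfully.
"""
USERLIST_SAMPLE = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList]
"fSyVRgK"=dword:00000000
"""
# Folder names as they appear in the Kaspersky log earlier in the thread.
PROFILE_FOLDERS = ["All Users", "Default User", "fSyVRgK", "LocalService", "NetworkService", "Simon"]

if __name__ == "__main__":
    for finding in audit_accounts(NET_USER_SAMPLE, USERLIST_SAMPLE, PROFILE_FOLDERS, ["Simon"]):
        print(finding)
```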
#20
Posted 20 April 2007 - 01:55 PM
The latest logs are now attached.
cheers
Simon