TrojWare.Win32.GameThief.Magania.~YB@225330048

The first instance of a file with this on it was August 12th, but it has shown up since then in multiple files, and I find it safe to believe it is the source of my problem of opening .exes and them being unable to run, and subsequently removed. It has been shown as the virus on 13 quarantines.

Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

Welcome to the forums.

Download Farbar Recovery Scan Tool and save it to a flash drive.


Depending on your type of system, you will have to select 32-bit or 64-bit accordingly. How do I tell?

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

      Startup Repair
      System Restore
      Windows Complete PC Restore
      Windows Memory Diagnostic Tool
      Command Prompt


  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button. It will do its scan and save a log on your flash drive.
  • Close out of the message after that, then type in the text services.exe into the "Search:" text box. Then, press the Search file(s) button.
    When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
  • Type exit in the Command Prompt window and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive and also the search.txt logfile, please copy and paste the logs in your reply.

Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

Hi! Are you still with us? Update us on the situation, please so we can help best.

Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

I'm sorry, I've been busy lately. I just need to get a flashdrive. Would a disk work?

Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

If you want to do something alternate, please do the following...

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.


  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan



  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.



  • The report has been created on the desktop.


  • Next click on the ShortcutsFix

  • The report has been created on the desktop.

Please post:

All RKreport.txt text files located on your desktop.

Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

Rkill 2.3.15 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/15/2012 11:39:39 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\Dell\Desktop\rkill\rkill-09-15-2012-11-40-22.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* C:\Windows\System32\user32.dll [NoSig]
+-> C:\Windows\SysWOW64\user32.dll : 833,024 : 04/03/2012 01:44 PM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]
+-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1,008,128 : 11/20/2010 09:24 PM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
+-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll : 833,024 : 11/20/2010 09:24 PM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]

Program finished at: 09/15/2012 11:40:53 PM
Execution time: 0 hours(s), 1 minute(s), and 13 seconds(s)

Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dell [Admin rights]
Mode : Scan -- Date : 09/15/2012 23:52:04

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OEM13Mon.exe -- C:\Windows\OEM13Mon.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : OEM13Mon.exe (C:\Windows\OEM13Mon.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : HotSync ("C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{40E4B79D-1676-4AE2-BDF8-CCD6D35F0A1B} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{926AB51B-BB5C-416A-BD0D-1B57B7DA971C} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{40E4B79D-1676-4AE2-BDF8-CCD6D35F0A1B} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{926AB51B-BB5C-416A-BD0D-1B57B7DA971C} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: INTEL SSDSA2M080G2GC ATA Device +++++
--- User ---
[MBR] 4309120b43d25fd248bc6ad29956d0df
[BSP] 5fade2d99765f47f94e3f4b363b2588c : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 73683 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Flashdrive 501B USB Device +++++
--- User ---
[MBR] 0a1e94cdb76d678969989e92bca1cb94
[BSP] 10493e7a8e99953eb32f5c42ee82aa79 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16-LBA (0x0e) [VISIBLE] Offset (sectors): 32 | Size: 120 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt
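
The scan report above is worth reading beyond "FOUND": a [DNS] line only says that a static NameServer value is set on an interface, so it has to be judged against the resolvers the machine is supposed to use, and a hosts file that sends crl.verisign.net to 127.0.0.1 blocks a certificate revocation endpoint, which matters regardless of why the Adobe activation hostnames are in the same file. The Python script below is an added example, not RogueKiller's code and not something posted by either participant. It parses a RogueKiller-style report into structured findings and rates them against a baseline. The EXPECTED_DNS and REVOCATION_HOSTS lists are assumptions made for the example, and the sample report is a constructed excerpt modelled on the one above with one invented resolver (10.0.0.53) so the baseline check has something to catch.

```python
"""Triage a RogueKiller-style report: extract the findings and rate them.

Added example for this thread, not RogueKiller's code and not posted by
either participant.  The baseline lists below are assumptions."""
import re
from ipaddress import ip_address

# Resolvers this machine is expected to use (assumed baseline).  RogueKiller
# reports every static NameServer value; whether it matters depends on the
# address, so the example compares against a known list.
EXPECTED_DNS = {"8.26.56.26", "156.154.70.22"}

# Hosts that serve certificate revocation data; pointing them at loopback
# silently disables revocation checking.  (Assumed list.)
REVOCATION_HOSTS = {"crl.verisign.net", "crl.microsoft.com"}

PROC_RE = re.compile(r"^\[SUSP PATH\] (?P<name>\S+) -- (?P<path>.+?) -> (?P<state>.+)$")
RUN_RE = re.compile(r"^\[RUN\].*?\\Run : (?P<name>\S+) \((?P<cmd>.+)\) -> (?P<state>.+)$")
DNS_RE = re.compile(r"^\[DNS\] .*?NameServer \((?P<servers>[^)]+)\) ->")
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<names>\S.*)$")
MBR_RE = re.compile(r"^\[BSP\] (?P<md5>[0-9a-f]{32}) : (?P<desc>.+)$")

# Constructed excerpt modelled on the scan report in the thread; the
# 10.0.0.53 resolver is invented so the baseline check has something to catch.
SAMPLE_REPORT = r"""
¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OEM13Mon.exe -- C:\Windows\OEM13Mon.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : OEM13Mon.exe (C:\Windows\OEM13Mon.exe) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : HotSync ("C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{40E4B79D-1676-4AE2-BDF8-CCD6D35F0A1B} : NameServer (8.26.56.26,156.154.70.22) -> FOUND
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{926AB51B-BB5C-416A-BD0D-1B57B7DA971C} : NameServer (8.26.56.26,10.0.0.53) -> FOUND

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 activate.adobe.com practivate.adobe.com ereg.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net

¤¤¤ MBR Check: ¤¤¤
[BSP] 5fade2d99765f47f94e3f4b363b2588c : Windows 7 MBR Code
[BSP] 10493e7a8e99953eb32f5c42ee82aa79 : MBR Code unknown
"""


def parse_report(text):
    """Walk the report section by section and collect structured findings."""
    f = {"procs": [], "run": [], "dns": set(), "hosts": {}, "mbr": []}
    section = ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("¤¤¤"):            # section banner, e.g. ¤¤¤ HOSTS File: ¤¤¤
            section = line.strip("¤ ")
        elif section.startswith("Bad processes") and (m := PROC_RE.match(line)):
            f["procs"].append((m["name"], m["path"], m["state"]))
        elif section.startswith("Registry Entries") and (m := RUN_RE.match(line)):
            f["run"].append((m["name"], m["cmd"], m["state"]))
        elif section.startswith("Registry Entries") and (m := DNS_RE.match(line)):
            f["dns"].update(s.strip() for s in m["servers"].split(","))
        elif section.startswith("HOSTS File") and (m := HOSTS_RE.match(line)):
            for name in m["names"].split():      # first mapping wins, case-folded
                f["hosts"].setdefault(name.lower(), m["ip"])
        elif section.startswith("MBR Check") and (m := MBR_RE.match(line)):
            f["mbr"].append((m["md5"], m["desc"]))
    return f


def assess(f):
    """Turn findings into review notes; an empty list means nothing to look at."""
    notes = [f"process {n} running from {p} ({s})" for n, p, s in f["procs"]]
    notes += [f"autorun {n}: {c} ({s})" for n, c, s in f["run"]]
    for server in sorted(f["dns"]):
        try:
            ip_address(server)
        except ValueError:
            notes.append(f"unparseable NameServer value {server!r}")
            continue
        if server not in EXPECTED_DNS:
            notes.append(f"unexpected static DNS server {server}")
    # Anything other than localhost that resolves to loopback is a redirection.
    redirected = sorted(n for n, ip in f["hosts"].items()
                        if n != "localhost" and ip.startswith("127."))
    if redirected:
        notes.append(f"{len(redirected)} hostnames redirected to loopback in hosts file")
    notes += [f"hosts file blocks revocation endpoint {n}"
              for n in redirected if n in REVOCATION_HOSTS]
    notes += [f"boot code {md5} not recognised: {d}"
              for md5, d in f["mbr"] if "unknown" in d.lower()]
    return notes


if __name__ == "__main__":
    for note in assess(parse_report(SAMPLE_REPORT)):
        print("-", note)
```

Run it on a saved RKreport file by replacing SAMPLE_REPORT with the file's contents. The MBR check in the report is a hash comparison against boot code RogueKiller knows; "MBR Code unknown" on a removable drive, as here, usually just means a vendor formatter wrote its own boot sector, so the note is a prompt to look, not a verdict.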


Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dell [Admin rights]
Mode : Remove -- Date : 09/15/2012 23:52:19

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OEM13Mon.exe -- C:\Windows\OEM13Mon.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : OEM13Mon.exe (C:\Windows\OEM13Mon.exe) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Wow6432Node\Run : HotSync ("C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers) -> DELETED
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{40E4B79D-1676-4AE2-BDF8-CCD6D35F0A1B} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet001\Services\Interfaces\{926AB51B-BB5C-416A-BD0D-1B57B7DA971C} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{40E4B79D-1676-4AE2-BDF8-CCD6D35F0A1B} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[DNS] HKLM\[...]\ControlSet002\Services\Interfaces\{926AB51B-BB5C-416A-BD0D-1B57B7DA971C} : NameServer (8.26.56.26,156.154.70.22) -> NOT REMOVED, USE DNSFIX
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 3dns.adobe.com 3dns-1.adobe.com 3dns-2.adobe.com 3dns-3.adobe.com 3dns-4.adobe.com activate.adobe.com activate-sea.adobe.com activate-sjc0.adobe.com activate.wip.adobe.com
127.0.0.1 activate.wip1.adobe.com activate.wip2.adobe.com activate.wip3.adobe.com activate.wip4.adobe.com adobe-dns.adobe.com adobe-dns-1.adobe.com adobe-dns-2.adobe.com adobe-dns-3.adobe.com adobe-dns-4.adobe.com
127.0.0.1 adobeereg.com practivate.adobe practivate.adobe.com practivate.adobe.newoa practivate.adobe.ntp practivate.adobe.ipp ereg.adobe.com ereg.wip.adobe.com ereg.wip1.adobe.com
127.0.0.1 ereg.wip2.adobe.com ereg.wip3.adobe.com ereg.wip4.adobe.com hl2rcv.adobe.com wip.adobe.com wip1.adobe.com wip2.adobe.com wip3.adobe.com wip4.adobe.com
127.0.0.1 www.adobeereg.com wwis-dubc1-vip60.adobe.com www.wip.adobe.com www.wip1.adobe.com
127.0.0.1 www.wip2.adobe.com www.wip3.adobe.com www.wip4.adobe.com wwis-dubc1-vip60.adobe.com crl.verisign.net CRL.VERISIGN.NET ood.opsource.net


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: INTEL SSDSA2M080G2GC ATA Device +++++
--- User ---
[MBR] 4309120b43d25fd248bc6ad29956d0df
[BSP] 5fade2d99765f47f94e3f4b363b2588c : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 73683 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: Flashdrive 501B USB Device +++++
--- User ---
[MBR] 0a1e94cdb76d678969989e92bca1cb94
[BSP] 10493e7a8e99953eb32f5c42ee82aa79 : MBR Code unknown
Partition table:
0 - [ACTIVE] FAT16-LBA (0x0e) [VISIBLE] Offset (sectors): 32 | Size: 120 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Dell [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/15/2012 23:53:15

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] OEM13Mon.exe -- C:\Windows\OEM13Mon.exe -> KILLED [TermProc]

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 279 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 143 / Fail 0
My documents: Success 1 / Fail 1
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 31 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 113 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped
[E:] \Device\HarddiskVolume2 -- 0x2 --> Restored

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

ComboFix

Please download ComboFix by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:

  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:

  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:

  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:


  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.

Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.


NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Re: TrojWare.Win32.GameThief.Magania.~YB@225330048

This came up:
"'c.bat' is not recognized as an internal or external command,
operable program or batch file.

C:\svchost.exe "
in a command prompt after the software finished doing its thing.

Re: TrojWare.Win32.GameThief.Magania.~YB@225330048


  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan



  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.



  • The report has been created on the desktop.


  • Next click on the ShortcutsFix

  • The report has been created on the desktop.

Please post:

All RKreport.txt text files located on your desktop.

Then try ComboFix again.
