GeekPolice

Malware that infected my wingate32.dll and explorer


Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 10:09 pm

I'm not really sure, but since my pc was infected, I can't play my favorite game anymore. It corrupts the gameguard which is why I can't play.

omnarchy
Novice
Novice

Status :
Online
Offline

Posts : 10
Joined : 2009-12-28
OS : Windows XP
Points : 25458
# Likes : 0

View user profile

Back to top Go down

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 10:09 pm

I hope this helps:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:30 AM, on 12/29/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\runwin32.exe
C:\WINDOWS\System32\system07.exe
C:\WINDOWS\System32\kloa.exe
C:\Program Files\IObit\Game Booster\gbtray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqcphf.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlxmrj.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [antike] wingate32.exe
O4 - HKLM\..\Run: [Internet Security Service] expllorer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Update] C:\Program Files\Common Files\System\klass.exe
O4 - HKLM\..\Run: [7389A2] C:\WINDOWS\System32\E00893\7389A2.EXE
O4 - HKLM\..\Run: [41C855] C:\WINDOWS\System32\2D32E6\41C855.EXE
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [Windosupdate manager] runwin32.exe
O4 - HKLM\..\Run: [Microsoft system07 Service] system07.exe
O4 - HKLM\..\Run: [Windows nt ] kloa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [antike] wingate32.exe
O4 - HKLM\..\RunServices: [Internet Security Service] expllorer.exe
O4 - HKLM\..\RunServices: [Windosupdate manager] runwin32.exe
O4 - HKLM\..\RunServices: [Microsoft system07 Service] system07.exe
O4 - HKLM\..\RunServices: [Windows nt ] kloa.exe
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [antike] wingate32.exe
O4 - HKCU\..\Run: [Windows nt ] kloa.exe
O4 - HKCU\..\Run: [Internet Security Service] expllorer.exe
O4 - HKUS\S-1-5-18\..\Run: [antike] wingate32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service] expllorer.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [antike] wingate32.exe (User 'Default user')
O4 - Startup: 7389A2.lnk = C:\WINDOWS\system32\E00893\7389A2.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\System32\GameMon.des.exe (file missing)

--
End of file - 5564 bytes

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Mon Dec 28, 2009 10:16 pm

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.
Actually, this doesn't surprise me, since you still have SP1 installed.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down
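
Belahzur's verdict rests on the HijackThis log posted above. The triage script below is an added example, not part of this thread and not part of HijackThis or any tool mentioned here; it applies, over a constructed sample of lines copied from that log, the kind of checks a helper makes by eye: processes launched from Temp or Downloads, a Windows component name living outside the Windows folder, a UserInit chain, a typo-squatted binary name, official-sounding Run entries that launch unknown files, random hex names under System32, and persistence in the RunServices and SYSTEM-account Run keys. The heuristics, their thresholds and the use of difflib similarity at 0.9 as the "lookalike" cut-off are my assumptions.

```python
import difflib
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread
# (three running processes, the F2 UserInit line and six O4 autostart entries).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqcphf.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\winlogon.scr
F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Internet Security Service] expllorer.exe
O4 - HKLM\..\Run: [Windows Update] C:\Program Files\Common Files\System\klass.exe
O4 - HKLM\..\Run: [7389A2] C:\WINDOWS\System32\E00893\7389A2.EXE
O4 - HKLM\..\RunServices: [antike] wingate32.exe
O4 - HKUS\S-1-5-18\..\Run: [antike] wingate32.exe (User 'SYSTEM')
"""
# Genuine Windows component names that malware likes to imitate or typo-squat.
WINDOWS_NAMES = {"explorer.exe", "winlogon.exe", "svchost.exe", "userinit.exe",
                 "lsass.exe", "services.exe", "smss.exe", "ctfmon.exe"}
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HEX_DIR_RE = re.compile(r"\\[0-9A-F]{6}\\[0-9A-F]{6}\.EXE$", re.I)  # e.g. \E00893\7389A2.EXE


def exe_name(cmd: str) -> str:
    """Lower-cased file name of the program a path or O4 command launches."""
    cmd = cmd.split(" (User ")[0].strip().strip('"')
    m = re.match(r'(.*?\.(?:exe|scr|com))("|\s|$)', cmd, re.I)  # paths may contain spaces
    return (m.group(1) if m else cmd.split()[0]).rsplit("\\", 1)[-1].lower()


def triage_line(line: str) -> list:
    """Heuristic reasons a single HijackThis line deserves a closer look."""
    reasons, low = [], line.lower()
    if m := O4_RE.match(line):
        key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
        exe = exe_name(cmd)
        if "RunServices" in key:  # Win9x-only key: NT ignores it, but malware still writes it
            reasons.append("RunServices autostart key")
        if key.startswith("HKUS\\S-1-5-18"):
            reasons.append("autostart under the SYSTEM account's Run key")
        # Near-identical to a real Windows binary name (expllorer.exe vs explorer.exe).
        if exe not in WINDOWS_NAMES and difflib.get_close_matches(exe, WINDOWS_NAMES, 1, 0.9):
            reasons.append("lookalike of a Windows binary name: " + exe)
        if re.search(r"windows|microsoft|security", name, re.I) and not re.search(r"\\microsoft|system32", cmd, re.I):
            reasons.append("official-sounding entry name launches a non-Microsoft file: " + exe)
        if HEX_DIR_RE.search(cmd):
            reasons.append("random hex folder and file name under System32")
    elif line.startswith("F2 - REG:system.ini: UserInit="):
        extra = [p for p in line.split("=", 1)[1].split(",") if p and exe_name(p) != "userinit.exe"]
        if extra:
            reasons.append("UserInit chains extra program(s): " + ",".join(extra))
    elif re.match(r"^[A-Z]:\\", line):  # a "Running processes" entry
        if "\\temp\\" in low or "\\downloads\\" in low:
            reasons.append("process running from a Temp or Downloads folder")
        if exe_name(line)[:-4] in {w[:-4] for w in WINDOWS_NAMES} and "\\windows\\" not in low:
            reasons.append("Windows component name running outside the Windows folder")
    return reasons


def triage(log: str) -> dict:
    """Map each suspicious HijackThis log line to its list of reasons."""
    return {ln: why for ln in log.splitlines() if ln.strip() and (why := triage_line(ln))}
```

Running `triage(SAMPLE_LOG)` flags eight of the ten sample lines and leaves the genuine smss.exe process and the SoundMan entry alone; a hit is a prompt for a closer look, not proof of infection.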

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 10:27 pm

Is there any other way for me to remove the malware besides formatting? It would be of great help..

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Mon Dec 28, 2009 10:29 pm

We can try, but like I said, the malware you've collected can cause a lot of damage and fixing the damage isn't always possible.

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 10:33 pm

Where do I start?

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Mon Dec 28, 2009 10:38 pm

It would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [You must be registered and logged in to see this link.]
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus scan is not present which should be able to deal with most and prevent further reinfection.

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 10:48 pm

I'm sad to say that when I open the installation file of "avira", it automatically closes, which means the installation does not finish. Other antivirus sites seem to be blocked by something too. Backup files are secured though..

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Mon Dec 28, 2009 10:50 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 11:26 pm

I'm not sure if I made it right, but when I started the "Combo-Fix" application.. There's a new folder in my drive C which is named "32788R22FWJFW"

Here are some screenshots related to this folder:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Mon Dec 28, 2009 11:27 pm

Don't worry about those, they contain Windows/Combofix files.

Do you have the log?

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 11:30 pm

I downloaded Combo-Fix exactly as you said and opened it.. It just loaded for a while and when the green bar is full (some kind of loading thingy), combo-fix suddenly disappeared.. Tried to do it many times, but same result. I'm not sure what to do next..

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Mon Dec 28, 2009 11:34 pm

Did you rename Combofix? Try renaming it to something random, then run it again.

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 11:41 pm

Yes, I renamed it during download. I redid it and renamed it as "Spaghetti" and the same stuff happened. Nothing new..

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Mon Dec 28, 2009 11:43 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Mon Dec 28, 2009 11:49 pm

I'm sorry to say that I can't access the link..

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Mon Dec 28, 2009 11:50 pm

See if you can access this link, looks like we're gonna have to chop this down bit by bit, the big guns are failing.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

Re: Malware that infected my wingate32.dll and explorer

Post by omnarchy on Wed Dec 30, 2009 10:08 am

I'm using a pc in an internet cafe right now.. Sorry for the very late reply. I lost my internet connection because I haven't paid my bills yet.. Do you think it will be wise if I consider your first option? (the one reformatting my pc without internet connection)

Re: Malware that infected my wingate32.dll and explorer

Post by Belahzur on Wed Dec 30, 2009 8:30 pm

Yes, that would be a wise choice if you ask me.
