Malware?


Post by kwyyl on 22nd November 2010, 5:01 pm

I used Malwarebytes and now only one website works. Everything else seems to work. Can anyone help me?


Re: Malware?

Post by Dr Jay on 22nd November 2010, 9:08 pm

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.] (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run, then copy/paste the following command into the Run box & click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)




Re: Malware?

Post by kwyyl on 22nd November 2010, 10:17 pm

It's working now.

ComboFix 10-11-22.02 - Admin 11/22/2010 14:40:37.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478.143 [GMT -7:00]
Running from: E:\combo-fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Admin\LOCALS~1\Temp\jna5476110798153351952.dll
c:\documents and settings\Admin\Local Settings\Temp\jna5476110798153351952.dll
c:\windows\Xkapua.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
.

2010-11-21 03:53 . 2010-11-21 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\T-Mobile
2010-11-21 03:50 . 2010-11-21 03:50 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-11-21 00:17 . 2010-11-21 00:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PackageAware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 21:59 . 2010-11-20 21:59 -------- d--h--w- c:\windows\PIF
2010-11-20 20:07 . 2010-11-20 20:17 -------- d-----w- c:\documents and settings\Admin\Application Data\GetRightToGo
2010-11-20 08:04 . 2010-11-20 08:04 105984 --sha-r- c:\windows\system32\rtutilsh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\inf\WG511v2\snetcfg .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-01-06 3552256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-11-02 26112]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-14 229438]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-2-21 600904]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-10 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG511v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG511v2\WG511v2.exe [2007-6-26 1499136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-02-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 21:58]

2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{97C9DE83-BE45-4951-829E-8AC1625FF1F0}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 10:05]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride =
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-11-22 14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?5?5?4??????? ???B?????????????H
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1344)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
.
**************************************************************************
.
Completion time: 2010-11-22 14:57:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-22 21:57

Pre-Run: 65,158,811,648 bytes free
Post-Run: 65,815,916,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A3B19A5FF7342204E47646E91315D2D2


Re: Malware?

Post by Belahzur on 23rd November 2010, 12:57 am

Hello.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    RenV::
    c:\windows\inf\WG511v2\snetcfg .exe

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:23012
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


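The first ComboFix log explains the symptom: Internet Settings carried a ProxyServer entry pointing at a process on the local machine (127.0.0.1:23012), so every page was routed through it, and the Find3M report listed a file whose name has a space before its extension (snetcfg .exe). Those are exactly the two items the CFScript above resets (DDS::) and renames (RenV::). The following Python script is an added example, not from this thread or from ComboFix's authors: it splits a constructed ComboFix-style excerpt (modelled on the posted log, an assumption) into its banner sections, flags both indicators, and renders them in the CFScript layout used here.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = """\
(((((( Find3M Report ))))))
c:\\windows\\inf\\WG511v2\\snetcfg .exe
------- Supplementary Scan -------
uStart Page = hxxp://example.invalid/
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride =
"""

BANNER_RE = re.compile(r"^[(-]+\s*(.+?)\s*[)-]+$")  # "((( Name )))" or "--- Name ---"
LOOPBACK_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.\d+\.\d+\.\d+|localhost)", re.I)
ODD_NAME_RE = re.compile(r"^\S.*\S\s+\.(?:exe|dll|sys|scr|com)$", re.I)  # "snetcfg .exe"

def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections

def triage(text: str) -> Dict[str, object]:
    """Flag a loopback browser proxy and Find3M names with whitespace before the extension."""
    s = split_sections(text)
    proxy = [l for l in s.get("Supplementary Scan", []) if l.startswith("uInternet Settings,Proxy")]
    return {
        "loopback_proxy": any(LOOPBACK_RE.search(l) for l in proxy),
        "proxy_lines": proxy,
        "odd_filenames": [l for l in s.get("Find3M Report", []) if ODD_NAME_RE.match(l)],
    }

def build_cfscript(report: Dict[str, object]) -> str:
    """Render findings as CFScript text: RenV:: files to rename, DDS:: settings to reset."""
    parts = []
    if report["odd_filenames"]:
        parts.append("RenV::\n" + "\n".join(report["odd_filenames"]))
    if report["loopback_proxy"]:
        parts.append("DDS::\n" + "\n".join(report["proxy_lines"]))
    return "\n\n".join(parts) + ("\n" if parts else "")
```

Running `build_cfscript(triage(SAMPLE_LOG))` reproduces the RenV:: and DDS:: blocks in the same layout as the helper's script; a proxy line outside the Supplementary Scan section is deliberately ignored.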

Re: Malware?

Post by kwyyl on 23rd November 2010, 1:44 am

ComboFix 10-11-22.04 - Admin 11/22/2010 18:26:36.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478.186 [GMT -7:00]
Running from: E:\combo-fix.exe
Command switches used :: E:\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Admin\LOCALS~1\Temp\jna7411195242135381786.dll
c:\documents and settings\Admin\Local Settings\Temp\jna7411195242135381786.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

2010-11-21 03:53 . 2010-11-21 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\T-Mobile
2010-11-21 03:50 . 2010-11-21 03:50 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-11-21 00:17 . 2010-11-21 00:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PackageAware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 21:59 . 2010-11-20 21:59 -------- d--h--w- c:\windows\PIF
2010-11-20 20:07 . 2010-11-20 20:17 -------- d-----w- c:\documents and settings\Admin\Application Data\GetRightToGo
2010-11-20 08:04 . 2010-11-20 08:04 105984 --sha-r- c:\windows\system32\rtutilsh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-23 01:33 . 2010-11-23 01:33 16384 c:\windows\Temp\Perflib_Perfdata_794.dat
+ 2006-12-04 19:38 . 2006-12-04 19:38 53248 c:\windows\inf\WG511v2\snetcfg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-01-06 3552256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-11-02 26112]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-14 229438]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-2-21 600904]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-10 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG511v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG511v2\WG511v2.exe [2007-6-26 1499136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-02-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 21:58]

2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{97C9DE83-BE45-4951-829E-8AC1625FF1F0}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 10:05]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-11-22 18:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?5?5?4??p???? ???B?????????????H
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
.
**************************************************************************
.
Completion time: 2010-11-22 18:40:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-23 01:40
ComboFix2.txt 2010-11-22 21:57

Pre-Run: 65,832,607,744 bytes free
Post-Run: 65,815,924,736 bytes free

- - End Of File - - C1B385F9C90175CD0017344E3DB48DAE
