Malware?


Malware?

Post by kwyyl on Tue 23 Nov 2010, 4:01 am

I used Malwarebytes and now only one website works. Everything else seems to work. Can anyone help me?

kwyyl

Newbie Surfer

Posts : 9
Joined : 2010-11-21
Operating System : Windows Xp

Re: Malware?

Post by DragonMaster Jay on Tue 23 Nov 2010, 8:08 am

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


~DMJ
GeekPolice Academy Manager

DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

http://www.twitter.com/jaypfoutz

Re: Malware?

Post by kwyyl on Tue 23 Nov 2010, 9:17 am

It's working now.

ComboFix 10-11-22.02 - Admin 11/22/2010 14:40:37.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478.143 [GMT -7:00]
Running from: E:\combo-fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Admin\LOCALS~1\Temp\jna5476110798153351952.dll
c:\documents and settings\Admin\Local Settings\Temp\jna5476110798153351952.dll
c:\windows\Xkapua.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
.

2010-11-21 03:53 . 2010-11-21 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\T-Mobile
2010-11-21 03:50 . 2010-11-21 03:50 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-11-21 00:17 . 2010-11-21 00:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PackageAware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 21:59 . 2010-11-20 21:59 -------- d--h--w- c:\windows\PIF
2010-11-20 20:07 . 2010-11-20 20:17 -------- d-----w- c:\documents and settings\Admin\Application Data\GetRightToGo
2010-11-20 08:04 . 2010-11-20 08:04 105984 --sha-r- c:\windows\system32\rtutilsh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Code:

    c:\windows\inf\WG511v2\snetcfg .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-01-06 3552256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-11-02 26112]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-14 229438]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-2-21 600904]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-10 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG511v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG511v2\WG511v2.exe [2007-6-26 1499136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-02-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 21:58]

2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{97C9DE83-BE45-4951-829E-8AC1625FF1F0}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 10:05]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride =
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-11-22 14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?5?5?4??????? ???B?????????????H
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1344)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
.
**************************************************************************
.
Completion time: 2010-11-22 14:57:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-22 21:57

Pre-Run: 65,158,811,648 bytes free
Post-Run: 65,815,916,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A3B19A5FF7342204E47646E91315D2D2

kwyyl

Newbie Surfer

Posts : 9
Joined : 2010-11-21
Operating System : Windows Xp

Re: Malware?

Post by Belahzur on Tue 23 Nov 2010, 11:57 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    RenV::
    c:\windows\inf\WG511v2\snetcfg .exe

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:23012
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
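The CFScript posted above targets two things in the first log: an executable whose name carries a space before its extension (c:\windows\inf\WG511v2\snetcfg .exe, renamed by the RenV:: block) and a per-user browser proxy pointed at 127.0.0.1:23012 (cleared by the DDS:: block), which routes every browser request through a local process. The following Python checker is an added example, not code from this thread or from ComboFix's authors: it scans a ComboFix-style log for those two indicators and lays the findings out in the RenV::/DDS:: form the helper used. The sample log is constructed, and the meaning of the two directives is assumed from the post above rather than from ComboFix documentation.

```python
"""Added example: find a loopback browser proxy and space-before-extension
files in a ComboFix-style log, then lay them out as a CFScript."""
import re

# Constructed sample log in the shape of ComboFix's "Find3M Report" and
# "Supplementary Scan" sections. Everything here is made up except the two
# indicator lines, which mirror the ones posted in the thread.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))
.
+ 2006-12-04 19:38 . 2006-12-04 19:38 53248 c:\windows\inf\WG511v2\snetcfg .exe
+ 2010-04-29 22:39 . 2010-04-29 22:39 20952 c:\windows\system32\drivers\mbam.sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.example.invalid/
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride =
.
"""

# "uInternet Settings,ProxyServer = http=127.0.0.1:23012"; the leading "u"
# marks a per-user setting in these logs ("m" would be machine-wide)
PROXY_LINE = re.compile(r"^[um]?Internet Settings,ProxyServer\s*=\s*(.*?)\s*$", re.M)
# A Windows ProxyServer value is "host:port" or "scheme=host:port;scheme=host:port"
PROXY_PART = re.compile(r"^(?:(?P<scheme>[a-z]+)=)?(?P<host>[^:;]+)(?::(?P<port>\d+))?$", re.I)
# A path whose last component has whitespace directly before its extension
SPACED_EXT = re.compile(r"[a-z]:\\[^\r\n]*?\s+\.(?:exe|dll|sys|scr|com)\b", re.I)


def is_loopback(host):
    """True for addresses that route back to the machine itself."""
    host = host.strip().lower()
    return host == "localhost" or host.startswith("127.")


def parse_proxy_setting(value):
    """Split a ProxyServer value into (scheme, host, port) tuples; port is None
    when absent and scheme is "all" when the value names no scheme."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        m = PROXY_PART.match(part) if part else None
        if not m:
            continue
        port = int(m.group("port")) if m.group("port") else None
        entries.append((m.group("scheme") or "all", m.group("host"), port))
    return entries


def find_indicators(log_text):
    """Return one dict per finding: loopback proxies first, then spaced-extension paths."""
    findings = []
    for m in PROXY_LINE.finditer(log_text):
        for scheme, host, port in parse_proxy_setting(m.group(1)):
            if is_loopback(host):
                findings.append({"kind": "loopback_proxy", "line": m.group(0).strip(),
                                 "scheme": scheme, "host": host, "port": port})
    for m in SPACED_EXT.finditer(log_text):
        findings.append({"kind": "spaced_extension", "path": m.group(0)})
    return findings


def build_cfscript(findings):
    """Lay findings out in the RenV:: / DDS:: form the helper posted. The directive
    semantics (rename the file; clear the setting) are assumed from that post."""
    renames = [f["path"] for f in findings if f["kind"] == "spaced_extension"]
    dds = sorted({f["line"] for f in findings if f["kind"] == "loopback_proxy"})
    blocks = []
    if renames:
        blocks.append("RenV::\n" + "\n".join(renames))
    if dds:
        blocks.append("DDS::\n" + "\n".join(dds))
    return "\n\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for f in found:
        print(f)
    print(build_cfscript(found))
```

The proxy check keys on the host, not the port, because a loopback proxy is the anomaly regardless of which port it listens on; a corporate proxy on a real host name passes through untouched. The path check only flags whitespace immediately before a known executable extension, so ordinary paths with spaces such as "c:\program files\..." are not reported.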

Re: Malware?

Post by kwyyl on Tue 23 Nov 2010, 12:44 pm

ComboFix 10-11-22.04 - Admin 11/22/2010 18:26:36.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478.186 [GMT -7:00]
Running from: E:\combo-fix.exe
Command switches used :: E:\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Admin\LOCALS~1\Temp\jna7411195242135381786.dll
c:\documents and settings\Admin\Local Settings\Temp\jna7411195242135381786.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

2010-11-21 03:53 . 2010-11-21 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\T-Mobile
2010-11-21 03:50 . 2010-11-21 03:50 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-11-21 00:17 . 2010-11-21 00:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PackageAware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 21:59 . 2010-11-20 21:59 -------- d--h--w- c:\windows\PIF
2010-11-20 20:07 . 2010-11-20 20:17 -------- d-----w- c:\documents and settings\Admin\Application Data\GetRightToGo
2010-11-20 08:04 . 2010-11-20 08:04 105984 --sha-r- c:\windows\system32\rtutilsh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-23 01:33 . 2010-11-23 01:33 16384 c:\windows\Temp\Perflib_Perfdata_794.dat
+ 2006-12-04 19:38 . 2006-12-04 19:38 53248 c:\windows\inf\WG511v2\snetcfg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-01-06 3552256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-11-02 26112]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-14 229438]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-2-21 600904]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-10 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG511v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG511v2\WG511v2.exe [2007-6-26 1499136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-02-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 21:58]

2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{97C9DE83-BE45-4951-829E-8AC1625FF1F0}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 10:05]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-11-22 18:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?5?5?4??p???? ???B?????????????H
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
.
**************************************************************************
.
Completion time: 2010-11-22 18:40:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-23 01:40
ComboFix2.txt 2010-11-22 21:57

Pre-Run: 65,832,607,744 bytes free
Post-Run: 65,815,924,736 bytes free

- - End Of File - - C1B385F9C90175CD0017344E3DB48DAE

kwyyl

Newbie Surfer

Posts : 9
Joined : 2010-11-21
Operating System : Windows Xp
