WiredWX Hobby Weather Tools

Malware that infected my wingate32.dll and explorer
I'm not really sure, but since my PC was infected, I can't play my favorite game anymore. It corrupts GameGuard, which is why I can't play.

Re: Malware that infected my wingate32.dll and explorer
I hope this helps:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:30 AM, on 12/29/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\runwin32.exe
C:\WINDOWS\System32\system07.exe
C:\WINDOWS\System32\kloa.exe
C:\Program Files\IObit\Game Booster\gbtray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winqcphf.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlxmrj.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ph.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ph.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ph.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ph.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ph.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ph.rd.yahoo.com/customize/ycomp/defaults/su/*http://ph.yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [antike] wingate32.exe
O4 - HKLM\..\Run: [Internet Security Service] expllorer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Update] C:\Program Files\Common Files\System\klass.exe
O4 - HKLM\..\Run: [7389A2] C:\WINDOWS\System32\E00893\7389A2.EXE
O4 - HKLM\..\Run: [41C855] C:\WINDOWS\System32\2D32E6\41C855.EXE
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [Windosupdate manager] runwin32.exe
O4 - HKLM\..\Run: [Microsoft system07 Service] system07.exe
O4 - HKLM\..\Run: [Windows nt ] kloa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [antike] wingate32.exe
O4 - HKLM\..\RunServices: [Internet Security Service] expllorer.exe
O4 - HKLM\..\RunServices: [Windosupdate manager] runwin32.exe
O4 - HKLM\..\RunServices: [Microsoft system07 Service] system07.exe
O4 - HKLM\..\RunServices: [Windows nt ] kloa.exe
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [antike] wingate32.exe
O4 - HKCU\..\Run: [Windows nt ] kloa.exe
O4 - HKCU\..\Run: [Internet Security Service] expllorer.exe
O4 - HKUS\S-1-5-18\..\Run: [antike] wingate32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Security Service] expllorer.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [antike] wingate32.exe (User 'Default user')
O4 - Startup: 7389A2.lnk = C:\WINDOWS\system32\E00893\7389A2.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C68DACE-E6BC-4650-9C7E-D036720CA729} - http://avs.liveprotect.net/onscan/tyscan/nps.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\System32\GameMon.des.exe (file missing)

--
End of file - 5564 bytes

Re: Malware that infected my wingate32.dll and explorer
Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.
Actually, this doesn't surprise me, since you still have SP1 installed.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups
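As an added defender-side example (not something posted in this thread), here is a small Python triage script that parses F2/O4 lines of the kind in the HijackThis log above and flags the patterns the helper is reacting to: bare filenames registered under Run, names one letter off a core Windows binary (expllorer.exe), labels that claim to be a Windows component but launch a file elsewhere, and a program chained onto UserInit. The sample lines are copied from the posted log; the similarity threshold and the heuristics are my own assumptions, and a hit means "review this entry", not a verdict.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: a subset of the F2/O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE
O4 - HKLM\..\Run: [antike] wingate32.exe
O4 - HKLM\..\Run: [Internet Security Service] expllorer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Update] C:\Program Files\Common Files\System\klass.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Core binaries that look-alike names imitate; none of them is legitimately started from a Run key.
SYSTEM_NAMES = sorted({"explorer.exe", "winlogon.exe", "svchost.exe", "userinit.exe", "lsass.exe", "services.exe"})
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def looks_like(base):
    """Return the system binary a name imitates (expllorer.exe -> explorer.exe), else None. Threshold is an assumption."""
    for legit in SYSTEM_NAMES:
        if base != legit and SequenceMatcher(None, base, legit).ratio() >= 0.9:
            return legit
    return None

def analyze(log_text):
    """Return (value name, finding) pairs for autorun entries that deserve a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        if line.startswith("F2 - REG:system.ini: UserInit="):
            progs = [p for p in line.split("=", 1)[1].split(",") if p.strip()]
            if len(progs) > 1:  # UserInit should start userinit.exe and nothing else
                findings.append(("UserInit", "extra program chained after userinit.exe: " + progs[1]))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        target = cmd[1:].split('"')[0] if cmd.startswith('"') else cmd  # strip a quoted path's quotes
        base = target.rsplit("\\", 1)[-1].lower()
        if "\\" not in target:  # no directory: Windows locates it via the search path
            findings.append((m["name"], f"bare filename {base}: located via the search path, not a fixed location"))
        legit = looks_like(base)
        if legit:
            findings.append((m["name"], f"{base} looks like {legit}"))
        elif base in SYSTEM_NAMES:
            findings.append((m["name"], f"{base} is a core Windows binary and is not normally started from Run"))
        if re.search(r"windows|microsoft", m["name"], re.I) and not target.lower().startswith("c:\\windows"):
            findings.append((m["name"], f"label claims a Windows component but runs {target}"))
    return findings
```

Running `analyze(SAMPLE_LOG)` on the sample flags every entry except the two full-path ones (jusched.exe and ctfmon.exe), which is exactly the split a reviewer would make by eye.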

Re: Malware that infected my wingate32.dll and explorer
Is there any other way for me to remove the malware besides formatting? It would be of great help.

Re: Malware that infected my wingate32.dll and explorer
We can try, but like I said, the malware you've collected can cause a lot of damage and fixing the damage isn't always possible.

Re: Malware that infected my wingate32.dll and explorer
Where do I start?

Re: Malware that infected my wingate32.dll and explorer
It would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply.
Then we'll start from there, because it makes no sense to clean this up manually if no antivirus is present that should be able to deal with most of it and prevent further reinfection.

Re: Malware that infected my wingate32.dll and explorer
I'm sad to say that when I open the installation file of "avira", it automatically closes and does not finish the installation. Other antivirus sites seem to be blocked by something too. Backup files are secured though.

Re: Malware that infected my wingate32.dll and explorer
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:


    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.


  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes


  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Malware that infected my wingate32.dll and explorer
I'm not sure if I made it right, but when I started the "Combo-Fix" application, there was a new folder in my drive C named "32788R22FWJFW".

Here are some screenshots related to this folder:

https://i.servimg.com/u/f19/14/69/07/28/untitl10.jpg
https://i.servimg.com/u/f19/14/69/07/28/untitl11.jpg
https://i.servimg.com/u/f19/14/69/07/28/untitl12.jpg
https://i.servimg.com/u/f19/14/69/07/28/untitl13.jpg

Re: Malware that infected my wingate32.dll and explorer
Don't worry about those, they contain Windows/Combofix files.

Do you have the log?

Re: Malware that infected my wingate32.dll and explorer
I downloaded Combo-Fix exactly as you said and opened it. It just loaded for a while, and when the green bar was full (some kind of loading thingy), Combo-Fix suddenly disappeared. I tried it many times, but with the same result. I'm not sure what to do next.

Re: Malware that infected my wingate32.dll and explorer
Did you rename Combofix? Try renaming it to something random, then run it again.

Re: Malware that infected my wingate32.dll and explorer
Yes, I renamed it during download. I redid it and renamed it "Spaghetti", and the same thing happened. Nothing new.

Re: Malware that infected my wingate32.dll and explorer
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
