GeekPolice Tech Tutorials

Malware?

I used Malwarebytes and now only one website works. Everything else seems to work. Can anyone help me?

Re: Malware?

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Malware?

It's working now.

ComboFix 10-11-22.02 - Admin 11/22/2010 14:40:37.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478.143 [GMT -7:00]
Running from: E:\combo-fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Admin\LOCALS~1\Temp\jna5476110798153351952.dll
c:\documents and settings\Admin\Local Settings\Temp\jna5476110798153351952.dll
c:\windows\Xkapua.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-22 to 2010-11-22 )))))))))))))))))))))))))))))))
.

2010-11-21 03:53 . 2010-11-21 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\T-Mobile
2010-11-21 03:50 . 2010-11-21 03:50 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-11-21 00:17 . 2010-11-21 00:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PackageAware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 21:59 . 2010-11-20 21:59 -------- d--h--w- c:\windows\PIF
2010-11-20 20:07 . 2010-11-20 20:17 -------- d-----w- c:\documents and settings\Admin\Application Data\GetRightToGo
2010-11-20 08:04 . 2010-11-20 08:04 105984 --sha-r- c:\windows\system32\rtutilsh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

c:\windows\inf\WG511v2\snetcfg .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-01-06 3552256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-11-02 26112]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-14 229438]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-2-21 600904]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-10 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG511v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG511v2\WG511v2.exe [2007-6-26 1499136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-02-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 21:58]

2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{97C9DE83-BE45-4951-829E-8AC1625FF1F0}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 10:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride =
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 14:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?5?5?4??????? ???B?????????????H
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1344)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
.
**************************************************************************
.
Completion time: 2010-11-22 14:57:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-22 21:57

Pre-Run: 65,158,811,648 bytes free
Post-Run: 65,815,916,544 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A3B19A5FF7342204E47646E91315D2D2

Re: Malware?

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    RenV::
    c:\windows\inf\WG511v2\snetcfg .exe

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:23012
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
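The CFScript above was written by hand from the first log. As an added example that is not part of this thread or of ComboFix, the following Python pulls the same two indicators out of a log (the file with a space before its extension listed under Find3M, and a per-user ProxyServer pointing at a loopback address) and writes the same RenV:: and DDS:: sections. The sample log is constructed from excerpts of the log posted earlier in the thread; the line-format assumptions (drive-letter paths, DDS-style "uInternet Settings" lines) are mine, and RenV:: and DDS:: are the only directives it emits because they are the only ones the thread uses.

```python
"""Triage a posted ComboFix log for the two indicators this thread acts on
and emit the matching CFScript.  Added example; not ComboFix's own code.
Only the RenV:: and DDS:: directives used in the thread are written."""
import ipaddress
import re

# Constructed sample input: excerpts of the first ComboFix log in this
# thread, as a raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Xkapua.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\inf\WG511v2\snetcfg .exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride =
.
"""

# A drive-letter path whose extension is separated from the name by
# whitespace, e.g. "snetcfg .exe"; ComboFix lists these under Find3M.
_SPACED_EXE = re.compile(r"[a-z]:\\.*\S\s+\.(exe|dll|sys|scr|com|pif)", re.I)

# DDS-style per-user Internet Settings lines ("u" prefix = current user).
_PROXY_LINE = re.compile(r"uInternet Settings,Proxy(\w+)\s*=\s*(.*)")


def find_spaced_exe(log: str) -> list[str]:
    """Return the log lines naming a file with whitespace before its
    extension.  This is the pattern the RenV:: directive is used for in
    the thread; the second log's snapshot shows snetcfg.exe appearing
    after the rename."""
    return [ln.strip() for ln in log.splitlines()
            if _SPACED_EXE.fullmatch(ln.strip())]


def loopback_proxies(value: str) -> list[tuple[str, int]]:
    """Parse a ProxyServer value ("host:port" or "http=host:port;https=...")
    and return the (host, port) pairs that point back at the local machine."""
    found = []
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:                       # strip a "scheme=" prefix
            part = part.split("=", 1)[1]
        host, _, port = part.rpartition(":")
        if not host or not port.isdigit():
            continue
        try:
            is_local = ipaddress.ip_address(host).is_loopback
        except ValueError:                    # not an IP literal
            is_local = host.lower() == "localhost"
        if is_local:
            found.append((host, int(port)))
    return found


def find_proxy_hijack(log: str) -> list[str]:
    """If the per-user ProxyServer points at a loopback listener, return
    every per-user Proxy* line so they are removed as a group.

    A proxy on 127.0.0.1 routes every HTTP request through a process on the
    same machine.  If that process is gone but the setting remains, most
    sites stop loading, which is consistent with the symptom that opened
    this thread.  ProxyOverride is returned alongside ProxyServer because
    the helper's DDS:: block clears both."""
    lines, hijacked = [], False
    for ln in log.splitlines():
        m = _PROXY_LINE.fullmatch(ln.strip())
        if not m:
            continue
        lines.append(ln.strip())
        if m.group(1).lower() == "server" and loopback_proxies(m.group(2)):
            hijacked = True
    return lines if hijacked else []


def build_cfscript(log: str) -> str:
    """Assemble CFScript.txt text from the findings, one section per
    directive, in the layout the helper posted."""
    sections = []
    spaced = find_spaced_exe(log)
    if spaced:
        sections.append("RenV::\n" + "\n".join(spaced))
    proxy = find_proxy_hijack(log)
    if proxy:
        sections.append("DDS::\n" + "\n".join(proxy))
    return "\n\n".join(sections) + "\n" if sections else ""


if __name__ == "__main__":
    # Prints the same RenV::/DDS:: script the helper posted, built from
    # the sample log.  Save the output as CFScript.txt beside ComboFix.
    print(build_cfscript(SAMPLE_LOG), end="")
```

Run it against a full C:\ComboFix.txt by reading the file into `build_cfscript`; a proxy that points at a real corporate proxy host produces no DDS:: section, since only loopback targets are treated as a hijack.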

Re: Malware?

ComboFix 10-11-22.04 - Admin 11/22/2010 18:26:36.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.478.186 [GMT -7:00]
Running from: E:\combo-fix.exe
Command switches used :: E:\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Admin\LOCALS~1\Temp\jna7411195242135381786.dll
c:\documents and settings\Admin\Local Settings\Temp\jna7411195242135381786.dll

.
((((((((((((((((((((((((( Files Created from 2010-10-23 to 2010-11-23 )))))))))))))))))))))))))))))))
.

2010-11-21 03:53 . 2010-11-21 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\T-Mobile
2010-11-21 03:50 . 2010-11-21 03:50 -------- d-----w- c:\documents and settings\Admin\Application Data\MSNInstaller
2010-11-21 00:17 . 2010-11-21 00:17 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\PackageAware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-20 22:44 . 2010-11-20 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-20 22:44 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-20 21:59 . 2010-11-20 21:59 -------- d--h--w- c:\windows\PIF
2010-11-20 20:07 . 2010-11-20 20:17 -------- d-----w- c:\documents and settings\Admin\Application Data\GetRightToGo
2010-11-20 08:04 . 2010-11-20 08:04 105984 --sha-r- c:\windows\system32\rtutilsh.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-11-22_21.51.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-23 01:33 . 2010-11-23 01:33 16384 c:\windows\Temp\Perflib_Perfdata_794.dat
+ 2006-12-04 19:38 . 2006-12-04 19:38 53248 c:\windows\inf\WG511v2\snetcfg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-01-06 3552256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 290816]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-11-02 26112]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-14 229438]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
DesktopVideoPlayer.LNK - c:\program files\vghd\vghd.exe [2009-2-21 600904]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-10 503808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG511v2 Smart Wizard.lnk - c:\program files\NETGEAR\WG511v2\WG511v2.exe [2007-6-26 1499136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

.
Contents of the 'Scheduled Tasks' folder

2010-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2008-02-17 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 21:58]

2010-11-22 c:\windows\Tasks\User_Feed_Synchronization-{97C9DE83-BE45-4951-829E-8AC1625FF1F0}.job
- c:\windows\system32\msfeedssync.exe [2008-08-22 10:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-22 18:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?5?5?4??p???? ???B?????????????H
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\vghd\VirtuaGirl_Downloader.exe
.
**************************************************************************
.
Completion time: 2010-11-22 18:40:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-23 01:40
ComboFix2.txt 2010-11-22 21:57

Pre-Run: 65,832,607,744 bytes free
Post-Run: 65,815,924,736 bytes free

- - End Of File - - C1B385F9C90175CD0017344E3DB48DAE
