
Virus - Malware - Help

Discussion in 'Virus & Other Malware Removal' started by Mark2247, Apr 28, 2010.

Thread Status:
Not open for further replies.
  1. Mark2247

    Mark2247 Thread Starter

    Joined:
    Mar 19, 2010
    Messages:
    18
    Hi,

    I have Malwarebytes' Anti-Malware on my PC.
    It tells me all the time:
    "Malwarebytes' Anti-Malware Successfully blocked
    access to potentially malicious website:
    85.12.46.159 " (and other IPs)

    Also SpyHunter tells me:
    "host file changed - entry added:
    127.0.0.1 jL.chura.pl "
    When I try to update the SpyHunter definitions
    I get the message "There no new updates available"

    What is wrong with my PC?

    Please help!

    Thank you
    Mark
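The hosts-file change SpyHunter reported is easier to assess with a script than by eye, since a legitimate Windows XP hosts file carries only the localhost mapping. The following is an added example, not code from the thread or from any tool named in it; its sample hosts content is constructed, and the classification names are my own:

```python
"""Audit a Windows hosts file against its stock content (added example, not
from the thread). SAMPLE_HOSTS is constructed: a stock Windows XP hosts file
plus the entry SpyHunter reported. A real audit reads
C:\\WINDOWS\\system32\\drivers\\etc\\hosts instead."""
import ipaddress
import re
from typing import Dict, List, Tuple

# A stock Windows XP hosts file carries exactly one mapping.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 jL.chura.pl
"""

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def parse_hosts(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (entries, malformed). Entries are (ip, hostname) pairs; any
    non-comment line that is not 'ip hostname...' (binary junk, bad IP,
    non-ASCII name) is reported as malformed rather than silently skipped."""
    entries, malformed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            malformed.append(raw)
            continue
        if not names or not all(_HOST_RE.match(n) for n in names):
            malformed.append(raw)
            continue
        entries.extend((ip, n.lower()) for n in names)
    return entries, malformed


def classify(ip: str, name: str) -> str:
    """Loopback or 0.0.0.0 makes the name unreachable (blackholed, the usual
    way to cut a machine off from update sites); any other address sends the
    name's traffic wherever the entry's author chose (redirected)."""
    addr = ipaddress.ip_address(ip)
    return "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"


def audit_hosts(text: str) -> Dict[str, list]:
    """Report every mapping not in the stock file, plus unparseable lines."""
    entries, malformed = parse_hosts(text)
    unexpected = [(ip, name, classify(ip, name))
                  for ip, name in entries if (ip, name) not in DEFAULT_ENTRIES]
    return {"unexpected": unexpected, "malformed": malformed}
```

Any "malformed" line deserves as much attention as an unexpected mapping: a hosts file that no longer parses as text is itself a sign that something other than the user wrote to it.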
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,916
    First Name:
    Karen
    Click here to download HJTsetup.exe.
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


    Also, please update MalwareBytes and run a scan and post that log.
     
  3. Mark2247

    Mark2247 Thread Starter

    Joined:
    Mar 19, 2010
    Messages:
    18
    Hi

    When replying from my infected PC - I have nothing

    Here is my Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:54:27 PM, on 4/30/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\RTHDCPL.EXE
    E:\Prog_Win_XP3\SpyStopper_2.75_C\spystopper.exe
    E:\PROG_W~1\ZONE_A~1\zlclient.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\WINDOWS\system32\rundll32.exe
    E:\Prog_Win_XP3\SiteUp_monitors\SiteUp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
    C:\windows\system32\wuaucldt.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    E:\Prog_Win_XP3\Malware_bytes\mbamgui.exe
    E:\Prog_Win_XP3\Spyware_Vanisher\SpywareVanisher.exe
    E:\Prog_Win_XP3\Ashampoo_Uninstaller_suite_110\UIWatcher.exe
    C:\WINDOWS\system32\svchost.exe
    E:\Prog_Win_XP3\PGP_658\PGPTray.exe
    E:\Prog_Win_XP3\Blue_Tooth_Soft\bin\btwdins.exe
    C:\WINDOWS\System32\Rundll32.exe
    E:\Prog_Win_XP3\Malware_bytes\mbamservice.exe
    C:\WINDOWS\system32\nvsvc32.exe
    E:\Prog_Win_XP3\Mail_Server_Pro_17_NEW\SMTPListener.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    E:\Prog_Win_XP3\Slim_Browser_4.08\sbrowser.exe
    E:\Prog_Win_XP3\TypeItIn_Work_This\typeitin.exe
    E:\Prog_Win_XP3\2xExplorer_New\2xExplorer.exe
    E:\Prog_Win_XP3\Hijack_This\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: üÛZ1bàç_%|½êŸüÛZ1bàç_%|½êŸüÛZ1bàç_%|½êŸ
    O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - E:\Prog_Win_XP3\12Ghosts_Popup-Killer_8.10\12popup.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: Bridge Class - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\Prog_Win_XP3\Compass_283\CmpsIE.dll
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SpyStopper] E:\Prog_Win_XP3\SpyStopper_2.75_C\spystopper.exe
    O4 - HKLM\..\Run: [Zone Labs Client] E:\PROG_W~1\ZONE_A~1\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SiteUp] "E:\Prog_Win_XP3\SiteUp_monitors\SiteUp.exe"
    O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
    O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] E:\Prog_Win_XP3\Malware_bytes\mbamgui.exe /starttray
    O4 - HKCU\..\Run: [Spyware Vanisher] E:\Prog_Win_XP3\Spyware_Vanisher\SpywareVanisher.exe -FastScan
    O4 - HKCU\..\Run: [UIWatcher] E:\Prog_Win_XP3\Ashampoo_Uninstaller_suite_110\UIWatcher.exe
    O4 - HKCU\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe
    O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: PGPtray.lnk = E:\Prog_Win_XP3\PGP_658\PGPTray.exe
    O8 - Extra context menu item: &Zeus Form Filler - E:\Prog_Win_XP3\Zeus_4\DragAndDrop.html
    O8 - Extra context menu item: Advanced Email Extractor - res://D:\Program%5FWIN%5FXP2\Advanced%5FEmail%5FExtractor%5F2.76%5FPRO\AeePMsie.dll/page.html
    O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
    O8 - Extra context menu item: Scan link with AEE - res://D:\Program%5FWIN%5FXP2\Advanced%5FEmail%5FExtractor%5F2.76%5FPRO\AeePMsie.dll/link.html
    O8 - Extra context menu item: Send To &Bluetooth - E:\Prog_Win_XP3\Blue_Tooth_Soft\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - E:\Prog%5FWin%5FXP3\Advanced%5FEmail%5FExtractor%5F290\AeeMSIE.dll (file missing)
    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - E:\Prog%5FWin%5FXP3\Advanced%5FEmail%5FExtractor%5F290\AeeMSIE.dll (file missing)
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Prog_Win_XP3\Blue_Tooth_Soft\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Prog_Win_XP3\Blue_Tooth_Soft\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://D:\Program%5FWIN%5FXP2\Advanced%5FEmail%5FExtractor%5F2.76%5FPRO\AeePMsie.dll/page.html (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://D:\Program%5FWIN%5FXP2\Advanced%5FEmail%5FExtractor%5F2.76%5FPRO\AeePMsie.dll/page.html (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159303042765
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - E:\Prog_Win_XP3\SUPER_Anti_Spyware\SASWINLO.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: Beyond Remote Server - Unknown owner - E:\PROG_W~1\BEYOND~1.2\BRServer.exe (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\Prog_Win_XP3\Blue_Tooth_Soft\bin\btwdins.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - E:\Prog_Win_XP3\Malware_bytes\mbamservice.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SMTP Server Service (SMTPMainService) - Unknown owner - E:\Prog_Win_XP3\Mail_Server_Pro_17_NEW\SMTPListener.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
    --
    End of file - 8591 bytes


    regards

    Mark
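The O4 lines in the log above are where a helper looks first, and two patterns stand out mechanically: a Run value whose target lives under a user profile, and one value name planted in every hive at once. The following is an added example, not part of the thread or of HijackThis; its sample log is constructed from O4 lines of the log posted above, and the check names are my own:

```python
"""Triage the O4 (autorun) lines of a HijackThis log (added example, not part
of the thread or of HijackThis). SAMPLE_LOG is constructed from O4 lines of
the log posted above."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SiteUp] "E:\Prog_Win_XP3\SiteUp_monitors\SiteUp.exe"
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] E:\Prog_Win_XP3\Malware_bytes\mbamgui.exe /starttray
O4 - HKCU\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe
O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe (User 'Default user')
O4 - Global Startup: PGPtray.lnk = E:\Prog_Win_XP3\PGP_658\PGPTray.exe
"""

# "O4 - <hive>\..\Run: [<name>] <command>"; Global Startup lines do not match.
_O4_RE = re.compile(r"^O4 - (?P<hive>HK[^:]*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
_USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
_EXE_RE = re.compile(r"(.+?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)

# Directories a machine-wide autorun has no business living in.
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\local settings\\")


def exe_path(cmd: str) -> str:
    """Pull the executable out of a Run value, quoted or unquoted with spaces."""
    cmd = _USER_SUFFIX_RE.sub("", cmd)
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = _EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split() or [""])[0]


def triage_o4(log: str) -> Dict[str, object]:
    """Two checks: Run targets living in a user profile or temp directory, and
    one value name planted in three or more hives at once (HKLM, HKCU, SYSTEM
    and Default user together is a persistence pattern, not an installer's)."""
    profile_path: List[Tuple[str, str, str]] = []
    hives_by_name = defaultdict(set)
    for line in log.splitlines():
        m = _O4_RE.match(line.strip())
        if not m:
            continue
        hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
        path = exe_path(cmd)
        hives_by_name[name.lower()].add(hive)
        if any(marker in path.lower() for marker in PROFILE_MARKERS):
            profile_path.append((hive, name, path))
    multi_hive = {n: sorted(h) for n, h in hives_by_name.items() if len(h) >= 3}
    return {"profile_path": profile_path, "multi_hive": multi_hive}
```

Run against the posted log the same value name surfaces in both checks, which is the kind of cross-hive persistence a helper removes first, while vendor entries such as igfxpers.exe or the Malwarebytes tray stay quiet.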
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,916
    First Name:
    Karen
    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  5. Mark2247

    Mark2247 Thread Starter

    Joined:
    Mar 19, 2010
    Messages:
    18
    Hi Cookiegal,

    Thank you for your attention and for helping me.

    I read the instructions and have questions.

    1. I have "Spybot - Search & Destroy" anti-virus
    How do I disable it completely before running "ComboFix"?
    2. If I disable all my anti-virus programs and firewall (Zone Alarm)
    while running "ComboFix", can I get a new infection in that time?
    Maybe I have to disable Internet access as well?

    please advise

    regards

    Mark
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,916
    First Name:
    Karen
    I suggest you uninstall SpyBot first as if TeaTimer is activated it will restore entries in the registry after we're finished that we don't want restored.

    You can disconnect from the Internet for the initial ComboFix scan.
     
  7. Mark2247

    Mark2247 Thread Starter

    Joined:
    Mar 19, 2010
    Messages:
    18
    Hi Cookiegal,

    I tried to install the Windows Recovery Console on my PC
    but had some problems.
    I do not have it on my XP CD.
    I followed the instructions in the "Manually installing the Windows Recovery Console" section
    and on the Microsoft site as well - but no success.
    So, I could not install it.

    What can I do now?

    Run ComboFix and HijackThis and post both logs here?
    Can I post them as attached files? Is that better for you?

    please advise

    thank you

    Mark
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,916
    First Name:
    Karen
    Did you not allow ComboFix to attempt to install it or did that not work either?
     
  9. Mark2247

    Mark2247 Thread Starter

    Joined:
    Mar 19, 2010
    Messages:
    18
    I did not run ComboFix yet.
    I tried to install the Recovery Console myself from the Windows XP CD (it does not have it) or the Internet.
    I had to install SP2 on my PC; I downloaded it from the Microsoft site
    but that file was corrupted.
    What can I do now?
    Maybe try to install SP3 and then try to install
    the Recovery Console again?
    Or run ComboFix and allow it to install the Recovery Console?

    regards

    Mark
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,916
    First Name:
    Karen
    Your HJT log said you had SP2. Why would you not even have SP2? Is this a genuine installation of Windows?
     
  11. Mark2247

    Mark2247 Thread Starter

    Joined:
    Mar 19, 2010
    Messages:
    18
    Hi,

    My Windows XP is old and the CD did not have SP2.
    I upgraded my Windows XP to SP2 later.

    When I tried to install Recovery Console I got error message:
    "Setup cannot continue because the version of Windows
    on your computer is newer than the version on the CD."

    So I found these pages:
    http://support.microsoft.com/kb/898594/
    http://support.microsoft.com/kb/900871/

    and followed the instructions over there.

    regards

    Mark
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,916
    First Name:
    Karen
    Then just let ComboFix install the recovery console.
     
  13. Mark2247

    Mark2247 Thread Starter

    Joined:
    Mar 19, 2010
    Messages:
    18
    URGENT!

    Hi Cookiegal,

    My first PC is screwed up completely.
    I tried to run ComboFox and got the message:
    "Alert! It is not Safe to continue.
    ComboFix (not ComboFox) has been compromised.
    Take fresh copy from Internet.
    You may be infected with patching virus "Virut"
    I could not download a new one because the PC is not working.

    I took my other PC and installed a couple of programs from the 1st PC.
    After a while my "Malware_Bytes" told me the same as on the first PC.
    It blocked some IP.
    I looked at the "host" file and saw the same "127.0.0.1 jL.chura.pl"
    I ran ComboFox here and got the same Alert.
    I took a fresh one from the Internet and ran it - same Alert!

    I am absolutely frustrated!!!

    What to do?

    regards

    Mark
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,916
    First Name:
    Karen
    It looks like you're infected with a polymorphic file infector called Virut which basically infects all exe, scr and various other types of files on the system and can't be cleaned. The only option is to reformat. It also seems you may have infected the other machine as well. Why did you transfer programs to the other machine?

    Are you able to boot the infected machine?
     
  15. Mark2247

    Mark2247 Thread Starter

    Joined:
    Mar 19, 2010
    Messages:
    18
    I did not know that my backup programs (from the 1st PC, like "Malware_Bytes"
    and others) are infected.
    I have 3 partitions on my 1st PC (2 with Windows XP and 1 with data) and 2 partitions on my 2nd PC
    (both with Windows XP)
    I worked now with one partition on my 2nd PC (installing 2-3 programs).
    After I saw the infection I did a System Restore and rebooted it - then the PC rebooted.
    I quickly turned the PC off so I did not have time to see any infections (if they exist).

    Now I write to you from a 3rd PC (incredible)

    What can I do now?
    Why has "ComboFix" been compromised on the 1st and 2nd PC?
    I downloaded ComboFix on the 3rd PC - I believe it is clean.
    I can burn a CD and run it on my 2nd PC. Will it work?
    Or what to do?

    I backed up all my software and data from the 1st PC to an external HD.
    But these files may be infected already.
    I can reformat my 1st PC.
    And what then? What can I install there?
    In what cases do I have to disable System Restore?

    Many questions? Sorry
    I really need your Help!!!

    regards

    Mark
     
Short URL to this thread: https://techguy.org/919775