Virus - Malware - Help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Mark2247

Thread Starter
Joined
Mar 19, 2010
Messages
18
Hi,

I have Malwarebytes' Anti-Malware on my PC.
It tells me all the time:
"Malwarebytes' Anti-Malware Successfully blocked
access to potentially malicious website:
85.12.46.159 " (and other IPs)

Also SpyHunter tells me:
"host file changed - entry added:
127.0.0.1 jL.chura.pl "
When I try to update the SpyHunter definitions
I get the message "There no new updates available"

What is wrong with my PC?

Please help!

Thank you
Mark
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Click here to download HJTsetup.exe.
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


Also, please update MalwareBytes and run a scan and post that log.
 

Mark2247

Thread Starter
Joined
Mar 19, 2010
Messages
18
Hi

When I reply from my infected PC - have nothing

Here is my Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:27 PM, on 4/30/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\RTHDCPL.EXE
E:\Prog_Win_XP3\SpyStopper_2.75_C\spystopper.exe
E:\PROG_W~1\ZONE_A~1\zlclient.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\rundll32.exe
E:\Prog_Win_XP3\SiteUp_monitors\SiteUp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\windows\system32\wuaucldt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Prog_Win_XP3\Malware_bytes\mbamgui.exe
E:\Prog_Win_XP3\Spyware_Vanisher\SpywareVanisher.exe
E:\Prog_Win_XP3\Ashampoo_Uninstaller_suite_110\UIWatcher.exe
C:\WINDOWS\system32\svchost.exe
E:\Prog_Win_XP3\PGP_658\PGPTray.exe
E:\Prog_Win_XP3\Blue_Tooth_Soft\bin\btwdins.exe
C:\WINDOWS\System32\Rundll32.exe
E:\Prog_Win_XP3\Malware_bytes\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Prog_Win_XP3\Mail_Server_Pro_17_NEW\SMTPListener.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
E:\Prog_Win_XP3\Slim_Browser_4.08\sbrowser.exe
E:\Prog_Win_XP3\TypeItIn_Work_This\typeitin.exe
E:\Prog_Win_XP3\2xExplorer_New\2xExplorer.exe
E:\Prog_Win_XP3\Hijack_This\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: üÛZ1bàç_%|½êŸüÛZ1bàç_%|½êŸüÛZ1bàç_%|½êŸ
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - E:\Prog_Win_XP3\12Ghosts_Popup-Killer_8.10\12popup.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Bridge Class - {E479EDE1-923E-11D3-B82B-00E09871521B} - E:\Prog_Win_XP3\Compass_283\CmpsIE.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpyStopper] E:\Prog_Win_XP3\SpyStopper_2.75_C\spystopper.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROG_W~1\ZONE_A~1\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SiteUp] "E:\Prog_Win_XP3\SiteUp_monitors\SiteUp.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" -minimized
O4 - HKLM\..\Run: [syncman] c:\windows\system32\wuaucldt.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] E:\Prog_Win_XP3\Malware_bytes\mbamgui.exe /starttray
O4 - HKCU\..\Run: [Spyware Vanisher] E:\Prog_Win_XP3\Spyware_Vanisher\SpywareVanisher.exe -FastScan
O4 - HKCU\..\Run: [UIWatcher] E:\Prog_Win_XP3\Ashampoo_Uninstaller_suite_110\UIWatcher.exe
O4 - HKCU\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe
O4 - HKUS\S-1-5-18\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [syncman] c:\documents and settings\owner\wuaucldt.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PGPtray.lnk = E:\Prog_Win_XP3\PGP_658\PGPTray.exe
O8 - Extra context menu item: &Zeus Form Filler - E:\Prog_Win_XP3\Zeus_4\DragAndDrop.html
O8 - Extra context menu item: Advanced Email Extractor - res://D:\Program%5FWIN%5FXP2\Advanced%5FEmail%5FExtractor%5F2.76%5FPRO\AeePMsie.dll/page.html
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Scan link with AEE - res://D:\Program%5FWIN%5FXP2\Advanced%5FEmail%5FExtractor%5F2.76%5FPRO\AeePMsie.dll/link.html
O8 - Extra context menu item: Send To &Bluetooth - E:\Prog_Win_XP3\Blue_Tooth_Soft\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - E:\Prog%5FWin%5FXP3\Advanced%5FEmail%5FExtractor%5F290\AeeMSIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - E:\Prog%5FWin%5FXP3\Advanced%5FEmail%5FExtractor%5F290\AeeMSIE.dll (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Prog_Win_XP3\Blue_Tooth_Soft\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Prog_Win_XP3\Blue_Tooth_Soft\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://D:\Program%5FWIN%5FXP2\Advanced%5FEmail%5FExtractor%5F2.76%5FPRO\AeePMsie.dll/page.html (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://D:\Program%5FWIN%5FXP2\Advanced%5FEmail%5FExtractor%5F2.76%5FPRO\AeePMsie.dll/page.html (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159303042765
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Prog_Win_XP3\SUPER_Anti_Spyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Beyond Remote Server - Unknown owner - E:\PROG_W~1\BEYOND~1.2\BRServer.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\Prog_Win_XP3\Blue_Tooth_Soft\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - E:\Prog_Win_XP3\Malware_bytes\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SMTP Server Service (SMTPMainService) - Unknown owner - E:\Prog_Win_XP3\Mail_Server_Pro_17_NEW\SMTPListener.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe
--
End of file - 8591 bytes


regards

Mark
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
 

Mark2247

Thread Starter
Joined
Mar 19, 2010
Messages
18
Hi Cookiegal,

Thank you for your attention and for helping me.

I read the instructions and have questions.

1. I have "Spybot - Search & Destroy" anti-virus.
How do I disable it completely before running "ComboFix"?
2. If I disable all my anti-virus programs and Firewall (Zone Alarm)
while running "ComboFix", can I get a new infection in that time?
Maybe I have to disable Internet access as well?

please advise

regards

Mark
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
I suggest you uninstall SpyBot first as if TeaTimer is activated it will restore entries in the registry after we're finished that we don't want restored.

You can disconnect from the Internet for the initial ComboFix scan.
 

Mark2247

Thread Starter
Joined
Mar 19, 2010
Messages
18
Hi Cookiegal,

I tried to install the Windows Recovery Console on my PC
but have some problems.
I do not have it on my XP CD.
I followed the instructions in the "Manually installing the Windows Recovery Console" section
and on the Microsoft site as well - but no success.
So, I could not install it.

What can I do now?

Run ComboFix and HijackThis and post both logs here?
Can I post them as attached files? Is it better for you?

please advise

thank you

Mark
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Did you not allow ComboFix to attempt to install it or did that not work either?
 

Mark2247

Thread Starter
Joined
Mar 19, 2010
Messages
18
I did not run ComboFix yet.
I tried to install the Recovery Console by myself from the Windows XP CD (it does not have it) or from the Internet.
I had to install SP2 on my PC, I downloaded it from the Microsoft site
but that file was corrupted.
What can I do now?
Maybe try to install SP3 and then try to install
the Recovery Console again?
Or run ComboFix and allow it to install the Recovery Console?

regards

Mark
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Your HJT log said you had SP2. Why would you not even have SP2? Is this a genuine installation of Windows?
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
Then just let ComboFix install the recovery console.
 

Mark2247

Thread Starter
Joined
Mar 19, 2010
Messages
18
URGENT!

Hi Cookiegal,

My first PC is screwed up completely.
I tried to run ComboFix and got the message:
"Alert! It is not Safe to continue.
ComboFix has been compromised.
Take fresh copy from Internet.
You maybe infected with patching virus "Virut"
I could not download a new one because the PC is not working.

I took my other PC and installed a couple of programs from the 1st PC.
After a while my "Malware_Bytes" told me the same as on the first PC.
It blocked some IP.
I looked at the "hosts" file and saw the same "127.0.0.1 jL.chura.pl"
I ran ComboFix here and got the same Alert.
I took a fresh one from the Internet and ran it - same Alert!

I am absolutely frustrated!!!

What to do?

regards

Mark
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,182
It looks like you're infected with a polymorphic file infector called Virut which basically infects all exe, scr and various other types of files on the system and can't be cleaned. The only option is to reformat. It also seems you may have infected the other machine as well. Why did you transfer programs to the other machine?

Are you able to boot the infected machine?
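The two points in this reply, that a file infector alters the executables themselves and that programs copied from the infected PC carried the infection over, are why a tool like ComboFix refuses to run when its own binary no longer matches what it expects. As an added example (not from the thread or from ComboFix), the script below shows the same integrity idea applied to a whole directory: record SHA-256 hashes of executable-type files while the system is trusted, then later report anything modified, missing or added. The directory layout, file contents and the simulated alteration are all constructed inside a temporary directory; the suffix list is an assumption based on the file types named in the reply.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# File types named in the thread as targets of the infector (assumed list).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".dll"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every executable-type file under root."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against a trusted manifest taken earlier."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then alter one binary and add one file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        # Constructed placeholder contents; only the hashes matter here.
        (root / "tools" / "scanner.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "tools" / "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "readme.txt").write_bytes(b"not an executable, ignored")

        # Baseline taken while the tree is trusted; stored beside the files
        # here for simplicity, in practice it belongs on read-only media.
        manifest_path = root / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(root)))

        # Simulate what a file infector does to a binary: the bytes change,
        # so the stored hash no longer matches.
        with (root / "tools" / "scanner.exe").open("ab") as fh:
            fh.write(b"\x90" * 16)
        (root / "tools" / "newfile.scr").write_bytes(b"MZ" + b"\x02" * 8)

        return verify_manifest(root, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as the machine that produced it: a baseline taken after the infection, or stored on a disk the infected system could write to, would simply record the patched files as normal. That is the same reason the backup made from the first PC in this thread cannot be used to rebuild it.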
 

Mark2247

Thread Starter
Joined
Mar 19, 2010
Messages
18
I did not know that my backup programs (from the 1st PC like "Malware_Bytes"
and others) are infected.
I have 3 partitions on my 1st PC (2 with Windows XP and 1 with data) and 2 partitions on my 2nd PC
(both with Windows XP)
I worked now with one partition on my 2nd PC (installing 2-3 programs).
After I saw the infection I made a System Restore and rebooted it - then the PC rebooted.
I quickly turned the PC off so I did not have time to see any infections (if they exist).

Now I write to you from a 3rd PC (incredible)

What can I do now?
Why has "ComboFix" been compromised on the 1st and 2nd PC?
I downloaded ComboFix on the 3rd PC - I believe it is clean.
I can burn a CD and run it on my 2nd PC. Will it work?
Or what to do?

I backed up all my software and data from the 1st PC to an external HD.
But these files may be infected already.
I can reformat my 1st PC.
And what then? What can I install there?
In what cases do I have to disable System Restore??

Many questions? Sorry
I really need your help!!!

regards

Mark
 