Bugbatter
6 Gallium

Re: Malware: "Warning dangerous spyware. Many viruses.....". Cannot connect to internet. Computer slow. Pop windows

We're making progress, but there is more to do.

Disconnect from the internet....pull the plug!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray.

Otherwise, they may interfere with running ComboFix.

Open Notepad and copy/paste the following text between the lines below.

Do not copy the dotted lines.

** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces.

It will copy correctly to Notepad if you highlight and copy as is.

-----------------------------------------------------------------------------------

 

File::
c:\windows\system32\hgset.ini

 

----------------------------------------------------------------------------

Save this as CFScript.txt

[image: Photobucket-hosted screenshot]

Referring to the picture above, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again.

Follow the same instructions you did before for running ComboFix.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced here: C:\ComboFix.txt

In your next reply, please post that log along with a new HijackThis log.


Windows Insider MVP 2016 -

Microsoft MVP - Consumer Security 2006-2016

Social Media and Community Professional

pritam79
1 Nickel

Re: Malware: "Warning dangerous spyware. Many viruses.....". Cannot connect to internet. Computer slow. Pop windows

Here is the latest log after combofix scan.

Please let me know if I need to do anything.

Thanks

ComboFix 09-03-04.01 - Administrator 2009-03-06 23:34:49.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.510.345 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\windows\system32\hgset.ini
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hgset.ini

c:\windows\system32\userinit.exe . . . is infected!!

.
(((((((((((((((((((((((((   Files Created from 2009-02-07 to 2009-03-07  )))))))))))))))))))))))))))))))
.

2009-03-01 17:16 . 2009-03-04 19:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-01 17:16 . 2009-03-01 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-01 17:16 . 2009-03-01 17:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-01 17:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-01 17:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-28 13:43 . 2009-02-28 13:43 <DIR> d-------- c:\program files\Trend Micro
2009-02-28 13:43 . 2009-03-04 19:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\U3
2009-02-28 10:54 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
2009-02-28 10:53 . 2009-03-05 18:57 <DIR> d-------- c:\windows\system32\inf
2009-02-08 12:11 . 2009-02-08 12:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Graboid Inc
2009-02-08 12:10 . 2009-02-08 12:10 <DIR> d-------- c:\documents and settings\Administrator\Application Data\MozillaControl
2009-02-08 12:02 . 2009-02-08 12:02 <DIR> d-------- c:\program files\VideoLAN
2009-02-08 12:00 . 2009-02-28 10:33 <DIR> d-------- c:\program files\Graboid

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 02:24 23,146 ----a-w c:\windows\system32\drivers\stac97e.log
2009-02-28 18:38 104,960 ----a-w c:\windows\system32\userinit.exe
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
.

------- Sigcheck -------

2009-02-28 10:38  104960  8e749f1ad6671309aed81b1fa212396a c:\windows\system32\userinit.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 536576]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2008-12-11 16194]
S3 pcistub;pcistub;\??\c:\windows\system32\pcistub.sys --> c:\windows\system32\pcistub.sys [?]
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;c:\windows\system32\DRIVERS\WG511ICB.sys --> c:\windows\system32\DRIVERS\WG511ICB.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c98ce240-05e0-11de-9986-000d56b187c7}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 23:36:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(424)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-03-06 23:38:04
ComboFix-quarantined-files.txt  2009-03-07 07:37:36
ComboFix2.txt  2009-03-06 03:02:58

Pre-Run: 34,478,792,704 bytes free
Post-Run: 34,471,428,096 bytes free

116 --- E O F --- 2009-02-28 18:36:41

 

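As an added illustration (not part of this thread or of ComboFix), the entries a helper reads by eye in the "Reg Loading Points" section of the log above can be checked automatically. The sample lines are copied from the posted log (plus the benign ctfmon Run entry as a control); the rule set is an assumption based on what that log shows, not ComboFix's own logic.

```python
import re

# Constructed sample: "Reg Loading Points" lines copied from the ComboFix log
# posted above, plus the benign ctfmon Run entry as a control.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
GOOD_USERINIT = '"c:\\windows\\system32\\userinit.exe,'  # XP default (assumed)

def parse_reg_section(text):
    """Return (key, name, raw_value) triples from REGEDIT4-style lines."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif (m := VALUE_RE.match(line)) and key:
            entries.append((key, m.group(1), m.group(2).strip()))
    return entries

def find_persistence_tampering(text):
    """Flag the tampering patterns visible in this thread's log."""
    findings = []
    for key, name, value in parse_reg_section(text):
        if "\\image file execution options\\" in key and name == "Debugger":
            # Launching the named AV binary silently runs the "debugger" instead.
            findings.append(f"IFEO hijack: {key.rsplit(chr(92), 1)[1]} -> {value}")
        elif key.endswith("\\winlogon") and name == "Userinit":
            if not value.lower().startswith(GOOD_USERINIT):
                findings.append(f"Userinit replaced: {value}")
        elif key.endswith("\\security center") and name.endswith("Override"):
            if value.endswith("1"):  # dword:00000001 hides the AV/firewall warnings
                findings.append(f"Security Center {name} enabled")
        elif key.endswith("\\standardprofile") and name == "EnableFirewall":
            if value.startswith("0"):
                findings.append("Windows Firewall disabled for the standard profile")
    return findings
```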
Bugbatter
6 Gallium

Re: Malware: "Warning dangerous spyware. Many viruses.....". Cannot connect to internet. Computer slow. Pop windows

Please update MBAM and run another scan. Following that, please post the log. Thanks.

pritam79
1 Nickel

Re: Malware: "Warning dangerous spyware. Many viruses.....". Cannot connect to internet. Computer slow. Pop windows

Here is the MBAM scan a

pritam79
1 Nickel

Re: Malware: "Warning dangerous spyware. Many viruses.....". Cannot connect to internet. Computer slow. Pop windows

Here is the updated MBAM scan log.

Malwarebytes' Anti-Malware 1.34
Database version: 1825
Windows 5.1.2600 Service Pack 3

3/7/2009 11:37:08 AM
mbam-log-2009-03-07 (11-37-08).txt

Scan type: Quick Scan
Objects scanned: 58801
Time elapsed: 2 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Bugbatter
6 Gallium

Re: Malware: "Warning dangerous spyware. Many viruses.....". Cannot connect to internet. Computer slow. Pop windows

Just to be sure that file has been replaced, let's run ComboFix one more time.

Disconnect from the internet....pull the plug!

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray.

Otherwise, they may interfere with running ComboFix.

Open Notepad and copy/paste the following text between the lines below.

Do not copy the dotted lines.

** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces.

It will copy correctly to Notepad if you highlight and copy as is.

-----------------------------------------------------------------------------------



FCopy::
c:\windows\ServicePackFiles\i386\userinit.exe | c:\windows\system32\userinit.exe

 

----------------------------------------------------------------------------

Save this as CFScript.txt

[image: Photobucket-hosted screenshot]

Referring to the picture above, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again.

Follow the same instructions you did before for running ComboFix.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced here: C:\ComboFix.txt

In your next reply, please post that log along with a new HijackThis log. Let me know how things are running. Back to normal yet?
