I found a suspicious folder after removing Malware [RESOLVED]

#1 Beetrix (Member, 128 posts)
After I received help removing all of my Malware and viruses, I found a folder that says it is a text document. It has very long numbers and letters:
8e802587a54a788fe38. Any help would be appreciated. :)

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Let's have a closer look...

1. Download combofix at http://www.techsuppo...Bs/ComboFix.exe or http://download.blee...Bs/ComboFix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3 Beetrix (Topic Starter, Member, 128 posts)
The links are not working properly. Can you send me another one?

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
It should be working... I'm attaching it here. Try downloading the attachment.

Attached Files

#5 Beetrix (Topic Starter, Member, 128 posts)
I am getting an error message saying: You cannot rename ComboFix as ComboFix [1]. Please rename it. :)

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Did this prompt you when you tried to run it? Did you get to the part where it asks you whether you agree to the warning/risk or not?

#7 Beetrix (Topic Starter, Member, 128 posts)
No, it doesn't even ask me that question. My computer won't let me run it at all.

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Is it saved to the desktop? Also, make sure it's completely downloaded. I think it's around 1.6MB in size.

Restart the computer. Disconnect from the internet and disable all your security programs. Then try running it again.

#9 Beetrix (Topic Starter, Member, 128 posts)
:) Got it! Here is the log.

ComboFix 08-04-22.5 - HP_Owner 2008-04-23 9:55:08.1 - NTFSx86
Running from: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for ComboFix.zip\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ORUN32.EXE
C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2008-03-23 to 2008-04-23 )))))))))))))))))))))))))))))))
.

2008-04-21 06:06 . 2008-04-21 06:06 <DIR> d-------- C:\Program Files\Sygate
2008-04-21 06:06 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-04-21 06:06 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-04-21 06:06 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-04-21 06:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-04-21 06:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-04-21 06:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-04-21 06:06 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-04-21 06:05 . 2008-04-21 06:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-20 18:12 . 2008-04-20 18:17 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-20 18:12 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-04-19 15:47 . 2008-04-19 15:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 15:44 . 2008-04-20 17:37 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-17 15:44 . 2008-04-20 17:37 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\SUPERAntiSpyware.com
2008-04-17 15:44 . 2008-04-17 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-17 14:57 . 2008-04-17 14:57 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-04-17 14:57 . 2008-04-17 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-15 13:39 . 2008-04-14 19:18 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-15 07:42 . 2008-04-15 07:57 73,352,020 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-04-15 07:42 . 2008-04-15 07:42 73,342,722 --a------ C:\SYM_REGISTRY_BACKUP.old
2008-04-15 07:27 . 2008-04-15 14:51 <DIR> d-------- C:\Program Files\ACW
2008-04-10 12:44 . 2008-04-10 12:44 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-04-10 12:43 . 2008-04-10 12:44 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-10 12:43 . 2008-04-10 12:44 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-10 12:43 . 2008-04-10 12:44 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-10 12:43 . 2008-04-10 12:44 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-10 09:47 . 2008-04-10 09:47 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-10 06:10 . 2008-04-17 14:55 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-10 06:10 . 2008-04-10 06:10 1,152 --a------ C:\WINDOWS\system32\windrv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 16:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-04-23 14:51 2,098 ----a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2008-04-23 12:22 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-22 19:02 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-21 00:41 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-21 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 22:54 --------- d---a-w C:\Program Files\PC-Doctor for Windows
2008-04-17 22:54 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-04-14 23:33 --------- d-----w C:\Program Files\Yahoo!
2008-04-11 18:23 --------- d-----w C:\Program Files\RegistrySmart
2008-04-10 20:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-10 19:47 --------- d-----w C:\Program Files\Norton AntiVirus
2008-04-10 19:44 --------- d-----w C:\Program Files\Symantec
2008-04-10 19:33 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2008-04-10 03:17 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\PictureTrail
2008-04-04 01:18 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AdobeUM
2008-03-30 12:34 --------- d-----w C:\Program Files\Google
2008-03-21 18:22 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-07 04:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-07 04:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-07 04:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 20:43 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-06 20:43 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-02-01 10:21 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-04-10 12:45 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2006-07-07 11:28 1110016]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Internet Explorer\iexplore.exe" [2008-02-29 01:55 625664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"DXDllRegExe"="dxdllreg.exe" []
"AutoTBar"="c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 17:47 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-06 22:49 718704]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="C:\PROGRA~1\SYMNET~1\SNDWarn.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-08 12:11:03 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-07 14:33:32 16423]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-04-09 13:54:54 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IBM WebSphere Studio Homepage Builder V6\\bin\\hpbpage.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S2 Blink Service;Blink Service;"C:\Program Files\Blink\blink.exe" "C:\Program Files\Blink\blink.dll" Service []
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 03:30:54 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-23 10:00:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-04-23 10:03:20
ComboFix-quarantined-files.txt 2008-04-23 17:02:56

Pre-Run: 142,844,559,360 bytes free
Post-Run: 143,351,111,680 bytes free

155 --- E O F --- 2008-04-09 15:17:43
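As an added example (not part of this thread, and not ComboFix's own code), here is a small Python script that reads lines in the shape of the "Reg Loading Points" section of the log above and applies the checks a helper makes by eye: autorun values whose bracketed file info is empty, Security Center monitoring switched off, and the Windows Firewall profile disabled. The sample input is constructed from lines of the posted log. The interpretation that an empty `[ ]` means ComboFix did not find the referenced file on disk, and the remark that monitoring and firewall settings like these are expected when Norton and Sygate own them, are this example's assumptions, not statements from the log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: a few lines in the shape of the "Reg Loading Points"
# section of the ComboFix log posted above (not the full log).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpySweeper"="" []
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2006-07-07 11:28 1110016]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [ ]
"DXDllRegExe"="dxdllreg.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                      # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]*)"=\s*(.*)$')            # "name"=<rest of line>
FILEINFO_RE = re.compile(r'^"([^"]*)"\s*\[(.*)\]\s*$')   # "path" [date time size]
DWORD_RE = re.compile(r'^dword:([0-9a-fA-F]{8})$')


@dataclass
class Entry:
    key: str
    name: str
    value: str
    fileinfo: Optional[str] = None  # text inside [...] when the line carried it


def parse_loading_points(text: str) -> List[Entry]:
    """Parse [key] headers and "name"=value lines; anything else is ignored."""
    entries: List[Entry] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm is None or key is None:
            continue
        name, rest = vm.groups()
        fm = FILEINFO_RE.match(rest)
        if fm:
            entries.append(Entry(key, name, fm.group(1), fm.group(2).strip()))
        else:
            entries.append(Entry(key, name, rest.strip('"'), None))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Defender-side heuristics (assumptions, see the lead-in); returns (entry, reason) pairs."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        key = e.key.lower()
        if e.fileinfo == "":
            # Assumption: empty brackets mean no file was found at the referenced path.
            if e.value == "":
                findings.append((e, "autorun value with an empty command; leftover of an uninstalled product"))
            else:
                findings.append((e, "autorun value whose target file was not found on disk"))
        elif "security center" in key and e.name.lower() == "disablemonitoring":
            dm = DWORD_RE.match(e.value)
            if dm and int(dm.group(1), 16) != 0:
                findings.append((e, "Security Center monitoring disabled; normal when a third-party suite (here Norton) owns it, so confirm that it does"))
        elif "firewallpolicy" in key and e.name.lower() == "enablefirewall":
            if e.value.split()[0] == "0":
                findings.append((e, "Windows Firewall off for this profile; acceptable only if another firewall (here Sygate) is running"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{entry.name!r} in [{entry.key}]: {reason}")
```

Run against the sample, the script flags the four autorun values with empty brackets (SpySweeper, E6TaskPanel, SNM, DXDllRegExe) plus the two policy settings, which is the same short list a helper would want explained before calling a log clean; entries with a date, time and size in the brackets are left alone.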

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
What was the problem earlier that was giving you issues on running it?

I can't find that suspicious file/folder, but whatever it is, you may delete it. It's either a Microsoft update or some other non-important file/folder.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run and copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#11 Beetrix (Topic Starter, Member, 128 posts)
Oh, I forgot to save it on my desktop! :)
OK, I will delete it. Thank you for your help.

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.