NEWFOLDER.EXE AND BROWSER HIJACKED


  • This topic is locked
18 replies to this topic

#1 mracheiver

mracheiver

  • Members
  • 14 posts

Posted 23 January 2010 - 07:42 AM

Hi Team,

I had a browser hijack (automatically getting connected for a PPPoE login). Had a 500GB HDD filled with the New Folder.exe virus. Can you guide me on how to get this issue resolved? Another issue is that the System process is using around 86000K of memory. Can you guide me on how to reduce it?

I have downloaded HijackThis, SUPERAntiSpyware, ERUNT, TFC, GMER and have AVG as default antivirus. Can you guide me to get this issue resolved? I want the important data on the external 500GB HDD.

Attached the HijackThis log!


#2 mracheiver

mracheiver
  • Topic Starter

  • Members
  • 14 posts

Posted 27 January 2010 - 02:42 PM

Hi Team,

Can you please let me know what options I have to delete this virus. I tried to remove it manually, searching all the hidden folders for .exe files of size 375KB with a creation date. I am able to remove them, but it's a hectic process and the computer is unresponsive for a few hours when trying to search for and delete them manually.
I am trying to delete them from the external 500GB HDD. Not able to find any suspicious autorun.ini file on the computer. I did run a few scans with various online scanners and the browser seems to be fine (wondering to what extent though!). A 100GB scan took almost a day as it contained software with numerous folders, so the computer became unresponsive for a lot of time. As of now I have disconnected the external HDD and am waiting for a solution from you guys. Any suggestions on this would be helpful.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 29 January 2010 - 02:24 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in response.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 01 February 2010 - 12:35 PM

Hello.

Are you still there? Do you still require help?

If you are, please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days of my initial reply, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 03 February 2010 - 03:42 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 04 February 2010 - 06:00 PM

Re-opened upon user's request.

#7 mracheiver

mracheiver
  • Topic Starter

  • Members
  • 14 posts

Posted 05 February 2010 - 01:07 PM

Hey buddy,
Thanks for reopening the post. I am attaching the scan reports for the DDS scan and RootRepeal. I am yet to scan my external HDD as it's taking so long. I will update as soon as I can. Two issues here: 1. to remove the New Folder.exe virus from the HDD and 2. to reduce the usage of memory by the process named "System", almost 87000K.

Thanks, Extremeboy!


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 February 2010 - 02:44 PM

Hello.

First, you have 2 AVs: one is ESET and the other is AVG. Having two AVs is not recommended.
2 Anti-virus/Firewall Programs Running Simultaneously Warning

I do not recommend that you have more than one anti-virus or firewall product installed and running on your computer at a time. In addition to wasting resources, if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.

Please uninstall them until you are only running one antivirus, using Add/Remove Programs if you are using XP or Programs and Features if you are using Vista.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page on instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


#9 mracheiver

mracheiver
  • Topic Starter

  • Members
  • 14 posts

Posted 08 February 2010 - 03:00 PM

Hey EB,

Thanks for your patience. I will post the ComboFix log ASAP. Delayed as I was stuck with work.

Thanks!

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 09 February 2010 - 04:34 PM

That's fine. Thanks for letting me know.

#11 mracheiver

mracheiver
  • Topic Starter

  • Members
  • 14 posts

Posted 10 February 2010 - 03:13 PM

Hey EB,

I am attaching the log here. A few things happened. Now I don't see the AVG control panel in the system tray after running ComboFix, but when I manually click on it, it opens fine. I am not able to find it in the startup items in msconfig, so I don't know if AVG is still active on this computer. Please guide me if you have some steps for this. ComboFix is not generating any log for the external drive. I have an external HDD of 500GB which has some important data, so can you guide me on how I can check if I have some virus left on it? The AVG scan is not showing up anything. New Folder.exe is not detected by AVG. I did try to manually delete it with steps from other topics; don't know how far I was successful.
One last thing: the System process is using as much as 89000K, which was not the case a few months ago. A fresh install shows a usage of 414K-1000K. A Process Explorer scan indicates a continuous data stream of 715MB always occupied by it in the graph. If you have any steps, I am ready to check them out on the system!
:-)

Thanks, EB!


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 11 February 2010 - 08:25 PM

Hi again.

Okay, you appear to have a Virtual Machine, may I ask what that is used for?

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\szeeba]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    "9873:TCP"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "nltide_2"=-
    [-HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
    File::
    f:\windows\system32\gljql.dll
    Netsvc::
    szeeba
    Driver::
    szeeba
    Folder::
    f:\windows\system32\1053
    f:\windows\system32\1049
    f:\windows\system32\1046
    f:\windows\system32\1043
    f:\windows\system32\1040
    f:\windows\system32\1036
    f:\windows\system32\1034
    f:\windows\system32\1030
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link


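A read-only check that the artifacts named in the CFScript above are actually gone after ComboFix has run. This is an added example, not ComboFix output or a script from the thread; it assumes ComboFix's `HKLM\~\` shorthand stands for `HKLM\SYSTEM\CurrentControlSet\`, and it derives the System32 path from the live `%SystemRoot%` instead of the `f:\windows` seen in the script.

```powershell
# Post-cleanup verification for the CFScript entries; reports, never deletes.
# Run from an elevated PowerShell prompt on the cleaned machine.
$findings = @()

# Registry keys the script removed outright ([-KEY] syntax).
# CurrentControlSet is checked as well, since ControlSet001 may not be the live one.
$keys = @(
    'HKLM:\SYSTEM\ControlSet001\Services\szeeba',
    'HKLM:\SYSTEM\CurrentControlSet\Services\szeeba',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key still present: $k" }
}

# Windows Firewall exceptions the script deleted ("port:TCP"=- syntax).
# Assumption: HKLM\~\ in the CFScript means HKLM\SYSTEM\CurrentControlSet\.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List'
foreach ($port in '3389:TCP', '9873:TCP') {
    $item = Get-ItemProperty -LiteralPath $fwList -Name $port -ErrorAction SilentlyContinue
    if ($item) { $findings += "Firewall exception still open: $port = $($item.$port)" }
}

# RunOnce value under the .DEFAULT hive (applies before any user logs on).
$runOnce = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$ro = Get-ItemProperty -LiteralPath $runOnce -Name 'nltide_2' -ErrorAction SilentlyContinue
if ($ro) { $findings += "RunOnce entry still present: nltide_2 = $($ro.nltide_2)" }

# Service/driver registration as seen by the Service Control Manager.
if (Get-Service -Name 'szeeba' -ErrorAction SilentlyContinue) {
    $findings += 'Service szeeba is still registered'
}

# File and numbered folders listed under File:: and Folder::.
$sys32 = Join-Path $env:SystemRoot 'System32'
$paths = @(Join-Path $sys32 'gljql.dll')
foreach ($n in 1053, 1049, 1046, 1043, 1040, 1036, 1034, 1030) {
    $paths += Join-Path $sys32 "$n"
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path still present: $p" }
}

if ($findings.Count -eq 0) {
    'All CFScript artifacts are gone.'
} else {
    $findings
}
```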

#13 mracheiver

mracheiver
  • Topic Starter

  • Members
  • 14 posts

Posted 13 February 2010 - 01:56 PM

Hi EB,

Yes, I use VM Player for Linux. After running ComboFix I am missing some items in the system tray, e.g. 1. sound control, 2. AVG, 3. SQL Server launch, that sort of thing.

Please check the ComboFix and MBAM logs here. The System process still shows a high usage of memory. Can you let me know what was done in the previous step (out of curiosity, to learn)? MBAM deleted 2 malwares. Let me know what needs to be done. Thanks, EB!


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 14 February 2010 - 01:27 PM

Hello again.

I basically told Combofix to remove a few things and Malwarebytes detected some further stuff that it quarantined. Overall things are looking good.

Let's get an online scan now.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#15 mracheiver

mracheiver
  • Topic Starter

  • Members
  • 14 posts

Posted 15 February 2010 - 08:15 AM

Hi EB,

Now I am not able to access the internet properly on this computer, so since yesterday I am trying to log in from a different computer even to check my mails (it just loads the home page and is not responding later on), and the system is taking extra time to boot up than normal. Don't know if the normal AVG scanner is running now or not! I will just check it out if I can access my account once again on the LT. If I can, I will go through the above process. I will keep you updated, EB!

Thanks.

Edited by mracheiver, 15 February 2010 - 08:17 AM.
