FraudSysguard8.zip

Danni
2010-04-28, 05:11
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSysguard8.zip

Hello, I've just gotten over an infection that has deleted my cmd.exe

After having run a search, it seems that the password protected FraudSysguard8.zip has the only copy.

Do you think that file is infected or a copy included for repair purposes?

Thanks :)

Danni

Yodama
2010-04-28, 08:17
Hello,

the Spybot S&D recovery folder contains the files that have been removed by Spybot S&D. In this case the cmd.exe contained in the FraudSysguard8.zip is a fake cmd.exe; it is not the one provided by Microsoft for your operating system.

The original cmd.exe is usually located in c:\windows\system32\.
If the file gets deleted or changed, it gets replaced with a backup copy stored elsewhere in the system by Windows File Protection (WFP (http://support.microsoft.com/kb/222193)).

Danni
2010-04-28, 09:31
Thank you, Yodama :)

I've now been able to find a clean copy of cmd.exe on the net, however, it seems that the infection took the time to remove every backup copy of the original, including those which WFP relies on.

I'd hoped that it was all I'd need to be able to fix the strange Winsock problem I now have, but I'm still trying to fix that as of right now.

Resetting netsh or running a prepackaged WinsockFix tool does nothing. I can FTP and everything updates fine, but HTTP requests fail. Opera connects fine though.

Thanks again :)

Danni

Danni
2010-04-28, 10:49
Found it.

The virus uses port forwarding, via port 5555. Chrome and Safari use IE's settings :confused:

Please mark this as resolved
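A defender's check for the mechanism Danni ran into, added here as an example and not code from the thread or from Spybot: it parses the WinINET (Internet Explorer) proxy settings that Chrome, Safari and other WinINET clients inherit and flags any proxy pointing back at the local machine. It assumes the infection worked by setting such a loopback proxy (e.g. 127.0.0.1:5555), which the thread does not state outright; the function names are hypothetical and the sample values in the comments are constructed.

```python
"""Flag a WinINET (Internet Explorer) proxy that points back at the local
machine. Assumption, not stated in the thread: the infection set a loopback
proxy such as 127.0.0.1:5555, which breaks HTTP for every browser that
inherits IE's settings while FTP and Opera (own settings) keep working."""
from typing import Dict, Optional

# Per-user WinINET proxy settings live under this HKCU key.
PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_proxy_server(value: str) -> Dict[str, str]:
    """Parse ProxyServer: either one 'host:port' for all protocols (key '*')
    or ';'-separated 'scheme=host:port' entries (http, https, ftp, socks)."""
    proxies: Dict[str, str] = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            scheme, _, target = entry.partition("=")
            proxies[scheme.strip().lower()] = target.strip()
        else:
            proxies["*"] = entry
    return proxies

def loopback_proxies(proxy_enable: int, proxy_server: str) -> Dict[str, str]:
    """Return the enabled entries that route traffic through this machine."""
    if not proxy_enable:
        return {}
    flagged: Dict[str, str] = {}
    for scheme, target in parse_proxy_server(proxy_server).items():
        host = target.rsplit(":", 1)[0].strip("[]").lower()  # also [::1]:5555
        if host in LOOPBACK_HOSTS or host.startswith("127."):
            flagged[scheme] = target
    return flagged

def check_current_user() -> Optional[Dict[str, str]]:
    """Read the live HKCU values on Windows; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PROXY_KEY) as key:
        try:
            enable, _ = winreg.QueryValueEx(key, "ProxyEnable")
            server, _ = winreg.QueryValueEx(key, "ProxyServer")
        except FileNotFoundError:
            return {}  # no proxy configured at all
    return loopback_proxies(enable, server)
```

An empty result from `check_current_user()` means no loopback proxy is set for the current user; a non-empty one lists the protocols being redirected, which is what to clear (or compare against the machine-wide policy key) after removal.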