We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Infected computer, need help understanding Hijack This log
Comments
-
which will be the avenue for the infection and they are in grave risk of losing personal data
This will be really worrying for them as they do shopping and banking on line, apart from getting their system up to scratch, any recommendations on what they should do now to protect their personal data?It's easier to get forgiveness than to ask permission
0 -
Would change all passwords on a clean computer and phone bank.0
-
make sure it's fully patched to SP3 and no outstanding updates....Ex forum ambassador
Long term forum member0 -
OK latest installment.
I tried to apply the SP1 patch and it does not look like it is a legit copy of windows. The computer shop they bought the computer from is no longer in business and did not give them any CDs with the computer when they bought it.
I have told them that they will need to get a copy of XP before they can use it again - any suggestion on where the best place to buy? They have the xp professional on at the moment, can this be replaced with XP home and how big a job is it to 'update' the OS once they get a legit disc?
As I am unable to update XP, I cannot put the latest version of AVG on as it doesn't support this version of XP.
I ran combofix but that didn't like the windows version either :rolleyes:. It ran through and rebooted the pc but didn't resume running and didn't produce a log - it does appear, however, to have got rid of some stuff.
Spybot also got rid of another 30 entries.
New hijack this in next post - still seem to be a couple of nasties on there!It's easier to get forgiveness than to ask permission
0 -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:38, on 2009-01-24
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\drivers\SbCtri.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SbCtri.exe
O2 - BHO: AcroIEHlprObj Class - !!06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - !!3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: ZKBho Class - !!56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - !!761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Radio - !!8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - !!2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tblive.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_!!79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\3B Software\Common\Scheduler\wcomschd.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - !!08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: !!8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\SbCtri.exe
--
End of file - 6767 bytesIt's easier to get forgiveness than to ask permission
0 -
fix
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
and then navigate to that location and make sure the file is deletedEx forum ambassador
Long term forum member0 -
take off the virgin Pcprotection
than put on a real firewall like comodo free
http://www.personalfirewall.comodo.com/
to give them some inbound/outbound protection
all I can suggest in the meantime is running adaware/superantispyware etc and possibly removing AVG and loading Avast or Avira which are more likely to run
for the secure transactions in the meantime they could try an Ubuntu boot CD which will come wiith Firefox and be "clean" and safe, just boot with it to do online shopping etcEx forum ambassador
Long term forum member0 -
fix
O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
and then navigate to that location and make sure the file is deleted
Thanks very much Browntoa! That's gone now (rebooted and re ran Hijack this to check!)
What about sbCtri.exe? I google it and it flagged up as 'Cloaked Malware' :eek:It's easier to get forgiveness than to ask permission
0 -
HELP
My friend has gone out today to buy a copy of Windows XP.
In the meantime I have downloaded and ran Avast to try and clear the last couple of nasties!
I set Avast to run on reboot which it did, I then got a message saying the system was out of disc space so I clicked OK and the pc continued to boot.
The situation now is that I cannot load past the screen where it asks for the user name and password, as soon as I put the password in it says, Loading your settings' then logging off and 'saving your settings' and returns me to the password entry screen.
I have tried booting into safe mode and it behaves exactly the same.
I have ran the recovery console and run a CHKDSK /r in the hope that might help!
Please any suggestions!
ThanksIt's easier to get forgiveness than to ask permission
0 -
I'd wait now until they have the Xp Cd . then do a repair install from the CD , then legalise the dodgy copy
http://www.microsoft.com/genuine/selfhelp/XPPkuinst.aspx?displaylang=en&sGuid=3799f7fb-fec6-466a-b5d1-21582d100fc8Ex forum ambassador
Long term forum member0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 352.2K Banking & Borrowing
- 253.6K Reduce Debt & Boost Income
- 454.3K Spending & Discounts
- 245.2K Work, Benefits & Business
- 600.9K Mortgages, Homes & Bills
- 177.5K Life & Family
- 259K Travel & Transport
- 1.5M Hobbies & Leisure
- 16K Discuss & Feedback
- 37.7K Read-Only Boards