We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
The Forum now has a brand new text editor, adding a bunch of handy features to use when creating posts. Read more in our how-to guide
Quick Help Needed Pls!! Virus!! System Security
Comments
-
That might have been remotely funny if I hadn't spent nearly 5 hours last night and the whole of this morning trying to sort this out :rolleyes:If at first you don't succeed ........
Alternative autism therapies should be free!!0 -
use system restore to roll back to before this happened
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
then download and scan with combofix straight away , do a scan that should take 20 minutesEx forum ambassador
Long term forum member0 -
Right, I see a trojan in the original Combofix log. Can you run the following programme for me I want to see what else is hiding,
- Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
- Double click on RSIT.exe to run RSIT.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
0 -
Wrong place sorryClixsense since 31.01.16 $122.13 Neo bux since 31.01.16 400 RR $1018.00
Swagbucks since 27.09.15 £310 amazon gc, $50.00 Steam gc £100.00 paypal 2,805 points to cash out0 -
you need to start your own thread , each infection/response is uniqueEx forum ambassador
Long term forum member0 -
OK thanks for that will do, I will delete my above postClixsense since 31.01.16 $122.13 Neo bux since 31.01.16 400 RR $1018.00
Swagbucks since 27.09.15 £310 amazon gc, $50.00 Steam gc £100.00 paypal 2,805 points to cash out0 -
use system restore to roll back to before this happened
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
then download and scan with combofix straight away , do a scan that should take 20 minutes
Okay, I have done a system restore and the pop ups have stopped and the system security icons have disappeared, Iam now running combofix. But I have noticed that the little icons you get in your address bar of a webpage have all changed for me. For example, a lot of them have the letters BT??? BT is not my internet provider even?? I used to get a little pic of Martin Lewis in my address bar on the moneysaving webpages..... now I'm getting BT
If at first you don't succeed ........ Alternative autism therapies should be free!!0 -
Here is the log from the Combofix notepad
ComboFix 09-02-21.01 - Jackie 2009-02-22 6:43:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1019 [GMT 0:00]
Running from: c:\documents and settings\Jackie\My Documents\ComboFix1.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.
2009-02-21 12:46 . 2009-02-21 12:46 <DIR> d
c:\documents and settings\All Users\Application Data\SITEguard
2009-02-21 12:45 . 2009-02-21 12:45 <DIR> d
c:\program files\Common Files\iS3
2009-02-21 12:45 . 2009-02-22 06:32 <DIR> d
c:\documents and settings\All Users\Application Data\STOPzilla!
2009-02-21 10:54 . 2009-02-22 06:33 <DIR> d
c:\program files\SUPERAntiSpyware
2009-02-21 10:54 . 2009-02-21 10:54 <DIR> d
c:\documents and settings\Jackie\Application Data\SUPERAntiSpyware.com
2009-02-21 10:02 . 2009-02-22 06:32 <DIR> d
C:\RECYCLER(2)
2009-02-21 08:24 . 2009-02-22 06:40 <DIR> d
C:\ComboFix
2009-02-21 08:03 . 2009-02-21 08:03 <DIR> d
c:\program files\Trend Micro
2009-02-21 06:34 . 2009-02-22 06:32 <DIR> d
c:\documents and settings\All Users\Application Data\1527240312
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 06:44
d
w c:\documents and settings\All Users\Application Data\Kontiki
2009-02-22 06:32
d
w c:\program files\Malwarebytes' Anti-Malware
2009-02-20 13:11
d
w c:\program files\McAfee
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-09-21 19:36 61,224 -c--a-w c:\documents and settings\Jackie\GoToAssistDownloadHelper.exe
2007-09-27 17:20 168 -csh--r c:\windows\system32\3B8AC5DE95.sys
2007-09-27 17:20 2,516 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-09-28 02:07 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092820080929\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-18 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-08-29 160592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-09-02 83968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-30 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-03 26112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 614960]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-03 98304]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-08-25 28672]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-06-21 67128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-03-31 884840]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Common Files\\aol\\1190534892\\ee\\aolsoftware.exe"=
"c:\\Program Files\\NETGEAR\\WG111T\\wlan111t.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-12-02 206096]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-02-22 17149]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\!!97da2ef8-9a7b-11db-a1e0-000feac34a73}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
2009-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
2009-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.sky.com/
uInternet Settings,ProxyOverride = localhost
IE: !!!!08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - !!9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Jackie\Application Data\Mozilla\Firefox\Profiles\d0m0bs06.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 06:44:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-22 6:47:14
ComboFix-quarantined-files.txt 2009-02-22 06:46:37
ComboFix2.txt 2009-02-21 08:33:36
Pre-Run: 91,654,565,888 bytes free
Post-Run: 91,731,083,264 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
159 --- E O F --- 2009-02-10 10:33:23If at first you don't succeed ........ Alternative autism therapies should be free!!0 -
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:Killall::
DirLook::
c:\documents and settings\All Users\Application Data\1527240312
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.0 -
Okay, as well as the above Combofix log, I have just run a quick scan in malwarebytes and here is the log for this
Malwarebytes' Anti-Malware 1.34
Database version: 1793
Windows 5.1.2600 Service Pack 3
22/02/2009 07:30:55
mbam-log-2009-02-22 (07-30-55).txt
Scan type: Quick Scan
Objects scanned: 64312
Time elapsed: 5 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
PS: Sorry reluctant_spender, just seen your post, do you still want me to follow your instructions?If at first you don't succeed ........ Alternative autism therapies should be free!!0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 353.5K Banking & Borrowing
- 254.1K Reduce Debt & Boost Income
- 455K Spending & Discounts
- 246.6K Work, Benefits & Business
- 602.9K Mortgages, Homes & Bills
- 178.1K Life & Family
- 260.6K Travel & Transport
- 1.5M Hobbies & Leisure
- 16K Discuss & Feedback
- 37.7K Read-Only Boards