help please. possible keylogging infection?
Comments
-
Trojan.CWS/HWY
HKU\S-1-5-21-3021365215-3288840816-88731272-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
HKLM\Software\Microsoft\Internet Explorer\Extensions\{669695BC-A811-4A9D-8CDF-BA8C795F261C}
-
I asked for only the TROJANS part. Simply highlight them (drag with the mouse or press SHIFT and the arrow keys), right-click and COPY, then right-click and PASTE.
-
ok doki
Run the COMBOFIX scan now
-
ComboFix came up as potentially harmful when I went to download it. Is it OK to run?
-
Yes, it's fine so long as you follow the instructions it gives.
-
I've got a warning saying I need to disable the scanner, i.e. Norton Internet Security, before continuing as it may damage the system. Do I disable it? I don't really want to. I'm in enough mess already without worrying about not being able to get Norton running again.
-
I'll try to explain your situation.
If you DO actually have a keylogger on your system and Norton can't do anything with it (which I'd guess it can't) then you need to find something else that does. Or (safer option by a country mile) wipe the hard drive and reinstall Windows.
As I'm guessing you don't yet want to try the wiping and reinstalling avenue, I don't see what choice you have.
I can't see what's running properly until ComboFix has run (there are other programs, but ComboFix alone is hard work to run through without complicating things for myself).
HOWEVER
If you want to risk just scanning with programs then try DR WEB'S CURE IT next.
It will auto scan a QUICK scan. Once that's finished, set it to run a FULL scan (will probably take hours).
-
OK, I'll uninstall Norton and go from there. Norton is blocking the attempts but I'm wanting to get it off my system altogether. Is that even possible?
-
No, no.
Don't UNINSTALL,
just switch it off.
-
ComboFix 09-04-04.01 - Lucie 2009-04-06 20:19:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.207 [GMT 1:00]
Running from: c:\documents and settings\Lucie\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\msimg32.dll
c:\windows\system32\drivers\fad.sys
.
((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.
2009-04-06 20:12 . 2009-04-06 20:12 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2009-04-06 18:00 . 2009-04-06 18:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-06 17:59 . 2009-04-06 17:59 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-04-06 17:59 . 2009-04-06 17:59 <DIR> d-------- c:\documents and settings\Lucie\Application Data\SUPERAntiSpyware.com
2009-04-06 17:58 . 2009-04-06 17:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-04-06 17:37 . 2009-04-06 17:37 <DIR> d-------- c:\program files\Trend Micro
2009-04-06 15:07 . 2009-04-06 15:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 15:07 . 2009-04-06 15:07 <DIR> d-------- c:\documents and settings\Lucie\Application Data\Malwarebytes
2009-04-06 15:07 . 2009-04-06 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-06 15:07 . 2009-03-26 16:49 38,496 ----a-w c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-04-06 15:07 . 2009-03-26 16:49 15,504 ----a-w c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-04-06 14:54 . 2009-04-06 14:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\PCPitstop
2009-04-06 14:52 . 2009-04-06 14:52 <DIR> d-------- c:\program files\PCPitstop
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 19:15 d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-06 19:14 d-----w c:\program files\Common Files\Symantec Shared
2009-04-06 19:14 d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-06 19:12 d-----w c:\program files\Symantec
2009-03-24 14:12 d-----w c:\program files\Microsoft Silverlight
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\win32k.sys
2009-02-09 11:13 1,846,784 ----a-w c:\windows\SYSTEM32\DLLCACHE\win32k.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-09-26 3061248]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 57344]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"PC Pitstop Optimize Reminder"="c:\program files\PCPitstop\Optimize2\Reminder.exe" [2009-03-02 203504]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2008-01-29 583048]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AOL 8.0 Tray Icon.lnk - c:\program files\AOL 8.0b\aoltray.exe [2003-09-18 36937]
palstart.exe [2005-05-04 30720]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk8.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - LIVEUPDATE_NOTICE_SERVICE
.
Contents of the 'Scheduled Tasks' folder
2009-03-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.mjjcommunity.com/forum/forumdisplay.php?s=&daysprune=-1&f=11
mStart Page = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: &Search
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
Trusted Zone: autoregister.net\tesco
Trusted Zone: autoregister.net\tesco-online
Trusted Zone: tesco.net\memberservices
Trusted Zone: tesco.net\register
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\DAP\dapie.dll
Name-Space Handler: HTTPS\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\program files\DAP\dapie.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NTLSignup - hxxps://register.tesco.net/tesco/NTLSignup.cab
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 20:21:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-06 20:23:42
ComboFix-quarantined-files.txt 2009-04-06 19:22:52
Pre-Run: 62,857,400,320 bytes free
Post-Run: 64,737,533,952 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
143 --- E O F --- 2009-03-17 00:18:25
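Added example, not part of the thread and not ComboFix's own code: a small Python parser for the "Reg Loading Points" section of a ComboFix log like the one posted above. It pulls out every Run value, flags Run values that carry only a bare filename (BCMSMMSG.exe above is resolved through the search path at logon, so the log's bracketed annotation is the only hint where it actually lives), and flags the Security Center "DisableMonitoring" values and the "EnableFirewall=0" setting that this log shows. SAMPLE_LOG is an excerpt of the posted log; the function names and finding labels are the example's own.

```python
"""Pull the responder-relevant facts out of the 'Reg Loading Points'
section of a ComboFix-style log: every autostart value, Run values that
name a bare file instead of a full path, Security Center monitoring that
has been switched off, and the Windows Firewall state and exceptions.

Added example; not part of the forum thread and not ComboFix's own code.
SAMPLE_LOG is an excerpt of the log posted in the thread. The function
names and the finding labels are this example's own.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-09-26 3061248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\WinMX\\WinMX.exe"=
.
Contents of the 'Scheduled Tasks' folder
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
STRING_DATA_RE = re.compile(r'^"(?P<text>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?$')
DWORD_DATA_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")
NUMBER_DATA_RE = re.compile(r"^(?P<num>\d+)\s*\(0x[0-9a-fA-F]+\)$")


@dataclass
class RegValue:
    key: str
    name: str
    data: object        # str for string data, int for DWORD, None when empty
    meta: str = ""      # ComboFix's "[date size]" annotation, if any


def decode_data(data):
    """Turn ComboFix's rendering of a registry value into (data, meta)."""
    if data == "":
        return None, ""
    m = STRING_DATA_RE.match(data)
    if m:
        return m.group("text"), m.group("meta") or ""
    m = DWORD_DATA_RE.match(data)
    if m:
        return int(m.group("hex"), 16), ""
    m = NUMBER_DATA_RE.match(data)
    if m:
        return int(m.group("num")), ""
    return data, ""     # unknown rendering: keep the raw text


def parse_reg_loading_points(text):
    """Return RegValue entries from the 'Reg Loading Points' section,
    stopping at the next ComboFix section."""
    values, key, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Contents of the") or line.startswith("Supplementary Scan"):
            break
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            data, meta = decode_data(m.group("data"))
            values.append(RegValue(key, m.group("name"), data, meta))
    return values


def review(values):
    """Checks a responder applies to the parsed entries.
    Each finding is a (label, key, name, data) tuple."""
    findings = []
    for v in values:
        k = v.key.lower()
        if k.endswith(r"\currentversion\run") and isinstance(v.data, str):
            findings.append(("autostart", v.key, v.name, v.data))
            # A bare filename is resolved through the search path at logon;
            # only ComboFix's [date path] annotation says where it was found.
            if not re.match(r"^[a-z]:\\", v.data, re.IGNORECASE):
                findings.append(("autostart-no-path", v.key, v.name, v.data))
        elif r"security center\monitoring" in k and v.name.lower() == "disablemonitoring" and v.data == 1:
            findings.append(("security-center-monitoring-off", v.key, v.name, v.data))
        elif "firewallpolicy" in k and v.name.lower() == "enablefirewall" and v.data == 0:
            findings.append(("firewall-off", v.key, v.name, v.data))
        elif k.endswith(r"\authorizedapplications\list"):
            # REGEDIT doubles backslashes inside value names; undo that.
            findings.append(("firewall-exception", v.key, v.name.replace("\\\\", "\\"), v.data))
    return findings


if __name__ == "__main__":
    for label, key, name, data in review(parse_reg_loading_points(SAMPLE_LOG)):
        print(f"{label:32} {name} = {data!r}   ({key})")
```

Two caveats when reading the findings. The Security Center "DisableMonitoring" values and "EnableFirewall=0" are exactly what a third-party suite such as Norton Internet Security writes when it takes over Security Center alerting and replaces Windows Firewall, so on this machine they are expected rather than evidence of tampering; they only become interesting on a host with no such suite. The parser also does not cover the "Other Deletions" section, which a responder should still read by hand: msimg32.dll is a Windows system DLL, and a copy sitting in Internet Explorer's own folder is loaded ahead of the one in system32 because the application directory comes first in the DLL search order.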