Browser Hijack...
Comments
aliEnRIK, this is the last full Malwarebytes scan:-
Sorry, can I just ask again, would you do anything with Temp and Prefetch, or not bother at this point?
I'll run ComboFix shortly.
Thanks.
Sometimes I'll remove all temp files, but it's usually futile until the actual infection's gone (which clearly it hasn't yet).
Just finished running ComboFix, and fingers crossed...
Part way through the scan, it came up saying something like "Rootkit activity found. Need to reboot". Don't know how significant that is, if at all.
Oh, I should point out that I downloaded ComboFix from the first of the 2 links on BleepingComputer. When I ran it, it said a newer version was available, did I want to download it? I didn't know if this was some sort of beta version so just stuck with the originally downloaded version.
Anyway I've clicked on about 40 Google links, and it's worked correctly every time!!!
The log follows. Assuming it's now all gone away, is it likely to have been atapi.sys?
ComboFix 09-12-25.04 - pc 26/12/2009 16:03:07.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.503.221 [GMT 0:00]
Running from: c:\documents and settings\pc\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\patch.exe
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.
2009-12-26 10:08 . 2009-12-26 10:08 d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-26 10:08 . 2009-12-26 10:08 d-----w- c:\program files\SUPERAntiSpyware
2009-12-26 10:08 . 2009-12-26 10:08 d-----w- c:\documents and settings\pc\Application Data\SUPERAntiSpyware.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 16:15 . 2004-11-30 18:17 318 ----a-w- c:\windows\system32\wacom.dat
2009-12-26 15:27 . 2004-11-27 18:54 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-26 10:07 . 2004-11-27 14:08 d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-25 00:32 . 2004-08-03 20:59 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-24 21:35 . 2004-11-27 18:54 d-----w- c:\program files\Spybot - Search & Destroy
2009-12-24 21:02 . 2009-10-30 19:42 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 17:24 . 2005-12-10 16:33 d-----w- c:\program files\PeerGuardian2
2009-12-05 10:28 . 2009-01-17 17:03 d-----w- c:\documents and settings\pc\Application Data\Spotify
2009-12-03 16:14 . 2009-10-30 19:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 16:13 . 2009-10-30 19:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 09:39 . 2009-10-31 09:39 d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-10-31 09:39 . 2009-10-31 09:38 d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-10-31 09:38 . 2009-10-31 09:38 d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-10-31 09:38 . 2009-10-31 09:38 d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-10-30 19:42 . 2009-10-30 19:42 d-----w- c:\documents and settings\pc\Application Data\Malwarebytes
2009-10-30 19:42 . 2009-10-30 19:42 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 19:36 . 2004-11-23 13:39 d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 19:33 . 2005-06-30 18:35 d-----w- c:\program files\Google
2009-10-30 19:30 . 2004-11-27 19:14 d-----w- c:\program files\Microsoft ActiveSync
2009-10-30 19:28 . 2004-11-27 18:50 d-----w- c:\documents and settings\pc\Application Data\Lavasoft
2009-10-30 11:40 . 2009-01-20 19:22 d-----w- c:\documents and settings\pc\Application Data\dvdcss
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-26 1867776]
"EPSON Stylus CX3200"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 74752]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2004-03-04 266240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-10-02 118784]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SpeedTouch USB Diagnostics"="c:\program files\Alcatel\SpeedTouch USB\Dragdiag.exe" [2001-10-03 4247552]
"EPSON Stylus CX3200"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 74752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-04 98304]
"WireLessMouse"="c:\program files\Office Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-21 2043160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\pc\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-6-17 59080]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2004-6-17 59080]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-05 07:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-12-04 11:52 98304 ----a-w- c:\program files\QuickTime\qttask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [30/11/2004 17:27 4064]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/04/2009 10:20 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/04/2009 10:20 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 08:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 08:43 74480]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/04/2009 10:20 297752]
R3 MOUSEWDFilter;MOUSEWDFilter;c:\windows\system32\drivers\MOUSEWD.SYS [29/04/2007 09:31 6528]
S3 RioDrv;Rio600 driver;c:\windows\system32\drivers\riodrv.sys [17/08/2001 13:24 12032]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 08:43 7408]
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: QuickDefine - c:\program files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
IE: QuickTranslate - c:\program files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - c:\program files\Common Files\Microsoft Shared\Information Retrieval\itss51.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 16:16
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX3200 = c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "c:\windows\system32\E_S25B.tmp"
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3244)
c:\windows\system32\tabhook.dll
c:\windows\system32\SSSensor.dll
.
Other Running Processes
.
c:\program files\Sygate\SPF\smc.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\Tablet.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\program files\Office Mouse Driver\MouseDrv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-26 16:25:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 16:25
Pre-Run: 20,263,555,072 bytes free
Post-Run: 20,403,851,264 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 5E1BB407825F6353524AB3101B4EE478
Just had a look in the ComboFix quarantined log file, which shows:
2009-12-26 16:11:36 . 2009-12-26 16:11:36 7,774 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-12-26 15:45:27 . 2009-12-26 16:02:19 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2005-10-22 08:22:06 . 2005-10-22 08:22:06 208,896 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\PATCH.EXE.vir
2004-08-03 20:59:44 . 2009-12-25 00:32:36 95,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir
2004-08-03 20:59:44 . 2009-12-25 00:32:36 95,360 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir_
The (modified?) date/time stamp on atapi.sys.vir of 25/12/09 @ 00:32:36 is 7 hours after the initial infection, while I'd left the PC doing a full Malwarebytes scan. I guess the fact that it had a different date to the created date indicates it had been got at.
Anyway, hopefully all ok now. I'm just going to set a full Malwarebytes scan going again as a check. Anything else I ought to check?
Oh sorry, what about the temp files and prefetch files now?
Cheers!
Nice to save.
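The poster's observation above (a system driver whose modified time is years after its creation time) is a usable triage heuristic, so here is an added PowerShell check that is not part of the thread: it lists drivers in System32\drivers that were modified long after they were created and reports each one's Authenticode status, since a genuine Microsoft driver stays validly signed after a legitimate update while a patched one does not. It assumes Windows PowerShell 5.1 or later on a modern Windows host (older versions report catalog-signed files as NotSigned) and an elevated prompt; the one-hour tolerance is an arbitrary constructed value.

```powershell
# Added example, not from the thread. Flags drivers whose last-write time is
# later than their creation time by more than a tolerance and reports whether
# each still carries a valid signature. Legitimate updates can also trip the
# timestamp test (NTFS tunnelling keeps the original creation time), which is
# why the signature column is the deciding check, not the dates alone.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$tolerance = [TimeSpan]::FromHours(1)   # constructed value: ignore small skew

$suspects = Get-ChildItem -Path $driverDir -Filter '*.sys' -File | ForEach-Object {
    $delta = $_.LastWriteTime - $_.CreationTime
    if ($delta -gt $tolerance) {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        [pscustomobject]@{
            Name      = $_.Name
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            DaysApart = [math]::Round($delta.TotalDays, 1)
            SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch ...
            SigType   = $sig.SignatureType   # Authenticode / Catalog / None
            Signer    = $signer
        }
    }
}

# Full table for review, then a warning per driver that is both time-skewed
# and not validly signed: those are the ones to compare against a known-good
# copy (or hand to a second scanner, as the thread recommends).
$suspects | Sort-Object DaysApart -Descending | Format-Table -AutoSize
$suspects | Where-Object { $_.SigStatus -ne 'Valid' } | ForEach-Object {
    Write-Warning ("{0}: created {1:yyyy-MM-dd}, modified {2:yyyy-MM-dd}, signature {3}" -f
        $_.Name, $_.Created, $_.Modified, $_.SigStatus)
}
```

On the machine in this thread the quarantined atapi.sys (created 2004-08-03, modified 2009-12-25) would have appeared at the top of the table; a clean install of the same driver keeps its original signature intact.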
One of the smallest ComboFix logs I've seen.
Well, clearly things are on the up. I can't see anything dodgy in the log, but that does NOT mean you're clean for certain.
Personally I'd:
Download and run the FREE version of DR WEB
http://www.freedrweb.com/download+cureit/gr/
Turn your anti virus OFF
It will auto QUICK scan
After that set to scan the WHOLE computer and press the 'play' icon
***DO NOT UPGRADE TO FULL VERSION***
Interesting...I had decided to change from AVG to Avast before I saw the message to try Dr Web, so had just run a scan with it. I had already made this change on my laptop about 3 weeks ago and was going to do the same on this desktop when I got around to it anyway. I did this full Avast scan, on standard setting, and it found Win32 : Alureon-EU on the atapi.sys file in the Combofix quarantine folder. This was the only thing it found.
Dr Web found the same file, this time calling it BackDoor.Tdss.1365. It actually flagged up ComboFix.exe itself as suspicious. It indicated that A0034180.bat in C:\System Volume Information\_restore...etc. is 'Probably BATCH.Virus', although it didn't offer me any options.
I have a folder called C:\Windows\Download Installations\{8A23...etc. This contains 2 files only, 0x0409.ini and iTunes.msi, both dated 4/12/04. Dr Web has indicated that iTunes.msi has something called 'Tool.Reboot' in it. I don't use iTunes anyway, so 'Moved' it, although I'm guessing it was probably a false positive. It found another iTunes file with a similar name in C:\Windows\Installer which I also moved.
So ComboFix, Avast, and Dr Web found the atapi.sys problem, but neither AVG nor Malwarebytes did. It emphasises the need not to rely on just one tool.
Anything else to check?
Thanks again for your help.
Just noticed that with Dr Web I can select files and move/delete now the scan has finished. Should I do anything with A0034180.bat?
Nice to save.
Sorry Nemo, I forgot all about this thread.
If you can, just remove it (manually will do).
aliEnRIK,
No worries. I thought it might have seemed a bit needy just to post asking if you'd forgotten about me, so just decided to let the thread fade.
I did a bit of Googling at the time and read that removing stuff from the Windows\Installer directory is a bit naughty without using a proper tool, so I put both of those iTunes files back. It was only Dr Web that flagged them out of half a dozen different applications I'd used to scan so presumed they were false positives anyway, and they were last modified in 2004. I removed the .BAT file.
After I'd finished, I went through scans with Avast, Malwarebytes, SuperAntiSpyware, Spybot, Dr Web, and CCleaner again. Everything was ok, and the PC seems to be working just fine.
What should I be using to prevent this malware problem happening again? I know there's TeaTimer and Immunize in Spybot that can be used. Do these work, or is there anything better?
Many thanks for your help.
Nice to save.
Use a better virus scanner, AVG8 doesn't cut the mustard!
Spybot's 'TeaTimer' is next to useless as most people will allow everything through anyway.
Personally I'd use FIREFOX with the NOSCRIPT plugin to stop anything coming through the browser (unless you allow it through, of course), or SANDBOXIE,
MALWAREBYTES as a secondary scanner,
and SPYBOT'S IMMUNISE feature.
It's more to do with 'being safe' than having the right programs. Don't go clicking silly links or opening dodgy-looking emails etc.