Have I been hacked?
HJT scan indicates that the OP is still running Vista (no SP1 or SP2), so Windows auto updates is turned off and updates at least 2 years out of date (SP1 was released early 2008)?
When I allowed Windows free run it kept updating loads of rubbish every day, so now it does essential updates only on a Sunday. Is that wrong?
Can you confirm which edition of Vista you are running? Go to Computer, General tab. It should say Windows Vista SP2 if up to date. If it says SP1, or just Windows Vista, then you are not up to date.
'Loads of rubbish' are the fixes designed to keep your computer secure... Is it actually switched on at the time on Sunday when you have set it to check? The default time is usually 3am.
It just says Windows Vista, no SPs, and yes, I set it to lunchtime Sunday so I knew it would be on.
Should I click on the upgrade Vista button?
Then you do not have either SP1 or SP2 installed.
I would deal with the ComboFix scan first, but once you get it clean do a manual update; it may require several runs to update all that.
So are you saying that my computer has been compromised then? And do I have to turn off my McAfee before I download ComboFix?
Quite obviously you do, yes.
Quite obviously you do yes
Here is the ComboFix log:
ComboFix 10-01-27.05 - Karen 28/01/2010 10:37:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2045.1272 [GMT 0:00]
Running from: c:\users\Karen\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
SP: McAfee VirusScan *disabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-1441003981-2371823734-2716902898-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\users\Karen\AppData\Roaming\Microsoft\AdjMmsVista.dll
.
((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-28 )))))))))))))))))))))))))))))))
.
2010-01-28 10:45 . 2010-01-28 10:45 d-----w- c:\users\Default\AppData\Local\temp
2010-01-27 13:38 . 2010-01-27 13:38 388096 ----a-r- c:\users\Karen\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-27 13:38 . 2010-01-27 13:38 d-----w- c:\program files\TrendMicro
2010-01-27 11:40 . 2010-01-27 11:40 d-----w- c:\users\Karen\AppData\Roaming\Malwarebytes
2010-01-27 11:40 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-27 11:40 . 2010-01-27 11:40 d-----w- c:\programdata\Malwarebytes
2010-01-27 11:40 . 2010-01-27 11:40 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-27 11:40 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-26 06:57 . 2010-01-26 06:57 d-----w- c:\users\Karen\AppData\Roaming\Trusteer
2010-01-26 06:57 . 2010-01-26 06:57 d-----w- c:\program files\Trusteer
2010-01-26 06:56 . 2010-01-26 06:56 d-----w- c:\programdata\Trusteer
2010-01-13 06:01 . 2009-10-19 14:42 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 06:01 . 2009-10-19 14:39 24064 ----a-w- c:\windows\system32\lpk.dll
2010-01-13 06:01 . 2009-10-19 14:37 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 06:01 . 2009-10-19 14:37 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-01-13 06:01 . 2009-10-19 14:36 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-01-13 06:01 . 2009-10-19 11:45 289792 ----a-w- c:\windows\system32\atmfd.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-28 05:12 . 2009-10-15 18:32 d-----w- c:\programdata\Electronic Arts
2010-01-28 05:12 . 2009-06-07 21:12 d-----w- c:\program files\Common Files\Adobe AIR
2010-01-28 05:10 . 2010-01-28 05:12 38784 ----a-w- c:\users\Karen\AppData\Roaming\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-28 05:10 . 2010-01-28 05:12 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-27 21:13 . 2008-03-09 13:23 12 ----a-w- c:\windows\bthservsdp.dat
2010-01-25 09:23 . 2009-11-26 07:54 439816 ----a-w- c:\users\Karen\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-01-25 05:57 . 2009-11-09 12:48 d-----w- c:\program files\Coupon Printer
2010-01-25 05:53 . 2008-03-20 18:10 d-----w- c:\programdata\AOL
2010-01-17 12:04 . 2008-11-03 20:13 d-----w- c:\programdata\Microsoft Help
2010-01-17 12:03 . 2006-11-02 11:18 d-----w- c:\program files\Windows Mail
2010-01-14 11:12 . 2009-10-03 09:04 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-14 06:11 . 2008-03-20 18:07 d-----w- c:\programdata\AOL Downloads
2010-01-14 06:11 . 2008-03-20 18:09 228912 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\migrator.exe
2010-01-14 06:11 . 2008-03-20 18:09 141944 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\alsetup.exe
2010-01-14 06:11 . 2008-03-20 18:08 120368 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\aoldlmgr.exe
2010-01-14 06:11 . 2008-03-20 18:08 63024 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\instSup.dll
2010-01-14 06:11 . 2008-03-20 18:08 35888 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\postproc.exe
2010-01-14 06:11 . 2008-03-20 18:08 83504 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\ProgUpd.dll
2010-01-14 06:11 . 2008-03-20 18:08 15920 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\ocpchk.dll
2010-01-14 06:11 . 2008-03-20 18:08 1273280 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\AIMinst.exe
2010-01-14 06:11 . 2008-03-20 18:08 87600 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\AOLFirewallMgr.dll
2010-01-14 06:10 . 2008-03-20 18:08 13872 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\imappver.dll
2010-01-14 06:10 . 2008-03-20 18:08 169520 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\setup.exe
2010-01-14 06:10 . 2008-03-20 18:08 376568 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\unagi3.exe
2010-01-14 06:10 . 2008-03-20 18:08 3858056 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\Vwpt.exe
2010-01-14 06:10 . 2008-03-20 18:08 481480 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\AIMLang.exe
2010-01-14 06:10 . 2008-03-20 18:08 237104 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\gui.dll
2010-01-14 06:10 . 2008-03-20 18:08 477520 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\aimlang_uk.exe
2010-01-14 06:10 . 2008-03-20 18:08 357776 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\tbsetup.exe
2010-01-14 06:10 . 2008-03-20 18:07 5095496 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\ocpinst.exe
2010-01-14 06:10 . 2008-03-20 18:07 11824 ----a-w- c:\programdata\AOL Downloads\triton_uk\6.1.17.1\tbinst.dll
2010-01-13 07:56 . 2008-10-25 13:50 d-----w- c:\users\Karen\AppData\Roaming\FrostWire
2010-01-13 07:35 . 2010-01-13 07:35 58 ----a-w- c:\windows\nct21E3.tmp
2009-12-24 10:07 . 2008-10-25 13:50 d-----w- c:\program files\FrostWire
2009-12-24 10:03 . 2009-09-15 04:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-24 10:03 . 2007-06-23 16:14 d-----w- c:\program files\Java
2009-12-23 10:29 . 2009-12-23 10:29 22883 ----a-w- c:\program files\uninstal.log
2009-12-23 10:29 . 2009-12-23 10:29 d---a-w- c:\program files\virtual_garden
2009-12-21 11:09 . 2009-12-21 11:09 1230960 ----a-w- c:\programdata\Google\Google Toolbar\Component\GoogleCld_3F6C343113693CD9.dll
2009-12-21 09:47 . 2009-12-21 09:47 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb5219.tmp.exe
2009-12-21 09:46 . 2009-12-21 09:46 d-----w- c:\program files\Google
2009-12-20 11:49 . 2008-03-24 14:14 d-----w- c:\program files\Electronic Arts
2009-12-20 11:49 . 2007-06-23 16:14 d--h--w- c:\program files\InstallShield Installation Information
2009-12-18 12:52 . 2010-01-22 05:57 832512 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 12:48 . 2010-01-22 05:57 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-12-18 12:48 . 2010-01-22 05:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 12:48 . 2010-01-22 05:57 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2009-12-18 12:46 . 2010-01-22 05:57 72704 ----a-w- c:\windows\system32\admparse.dll
2009-12-18 10:18 . 2010-01-22 05:57 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-18 08:45 . 2010-01-22 05:57 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-12-04 08:23 . 2009-12-04 08:23 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-11-26 15:54 . 2009-11-26 15:54 118784 ----a-w- c:\users\Karen\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\compat.dll
2009-11-15 09:40 . 2008-10-25 14:16 4506256 ----a-w- c:\users\Karen\AppData\Roaming\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
2009-11-10 12:47 . 2008-03-05 12:55 362144 ----a-w- c:\users\Karen\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-10 12:44 . 2009-11-10 12:44 3186688 ----a-w- c:\windows\system32\acXMLParser.dll
2009-11-10 12:44 . 2009-11-10 12:44 3186688 ----a-w- c:\windows\system32\cdintf300.dll
2009-11-10 12:36 . 2009-11-10 12:36 79052 ----a-w- c:\windows\system32\drivers\AFS.SYS
2009-11-09 13:34 . 2009-12-13 18:26 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 13:30 . 2009-12-13 18:26 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 12:48 . 2009-11-09 12:48 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-11-09 11:17 . 2009-12-13 18:26 396800 ----a-w- c:\windows\system32\drivers\http.sys
2007-06-24 00:00 . 2007-06-23 23:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-21 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-06-24 1006264]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-03-16 17920]
"SiteAdvisor"="c:\program files\SiteAdvisor\6261\SiteAdv.exe" [2007-02-09 36904]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-22 185896]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-24 149280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
R0 AFS;AFS;c:\windows\System32\drivers\AFS.SYS [10/11/2009 12:36 79052]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [12/01/2010 18:29 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [12/01/2010 18:29 108648]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [12/01/2010 18:29 779496]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [05/06/2007 08:25 202280]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]
2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-21 11:22]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.aol.co.uk/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: o2.co.uk\*.broadband
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
ActiveSetup-ccc-core-static - msiexec
AddRemove-Macromedia Shockwave Player - c:\windows\System32\Macromed\SHOCKW~2\UNWISE.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 10:45
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-1441003981-2371823734-2716902898-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:64,f1,32,fe,ca,d4,40,4c,57,4f,ec,81,02,3b,81,f4,17,01,d9,9a,64,0e,2c,
7f,19,75,c6,d7,e4,3e,ab,84,6f,36,d3,db,7e,36,b8,8b,b5,01,09,97,af,48,58,43,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
Completion time: 2010-01-28 10:49:41
ComboFix-quarantined-files.txt 2010-01-28 10:49
Pre-Run: 44,045,266,944 bytes free
Post-Run: 44,059,824,128 bytes free
- - End Of File - - D3E0DDE9D18CCECDD7376E6A18FC4A75
You've definitely got 'something' on your computer.
It's almost certainly going to be LimeWire or FrostWire related.
Open Notepad and copy/paste the text in RED below:
File::
c:\windows\nct21E3.tmp
c:\programdata\Google\Google Toolbar\Update\gtb5219.tmp.exe
Save this as "CFScript" (the FULL file name will be 'CFScript.txt' EXACTLY as shown).
Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
ComboFix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
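The two posts above amount to a manual triage: read the ComboFix file listing, pick out the entries that look dropped rather than installed, and hand exactly those to ComboFix through a CFScript "File::" block. The script below is an added example, not ComboFix's own code and not anything posted in the thread, showing how that read-through can be scripted over lines in the log's format. Every flagging rule is a stated assumption, not a malware verdict; the sample input is five lines copied from the log above plus two constructed lines (the directory entry and a fake svchost.exe) that the thread does not contain.

```python
"""Triage a ComboFix file listing and draft the CFScript 'File::' block.

Added example for this thread; not ComboFix's code and not from any post.
The rules below are triage heuristics (assumptions, not a malware verdict):
every hit still needs a human look, and only entries you are sure about
belong in a CFScript, because ComboFix deletes what the script names.
"""
import re

# One ComboFix entry:  created . modified  [size]  attributes  path
# The forum flattened the original tab separators to spaces, so any run of
# whitespace is accepted. Assumption: directories carry no numeric size
# (ComboFix prints a dash placeholder, which the forum may strip), and the
# 8-character attribute field reads d/r/s/h/a/c/w/x as in '---ha-w-'.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:(?P<size>\d+|-{8})\s+)?(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl")
# Locations a standard user can write to: browser/P2P droppers land here,
# signed OS components normally do not (assumption used as a heuristic).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\",
                 "c:\\$recycle.bin\\", "c:\\windows\\temp\\")
# Names that belong under c:\windows; the same name elsewhere is a classic
# masquerade (hypothetical list for the example).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def parse_entry(line):
    """Return a dict for a file/directory entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = int(m["size"]) if m["size"] and m["size"].isdigit() else None
    return {"created": m["created"], "modified": m["modified"], "size": size,
            "attrs": m["attrs"], "path": m["path"],
            "is_dir": m["attrs"][0] == "d", "hidden": m["attrs"][3] == "h"}


def suspicion_reasons(entry):
    """List every heuristic the entry trips; an empty list means unremarkable."""
    if entry["is_dir"]:
        return []
    path = entry["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    is_exec = name.endswith(EXEC_EXT)
    reasons = []
    if is_exec and path.startswith(USER_WRITABLE):
        reasons.append("executable in a user-writable location")
    if re.search(r"\.tmp\.(exe|dll|sys)$", name):
        reasons.append("double extension hides a temp-named executable")
    if name.endswith(".tmp") and path.startswith("c:\\windows\\") and path.count("\\") == 2:
        reasons.append(".tmp file dropped directly in c:\\windows")
    if is_exec and entry["hidden"]:
        reasons.append("hidden attribute set on an executable")
    if name in SYSTEM_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append("system binary name outside c:\\windows")
    return reasons


def triage(log_text):
    """Parse every entry in a ComboFix log excerpt; return (path, reasons) hits."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and (reasons := suspicion_reasons(entry)):
            hits.append((entry["path"], reasons))
    return hits


def build_cfscript(paths):
    """Render the 'File::' directive from the reply above: one path per line,
    to be saved as CFScript.txt and dragged onto ComboFix.exe."""
    return "File::\n" + "\n".join(paths) + "\n"


# Sample input: five lines copied from the log posted above, plus two
# constructed ones (the TrendMicro directory entry and the fake svchost.exe).
SAMPLE_LOG = r"""
2010-01-27 11:40 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-13 07:35 . 2010-01-13 07:35 58 ----a-w- c:\windows\nct21E3.tmp
2009-12-21 09:47 . 2009-12-21 09:47 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb5219.tmp.exe
2009-11-09 12:48 . 2009-11-09 12:48 31 ---ha-w- c:\windows\UKCpInfo.sys
2007-06-24 00:00 . 2007-06-23 23:59 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2010-01-27 13:38 . 2010-01-27 13:38 d-----w- c:\program files\TrendMicro
2010-01-28 09:00 . 2010-01-28 09:00 204800 ----a-w- c:\users\Karen\AppData\Local\Temp\svchost.exe
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for path, reasons in hits:
        print(f"{path}\n    " + "; ".join(reasons))
    # Draft only: prune to the entries you have actually confirmed before use.
    print(build_cfscript([p for p, _ in hits]))
```

The rules flag both files the helper chose (the .tmp in c:\windows and the .tmp.exe under ProgramData), but they also flag every executable under c:\users and c:\programdata, which is where legitimate per-user installers live too. That is the point of keeping the human step: the script narrows the listing, the person decides what goes into the CFScript.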
OK, I have tried to do what you have asked. McAfee deleted the file, even though the virus scanner was switched off, so I downloaded it again, it ran through it again, I then tried to drop the file into it and my computer said I have performed an illegal operation, the file you are trying to access is earmarked for deletion. So I rebooted the computer, tried again, it thought about it, then McAfee deleted it again, again with the virus scanner turned off completely.
Is this action necessary to the smooth running of my machine, or is this for information purposes to try and find out more about the "something"?
McAfee deleted which file?