Need Help Urgently Might Have Been Attacked

Last night while in the process of updating my anti-software, Vipre, I think I suffered an attack on my laptop.

Here's what happened. I had just downloaded a small torrent and then was in the process of doing my update when suddenly I started to get messages from my computer to the effect that I might be under attack, that my firewall was down, my personal details were at risk. That's not exactly the words used but it was something like that.

OK after the panic was over, the first thing I did was to do a system restore, taking the computer back to the previous day. That didn't seem to do any good.

The next item I tried was to do a complete scan but I found it difficult to get Vipre to work. It was telling me that some part of the program was missing.

Why I don't know but I then decided to open one or two other programs. When I went to open them that little box that pops up every now and again kept popping up asking me what program I wanted to open the program with, e.g. if I tried to open Word it would ask me what program I wanted to use to open the program. This seemed to be the case in all the programs I tried. There were a few that gave out a message like cannot find abc.exe or something along those lines.

Eventually I got Vipre to work and carried out a deep scan. Left the computer running all night. This morning it only reported one threat, a tracking cookie which it rated low level.

At one stage a message popped up telling me that my hard disk was almost full.

I'm actually quite afraid to use the computer now just in case it is completely infected. Can someone please give me some advice on how to check this problem out, and how to fix it?

How for example do I keep that box that I mentioned above from popping up every time I try to open a new program?

Help please!

Kevin

Comments

  • dogmaryxx
    dogmaryxx Posts: 2,446 Forumite
    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_ma..._anti_malware/
    Open malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM FULL SCAN then click SCAN
    Post the COMPLETE log here AFTER you've deleted everything it finds
  • fiddiwebb
    fiddiwebb Posts: 1,806 Forumite
    Do you have access to another computer?

    If so try Superantispyware portable here:

    http://www.superantispyware.com/portablescanner.html

    Download it to a USB memory stick and try it on the infected computer.

    PS. Try Malwarebytes first as per dogmary's post.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_malwarebytes_anti_malware/
    Open malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM FULL SCAN then click SCAN
    Post the COMPLETE log here AFTER you've deleted everything it finds


    reboot

    Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_hijackthis/
    Click MAIN MENU then DO A SYSTEM SCAN AND SAVE A LOGFILE (Takes seconds) then post the log so we can see what's running
    (do NOT do anything else with Hijack but scan and post the FULL log)
  • kah22
    kah22 Posts: 1,874 Forumite
    dogmaryxx wrote: »
    Download MALWAREBYTES (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_ma..._anti_malware/
    Open malwarebytes and go to UPDATE and click 'check for updates'. After it's updated go to SCANNER and click PERFORM FULL SCAN then click SCAN
    Post the COMPLETE log here AFTER you've deleted everything it finds

    Done as requested, deleted everything the program found here is a copy of the log file.

    Malwarebytes' Anti-Malware 1.44
    Database version: 3774
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    22/02/2010 15:13:30
    mbam-log-2010-02-22 (15-13-30).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 398173
    Time elapsed: 2 hour(s), 44 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 18
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{70004d5d-3bf6-4d51-43b2-02fc0002cdb5} (Rogue.Errorsafe) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4a7c84e2-e95c-43c6-8dd3-03abcd0eb60e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bebf} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cc3d8fe-f0e0-4dd1-a69a-8c56bcc7bec0} (Adware.SmartShopper) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Owner.WINDMILL\Desktop\ErrorNukerInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner.WINDMILL\Local Settings\Temporary Internet Files\Content.IE5\ANEIJCA9\msdostr[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
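Added example (not part of any post in this thread, and not Malwarebytes' own code): a small Python parser for the log format posted above. It groups detections by family, ranks them with an assumed prefix-to-severity table, and pulls out file-association overrides such as the `.exe` default changed from `exefile` to `secfile`, the kind of change that produces the "which program do you want to open this with" prompt described in the first post. The sample lines are copied from that log (abridged); the function names and severity buckets are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the Malwarebytes log posted above (abridged, not the full log).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{70004d5d-3bf6-4d51-43b2-02fc0002cdb5} (Rogue.Errorsafe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner.WINDMILL\Desktop\ErrorNukerInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.WINDMILL\Local Settings\Temporary Internet Files\Content.IE5\ANEIJCA9\msdostr[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected:" opens a detail section; "Registry Keys Infected: 18"
# is a summary count and is deliberately not matched.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# object (family) -> [Bad: (x) Good: (y) -> ] action
# The object is matched lazily because paths such as "\(default)" contain parentheses.
ITEM_RE = re.compile(
    r"^(?P<object>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+)$"
)

# Default value of a file-extension key under HKEY_CLASSES_ROOT, e.g. \.exe\(default)
ASSOC_RE = re.compile(r"^HKEY_CLASSES_ROOT\\(\.\w+)\\\(default\)$", re.I)

# Assumption of this example: severity keyed on the detection-name prefix.
SEVERITY = {
    "Backdoor": "high", "Trojan": "high",
    "Rogue": "medium", "Hijack": "medium", "Hijacked": "medium",
    "Adware": "low", "Malware": "low",
}


def parse_mbam_log(text):
    """Return one dict per detection line in a Malwarebytes 1.x text log."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.strip()  # forum posts often indent the pasted log
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            items.append({"section": section, **item.groupdict()})
    return items


def severity(family):
    """Map a detection name such as 'Backdoor.Bot' to a severity bucket."""
    return SEVERITY.get(family.split(".", 1)[0], "unknown")


def summarize(items):
    """Aggregate detections into the facts a responder checks first."""
    hijacks = []
    for i in items:
        assoc = ASSOC_RE.match(i["object"])
        if assoc and i["bad"] is not None:
            hijacks.append((assoc.group(1).lower(), i["bad"], i["good"]))
    return {
        "total": len(items),
        "by_family": Counter(i["family"] for i in items),
        "by_severity": Counter(severity(i["family"]) for i in items),
        # Anything not reported as successfully removed needs a follow-up scan.
        "unresolved": [i for i in items if "successfully" not in i["action"].lower()],
        "association_hijacks": hijacks,
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print("detections:", report["total"], dict(report["by_severity"]))
    for ext, bad, good in report["association_hijacks"]:
        print(f"file association for {ext} was '{bad}', expected '{good}'")
    print("not removed:", len(report["unresolved"]))
```
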
  • dogmaryxx
    dogmaryxx Posts: 2,446 Forumite
    Now do Hijack This as aliEnRIK requested.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Once you've posted hijack and as you've had a trojan ~

    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be)

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
  • kah22
    kah22 Posts: 1,874 Forumite
    And here is what I got. Couldn't find AVG Free running in the background. Tried everything, from search to program files to doing a manual search where I did find references to AVG I just deleted them from the computer although when a folder presented itself it said it was empty.

    Anyway here is the log.

    ComboFix 10-02-21.02 - Owner 22/02/2010 18:04:45.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.185 [GMT 0:00]
    Running from: c:\documents and settings\Owner.WINDMILL\My Documents\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner.WINDMILL\Application Data\inst.exe
    c:\program files\Power Search Tool
    c:\program files\Power Search Tool\alert_plugin.dll
    c:\program files\Power Search Tool\basis.xml
    c:\program files\Power Search Tool\ebay.bmp
    c:\program files\Power Search Tool\icons.bmp
    c:\program files\Power Search Tool\logo-4.bmp
    c:\program files\Power Search Tool\mbback.bmp
    c:\program files\Power Search Tool\mbbigopen.bmp
    c:\program files\Power Search Tool\mbclose.bmp
    c:\program files\Power Search Tool\mbfwd.bmp
    c:\program files\Power Search Tool\mbsep.bmp
    c:\program files\Power Search Tool\nav1c.bmp
    c:\program files\Power Search Tool\options.html
    c:\program files\Power Search Tool\PowerSearchTool4_0.crc
    c:\program files\Power Search Tool\version.txt
    c:\recycler\S-1-5-21-64039496-2066341317-1489871318-1006
    c:\winxp\a3kebook.ini
    c:\winxp\akebook.ini
    c:\winxp\ANS2000.INI

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Legacy_R_SERVER
    \Service_r_server


    ((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
    .

    2010-02-22 16:39 . 2010-02-22 16:39 d-----w- c:\program files\TrendMicro
    2010-02-22 11:58 . 2010-02-22 11:58 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\Malwarebytes
    2010-02-22 11:58 . 2010-01-07 16:07 38224 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
    2010-02-22 11:58 . 2010-02-22 11:58 d-----w- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
    2010-02-22 11:58 . 2010-01-07 16:07 19160 ----a-w- c:\winxp\system32\drivers\mbam.sys
    2010-02-22 11:58 . 2010-02-22 12:00 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-22 07:31 . 2010-02-22 07:31 d-sh--w- c:\documents and settings\Administrator.LAPTOP_1.0000\IETldCache
    2010-02-21 20:50 . 2010-02-21 20:50 d-----w- c:\winxp\system32\wbem\Repository
    2010-02-21 20:47 . 2010-02-21 20:47 d-----w- c:\program files\Microsoft ATS
    2010-02-19 16:16 . 2010-02-19 16:16 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\ElevatedDiagnostics
    2010-02-15 01:13 . 2010-02-15 01:26 82 ----a-w- c:\winxp\options.dat
    2010-02-15 01:02 . 2010-02-15 01:38 d-----w- c:\program files\Evisoft
    2010-02-13 22:13 . 2010-02-21 20:47 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\dvdcss
    2010-02-10 18:23 . 2010-02-10 18:23 d-----w- C:\temp
    2010-02-10 18:23 . 2009-05-28 16:52 425984 ----a-w- c:\temp\ZbotUtility.exe
    2010-02-09 22:12 . 2010-02-09 22:12 d-----w- c:\documents and settings\Administrator.LAPTOP_1\Application Data\Sunbelt
    2010-02-09 22:12 . 2010-02-09 22:12 d-----w- c:\documents and settings\Administrator.LAPTOP_1\IETldCache
    2010-02-09 22:12 . 2010-02-11 22:08 d-----w- c:\documents and settings\Administrator.LAPTOP_1\Local Settings\Application Data\Microsoft
    2010-02-09 22:12 . 2010-02-11 22:08 d-s---w- c:\documents and settings\Administrator.LAPTOP_1
    2010-02-07 22:18 . 2010-02-07 22:18 d-----w- c:\documents and settings\Owner.WINDMILL\Local Settings\Application Data\MicroVision Applications
    2010-02-07 13:08 . 2010-02-07 22:58 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\Vso
    2010-02-07 13:08 . 2010-02-07 13:08 47360 ----a-w- c:\winxp\system32\drivers\pcouffin.sys
    2010-02-06 15:50 . 2010-02-07 23:21 d-----w- c:\program files\Common Files\Nero
    2010-02-03 12:07 . 2010-02-03 12:12 d-----w- c:\program files\Port Forwarding Wizard
    2010-02-02 22:50 . 2010-02-19 20:55 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\vlc
    2010-02-02 20:15 . 2010-02-02 20:15 d-----w- c:\program files\VideoLAN
    2010-02-02 09:07 . 2010-02-02 09:07 d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
    2010-02-02 09:06 . 2010-02-02 09:07 d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
    2010-02-02 09:06 . 2010-02-02 09:07 d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
    2010-01-31 00:07 . 2010-01-31 00:07 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\DivX
    2010-01-30 23:44 . 2010-02-06 13:25 d-----w- c:\program files\DivX
    2010-01-28 17:19 . 2010-02-21 20:49 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\uTorrent
    2010-01-28 10:46 . 2010-01-28 10:46 d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Mozilla

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-22 16:39 . 2010-02-22 16:39 388096 ----a-r- c:\documents and settings\Owner.WINDMILL\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-21 20:52 . 2009-04-30 14:55 d-----w- c:\documents and settings\All Users.WINXP\Application Data\Google Updater
    2010-02-21 12:45 . 2004-12-22 21:17 d-----w- c:\program files\Mozilla Thunderbird
    2010-02-11 22:14 . 2008-12-31 12:47 d-----w- c:\program files\RadarSync
    2010-02-11 22:14 . 2007-10-22 21:37 d-----w- c:\program files\Keyword Elite
    2010-02-09 22:04 . 2009-11-14 12:24 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\Skype
    2010-02-09 21:38 . 2009-11-14 16:07 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\skypePM
    2010-02-07 22:58 . 2010-02-07 13:08 47360 ----a-w- c:\documents and settings\Owner.WINDMILL\Application Data\pcouffin.sys
    2010-02-07 22:58 . 2010-02-07 13:08 47360 ----a-w- c:\documents and settings\Owner.WINDMILL\Application Data\pcouffin.sys
    2010-02-06 20:44 . 2005-11-20 17:45 d-----w- c:\program files\Ahead
    2010-01-30 22:52 . 2004-03-09 00:26 d-----w- c:\program files\Common Files\Adobe
    2010-01-27 15:47 . 2009-11-01 13:00 d-----w- c:\program files\Common Files\Adobe AIR
    2010-01-27 15:47 . 2009-11-01 13:00 38784 ----a-w- c:\documents and settings\Default User.WINXP\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-01-27 15:47 . 2008-10-01 10:19 38784 ----a-w- c:\documents and settings\Owner.WINDMILL\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-01-23 10:03 . 2008-10-24 19:12 d-----w- c:\program files\0Spam.com Express
    2010-01-22 22:41 . 2010-01-22 22:41 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\Sunbelt
    2010-01-22 22:40 . 2010-01-22 22:40 d-----w- c:\documents and settings\All Users.WINXP\Application Data\Sunbelt
    2010-01-22 22:34 . 2010-01-22 22:34 d-----w- c:\program files\Sunbelt Software
    2010-01-04 17:02 . 2010-01-04 17:02 27984 ----a-w- c:\winxp\system32\sbbd.exe
    2009-12-31 16:50 . 2003-07-16 20:46 353792 ----a-w- c:\winxp\system32\drivers\srv.sys
    2009-12-23 20:49 . 2009-12-23 20:49 3584 ----a-r- c:\documents and settings\Owner.WINDMILL\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
    2009-12-21 19:14 . 2005-06-17 23:49 916480 ----a-w- c:\winxp\system32\wininet.dll
    2009-12-19 00:07 . 2009-07-28 14:06 1 ----a-w- c:\documents and settings\Owner.WINDMILL\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2009-12-16 18:43 . 2005-11-19 17:51 343040 ----a-w- c:\winxp\system32\mspaint.exe
    2009-12-14 07:08 . 2003-07-16 20:26 33280 ----a-w- c:\winxp\system32\csrsrv.dll
    2009-12-08 19:27 . 2003-07-16 20:39 2189184 ----a-w- c:\winxp\system32\ntoskrnl.exe
    2009-12-08 18:43 . 2002-08-29 01:04 2066048 ----a-w- c:\winxp\system32\ntkrnlpa.exe
    2009-12-04 18:22 . 2003-07-16 20:34 455424 ----a-w- c:\winxp\system32\drivers\mrxsmb.sys
    2009-11-29 18:47 . 2003-02-21 04:42 348160 ----a-w- c:\winxp\system32\msvcr71.dll
    2009-11-29 18:47 . 2003-03-18 22:14 499712 ----a-w- c:\winxp\system32\msvcp71.dll
    2009-11-27 17:11 . 2003-07-16 20:42 1291776 ----a-w- c:\winxp\system32\quartz.dll
    2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\winxp\system32\msyuv.dll
    2009-11-27 16:07 . 2003-07-16 20:36 28672 ----a-w- c:\winxp\system32\msvidc32.dll
    2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\winxp\system32\tsbyuv.dll
    2009-11-27 16:07 . 2003-07-16 20:36 11264 ----a-w- c:\winxp\system32\msrle32.dll
    2009-11-27 16:07 . 2003-07-16 20:24 84992 ----a-w- c:\winxp\system32\avifil32.dll
    2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\winxp\system32\iyuv_32.dll
    2009-11-25 16:28 . 2009-11-14 16:07 56 -c-ha-w- c:\winxp\system32\ezsidmv.dat
    2009-11-25 11:19 . 2009-11-25 11:17 11935 ----a-w- C:\results_p5_4.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-07-17 16:20 279944 -c--a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\documents and settings\Owner.WINDMILL\Desktop\Downloads\utorrent.exe" [2010-02-11 319280]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\winxp\system32\Adobe\Shockwave 11\SwHelper_1150595.exe" [2009-03-19 460216]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-27 57344]
    "0Spam.com Express"="c:\program files\0Spam.com Express\Express.exe" [2008-09-27 286720]
    "SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-01-04 959824]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-03 198160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\winxp\System32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]

    c:\documents and settings\Kevin\Start Menu\Programs\Startup\
    PowerReg Scheduler V3.exe [2005-10-11 225280]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVDIdle Pro\DVDShell.dll" [2004-10-09 49152]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
    "c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
    "c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
    "c:\\Program Files\\old-SmartFTP Client\\SmartFTP.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Documents and Settings\\Owner.WINDMILL\\Desktop\\Downloads\\utorrent.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "45682:TCP"= 45682:TCP:torrent

    R1 sbaphd;sbaphd;c:\winxp\system32\drivers\sbaphd.sys [23/01/2010 11:36 13360]
    R1 SBRE;SBRE;c:\winxp\system32\drivers\SBREDrv.sys [13/10/2009 08:22 95024]
    R1 sbtis;sbtis;c:\winxp\system32\drivers\sbtis.sys [23/01/2010 11:31 203056]
    R2 sbapifs;sbapifs;c:\winxp\system32\drivers\sbapifs.sys [23/01/2010 11:36 69936]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [04/01/2010 17:02 1012080]
    S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]
    S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
    S3 NaiAvFilter103;NAI Anti Virus;\Device\NaiAvFilter103.sys --> \Device\NaiAvFilter103.sys [?]
    S4 Mrapncktnde;Mrapncktnde; [x]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-02-18 c:\winxp\Tasks\Disk Cleanup.job
    - c:\winxp\system32\cleanmgr.exe [2003-07-16 00:12]

    2010-02-22 c:\winxp\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-30 14:55]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.msn.com
    uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
    IE: &Winamp Search - c:\documents and settings\All Users.WINXP\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    LSP: POP3Intercept_lsp.dll
    FF - ProfilePath - c:\documents and settings\Owner.WINDMILL\Application Data\Mozilla\Firefox\Profiles\zf5wex5l.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.
    - - - - ORPHANS REMOVED - - - -

    Notify-avgrsstarter - avgrsstx.dll
    AddRemove-RadarSync - c:\program files\RadarSync\uninst.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-22 18:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F71B406A-64B6-7890-A4E79C228CB5B5C7}\{B2D97AB2-1AAA-0E19-47D2DF75F80031A6}\{B1F98325-4C85-36BE-448BCE0A416EDA34}*]
    "1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
    fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(824)
    c:\winxp\System32\BCMLogon.dll
    c:\winxp\System32\MFC42.DLL

    - - - - - - - > 'lsass.exe'(880)
    c:\winxp\system32\POP3Intercept_lsp.dll

    - - - - - - - > 'explorer.exe'(3712)
    c:\winxp\system32\WININET.dll
    c:\winxp\system32\msi.dll
    c:\winxp\system32\webcheck.dll
    c:\winxp\system32\IEFRAME.dll
    c:\winxp\system32\WPDShServiceObj.dll
    c:\winxp\system32\POP3Intercept_lsp.dll
    c:\winxp\system32\PortableDeviceTypes.dll
    c:\winxp\system32\PortableDeviceApi.dll
    c:\winxp\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    .
    Other Running Processes
    .
    c:\program files\Ahead\InCD\InCDsrv.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\winxp\System32\wltrysvc.exe
    c:\winxp\System32\bcmwltry.exe
    .
    **************************************************************************
    .
    Completion time: 2010-02-22 18:28:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-02-22 18:28

    Pre-Run: 4,298,399,744 bytes free
    Post-Run: 6,379,184,128 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINXP
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINXP="Microsoft Windows XP Home Edition (NEW)" /fastdetect /NoExecute=OptIn
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition (OLD)" /fastdetect

    - - End Of File - - C0FDAB4B440BF0F77B606C5089347E72
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    odd, as combofix thinks it's running ~
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}


    I await the HIJACK THIS log before I advise any further
  • Might be worth running the avg removal tool to ensure full removal - http://download.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
  • kah22
    kah22 Posts: 1,874 Forumite
    aliEnRIK wrote: »
    odd, as combofix thinks it's running ~
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}


    I await the HIJACK THIS log before I advise any further

    Hijack This Log after running AVG removal tool

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 22:08:40, on 22/02/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINXP\System32\svchost.exe
    C:\WINXP\System32\wltrysvc.exe
    C:\WINXP\System32\bcmwltry.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
    C:\Program Files\0Spam.com Express\Express.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\wuauclt.exe
    C:\WINXP\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: (no name) - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - (no file)
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
    O4 - HKLM\..\Run: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
    O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Owner.WINDMILL\Desktop\Downloads\utorrent.exe"
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINXP\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www8.agame.com/games/shockwave/d/dance_trends_3d/dance_trends_3d_games_co_uk.htm"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\System32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users.WINXP\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINXP\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINXP\System32\shdocvw.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: pop3intercept_lsp.dll
    O10 - Unknown file in Winsock LSP: pop3intercept_lsp.dll
    O10 - Unknown file in Winsock LSP: pop3intercept_lsp.dll
    O10 - Unknown file in Winsock LSP: pop3intercept_lsp.dll
    O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.8.05.cab
    O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINXP\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINXP\System32\browseui.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Unknown owner - C:\Program Files\Dantz\Retrospect\retrorun.exe (file missing)
    O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINXP\System32\wltrysvc.exe

    --
    End of file - 8326 bytes
This discussion has been closed.