Virus help please
Comments
-
Update.
Don't know what I did, but it seems to be fixed. Downloaded bleep. Installed file, nothing happened, so rebooted. After reboot no pop-ups, nothing, running fine.
Even able to run anti-mal, just running a full invasive scan, then gonna run all other virus scanners. Also got the firewall back up and running.
Thanks again for all your help. I will let you know the results.
I may be flirtatious. So please bear with me. :D
-
Update 2
Still getting a strange pop-up. The XP anti-mal thing still not popped up. But still getting one that makes you have to put in one of them ghost code things, popped up twice in about an hour.
Other than that things seem to be going well.
I may be flirtatious. So please bear with me. :D
-
I'm waiting for the Malwarebytes log (and if you haven't already, UPDATE and run a FULL scan) :idea:
-
He's just emailed me the logs for the anti-mal. I've asked him to update and run again as it's an old version.
Malwarebytes' Anti-Malware 1.41
Database version: 3217
Windows 5.1.2600 Service Pack 3
11/04/2010 13:48:27
mbam-log-2010-04-11 (13-48-20).txt
Scan type: Full Scan (C:\|)
Objects scanned: 228578
Time elapsed: 1 hour(s), 14 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I may be flirtatious. So please bear with me. :D
-
They all say "No action taken."
Make sure they UPDATE and run a FULL SCAN and TICK and REMOVE EVERYTHING :idea:
-
I'm finishing it off in the morning. For some reason his Malwarebytes won't update, so gonna uninstall and redownload the newest version.
Also looks like he has a trojan that nothing is picking up. All the research I have done on that 'XP ANTI MAL' thing says it's one. I have found a walkthrough to get rid of it, so gonna try that.
I may be flirtatious. So please bear with me. :D
-
OK, managed to update Malwarebytes to newest, ran full scan. I know they say no action taken, as he saved the logs before he took any action, but I know he did, I was there. He also ran it again after and nothing came up. Here are the logs:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3979
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
12/04/2010 11:16:51
mbam-log-2010-04-12 (11-16-51).txt
Scan type: Full scan (C:\|)
Objects scanned: 215242
Time elapsed: 1 hour(s), 7 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 9
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\WINDOWS\system32\captcha.dll (Worm.KoobFace) -> No action taken.
c:\WINDOWS\system32\certoko.dll (Worm.Koobface) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\captcha (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipokoraid (Worm.Koobface) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPOKORAID (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmoko (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMOKO (Worm.KoobFace) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\rpcssc (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\captcha (Worm.KoobFace) -> No action taken.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> No action taken.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\OGGY\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\captcha.dll (Worm.KoobFace) -> No action taken.
c:\WINDOWS\system32\certoko.dll (Worm.Koobface) -> No action taken.
C:\WINDOWS\system32\drivers\ndisoko.sys (Worm.Koobface) -> No action taken.
C:\Documents and Settings\OGGY\Local Settings\Application Data\010112010146100109.xxe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\OGGY\Local Settings\Application Data\010112010146115119.xxe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\OGGY\Local Settings\Application Data\0101120101465198.xxe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\OGGY\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> No action taken.
I may be flirtatious. So please bear with me. :D
-
Please run COMBOFIX
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE as 'QWERTY' on download :idea:
-
I didn't get time to get back on last night. The update and run of Malwarebytes, and same with Spybot Search and Destroy, seems to have fixed it. S&D found 3 infections, one of which was a worm of some sort (don't have any logs for it). No more pop-ups or problems so far. If it persists I will run ComboFix and post the logs.
I would once again like to thank you for all your help on this.
Chauff
I may be flirtatious. So please bear with me. :D
This discussion has been closed.