📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!

Yet ANOTHER problem.

Options
2456

Comments

  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Part of the Furniture Combo Breaker
    I'm not an expert on these things but I think system restore returns the computer to a previous date including any infections which may have been present.

    Rerun malwarebytes (UPDATE tab, CLICK FOR UPDATES) then run a quick scan and remove anything it finds. Post log here.
    Then rerun hijack this and post log here.
  • bbuckle
    bbuckle Posts: 82 Forumite
    Part of the Furniture Combo Breaker
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:5555

    The proxy server setting, in your original post, suggests that your system has been hijacked.

    I suspect that a piece of scareware has been installed on your system and is hijacking connection attempts to certain addresses.

    Take a look here for details of a similar problem (particularly the bit about the proxy server).

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/FakeSpypro

    I would await expert advice before doing anything else.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Uninstall the ASK toolbar

    TICK and FIX these in hijack ~
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: RoboForm - Disabled:{724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [ProcessGovernor] F:\Process Lasso\processgovernor.exe
    O4 - HKLM\..\Run: [ProcessLasso] F:\Process Lasso\ProcessLasso.exe
    :idea:
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Open notepad and copy/paste the text in RED below

    File::
    c:\windows\system32\setupempdrv03.exe
    c:\windows\system32\EuGdiDrv.sys
    c:\windows\system32\epmntdrv.sys
    c:\windows\system32\EuEpmGdi.dll
    c:\windows\cadkasdeinst01e.exe
    c:\windows\system32\edacded0.dat
    c:\windows\Sys6519.Data DB.dat
    c:\documents and settings\Terry\Application Data\System2583.Data.DB.dat


    Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    CFScript.gif


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
    (If SNAPSHOT is stupidly large, leave that part out)

    Combofix should never take more that 30 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    :idea:
  • rizla01
    rizla01 Posts: 7,260 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    Hi Rik.

    Did that but when I returned computer had rebooted.

    Where do I find the log left by Combofix?

    Here is the latest Hijacklog.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:48:50, on 13/09/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\Tall Emu\Online Armor\oaui.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    F:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Terry\Desktop\utilities\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by150w.bay150.mail.live.com/default.aspx?n=1721578409&wa=wsignin1.0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Roboform\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Roboform\roboform.dll
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - S-1-5-18 Startup: Alienware Dock.lnk = F:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Alienware Dock.lnk = F:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe (User 'Default user')
    O4 - Startup: Alienware Dock.lnk = F:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Customize Menu - [URL]file://D:\Roboform\RoboFormComCustomizeIEMenu.html[/URL]
    O8 - Extra context menu item: Fill Forms - [URL]file://D:\Roboform\RoboFormComFillForms.html[/URL]
    O8 - Extra context menu item: Identities Editor - [URL]file://D:\Roboform\RoboFormComEditIdent.html[/URL]
    O8 - Extra context menu item: Password Generator - [URL]file://D:\Roboform\RoboFormComPasswordGenerator.html[/URL]
    O8 - Extra context menu item: RoboForm Toolbar - [URL]file://D:\Roboform\RoboFormComShowToolbar.html[/URL]
    O8 - Extra context menu item: Save Forms - [URL]file://D:\Roboform\RoboFormComSavePass.html[/URL]
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [URL]file://D:\Roboform\RoboFormComFillForms.html[/URL]
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - [URL]file://D:\Roboform\RoboFormComFillForms.html[/URL]
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [URL]file://D:\Roboform\RoboFormComSavePass.html[/URL]
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - [URL]file://D:\Roboform\RoboFormComSavePass.html[/URL]
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - [URL]file://D:\Roboform\RoboFormComShowToolbar.html[/URL]
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - [URL]file://D:\Roboform\RoboFormComShowToolbar.html[/URL]
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\SPYBOT~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\SPYBOT~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218797834562
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O20 - Winlogon Notify: !SASWinLogon - G:\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
    --
    End of file - 7600 bytes
    "Unhappiness is not knowing what we want, and killing ourselves to get it."
    Post Count: 4,111 Thanked 3,111 Times in 1,111 Posts (Actual figures as they once were))
    Women and cats will do as they please, and men and dogs should relax and get used to the idea.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Combofix.txt logs in root of C drive
    :idea:
  • rizla01
    rizla01 Posts: 7,260 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    edited 13 September 2010 at 2:46PM
    Hi Rik.

    Nothing in the root dir. but dug this out of the Combofix folder (on 'C')

    Could this be what you are after?


    ComboFix 10-09-12.04 - Terry 13/09/2010 13:01:34.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1587 [GMT 1:00]
    Running from: G:\Downloads\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Terry\Desktop\CFScript.txt
    AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    FILE ::
    "c:\documents and settings\Terry\Application Data\System2583.Data.DB.dat"
    "c:\windows\cadkasdeinst01e.exe"
    "c:\windows\Sys6519.Data DB.dat"
    "c:\windows\system32\edacded0.dat"
    "c:\windows\system32\epmntdrv.sys"
    "c:\windows\system32\EuEpmGdi.dll"
    "c:\windows\system32\EuGdiDrv.sys"
    "c:\windows\system32\setupempdrv03.exe"


    Also, I had to run it with 'a-squared Anti-Malware' running (At risk, apparantly) as although removed, it still appears to be running but Revo doesn't find it and I can't.
    "Unhappiness is not knowing what we want, and killing ourselves to get it."
    Post Count: 4,111 Thanked 3,111 Times in 1,111 Posts (Actual figures as they once were))
    Women and cats will do as they please, and men and dogs should relax and get used to the idea.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Was that the whole of the log?
    :idea:
  • rizla01
    rizla01 Posts: 7,260 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    edited 13 September 2010 at 3:19PM
    There were several TXT files in the Combofix folder namely

    VERSION
    10-09-12.04 3843568 M 10-01-24.02


    RESIDENT
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
    FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

    PEND
    .:\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\\(\\\|0!\|0\\0\)
    C:\\WINDOWS\\system32\\config\\\(\\\|0!\|0\\0\)
    C:\\WINDOWS\\system32\\csrss.exe\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\Drivers\\\(\\\|0!\|0\\0\)
    C:\\WINDOWS\\system32\\hal.dll\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\lsass.exe\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\ntdll.dll\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\services.exe\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\smss.exe\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\svchost.exe\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\userinit.exe\\\(0!\|0\\0\)
    C:\\WINDOWS\\system32\\wbem\\\(\\\|0!\|0\\0\)
    C:\\WINDOWS\\system32\\winlogon.exe\\\(0!\|0\\0\)
    C:\\boot.ini\\\(0!\|0\\0\)
    C:\\ntdetect.com\\\(0!\|0\\0\)
    C:\\ntldr\\\(0!\|0\\0\)
    C:\\WINDOWS\\\(\\\|0!\|0\\0\)
    C:\\WINDOWS\\explorer.exe\\\(0!\|0\\0\)



    OSID
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1587 [GMT 1:00]

    MBR - Empty

    COMBOFIX

    ComboFix 10-09-12.04 - Terry 13/09/2010 13:01:34.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1587 [GMT 1:00]
    Running from: G:\Downloads\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Terry\Desktop\CFScript.txt
    AV: a-squared Anti-Malware *On-access scanning enabled* (Updated) {0F8591BB-342B-4493-91C3-4E948ED21255}
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
    FILE ::
    "c:\documents and settings\Terry\Application Data\System2583.Data.DB.dat"
    "c:\windows\cadkasdeinst01e.exe"
    "c:\windows\Sys6519.Data DB.dat"
    "c:\windows\system32\edacded0.dat"
    "c:\windows\system32\epmntdrv.sys"
    "c:\windows\system32\EuEpmGdi.dll"
    "c:\windows\system32\EuGdiDrv.sys"
    "c:\windows\system32\setupempdrv03.exe"


    and CF-RC.

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TU!!!!!SEKV98 /Kernel=TUKernel.exe
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TU!!!!!SEKV98-BAK



    All listed in the Combo-fix folder and all with todays date.

    None listed in the root dir.
    "Unhappiness is not knowing what we want, and killing ourselves to get it."
    Post Count: 4,111 Thanked 3,111 Times in 1,111 Posts (Actual figures as they once were))
    Women and cats will do as they please, and men and dogs should relax and get used to the idea.
  • Reluctant_spender
    Reluctant_spender Posts: 2,785 Forumite
    Part of the Furniture Combo Breaker
    It may not be the log expected because Combofix was run in safe mode.
This discussion has been closed.
Meet your Ambassadors

🚀 Getting Started

Hi new member!

Our Getting Started Guide will help you get the most out of the Forum

Categories

  • All Categories
  • 351K Banking & Borrowing
  • 253.1K Reduce Debt & Boost Income
  • 453.6K Spending & Discounts
  • 244.1K Work, Benefits & Business
  • 599K Mortgages, Homes & Bills
  • 177K Life & Family
  • 257.4K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16.1K Discuss & Feedback
  • 37.6K Read-Only Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.
Update Your Picture