Please help. New infection
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 21:35
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
[HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63B97F04-9032-2D21-7BE0-EA7F7AE7EE4B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"nanhidfkkcpkpahaeliapjmohhon"=hex:6a,61,65,67,68,69,66,68,66,65,6b,6d,6d,63,
68,6f,65,68,6b,70,00,0c
"madhoahnjofkbbmejiepajomch"=hex:6a,61,65,67,68,69,66,68,66,65,6b,6d,6d,63,68,
6f,65,68,6b,70,00,56
"abbaoepgoddjdfkamchgkahkhkddfmehpc"=hex:61,62,6b,68,62,64,67,68,65,6c,67,67,
64,67,6c,6a,64,62,6a,64,63,6d,70,67,70,6a,70,6e,61,6e,6a,63,62,66,00,77
"maoppejgogbliogaieoebfhdhf"=hex:64,62,64,68,6d,66,65,66,6b,65,6e,68,6a,68,6a,
63,64,63,66,69,61,62,70,63,61,68,6c,70,6a,61,6d,68,62,65,69,6a,69,64,6c,6b,\
[HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8AA92D77-C3A3-884A-7EA8-1CD3D0BBD18D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F7DAF699-3319-E05F-CCAA-2BCB894FA322}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"naihibmkhoenfhpkbfemdhphimdc"=hex:6a,61,65,67,65,67,67,64,70,6b,6e,64,63,67,
67,63,62,69,66,6c,00,03
"macgobkcfnlbgaobohegbmmnlg"=hex:6a,61,65,67,65,67,67,64,70,6b,6e,64,63,67,67,
63,62,69,66,6c,00,56
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\EncryptionInterface*]
"l_encryption_d"="585A4A574A5F"
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(528)
G:\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-03-02 21:41:30
ComboFix-quarantined-files.txt 2011-03-02 21:41
ComboFix2.txt 2011-03-02 02:22
ComboFix3.txt 2010-11-13 22:58
ComboFix4.txt 2010-11-13 15:49
ComboFix5.txt 2011-03-02 21:26
Pre-Run: 9,838,678,016 bytes free
Post-Run: 9,859,948,544 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TU!!!!!SEKV98 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TU!!!!!SEKV98-BAK
- - End Of File - - C83DA0897B1429D70500A1B59B9A8D1C
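The "LOCKED REGISTRY KEYS" section above lists several REG_BINARY values under Shell Extensions\Approved, printed as comma-separated hex that wraps across lines. As an added example (not part of the thread, and not ComboFix's own code), the parser below reads that section, joins the wrapped hex lines, and decodes each value so you can see what the bytes actually are: in the posted log they are lowercase ASCII strings followed by a NUL and one trailing byte, and the two values under the first Approved key carry the same string with different trailing bytes. The line-wrapping convention (a value continues on the next line after a trailing comma; a trailing backslash marks where the log cut the value short) is an assumption taken from the layout of the posted log, and the sample input is copied from the first Approved key above.

```python
import re
from dataclasses import dataclass, field

# Sample input: the first part of the LOCKED REGISTRY KEYS section from the
# posted ComboFix log (constructed test input for this example, copied from
# the thread). The trailing "\" on the last value is where the log truncated it.
SAMPLE_LOG = r'''
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
[HKEY_USERS\S-1-5-21-746137067-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{63B97F04-9032-2D21-7BE0-EA7F7AE7EE4B}*]
@Allowed: (Read) (RestrictedCode)
"nanhidfkkcpkpahaeliapjmohhon"=hex:6a,61,65,67,68,69,66,68,66,65,6b,6d,6d,63,
68,6f,65,68,6b,70,00,0c
"madhoahnjofkbbmejiepajomch"=hex:6a,61,65,67,68,69,66,68,66,65,6b,6d,6d,63,68,
6f,65,68,6b,70,00,56
"maoppejgogbliogaieoebfhdhf"=hex:64,62,64,68,6d,66,65,66,6b,65,6e,68,6a,68,6a,
63,64,63,66,69,61,62,70,63,61,68,6c,70,6a,61,6d,68,62,65,69,6a,69,64,6c,6b,\
'''


@dataclass
class RegValue:
    name: str
    raw: bytes
    truncated: bool  # True when the log cut the hex dump short (trailing "\")


@dataclass
class RegKey:
    path: str
    acl_notes: list = field(default_factory=list)   # "@Denied:" / "@Allowed:" lines
    values: list = field(default_factory=list)      # RegValue entries


VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')


def _join_continuations(lines):
    """Re-join hex values that the log wrapped onto several lines.

    Assumption (from the posted log's layout): a line ending in "," or ",\\"
    is continued by the next line unless that line starts a new key, value
    or ACL note.
    """
    out = []
    for line in lines:
        if out and out[-1].endswith((',', ',\\')) and not line.startswith(('[', '"', '@')):
            out[-1] = out[-1].rstrip('\\') + line
        else:
            out.append(line)
    return out


def parse_locked_keys(text):
    """Parse a LOCKED REGISTRY KEYS block into RegKey objects."""
    keys = []
    current = None
    stripped = (l.strip() for l in text.splitlines() if l.strip())
    for line in _join_continuations(stripped):
        if line.startswith('[') and line.endswith(']'):
            current = RegKey(path=line[1:-1])
            keys.append(current)
        elif line.startswith(('@Denied', '@Allowed')) and current is not None:
            current.acl_notes.append(line)
        else:
            m = VALUE_RE.match(line)
            if m and current is not None:
                name, hexdata = m.groups()
                truncated = hexdata.endswith('\\')
                hexdata = hexdata.rstrip('\\').strip(',')
                raw = bytes(int(h, 16) for h in hexdata.split(',') if h)
                current.values.append(RegValue(name, raw, truncated))
    return keys


def printable_ascii(raw):
    """Bytes up to the first NUL as text if every byte is printable ASCII, else None."""
    body = raw.split(b'\x00', 1)[0]
    if body and all(0x20 <= b < 0x7f for b in body):
        return body.decode('ascii')
    return None


def decode_log(text):
    """One row per binary value: decoded text, bytes after the NUL, truncation flag."""
    rows = []
    for key in parse_locked_keys(text):
        for v in key.values:
            _, _, tail = v.raw.partition(b'\x00')
            rows.append({
                'key': key.path.rsplit('\\', 1)[-1],
                'name': v.name,
                'text': printable_ascii(v.raw),
                'tail': tail.hex(),
                'truncated': v.truncated,
            })
    return rows


if __name__ == '__main__':
    for row in decode_log(SAMPLE_LOG):
        print(row)
```

Run it as-is to see the three values from the first key decoded; paste the whole LOCKED REGISTRY KEYS section into SAMPLE_LOG to decode the rest. Values that do not decode to printable ASCII come back with `text` set to None, so anything that is genuinely binary is not mistaken for a string.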
Hi Rik
How does that look?
I'd say it's clean, though I'd recommend a clean-up and one last (very long!) scan.
Download CCLEANER
http://www.piriform.com/ccleaner/download/slim
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
Download and run the FREE version of DR WEB
http://www.freedrweb.com/download+cureit/gr/
Turn your anti virus OFF
Click CANCEL to its first question (Unless you're happy to lock Windows until it's run)
Click NO to opening the purchase page
Click START
click YES
It will auto QUICK scan
Press the STOP button on the right (Unless you're happy to quick scan first)
After that set to COMPLETE SCAN the computer and press the 'play' icon
This will more than likely take hours (12 is average!), so leave it running overnight or whatever
***DO NOT UPGRADE TO FULL VERSION***
OK Rik, Will do.
Thanks a bunch for your help again.
Very Good of you to spare your time.
Well appreciated.
Riz
Hi Rik,
Just to let you know that Dr.Web found 3 more threats, of which one was easily deleted and the other two needed a shutdown to delete.
Thanks again.
Delete this folder -
c:\documents and settings\All Users\Application Data\bPfAnNm06300
Then run ComboFix again and post the log.