
Virus Scam


Comments

  • fld14
    fld14 Posts: 463 Forumite
    Part of the Furniture
    Hi,
    When I connected to the internet and turned the computer on it said system restored to 16 March. I didn't do it.
    No.2 there was no remote registry.
    No.3 Port 135 status Stealth ?
    No.4 Left this one as not sure what the result of no.3 meant.
    No.5 3 infected, spyware password, PUM.Disabled.s... (registry data) times 2 both the same.
    Thanks to all competitions posters and answer finders
    :T
    Don't squander time its the stuff lives are made of
    :rotfl::rotfl::rotfl::rotfl::rotfl:
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 27 March 2011 at 7:35PM
    fld14 wrote: »
    Hi,
    When I connected to the internet and turned the computer on it said system restored to 16 March. I didn't do it.
    No.2 there was no remote registry.
    No.3 Port 135 status Stealth ?
    No.4 Left this one as not sure what the result of no.3 meant.
    No.5 3 infected, spyware password, PUM.Disabled.s... (registry data) times 2 both the same.

    They must have done it, for whatever reason. Perhaps they wanted to undo whatever "help" they rendered.

    2. Try this guide to find it:
    http://tech-wonders.blogspot.com/2009/08/disable-remote-registry-service-in.html
    Edit: I just noticed that XP Home doesn't have 'Remote Registry', sorry about that.

    3. Rerun the tool, and on the 'Am I vulnerable?' tab click on Local DCOM Test. If it indicates that you need to, click on 'DCOMbobulate Me' and select Disable DCOM.

    4. Please try it. It'll just test the ports on the computer, seeing if there are any insecure ports. Ideally, and probably, it should all appear 'green' and say stealth, but if not it would be good to know.

    5. Please reload Malwarebytes, and click on the 'Logs' tab, and copy/paste the contents of any of the logs there.
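What the port tester's three verdicts mean in practice, as an added example that is not part of the thread and not code from the online tester RussJK refers to: a TCP connect to a port ends in one of three ways, and the names used here match the tester's vocabulary. A listening service answers the SYN and the connection succeeds (open); a host with nothing listening answers with a reset, so the machine is visible even though the port is shut (closed); a firewall that silently drops the SYN produces no answer at all and the probe times out (stealth), which is the state fld14 reports for port 135. The function names, the loopback demonstration and the simulated dropped SYN are my own.

```python
import socket
from typing import Callable

# Verdicts in the vocabulary of online port testers: OPEN (service answered),
# CLOSED (reset came back, host is visible), STEALTH (no answer before the timeout).
OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"


def classify(connect: Callable[[], None]) -> str:
    """Run one TCP connect attempt and map its outcome to a port verdict."""
    try:
        connect()
    except socket.timeout:
        return STEALTH            # SYN dropped silently: nothing came back
    except ConnectionRefusedError:
        return CLOSED             # RST came back: host visible, port not listening
    except OSError:
        return UNREACHABLE        # no route / DNS failure: says nothing about the port
    return OPEN                   # SYN/ACK came back: a service is listening


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Probe one TCP port on a host (e.g. probe('192.0.2.10', 135))."""
    def connect() -> None:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    return classify(connect)


def local_demo() -> dict:
    """Show all three verdicts without touching the network: a listening socket on
    loopback (open), the same port after it is closed (closed), and a connect
    callable that simulates a firewall dropping the SYN (stealth)."""
    results = {}
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))           # OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results["listening"] = probe("127.0.0.1", port, timeout=1.0)
    listener.close()
    results["after_close"] = probe("127.0.0.1", port, timeout=1.0)

    def dropped() -> None:
        # Simulated: a SYN that gets no SYN/ACK and no RST within the timeout.
        raise socket.timeout("no reply")
    results["firewalled"] = classify(dropped)
    return results


if __name__ == "__main__":
    for name, verdict in local_demo().items():
        print(f"{name}: {verdict}")
```

The point for the thread: "stealth" on port 135 means the firewall is dropping unsolicited packets to the RPC endpoint mapper, which is the state you want on a home machine; "closed" would still be safe for that port, while "open" on an internet-facing XP box is what the DCOM test is there to catch.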
  • fld14
    fld14 Posts: 463 Forumite
    Part of the Furniture
    No.3 still says stealth so it's invisible
    No.4 All green so passed
    Logs tab from Malwarebytes

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 6183
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    27/03/2011 17:42:54
    mbam-log-2011-03-27 (17-42-54).txt
    Scan type: Quick scan
    Objects scanned: 248679
    Time elapsed: 56 minute(s), 43 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\documents and settings\Rudd\local settings\Temp\pqipuydm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
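How a responder would read the Malwarebytes log above, as an added example that is not part of the thread and not Malwarebytes' own code: the parser below splits the log into its "... Infected:" sections and pulls out each item, signature name, the Bad/Good values where present, and the action taken, then applies a few triage rules. The log excerpt embedded in the code is copied from fld14's post so the example runs offline; the rules, severities and wording of the follow-up notes are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Excerpt of the Malwarebytes log posted in the thread, embedded so the example runs offline.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Scan type: Quick scan
Registry Data Items Infected: 2
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\Rudd\local settings\Temp\pqipuydm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
"""

# "<item> (<signature>) -> [Bad: (x) Good: (y) -> ]<action>."  The signature must start
# with a letter, so the greedy item group cannot stop at the "(0) ->" of a Good value.
ENTRY = re.compile(r"^(?P<item>.+) \((?P<sig>[A-Za-z][\w.-]*)\) -> (?P<rest>.+?)\.?$")
VALUES = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    section: str
    item: str
    signature: str
    action: str
    bad: str = ""
    good: str = ""


def parse_mbam_log(text: str) -> List[Detection]:
    found, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):           # detail section header, e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY.match(line)
        if not m or not section:                 # banner, summary counts, "(No malicious ...)"
            continue
        rest = m.group("rest")
        v = VALUES.match(rest)
        if v:
            found.append(Detection(section, m.group("item"), m.group("sig"),
                                   v.group("action"), v.group("bad"), v.group("good")))
        else:
            found.append(Detection(section, m.group("item"), m.group("sig"), rest))
    return found


def triage(detections: List[Detection]) -> List[Tuple[str, str]]:
    """Turn raw detections into follow-up actions (my rules, not Malwarebytes')."""
    notes = []
    for d in detections:
        sig = d.signature.lower()
        item_lower = d.item.lower()
        if sig.startswith("pum.disabled.securitycenter"):
            name = d.item.rsplit("\\", 1)[-1]
            notes.append(("medium", f"{name} was {d.bad or '?'}: Security Center alerts for the "
                                    "AV/firewall were silenced; confirm both are actually running"))
        if sig.startswith("spyware.passwords") or "keylog" in sig:
            notes.append(("high", f"{d.signature}: credential stealer; change every password "
                                  "from a known-clean machine"))
        if "\\temp\\" in item_lower and item_lower.endswith(".exe"):
            notes.append(("medium", f"{d.item}: executable run from a temp folder, typical of a "
                                    "dropper; clear temp folders and review startup entries"))
    return notes


if __name__ == "__main__":
    for severity, note in triage(parse_mbam_log(SAMPLE_LOG)):
        print(f"[{severity}] {note}")
```

The two Security Center values are why RussJK's earlier question about the firewall mattered: with the notify flags set to 1, XP stops warning that the firewall or antivirus is off, so a disabled firewall would have gone unnoticed until the port test was run.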
  • fld14
    fld14 Posts: 463 Forumite
    Part of the Furniture
    CouponBar: [SBI $EFE6495E] Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    CouponBar: [SBI $CB95FB49] Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
    CouponBar: [SBI $51FE8B2E] Root class (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cpbrkpie.Coupon6Ctrl.1
    CouponBar: [SBI $51FE8B2E] Class ID (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
    CouponBar: [SBI $7A5ACBCB] Interface (Registry key, nothing done)
    HKEY_CLASSES_ROOT\Interface\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}
    CouponBar: [SBI $7B15781E] Interface (Registry key, nothing done)
    HKEY_CLASSES_ROOT\Interface\{A138BE8B-F051-4802-9A3F-A750A6D862D4}
    CouponBar: [SBI $E3788A7B] Type library (Registry key, nothing done)
    HKEY_CLASSES_ROOT\TypeLib\{87255C51-CD7D-4506-B9AD-97606DAF53F3}
    Zedo: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
    FastClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
    WebTrends live: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
    MediaPlex: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
    CasaleMedia: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
    DoubleClick: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)
    Right Media: Tracking cookie (Internet Explorer: Owner) (Cookie, nothing done)

    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-01-26 TeaTimer.exe (1.6.4.26)
    2011-03-27 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2011-03-18 Includes\Adware.sbi (*)
    2011-03-22 Includes\AdwareC.sbi (*)
    2010-08-13 Includes\Cookies.sbi (*)
    2010-12-14 Includes\Dialer.sbi (*)
    2011-03-08 Includes\DialerC.sbi (*)
    2011-02-24 Includes\HeavyDuty.sbi (*)
    2010-11-30 Includes\Hijackers.sbi (*)
    2011-03-08 Includes\HijackersC.sbi (*)
    2010-09-15 Includes\iPhone.sbi (*)
    2010-12-14 Includes\Keyloggers.sbi (*)
    2011-03-08 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2011-02-24 Includes\Malware.sbi (*)
    2011-03-22 Includes\MalwareC.sbi (*)
    2011-02-24 Includes\PUPS.sbi (*)
    2011-03-15 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2011-03-08 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2011-02-24 Includes\Spyware.sbi (*)
    2011-03-15 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-12-28 Includes\Trojans.sbi (*)
    2011-03-22 Includes\TrojansC-02.sbi (*)
    2011-03-03 Includes\TrojansC-03.sbi (*)
    2011-03-08 Includes\TrojansC-04.sbi (*)
    2011-03-21 Includes\TrojansC-05.sbi (*)
    2011-03-08 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
  • RussJK
    RussJK Posts: 2,359 Forumite
    fld14 wrote: »
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\documents and settings\Rudd\local settings\Temp\pqipuydm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

    Basically that's a keylogger and password stealer. For this reason, you'd want to change all of your passwords unfortunately.

    Thanks for the HijackHunter log (different to Hijackthis)

    Download and install Ccleaner as there are some files in the temp folders that need to be deleted:
    http://www.piriform.com/ccleaner
    and run it. Uncheck 'windows log' files, as well as browser history if you want to keep that - then Analyse and clean.

    Also double check Internet Explorer: go to Tools, Internet Options, then Connections Tab, finally LAN settings and make sure that it's set to "Automatically detect settings" - also please tell me if it wasn't (although I should be able to tell from the hijackhunter log anyway).

    Run a scan with this (it's quick, select the single scan option and don't worry about installing it):
    Hitman Pro: Second Opinion Malware Scanner
    http://www.surfright.nl/en/hitmanpro

    Afterwards, you could leave it running a long scan with
    Microsoft Windows Malicious Software Removal Tool 32-bit (no install needed)
    http://www.microsoft.com/downloads/en/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
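The LAN settings check RussJK asks for can also be read straight from the registry, which is useful when a hijacker re-applies a proxy every time the dialog is fixed. This is an added example, not from the thread or from any of the tools it links: it assumes the per-user value names ProxyEnable, ProxyServer and AutoConfigURL under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and the commonly documented layout of the Connections\DefaultConnectionSettings blob (a DWORD of flags at offset 8 where 0x01 = direct, 0x02 = manual proxy, 0x04 = PAC script, 0x08 = "Automatically detect settings"). The two sample value sets are constructed; the analysis function is pure so it can be run on values exported from an XP machine that has no Python on it.

```python
import struct
from typing import Dict, List

try:
    import winreg  # Windows only; analyse() itself runs anywhere
except ImportError:
    winreg = None

IE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Flag bits of the DWORD at offset 8 in Connections\DefaultConnectionSettings
# (commonly documented layout; an assumption of this example, not stated in the thread).
DIRECT, PROXY, PAC, AUTODETECT = 0x01, 0x02, 0x04, 0x08


def make_blob(flags: int) -> bytes:
    """Constructed DefaultConnectionSettings value: version, change counter, flags, padding."""
    return struct.pack("<III", 0x46, 1, flags) + b"\x00" * 32


# Constructed sample values: a default install, and a proxy hijack pointing IE at a local listener.
SAMPLE_CLEAN = {"ProxyEnable": 0, "DefaultConnectionSettings": make_blob(DIRECT | AUTODETECT)}
SAMPLE_HIJACKED = {
    "ProxyEnable": 1,
    "ProxyServer": "127.0.0.1:8080",
    "DefaultConnectionSettings": make_blob(DIRECT | PROXY),
}


def analyse(settings: Dict[str, object]) -> List[str]:
    """Return findings for a dict of Internet Settings values (empty list = looks clean)."""
    findings = []
    if settings.get("ProxyEnable") == 1:
        findings.append(f"manual proxy enabled: {settings.get('ProxyServer', '?')}")
    if settings.get("AutoConfigURL"):
        findings.append(f"PAC script configured: {settings['AutoConfigURL']}")
    blob = settings.get("DefaultConnectionSettings")
    if isinstance(blob, (bytes, bytearray)) and len(blob) >= 12:
        flags = struct.unpack_from("<I", blob, 8)[0]
        if not flags & AUTODETECT:
            findings.append("'Automatically detect settings' is unticked")
        if flags & (PROXY | PAC):
            findings.append(f"connection flags 0x{flags:02x} route traffic via a proxy or PAC")
    return findings


def read_ie_settings() -> Dict[str, object]:
    """Read the live values for the current user (Windows only)."""
    out: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_KEY) as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_KEY + r"\Connections") as key:
        try:
            out["DefaultConnectionSettings"] = winreg.QueryValueEx(key, "DefaultConnectionSettings")[0]
        except FileNotFoundError:
            pass
    return out


if __name__ == "__main__":
    values = read_ie_settings() if winreg else SAMPLE_HIJACKED
    for finding in analyse(values) or ["no proxy or PAC configured; auto-detect is on"]:
        print(finding)
```

A proxy pointing at 127.0.0.1 or an unfamiliar PAC URL is the thing to look for: either lets whatever was installed sit between the browser and every site, which is exactly what a password stealer wants, and clearing it is part of the cleanup rather than an optional tidy-up.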
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I'd recommend a ComboFix run


    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti-virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)
    :idea:
  • fld14
    fld14 Posts: 463 Forumite
    Part of the Furniture
    aliEnRIK wrote: »
    I'd recommend a ComboFix run


    Please run COMBOFIX
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Shut down your anti-virus
    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be) ~ if there are loads of 'SNAPSHOT' pages then leave them out

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
    (If no log comes up or you lose it, COMBOFIX.TXT can be found in C drive)

    Thanks Rik, as long as it won't conflict with what I have already done I will try it tomorrow. Thanks for your help.
This discussion has been closed.