Antispyware 2011

tranmererovers
Posts: 2,313 Forumite


in Techie Stuff
I've had an SOS from a friend whose computer is infected with Antispyware 2011.
Unfortunately, when the rogue warning appeared, I suspect he may have clicked to clear the 'infections' and may well have deleted some genuine Windows files, but I can't be sure.
He had run malwarebytes and I have got him to forward the logs; I also asked him to run Hijack This.
He reports that he cannot find system restore functionality and when he clicks Start there are no programs showing; not sure if this is symptomatic of the virus?
It's still infected, so I am going round there tonight and will run RKILL and then re-run malwarebytes and see if that gets rid of it.
Will I need to run combofix or anything else? If he has inadvertently deleted any Windows files, is there any easy way to determine which ones and fix this, or will we have to do a reinstall?
Thanks, as always, in anticipation of your helpful replies

It's easier to get forgiveness than to ask permission

Comments
Malwarebytes' Anti-Malware 1.50.1.1100
https://www.malwarebytes.org
Database version: 6420
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
22/04/2011 18:17:51
mbam-log-2011-04-22 (18-17-51).txt
Scan type: Full scan (C:\|)
Objects scanned: 221163
Time elapsed: 2 hour(s), 5 minute(s), 6 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 8
Memory Processes Infected:
c:\documents and settings\all users\application data\uvewqxceajwf.exe (Trojan.FakeAlert) -> 3608 -> Unloaded process successfully.
c:\documents and settings\all users\application data\19062580.exe (Trojan.FakeAlert) -> 3792 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{09F1ADAC-76D8-4D0F-99A5-5C907DADB988} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uvEWQXCeAJwf (Trojan.FakeAlert) -> Value: uvEWQXCeAJwf -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\documents and settings\lee broom\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\uvewqxceajwf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\19062580.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-3593513685-952686575-1734283626-1005\Dc3\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
c:\documents and settings\another\Desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\another\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\another\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\another\Cookies\MM2048.DAT (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\another\Cookies\MM256.DAT (Trojan.Agent) -> Quarantined and deleted successfully.

It's easier to get forgiveness than to ask permission

Malwarebytes' Anti-Malware 1.50.1.1100
https://www.malwarebytes.org
Database version: 6420
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
24/04/2011 15:32:58
mbam-log-2011-04-24 (15-32-58).txt
Scan type: Full scan (C:\|)
Objects scanned: 213167
Time elapsed: 1 hour(s), 45 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2B5BEEEC4E692BCD (Trojan.SpyEyes) -> Value: 2B5BEEEC4E692BCD -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

It's easier to get forgiveness than to ask permission

Malwarebytes' Anti-Malware 1.50.1.1100
https://www.malwarebytes.org
Database version: 6420
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
24/04/2011 13:39:15
mbam-log-2011-04-24 (13-39-15).txt
Scan type: Quick scan
Objects scanned: 152841
Time elapsed: 18 minute(s), 32 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 13
Memory Processes Infected:
c:\program files\mighty magoo\mightymagoo32.exe (PUP.MightyMagoo) -> 1372 -> Unloaded process successfully.
Memory Modules Infected:
c:\program files\mighty magoo\mightymagoolib32.dll (PUP.MightyMagoo) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{97E74A14-E5F1-40cc-9B0F-0D11946E5469} (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MightyMagooText.Linker.1 (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MightyMagooText.Linker (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97E74A14-E5F1-40CC-9B0F-0D11946E5469} (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{97E74A14-E5F1-40CC-9B0F-0D11946E5469} (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{EEAD004E-7E2D-49f8-831C-A01647E85B53} (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEAD004E-7E2D-49F8-831C-A01647E85B53} (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{EEAD004E-7E2D-49F8-831C-A01647E85B53} (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEAD004E-7E2D-49F8-831C-A01647E85B53} (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\APPID\MightyMagooText.DLL (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\mmagootl (PUP.MightyMagoo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MightyMagoo (PUP.MightyMagoo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mightymagoo (PUP.MightyMagoo) -> Value: Mightymagoo -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\winntse.bin (Trojan.SpyEyes) -> Delete on reboot.
c:\program files\mighty magoo (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\another\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\another\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\another\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components (PUP.MightyMagoo) -> Quarantined and deleted successfully.
Files Infected:
c:\program files\mighty magoo\mmagootl.dll (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\program files\mighty magoo\mightymagoolib32.dll (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\program files\mighty magoo\mightymagoo32.exe (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\winntse.bin\winntse.bin.exe (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\winntse.bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
c:\program files\mighty magoo\ars.cfg (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\program files\mighty magoo\icon.ico (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\program files\mighty magoo\mmagooun.exe (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\another\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome.manifest (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\another\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\install.rdf (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\another\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\chrome\mmtextlinks.jar (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\another\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.dll (PUP.MightyMagoo) -> Quarantined and deleted successfully.
c:\documents and settings\another\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@mmagoo.com\components\mmagootlf.xpt (PUP.MightyMagoo) -> Quarantined and deleted successfully.

It's easier to get forgiveness than to ask permission

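A small triage helper for the Malwarebytes 1.x log layout posted above, added here as an example (it is not the thread's or Malwarebytes' own code): it parses the summary counters and per-section items, checks that the pasted log is complete, and flags what a helper reading such a log looks at first: Run-key persistence, policy tampering such as DisableTaskMgr, and "Delete on reboot" actions that are not finished until the machine restarts. The embedded sample log is constructed in the same format; its paths and names are made up.

```python
import re

# Summary counter ("Files Infected: 8"), section header ("Files Infected:")
# and item line ("<target> (<detection>) -> <step> -> ... -> <action>").
SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")

# Constructed sample in the layout of the thread's logs; names and paths are made up.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Database version: 6420
Scan type: Quick scan
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 1
Memory Processes Infected:
c:\documents and settings\all users\application data\fakealert.exe (Trojan.FakeAlert) -> 3608 -> Unloaded process successfully.
Memory Modules Infected:
c:\program files\sample pup\samplelib32.dll (PUP.Sample) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fakealert (Trojan.FakeAlert) -> Value: fakealert -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\sample.bin (Trojan.Sample) -> Delete on reboot.
Files Infected:
c:\sample.bin\sample.bin.exe (Trojan.Sample) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return (summary counts by category, items by section); each item is a
    (target, detection, final action) tuple and the 'No malicious items' placeholder is skipped."""
    summary, sections, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("cat")] = int(m.group("n"))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("cat")
            sections[current] = []
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            action = m.group("rest").split(" -> ")[-1]
            sections[current].append((m.group("target"), m.group("det"), action))
    return summary, sections


def triage(text):
    """Flag what a helper reading a posted log should look at first."""
    summary, sections = parse_mbam_log(text)
    report = {"count_mismatch": [], "persistence": [], "policy": [], "reboot_pending": []}
    for cat, n in summary.items():
        # A section whose item count differs from the summary means the pasted
        # log is truncated or was edited; ask for a complete copy.
        if len(sections.get(cat, [])) != n:
            report["count_mismatch"].append(cat)
    for items in sections.values():
        for target, _det, action in items:
            low = target.lower()
            if "\\currentversion\\run\\" in low:  # autostart persistence
                report["persistence"].append(target)
            if "\\policies\\" in low:  # Task Manager / desktop lockouts
                report["policy"].append(target)
            if action.lower().startswith("delete on reboot"):
                report["reboot_pending"].append(target)  # not clean until restart
    return report
```

Run `triage(open("mbam-log.txt").read())` on a saved log; an empty `reboot_pending` list and no `count_mismatch` entries are what you want to see before re-scanning.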
And here is the Hijack This
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:53:16, on 24/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Media\Security\Fws.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Media\Security\rps.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Virgin Media\HUB\VirginMediaHUBComHandler.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Virgin Media\HUB\VirginMediaHUB.exe
C:\WINDOWS\Philips\SPC230NC\Monitor.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
C:\Program Files\Virgin Media\HUB\ServicepointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.ask.com?o=16703&l=dis&gct=hp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ntl:home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [VirginMediaHUB.exe] "C:\Program Files\Virgin Media\HUB\VirginMediaHUB.exe" /AUTORUN
O4 - HKLM\..\Run: [SPC230NC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
O4 - HKLM\..\Run: [SPC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Philips Intelligent Agent] "C:\Program Files\Philips\Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PI Monitor.lnk = C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
O4 - Global Startup: TrayMin230.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\another\Desktop\WH GBP Casino.lnk (file missing)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\Documents and Settings\another\Desktop\WH GBP Casino.lnk (file missing)
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?138533725203
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Update Service (gupdate1c9f6fcfa9b373c) (gupdate1c9f6fcfa9b373c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: Virgin Media Security (Radialpoint Security Services) - Virgin Media - C:\Program Files\Virgin Media\Security\RpsSecurityAwareR.exe
O23 - Service: RadialpointIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\Virgin Media\Security\AVG\Identity Protection\agent\Bin\AVGIDSAgent.exe
O23 - Service: Virgin Media Security Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Media\Security\Fws.exe
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Virgin Media\HUB\ServicepointService.exe
End of file - 11818 bytes

It's easier to get forgiveness than to ask permission

I would do rkill and then combofix; try combofix on its own first, if it runs then no need for rkill.

Ex forum ambassador
Long term forum member

I had one of these recently. Combofix did most of the work, as the core was a rootkit, then malwarebytes cleaned up. One of the tactics of these things is to set the attributes of files, including the program links in the start menu folder, to hidden; everything is still really there, it just gives the impression the hard drive is failing. Setting the folder option/view to show hidden files should bring stuff back until the malware sets it off again shortly! After clearing the system you may need to go round resetting the folder/file attributes to non-hidden.

European for 3 weeks in August, the rest of the year only British and proud.

Thanks for your replies. After spending 3 hours round there running scans, removing programs and installing AV software, his machine was running much better but all his data was missing. He doesn't have any backups!!!! (Family photos and office documents.) So he has now done a system restore, firstly to 1 week ago and, when no data was found, back another week.
Now I know that system restore does not recover any data files, but we had hoped that the data was somewhere and just being masked by the system problems, maybe with a corrupt user?? (Bit of a long shot but worth a try, we thought.)
I know I am now back at square one and will need to re-run all scans etc., but any thoughts on if and where this data may be recoverable? Thanks

It's easier to get forgiveness than to ask permission

What do you mean his data is all gone?
Try unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe), as the files are likely just set to hidden.
Even if it was wiped, it'd all be recoverable with Piriform Recuva or photorec. I haven't read any of your logs so I'll leave that for someone else.

What do you mean his data is all gone?
Try unhide.exe (http://download.bleepingcomputer.com/grinler/unhide.exe), as the files are likely just set to hidden.
Even if it was wiped, it'd all be recoverable with Piriform Recuva or photorec. I haven't read any of your logs so I'll leave that for someone else.
Hi RussJK
He tells me that there are no pictures or documents to be found on the C drive, they are no longer in the location where they were saved???
I'll try the above program and hope they are indeed just hidden - fingers crossed. Thanks

It's easier to get forgiveness than to ask permission

Post a fresh hijackthis log if still slow, the earlier one is bloated!!

This discussion has been closed.