
I have a serious infection


Comments

  • samdd
    samdd Posts: 1,344 Forumite
    + 2009-07-14 04:41 . 2011-09-28 20:30 1540096 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:34 . 2011-09-28 09:28 7150542 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2009-07-14 04:34 . 2011-09-28 18:14 7150542 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2011-05-13 23:38 . 2011-09-28 09:23 2894508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1653054434-1350618669-3324376920-1000-8192.dat
    + 2011-05-13 23:38 . 2011-09-28 20:25 2894508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1653054434-1350618669-3324376920-1000-8192.dat
    + 2011-06-02 12:21 . 2011-09-28 18:11 1458020 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1653054434-1350618669-3324376920-1000-12288.dat
    + 2011-09-28 15:42 . 2011-09-28 15:42 1691648 c:\windows\Installer\194b20.msi
    + 2011-08-04 18:19 . 2011-08-04 18:19 3691816 c:\windows\Installer\194b19.msi
    + 2011-05-13 09:41 . 2011-09-28 15:37 29538896 c:\windows\winsxs\ManifestCache\a786a517e28d5687_blobs.bin
    + 2011-09-28 14:55 . 2011-06-28 15:37 10127976 c:\windows\System32\DriverStore\FileRepository\hdart.inf_x86_neutral_5373149122537d5a\RtHDVCpl.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "InstallIQUpdater"="c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe" [2011-08-09 1176064]
    "AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS5\Bridge.exe" [2011-06-09 12002664]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
    "tsnpstd3"="c:\windows\tsnpstd3.exe" [2009-03-10 262144]
    "VMonitorVMUVC"="c:\program files\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-03-26 135168]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-7-23 113664]
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2011-8-3 1008928]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
    .
    [HKLM\~\startupfolder\C:^Users^Kev B^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=c:\users\Kev B\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=c:\windows\pss\OpenOffice.org 3.2.lnk.Startup
    backupExtension=.Startup
    .
    R1 CSN5PDTS82;CSN5PDTS82 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82.sys [x]
    R1 CSN5PDTS82x64;CSN5PDTS82x64 NDIS Protocol Driver;c:\windows\system32\Drivers\CSN5PDTS82x64.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-14 135664]
    R3 AntiZeroAccess;PrevX AntiZeroAccess Driver;c:\windows\system32\drivers\ZeroAccess.sys [x]
    R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys [2011-03-23 102784]
    R3 ew_usbenumfilter;huawei_CompositeFilter;c:\windows\system32\DRIVERS\ew_usbenumfilter.sys [2011-03-23 11136]
    R3 ewusbmbb;HUAWEI USB-WWAN miniport;c:\windows\system32\DRIVERS\ewusbwwan.sys [2011-03-23 353280]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-14 135664]
    R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-04-27 9216]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
    R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys [2009-03-11 252032]
    R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2008-07-01 398720]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-10-17 1343400]
    R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-07-21 114688]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-09-06 54616]
    S2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [2011-03-23 1740696]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
    S3 btwampfl;btwampfl Bluetooth filter driver;c:\windows\system32\drivers\btwampfl.sys [2011-08-04 525352]
    S3 BTWDPAN;Bluetooth Personal Area Network;c:\windows\system32\DRIVERS\btwdpan.sys [2011-08-04 76328]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2011-08-04 33832]
    S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys [2011-03-23 73216]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-14 12:16]
    .
    2011-09-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-14 12:16]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
    IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\Kev B\AppData\Roaming\Mozilla\Firefox\Profiles\ic1tlj6a.default\
    FF - prefs.js: browser.search.selectedEngine - Facemoods Search
    FF - prefs.js: browser.startup.homepage - https://www.google.com
    .
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    DLLs Loaded Under Running Processes
    .
    - - - - - - - > 'lsass.exe'(532)
    c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
    .
    - - - - - - - > 'Explorer.exe'(3308)
    c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
    .
    Completion time: 2011-09-28 22:13:35
    ComboFix-quarantined-files.txt 2011-09-28 21:12
    ComboFix2.txt 2011-09-28 19:09
    ComboFix3.txt 2011-09-28 17:28
    ComboFix4.txt 2011-09-28 13:18
    ComboFix5.txt 2011-09-28 20:53
    .
    Pre-Run: 107,034,570,752 bytes free
    Post-Run: 107,004,157,952 bytes free
    .
    - - End Of File - - 4FF0CFBE6273275FE2082B593A0A6501
  • samdd
    samdd Posts: 1,344 Forumite
    waddler_8 wrote: »
    You missed an l off - combofix /uninstall ;)

    blx... I'll do it again.. :rotfl:
  • samdd
    samdd Posts: 1,344 Forumite
    Snapshot_6-1.jpg

    What am I doing wrong?


    Snapshot_7-1.jpg
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Is it still on the desktop? Try:

    "%userprofile%\desktop\combofix.exe" /uninstall
  • samdd
    samdd Posts: 1,344 Forumite
    That's got it.. combofix is now uninstalled... :T:beer::j

    Is it safe to assume that my system is now clean?
  • closed
    closed Posts: 10,886 Forumite
    no, once infected you can never be sure what damage has been done.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    The last combofix log was clean and if Avast & MBAM are not detecting anything and you're not having problems then you're as clean as you can be judging by the logs you've posted - No guarantees though.

    You had quite a collection, undoubtedly due in part to your son's p2p use. 2 rootkits along with other various malware. One thing to be aware of is TDSS in particular (also known as Alureon) is a family of data-stealing trojans.
    These trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. It may also allow an attacker to transmit malicious data to the infected computer.
  • samdd
    samdd Posts: 1,344 Forumite
    waddler_8 wrote: »
    The last combofix log was clean and if Avast & MBAM are not detecting anything and you're not having problems then you're as clean as you can be judging by the logs you've posted - No guarantees though.

    You had quite a collection, undoubtedly due in part to your son's p2p use. 2 rootkits along with other various malware. One thing to be aware of is TDSS in particular (also known as Alureon) is a family of data-stealing trojans.

    TBH I fell out with my son big time over this infection.. he's got his own laptop but chooses to use mine when he comes round sometimes. If I have anything illegal on my system I'd like it gone ASAP.

    Should I change my PW on the websites I use and also inform the bank, as I can't remember if I logged into my account or not to transfer some funds from one account to another? What do you think?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Yes. I would.
  • samdd
    samdd Posts: 1,344 Forumite
    edited 29 September 2011 at 2:03PM
    waddler_8 wrote: »
    Yes. I would.

    Thanks to all for their help.. I'd be pretty much up the shoot without the help of this forum.. Nice 1 guys..
This discussion has been closed.