We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Pages in History not been visited??
Comments
-
Think we spoke to soon we left the Internet on last night and although it's taking longer to appear and not opening as many pages it still there
any other things we can try?
Thanks0 -
Go here and read through the instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial- Ensure you temporarily turn off AVG before running. Instructions here
- Double click combofix.exe & follow the prompts closely.
- When it's finished, it'll produce a log. Post the contents of that log.
- I'll be found on your C:\ drive named combofix.txt
0 -
Thank you, I am away for the wkd and need to pack tonight but will try and run it tomorrow before I go if not will do it Sunday when I get back. Didn't want you to think I'd just disappeared lol. Do you think it's ok to use the Internet just to check emails etc nothing will hack into any secure details? Thanks0
-
It's hard to say at this point. Both AVG & Avast (aswMBR) have detected malware.
There are variants of some rootkits that are very hard to detect without taking a look at things offline.
Once infected, your computer could be being used to generate revenue for botmasters by mimicking user behaviour & visiting sites, clicking adverts etc. This might explain the presence of the sites in your history.
It's all ifs buts & maybes at the minute though - but better to err on the side of caution until we find out exactly what the cause is. There could be a perfectly plausible explanation for it.
Of course, to be totally sure you could wipe the drive clean and start again with a fresh install - it's up to you.0 -
Waddler has said it is up to you, but you could of course download and write a CD/USB with either Hirens Boot Disk, or a Linux Live CD and use that to access the Internet in the mean time .... just a suggestion. Have a good weekend anywayThank you, I am away for the wkd and need to pack tonight but will try and run it tomorrow before I go if not will do it Sunday when I get back. Didn't want you to think I'd just disappeared lol. Do you think it's ok to use the Internet just to check emails etc nothing will hack into any secure details? Thanks
Edit: Hirens would be best since I noticed you are Xp http://www.hiren.info/4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy0 -
Hi Waddler back from my weekend away and have just run the combo fix as instructed here is the log:-
ComboFix 12-03-29.02 - Windows XP 01/04/2012 19:03:41.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.959.620 [GMT 1:00]
Running from: c:\documents and settings\Windows XP\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Windows XP\My Documents\~WRL0002.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-01 to 2012-04-01 )))))))))))))))))))))))))))))))
.
.
2012-03-28 20:16 . 2012-03-28 20:16
d
w- c:\program files\Common Files\Java
2012-03-28 20:16 . 2012-03-28 20:15 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-25 11:18 . 2012-03-25 12:04
d
w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-03-25 11:18 . 2012-03-25 11:26
d
w- c:\program files\Spybot - Search & Destroy
2012-03-25 11:03 . 2012-03-25 11:03
d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-03-25 10:46 . 2012-03-26 17:13
d
w- c:\documents and settings\All Users\Application Data\PC Tools
2012-03-25 10:03 . 2012-03-25 10:05
d
w- c:\documents and settings\Windows XP\Application Data\GetRightToGo
2012-03-24 17:29 . 2012-03-27 17:57
d
w- c:\documents and settings\Windows XP\Local Settings\Application Data\LogMeIn Rescue Applet
2012-03-22 08:03 . 2012-03-22 08:03
d
w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-28 20:15 . 2011-02-21 23:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22 . 2008-04-14 00:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 21:29 3072
w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2011-02-21 18:20 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
Sigcheck
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-02-20 . 9F42478360E9B053A6703DEF39B4CE33 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-05-03 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 864256]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 13:10 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-03 13:10 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2004-03-26 14:40 794624 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-04-01 10:52 1368064 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-18 13:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
2005-03-08 19:33 53248 ----a-r- c:\windows\system32\VTTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
2005-03-12 09:33 147456 ----a-r- c:\windows\system32\VTTrayp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"fsssvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [22/02/2011 8:13 am 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [16/03/2011 4:03 pm 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07/01/2011 6:41 am 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [05/04/2011 12:59 am 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02/08/2011 6:09 am 192776]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [13/10/2011 6:21 pm 249648]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [14/04/2011 9:28 pm 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [10/02/2011 7:53 am 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/02/2011 7:53 am 16720]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12/10/2011 7:25 am 4433248]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [21/10/2011 4:23 pm 196176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 2:16 pm 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [03/05/2011 6:41 pm 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [03/05/2011 6:41 pm 136176]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [17/05/2011 10:55 pm 27064]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [14/04/2008 5:42 am 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 2:16 pm 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-03 17:41]
.
2012-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-03 17:41]
.
2012-04-01 c:\windows\Tasks\User_Feed_Synchronization-{19045B50-7E40-4791-B855-65B71BC20626}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
Supplementary Scan
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-01 19:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-04-01 19:09:31
ComboFix-quarantined-files.txt 2012-04-01 18:09
.
Pre-Run: 129,693,818,880 bytes free
Post-Run: 129,712,926,720 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 77A29FB0306B373B6D023C5BA4FAF73F0 -
Any improvement?
If you're still seeing the unknown history, try running IE without add-ons for a while and see if you still have the problem - Just right click the desktop icon and choose start without add-ons.
Do you recognise this entry in your hosts file?Hosts: 10.33.16.140 ldnhwccha01
If not, reset your hosts file.
http://support.microsoft.com/kb/972034#FixItForMeAlways0 -
Ooh will log back on and have a look I thought it best to shut down til you'd had a look at the log. Does that program fix things straightaway if it finds anything.
I don't recognise the above so will follow your steps and see what happens. Thanks ever so much for all your help.0 -
Ok, let me know.0
-
Hi waddler fingers crossed it all seems to be ok. Had it on last night for about 15 minutes and this morning for half an hour and fastlah didnt appear in the history and no other pages came up either.
will try it again after work but this is definitely looking good! Thanks Wen0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351.6K Banking & Borrowing
- 253.4K Reduce Debt & Boost Income
- 454K Spending & Discounts
- 244.6K Work, Benefits & Business
- 600K Mortgages, Homes & Bills
- 177.3K Life & Family
- 258.3K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.2K Discuss & Feedback
- 37.6K Read-Only Boards