FBI Ransome virus- Desktop taken over!
Oops..
Getting ahead of myself.
Here is the txt log:
ComboFix 12-10-21.02 - New User 21/10/2012 16:15:47.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1790.882 [GMT 1:00]
Running from: c:\documents and settings\New User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\New User\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
\Service_nflviuqa
\Service_qhwxidei
\Service_rpekojj
.
.
((((((((((((((((((((((((( Files Created from 2012-09-21 to 2012-10-21 )))))))))))))))))))))))))))))))
.
.
2012-10-17 19:00 . 2012-10-18 11:28
dc----w- c:\documents and settings\New User\Local Settings\Application Data\Google
2012-10-17 19:00 . 2012-08-21 09:13 355632 -c--a-w- c:\windows\system32\drivers\aswSP.sys
2012-10-17 19:00 . 2012-08-21 09:13 21256 -c--a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-10-17 19:00 . 2012-08-21 09:13 35928 -c--a-w- c:\windows\system32\drivers\aswRdr.sys
2012-10-17 19:00 . 2012-08-21 09:13 54232 -c--a-w- c:\windows\system32\drivers\aswTdi.sys
2012-10-17 19:00 . 2012-08-21 09:13 729752 -c--a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-17 19:00 . 2012-08-21 09:13 97608 -c--a-w- c:\windows\system32\drivers\aswmon2.sys
2012-10-17 19:00 . 2012-08-21 09:13 89624 -c--a-w- c:\windows\system32\drivers\aswmon.sys
2012-10-17 19:00 . 2012-08-21 09:13 25256 -c--a-w- c:\windows\system32\drivers\aavmker4.sys
2012-10-17 18:59 . 2012-08-21 09:12 41224 -c--a-w- c:\windows\avastSS.scr
2012-10-17 18:59 . 2012-08-21 09:12 227648 -c--a-w- c:\windows\system32\aswBoot.exe
2012-10-17 18:58 . 2012-10-17 18:58
dc----w- c:\program files\AVAST Software
2012-10-17 18:58 . 2012-10-17 18:58
dc----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-10-16 19:54 . 2012-10-17 00:34
d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-10-09 14:04 . 2012-10-09 14:04
dc----w- c:\documents and settings\New User\Local Settings\Application Data\PCHealth
2012-09-23 11:01 . 2008-07-04 13:33 101120 -c--a-r- c:\windows\system32\drivers\ewusbmdm.sys
2012-09-23 11:01 . 2012-09-23 11:01
dc----w- c:\documents and settings\New User\Application Data\Vodafone
2012-09-23 11:01 . 2012-09-23 11:01
dc----w- c:\documents and settings\All Users\Application Data\InstallShield
2012-09-23 11:01 . 2012-09-23 11:01
dc----w- c:\documents and settings\LocalService\Application Data\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00
dc----w- c:\documents and settings\All Users\Application Data\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00
dc----w- c:\program files\Vodafone
2012-09-23 11:00 . 2012-09-23 11:00
dc----w- c:\documents and settings\New User\Local Settings\Application Data\{3B8B09B1-BF28-4F18-9905-7E5CA2899C01}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 17:02 . 2012-03-30 07:38 696760 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 17:02 . 2011-05-15 12:06 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-29 18:54 . 2012-02-29 22:19 22856 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-08-30 19:05 . 2012-08-30 19:05 13816 -c--a-w- c:\windows\system32\unikey.sys
2012-08-28 15:14 . 2008-04-14 12:00 916992 -c--a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2008-04-14 12:00 43520 -c----w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2008-04-14 12:00 1469440 -c----w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2008-04-14 12:00 385024 -c----w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2008-04-14 12:00 177664 -c--a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:29 . 2008-04-14 12:00 2192896 -c--a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2008-04-14 00:01 2069632 -c--a-w- c:\windows\system32\ntkrnlpa.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 -c--a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13545472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-04-15 417792]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 15:20 57344 -c----r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-05-30 19:06 59280 -c--a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 18:36 30040 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-06-07 18:33 421776 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-09-29 18:54 766536 -c--a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileConnect]
2008-10-09 14:33 2086912 -c--a-w- c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 04:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-17 14:24 13545472 -c--a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-09-17 14:24 1630208 -c--a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-04-15 16:23 417792 -c--a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2008-07-31 14:05 16806912
w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 13:06 254696 -c--a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [17/10/2012 20:00 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [17/10/2012 20:00 355632]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\New User\Desktop\VCdRom.sys [19/12/2001 11:45 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [17/10/2012 20:00 21256]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [14/09/2012 17:22 399432]
R2 VMCService;Vodafone Mobile Connect Service;c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [09/10/2008 15:32 14336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [29/02/2012 23:19 22856]
R3 mtc0303;BIOS Service Provider;c:\windows\system32\drivers\Mtc0303.sys [04/07/2007 08:52 32896]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [24/09/2009 17:03 59264]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [01/10/2009 01:44 133104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [29/02/2012 23:19 676936]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [13/07/2012 13:28 160944]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [30/03/2012 08:38 250808]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys --> c:\windows\system32\DRIVERS\ew_hwusbdev.sys [?]
S3 filtertdidriver;filtertdidriver;c:\windows\system32\drivers\ewfiltertdidriver.sys --> c:\windows\system32\drivers\ewfiltertdidriver.sys [?]
S3 flashusb;flashusb;c:\windows\system32\drivers\flashusb.sys [03/06/2012 13:19 16384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [22/10/2009 16:35 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [01/10/2009 01:44 133104]
S3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys --> c:\windows\system32\DRIVERS\ew_jucdcacm.sys [?]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys --> c:\windows\system32\DRIVERS\ew_jubusenum.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys --> c:\windows\system32\drivers\massfilter.sys [?]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [03/06/2012 13:20 15896]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys --> c:\windows\system32\DRIVERS\ZTEusbnet.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:02]
.
2012-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job

Looks good so far but there's a bit missing - repost the bit from "Contents of the 'Scheduled Tasks' folder" to the end of the log.
How's it all running now?

Thanks.... Seems to be running OK.
Here is the remainder of the log:
Contents of the 'Scheduled Tasks' folder
.
2012-10-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 17:02]
.
2012-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-10-21 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-10-17 09:12]
.
2012-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc12f45672ead6.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 00:44]
.
2012-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc12f456b0e7fa.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-01 00:44]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-21 16:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
LOCKED REGISTRY KEYS
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\M*i*c*r*o*-*B*o*x* *"!\Micro-Box A.I.0\RestorePointInfo]
"SequenceNumber"="322"
.
DLLs Loaded Under Running Processes
.
- - - - - - - > 'lsass.exe'(928)
c:\windows\system32\nvLsp.dll
.
- - - - - - - > 'explorer.exe'(1164)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\RALINK\Common\RalinkRegistryWriter.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-10-21 16:26:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-21 15:26
ComboFix2.txt 2012-10-21 10:07
ComboFix3.txt 2012-10-18 11:36
.
Pre-Run: 124,368,379,904 bytes free
Post-Run: 124,578,353,152 bytes free
.
- - End Of File - - 430D509F656C2950A45E2B0D57B98512

Looks & sounds good - you're in the home straight now.
Uninstall these:
Adobe Reader 7.0
Java Auto Updater
Java(TM) 6 Update 30
jZip (<- Bandoo crapware)
Install the latest version of Adobe Reader - keep it updated.
http://get.adobe.com/reader/ (Uncheck the Mcafee Security Scan - you don't want it.)
Reason: http://www.securelist.com/en/analysis/204792239/IT_Threat_Evolution_Q2_2012#10
Install the latest Java - Keep it updated.
http://www.java.com/en/download/index.jsp
Reason: http://blogs.technet.com/b/security/archive/2011/11/28/millions-of-java-exploit-attempts-the-importance-of-keeping-all-software-up-to-date.aspx
Download 7-zip if you need a file archiver.
http://www.7-zip.org/
RE: Frostwire
P2P filesharing applications are always going to be a potential vector for infection of this kind.
Update Malwarebytes and run a quick scan - post the log if it detects anything.

Thanks Waddler_8.
Seems to be running OK, fingers crossed.
:T :beer:

Nice one.
When you're satisfied all's running well, it's important to uninstall ComboFix.
Open a Run command box (Start > Run, or Windows key + R on your keyboard) and copy/paste this command in:
ComboFix /uninstall
Note the space between ComboFix and /uninstall; it needs to be there.
Click OK and let ComboFix uninstall itself.