pc plodder

Hi guys A friend of mine who has had problems with her P.C before and has come on to the forums to post has had her bank login details hacked again and we don't know how. We ran every scan today (malwarebytes, superantispyware,eset as well as a panda online scan. All came back showing the P.C was clean. The bank fraud dept have now taken over the case as the "hacker" tried to transfer the entire amount in her account to another named account at another bank. Now my question I have found that she has 2 copies of windows XP on her hard drive. The one she operates with at present and anopther which she had problems with booting the p.c and numerous other perminant glitches. A P.C "tech" came to her home and solved the problem, however it looks to me as though he just stuck another copy of XP on and didn't reformat the disc or whatever. She now has Windows and Windows0 on her p.c and i wondered if there was an infection in there that would "jump" across and then hide itself back in the unused copy of XP. Is it possible to remove the old copy of XP without much trouble or is it a major job. When we start the machine we get a 3 second delay so we can open the other one if needed. I don't think this is partitioned on the drive as when i defrag it everything bunches up together. The only other problem which is minor is that it won't restart when asked to do so but shuts down and has to be restarted so i don't know if that's a symptom of something. Hope i've posted this on the right forum, your thoughts on this would be appreciated Regards Steve

Hi guys Don't know if this is the right section to post this but i thought i'd share it with the members. Found this on my travels today, i've been told it's genuine so be warned. This one is pretty slick since they provide YOU with all the information, except the one piece they want. Note, the callers do not ask for your card number; they already have it. This information is worth reading. By understanding how the VISA & MasterCard Telephone Credit Card Scam works, you'll be better prepared to protect yourself. One of our employees was called on Wednesday from "VISA", and I was called on Thursday from "MasterCard". The scam works like this: Person calling says, "This is (name), and I'm calling from the Security and Fraud Department at VISA. My badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card which was issued by (name of bank) did you purchase an Anti-Telemarketing Device for £497.99 from a Marketing company based in London?" When you say "No", the caller continues with, "Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from £297 to £497, just under the £500 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?" You say "yes". The caller continues - "I will be starting a fraud investigation. If you have any questions, you should call the 0800 number listed on the back of your card (0800-VISA) and ask for Security. You will need to refer to this Control Number. The caller then gives you a 6 digit number. "Do you need me to read it again?" Here's the IMPORTANT part on how the scam works the caller then says, "I need to verify you are in possession of your card." He'll ask you to "turn your card over and look for some numbers." There are 7 numbers; the first 4 are part of your card number, the next 3 are the security numbers that verify you are the possessor of the card. These are the numbers you sometimes use to make Internet purchases to prove you have the card. The caller will ask you to read the 3 numbers to him. After you tell the caller the 3 numbers, he'll say, "That is correct, I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any otherquestions?" After you say, "No," the caller then thanks you and states, "Don't hesitate to call back if you do", and hangs up. You actually say very little, and they never ask for or tell you the Card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA Security Department told us it was a scam and in the last 15 minutes a new purchase of £497.99 was charged to our card. Long story - short - we made a real fraud report and closed the VISA account. VISA is reissuing us a new number. What the scammers want is the 3-digit PIN number on the back of the card. Don't give it to them. Instead, tell them you'll call VISA or MasterCard directly for verification of their conversation. The real VISA told us that they will never ask for anything on the card as they already know the information since they issued the card! If you give the scammers your 3 Digit PIN Number, you think you're receiving a credit. However, by the time you get your statement you'll see charges for purchases you didn't make, and by then it's almost too late and/or more difficult to actually file a fraud report. What makes this more remarkable is that on Thursday, I got a call from a "Jason Richardson of MasterCard" with a word-for-word repeat of the VISA scam. This time I didn't let him finish. I hung up! We filed a police report, as instructed by VISA. The police said they are taking several of these reports daily! They also urged us to tell everybody we know that this scam is happening. Please pass this on to all your family and friends. By informing each other, we protect each other. Mods please move if i've posted in the wrong section (sorry) Regards Steve

chiaz Nicky will have to get back to you with the results tomorrow (wed) as she has practice and training all day today. Thanks for your help BTW. Side note. Do you know of any key encription programmes that are worth investing in. I asked for opinions about Keyscrambler from QFX software but Goku didn't seem to rate it. Any thoughts/recommendations appreciated. Regards Steve

O.K Randy, i'll get her to do it asap, think it's still on the P.C from last time Thanks

Thanks tooltech, i'll put that forward to Nicky. Thanks for your time. Regards Steve

Morning guys Sorry to bother you again but Nicky has problems with her P.C again. Last thursday when we were away at a tournement her banks fraud dept rang her telling her that attemps had been made to log into her account. They have put a stop on her account and are issuing new sign on details and changing the way she has to sign on. When we got back I went over and did Eset scan.....nothing found We did Superantispyware scan .......nothing found When we did Malwarebytes scan the following report appeared, i searched the net and sophos site said it was a password stealer that also steal bank and credit card details. Log: Malwarebytes' Anti-Malware 1.41 Database version: 2899 Windows 5.1.2600 Service Pack 3 03/10/2009 14:03:45 mbam-log-2009-10-03 (14-03-45).txt Scan type: Full Scan (C:\|) Objects scanned: 220355 Time elapsed: 26 minute(s), 50 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 6 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS.0\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully. We then did a Pandascan online and it reported the following: ;************************************************* ************************************************** ************************************************** ****************************** ANALYSIS: 2009-10-03 17:57:47 PROTECTIONS: 1 MALWARE: 1 SUSPECTS: 0 ;************************************************* ************************************************** ************************************************** ****************************** PROTECTIONS Description Version Active Updated ;================================================= ================================================== ================================================== ============================== ESET Smart Security 3.0 3.0 Yes Yes ;================================================= ================================================== ================================================== ============================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;================================================= ================================================== ================================================== ============================== 03541233 HackTool/Rebooter HackTools No 0 Yes No C:\System Volume Information\_restore{BF655994-9F05-499A-8826-E96E91DC74D8}\RP121\A0058327.exe ;================================================= ================================================== ================================================== ============================== SUSPECTS Sent Location ;================================================= ================================================== ================================================== ============================== ;================================================= ================================================== ================================================== ============================== Today she has done another Malwarebytes scan and it reveals the following: Nicky Malwarebytes' Anti-Malware 1.41 Database version: 2903 Windows 5.1.2600 Service Pack 3 04/10/2009 10:08:27 mbam-log-2009-10-04 (10-08-27).txt Scan type: Full Scan (C:\|) Objects scanned: 220632 Time elapsed: 26 minute(s), 51 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Password.Stealer) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation (Malware.Trace) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) She is also getting intermittent BSOD when she boots the P.C up but when she reboots it starts o.k We have both got the same security (Eset, Superantispyware and Malwarebytes) and they're all set up the same way but she keeps hgetting these infections and i don't. Is this because my isp is Aohell and apparently have a "netwask" (whatever that is) and she is with Virgin.net cable. We both use I.E 7 and all windows are updated with latest security updates, we both also do all scans 3 times a week and the security systems are updated daily (when we're at home. Any idea what the problem is here guys? At the moment she ios getting very frustrated with it all, which is why i'm doing the post and not her. Regards Steve

Thanks Goku I'll place this in the security sub forum then Thanks for the info re: software. They do a free version apparently. Thansk again Regards Steve

Hi guys A few weeks ago you greatly helped my friend Nicky to clear her infected P.C of a lot of suspicious stuff. Since then she has had the fraud office of her bank on the phone advising her that atempts were made to log into her bank account last thursday while we were away at a tournement. I've been over and we've done scans with Eset which showed nothing. Superantispyware which showed nothing. However Malwarebytes showed the following log and this is where we thing her details have been compromised. Malwarebytes' Anti-Malware 1.41 Database version: 2899 Windows 5.1.2600 Service Pack 3 03/10/2009 14:03:45 mbam-log-2009-10-03 (14-03-45).txt Scan type: Full Scan (C:\|) Objects scanned: 220355 Time elapsed: 26 minute(s), 50 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 6 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS.0\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully. Now the question. I found a free piece of software from QFX software called keyscrambler. Can you guys give me feedback on weather you think this would be of use to her as it would probably defeat heyloggers. It's suposed to encrypt keystrokes and therefore defeat hackers trying to steal bank and credit card details. Thoughts please guys. P.S After we did all the scans above we also did an online pandascan and it found this which showed up the last time we had problems so maybe it's replicating itself from somewhere? ;*********************************************************************************************************************************************************************************** ANALYSIS: 2009-10-03 17:57:47 PROTECTIONS: 1 MALWARE: 1 SUSPECTS: 0 ;*********************************************************************************************************************************************************************************** PROTECTIONS Description Version Active Updated ;=================================================================================================================================================================================== ESET Smart Security 3.0 3.0 Yes Yes ;=================================================================================================================================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=================================================================================================================================================================================== 03541233 HackTool/Rebooter HackTools No 0 Yes No C:\System Volume Information\_restore{BF655994-9F05-499A-8826-E96E91DC74D8}\RP121\A0058327.exe ;=================================================================================================================================================================================== SUSPECTS Sent Location ;=================================================================================================================================================================================== ;=================================================================================================================================================================================== Sorry if i've posted this in the wrong section. Regards Steve

Well, it appears to have only happened once so we'll carry out your last set of instructions chiaz. BTW would it be prudent to run a disc check to repair any errors etc. (won't do that yet until you give the o.k)

Chiaz I'm helping Nicky with all your instructions via phone. Last night her p.c shut down and when she started it up again she had this warning (see photo) Anything to worry about before we carry out the instructions in your last post? Sorry but i can't copy the picture to here so i'll write the text Blue screen error caused by device or driver You received this message because a hardware device,it's driver or software device has caused a blue screen error. This type of error means the computer has shut down abruptly to protect itself from potential data coruption or loss. In this case we were unable to detect the specific device or driver that caused the problem. The following might prevent the blue screen error from recurring. Steps to solve this problem Download and install the latest updates and drivers for your computer Check your computer for viruses Check your hard disc for errors Steps to work around this problem Warining!! These steps are designed to address a particular problem but might do so by temporarily disabling or removing some functionality on your computer Remove any new hardware or software to isolate the cause of the blue screen Restore your computer to an earlier state That's what's on the screen chiaz, it looks genuine as it has Microsoft error reporting headed on it. Nicky doesn't want to mess her p.c up so she's asked me to post this on her behalf for your comments as to what she should do. When you reply i will relay the info to Nicky and we maybe can then carry out the instructions in your last post. Regards Steve

Extra info to Nickys post. I ran the HTLog for her after she became infected. After installing Firefox browser she immediately became infected with BankerFox A trojan. Superantispyware seemed to get rid of it and we ran scans with Eset and Malwarebytes to see if she was clean. The last Maleware bytes scan she ran had 286 infections, some in the registry. As i am not a "techie" i asked her to post it as there seemed to be suspicious entries to me. P.C is Elonex with dual core AMD processor, windows Xp home edition fully updated 4Gb ram Security is Eset firewall and antivirus, Superantispyware and Malwarebytes. She runs full scans 3 times a week Hopethis helps

Docs tales If you think we have it tough in the IT industry, try these for size - Doctors' tales - 1. A man comes into the ER and yells, "My wife's going to have her baby in the cab!" I grabbed my stuff, rushed out to the cab, lifted the lady's dress, and began to take off her under-wear. Suddenly I noticed that there were several cabs --- and I was in the wrong one. Submitted by Dr. Mark MacDonald, San Francisco 2. At the beginning of my shift I placed a stethoscope on an elderly and slightly deaf female patient's anterior chest wall. "Big breaths," I instructed. "Yes, they used to be," replied the patient. Submitted by Dr. Richard Byrnes, Seattle , WA 3. One day I had to be the bearer of bad news when I told a wife that her husband had died of a massive "myocardial infarct". Not more than five minutes later, I heard her reporting to the rest of the family that he had died of a "massive internal fart." Submitted by Dr. Susan Steinberg 4. During a patient's two week follow-up appointment with his cardiologist, he informed me, his doctor, that he was having trouble with one of his medications. "Which one?" I asked. "The patch. The nurse told me to put on a new one every six hours and now I'm running out of places to put it!" I had him quickly undress and discovered what I hoped I wouldn't see. Yes, the man had over fifty patches on his body! Now, the instructions include 'removal of the old patch' before applying a new one. Submitted by Dr. Rebecca St Clair, Norfolk , VA 5. While acquainting myself with a new elderly patient, I asked, "How long have you been bedridden?" After a look of complete confusion she answered, "Why, not for about twenty years - last time was when my husband was still alive." Submitted by Dr. Steven Swanson-Corvallis , OR 6. I was performing rounds at the hospital one morning and while checking up on a woman I asked, "So how's your breakfast this morning?" "It's very good, except for the Kentucky Jelly. I can't seem to get used to the taste", the patient replied. I then asked to see the jelly and the woman produced a foil packet labelled "KY Jelly." Submitted by Dr. Leonard Kransdorf, Detroit , MI 7. A nurse was on duty in the Emergency Room when a young woman with purple hair styled into a punk rocker Mohawk, sporting a variety of tattoos, and wearing strange clothing, entered. It was quickly determined that the patient had acute appendicitis, so she was scheduled for immediate surgery. When she was completely disrobed on the operating table, the staff noticed that her pubic hair had been dyed green, and above it there was a tattoo that read, "Keep off the grass." Once the surgery was completed, the surgeon wrote a short note on the patient's dressing, which said, "Sorry, had to mow the lawn." Submitted by RN no name AND FINALLY!!!.. ......... ..... 8. As a new, young MD doing his residency in OB , I was quite embarrassed when performing female pelvic exams. To cover my embarrassment I had unconsciously formed a habit of whistling softly. The middle-aged lady upon whom I was performing this exam suddenly burst out laughing and further embarrassing me I looked up from my work and sheepishly said, "I'm sorry. Was I tickling you?" She replied, "No, doctor, but the song you were whistling was, "I wish I was in Dixie ........ and my name's Dixie !" Dr. wouldn't submit his name

Randy,Dalo & John Thanks for the feedback guys. For the reasons you've stated i will steer well clear of it. Can't say that for my mate as he really rates it so that's his problem. Thanks for the input guys, appreciate it Regards Steve

Hi Guys Not been around for a while, must say I do like the new forum design:cool: Just a quickie. A mate of mine who I chat to online recommended to me this software programme. The programme name is "Tune Up Utilities". Now before I go out and purchase it I thought I'd run it by you guys to see what you thought. You've not steered me wrongly in the past so if you think it's a pile of junk then please say so. The guy I talk to seems to be well pleased with his and assures me that it hasn't screwed anything up on his P.C (he's been running it for 5-6 months) Your input/thoughts are welcome Regards Steve

Gotta be Metallica for me, closely followed by Def Leopard,Bon Jovi and Aerosmith:cool: