pc plodder Posted October 4, 2009

Morning guys

Sorry to bother you again but Nicky has problems with her P.C. again. Last Thursday when we were away at a tournament her bank's fraud dept rang her telling her that attempts had been made to log into her account. They have put a stop on her account and are issuing new sign-on details and changing the way she has to sign on.

When we got back I went over and did an Eset scan.....nothing found
We did a Superantispyware scan.......nothing found
When we did a Malwarebytes scan the following report appeared; I searched the net and the Sophos site said it was a password stealer that also steals bank and credit card details.

Log:

Malwarebytes' Anti-Malware 1.41
Database version: 2899
Windows 5.1.2600 Service Pack 3

03/10/2009 14:03:45
mbam-log-2009-10-03 (14-03-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220355
Time elapsed: 26 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS.0\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.

We then did a Panda scan online and it reported the following:

;*************************************************************************************
ANALYSIS: 2009-10-03 17:57:47
PROTECTIONS: 1
MALWARE: 1
SUSPECTS: 0
;*************************************************************************************
PROTECTIONS
Description                 Version   Active   Updated
;=====================================================================================
ESET Smart Security 3.0     3.0       Yes      Yes
;=====================================================================================
MALWARE
Id         Description         Type        Active   Severity   Disinfectable   Disinfected   Location
;=====================================================================================
03541233   HackTool/Rebooter   HackTools   No       0          Yes             No            C:\System Volume Information\_restore{BF655994-9F05-499A-8826-E96E91DC74D8}\RP121\A0058327.exe
;=====================================================================================
SUSPECTS
Sent   Location
;=====================================================================================
;=====================================================================================

Today she has done another Malwarebytes scan and it reveals the following:

Nicky

Malwarebytes' Anti-Malware 1.41
Database version: 2903
Windows 5.1.2600 Service Pack 3

04/10/2009 10:08:27
mbam-log-2009-10-04 (10-08-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220632
Time elapsed: 26 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

She is also getting an intermittent BSOD when she boots the P.C. up, but when she reboots it starts OK. We have both got the same security (Eset, Superantispyware and Malwarebytes) and they're all set up the same way, but she keeps getting these infections and I don't. Is this because my ISP is Aohell and apparently have a "netwask" (whatever that is) and she is with Virgin.net cable? We both use I.E. 7 and all Windows are updated with the latest security updates; we both also do all scans 3 times a week and the security systems are updated daily (when we're at home). Any idea what the problem is here guys? At the moment she is getting very frustrated with it all, which is why I'm doing the post and not her.

Regards
Steve
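The Malwarebytes logs above are the only hard evidence in the post, and two things are worth checking mechanically before relying on them: that the summary counts at the top actually match the detail lines, and which registry CLSIDs were involved so they can be searched for in later logs (note the same CLSID {1ab53a71-...} reappears in the second scan under HKCU\...\Ext\Stats). The parser below is an added example, not code from the post or from Malwarebytes; it assumes the MBAM 1.x text-log layout shown above, and SAMPLE_LOG is constructed from the lines quoted in the post.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured detections.

Added example (not code from the forum post or from Malwarebytes). It checks
that the summary counts agree with the detail lines, tallies detection
families, and pulls out any CLSIDs named in registry paths so they can be
searched for in later logs (HijackThis, ComboFix) or in the registry.
SAMPLE_LOG is constructed from the lines quoted in the post above.
"""
import re
from collections import Counter

# "Registry Keys Infected: 2"   -> summary count
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"     -> start of a detail section
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+Infected):$")
# "<path> (<family>) -> <action>"
DETAIL_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2899
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 220355
Time elapsed: 26 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Trojan.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Trojan.Ambler) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS.0\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return {"summary": {section: count}, "detections": [record, ...]}."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        if line == "(No malicious items detected)":
            continue
        m = DETAIL_RE.match(line)
        if m and section:
            detections.append({"section": section, "path": m["path"],
                               "family": m["family"], "action": m["action"]})
    return {"summary": summary, "detections": detections}


def reconcile(parsed):
    """Sections whose header count differs from the detail lines: {section: (claimed, found)}."""
    found = Counter(d["section"] for d in parsed["detections"])
    return {s: (n, found.get(s, 0)) for s, n in parsed["summary"].items() if found.get(s, 0) != n}


def families(parsed):
    """Detection-name tally, e.g. Counter({"Trojan.Ambler": 6, "Trojan.BHO": 2, ...})."""
    return Counter(d["family"] for d in parsed["detections"])


def clsids(parsed):
    """Lower-cased CLSIDs that appear in any detected registry path or file name."""
    return {c.lower() for d in parsed["detections"] for c in CLSID_RE.findall(d["path"])}


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("mismatched sections:", reconcile(parsed) or "none")
    print("families:", dict(families(parsed)))
    print("CLSIDs to hunt for:", sorted(clsids(parsed)))
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file contents; a non-empty result from reconcile means the log was truncated or edited when it was pasted, and the CLSID set is what to grep for in the HijackThis and ComboFix output that follows.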
RandyL Posted October 4, 2009

Hi again pc plodder.

Your related thread is here. Please wait for the security team to look at this. I think this is a serious issue in that the Trojan.Ambler is designed to do exactly what you have said. I can only guess that the reason that you don't have it and she does even though your security is the same is because it was allowed to bypass security. Perhaps by an installed program. In any case you did the right thing by having her account details changed and running the scans that you did.

As for a full cleanup and stopping this computer from being constantly reinfected I would ask that you do this for the Security Team.

Please download the latest version of HijackThis from Trend Micro and save it to your desktop.
Download HJTInstall.exe to your desktop.
Double-click HJTInstall.exe to install HijackThis. By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on Install. It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
Include this log in your next reply.

Notes: Do not use the AnalyseThis button; its findings are dangerous if misinterpreted. Do not have HijackThis fix anything yet. Most of what it finds will be harmless, or required for your computer to run like it should.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. Get help with computer problems. Join Free PC Help here. Donations are welcome. Read Here
pc plodder (Author) Posted October 4, 2009

O.K. Randy, I'll get her to do it ASAP; I think it's still on the P.C. from last time.

Thanks
nickyprout Posted October 4, 2009

Hi Guys,

Here is the requested HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:33, on 04/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\dldnserv.exe
C:\WINDOWS.0\system32\dldncoms.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\TUProgSt.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\SearchIndexer.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Dell V105\dldnmon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Dell V105\dldnMsdMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS.0\STK02N\STK02NM.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dldnmon.exe] "C:\Program Files\Dell V105\dldnmon.exe"
O4 - HKLM\..\Run: [dldnamon] "C:\Program Files\Dell V105\dldnamon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = C:\Program Files\FinePixViewerS\QuickDCF2.exe
O4 - Global Startup: STK02N 2.3 PNP Monitor.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?AuthParam=1236265810_6d2cb8bf9032a5183a54abf82d9813b9&GroupName=JSC&FilePath=/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab&File=jinstall-6u12-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://gameadvisor.futuremark.com/global/msc3121.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
O23 - Service: dldn_device - - C:\WINDOWS.0\system32\dldncoms.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS.0\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS.0\System32\TUProgSt.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 8063 bytes

Nicky
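The way a helper reads a HijackThis log like the one above is mostly three questions: is the indicator the AV already quarantined still referenced anywhere (here the BHO CLSID {1ab53a71-...} from the Malwarebytes log), which O16 ActiveX controls were pulled from the web rather than installed locally, and which O23 services have no identifiable owner. The script below is an added example, not code from the post or from Trend Micro; it assumes the O2/O3/O4/O16/O23 line layouts seen in HijackThis 2.0.2 output, and SAMPLE_HJT is constructed from a subset of the lines in the log above.

```python
"""Triage a HijackThis 2.x log: parse the O2/O3/O4/O16/O23 lines into
records, then answer the questions a responder asks after a cleanup.

Added example (not code from the forum post or from Trend Micro). It assumes
the line formats seen in HijackThis 2.0.2 output; SAMPLE_HJT is constructed
from a subset of the lines posted above, and the indicator checked is the
BHO CLSID that Malwarebytes quarantined earlier in the thread.
"""
import re

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^(?P<type>[RO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r".*Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")      # O4 Run keys
DPF_RE = re.compile(r"DPF: \{[^}]+\} \((?P<name>.*)\) - (?P<loc>.*)$")  # O16 ActiveX

SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: dldnCATSCustConnectService - Unknown owner - C:\WINDOWS.0\System32\spool\DRIVERS\W32X86\3\\dldnserv.exe
"""


def parse_hjt(text):
    """Return one record per Rn/On line: type, name, clsid (lower-cased), path, owner, raw."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        kind, body = m["type"], m["body"]
        entry = {"type": kind, "name": "", "clsid": None, "path": "", "owner": None, "raw": raw}
        c = CLSID_RE.search(body)
        if c:
            entry["clsid"] = c.group(0).lower()
        if kind in ("O2", "O3"):
            # "BHO: <name> - {CLSID} - <dll>" / "Toolbar: <name> - {CLSID} - <dll>"
            head, _, entry["path"] = body.rpartition(" - ")
            entry["name"] = head.split(": ", 1)[1].rsplit(" - ", 1)[0]
        elif kind == "O4":
            m4 = RUN_RE.match(body)
            if m4:
                entry["name"], entry["path"] = m4["name"], m4["cmd"]
        elif kind == "O16":
            m16 = DPF_RE.match(body)
            if m16:
                entry["name"], entry["path"] = m16["name"], m16["loc"]
        elif kind == "O23":
            # "Service: <display name> - <owner> - <image path>"
            parts = body[len("Service: "):].split(" - ")
            if len(parts) >= 3:
                entry["name"], entry["owner"] = parts[0], parts[1]
                entry["path"] = " - ".join(parts[2:])
        entries.append(entry)
    return entries


def find_indicator(entries, indicator):
    """Lines that still mention an indicator (CLSID or path fragment), case-insensitive."""
    needle = indicator.lower()
    return [e for e in entries if needle in e["raw"].lower()]


def remote_dpf(entries):
    """O16 ActiveX controls fetched from a web URL rather than loaded from a local file."""
    return [e for e in entries
            if e["type"] == "O16" and e["path"].lower().startswith(("http://", "https://"))]


def unknown_owner_services(entries):
    """O23 services HijackThis could not attribute to a vendor."""
    return [e for e in entries if e["type"] == "O23" and e["owner"] == "Unknown owner"]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_HJT)
    hits = find_indicator(entries, "{1ab53a71-2ab1-4289-9dc7-ec30eef8b35c}")
    print("quarantined BHO still referenced:", [h["raw"] for h in hits] or "no")
    print("web-loaded ActiveX:", [(e["name"], e["path"]) for e in remote_dpf(entries)])
    print("services with unknown owner:", [(e["name"], e["path"]) for e in unknown_owner_services(entries)])
```

Feed it the full hijackthis.log instead of SAMPLE_HJT and add the CLSIDs and file paths from every earlier AV log to the indicator list; an empty result for the quarantined BHO is what this thread's log shows, while the "Unknown owner" service and the web-loaded O16 controls are the entries a helper would look up by hand before declaring the machine clean.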
chiaz Posted October 4, 2009

Hey Nicky and Steve,

Sorry to see you back here so fast. But let's try to get this solved, shall we.

OK, as the guys suggested, if you have ever used this computer for shopping, banking, or any transactions relating to your financial well-being:

Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.

From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.

DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.

Take any other steps you think appropriate for an attempted identity theft.

While all the above steps may help in some way, the surest way you can make sure your PC is clean is a complete format, especially since you engage in financial transactions using the PC. Not saying that we can't attempt to clean the PC though - let me know your decision and we will proceed according to both your wishes. :)
nickyprout Posted October 4, 2009

Hi Chiaz,

Here we are again then!!!! I presume you mean we "can" attempt to clean my PC. I have had to reformat before and I did not enjoy losing everything that I had stored, so if it is at all possible to re-clean this PC then I will do as advised and change all of my personal details on my accounts. Sorry to be a pain. If you say it is too difficult (I have every faith in you) then I will have to reformat.

Nicky
Tootech Posted October 4, 2009

Have a read of this - certainly my opinion is that you should rebuild this one: When should I re-format? How should I reinstall? (Security - dslreports.com)
chiaz Posted October 5, 2009

Hey Nicky,

That article by Tootech is a good read.

OK, since you intend for us to clean this PC up, let's have you download ComboFix.exe. This shouldn't be foreign to you, I believe. Please visit this webpage for downloading and instructions for running the tool: A guide and tutorial on using ComboFix

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says: The Recovery Console was successfully installed.

Please continue as follows:
(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you. Please include C:\ComboFix.txt for further review, so that we may continue cleansing the system.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.
nickyprout Posted October 5, 2009

Hi Chiaz/Tootech,

Have read the article given by Tootech and have understood it. My computer is mainly used for surfing the net and games. I do, however, use online banking, so yes I do have personal banking info on my PC. Having said that, when I had to re-install Windows in the past, I lost all the sites that I had put into my favorites (I am not the only user of this PC). Is there some way to back these up?

Chiaz, like Tootech, do you recommend a re-install? If your answer is yes then I will follow that advice. If you think you can cleanse my PC AGAIN! then I'll proceed to download ComboFix.

Thanks for your help
Nicky
RandyL Posted October 5, 2009

Since you say you do online banking I'm going to guess that you are using Internet Explorer, as most banks require that browser. If so, open IE and click File (press the Alt key if you don't see File). Use the import/export wizard to export your favorites as a file. Do the same for every user account.

Whichever way you decide to go you should periodically back up things like favorites, address books if you use an email client, and calendars, as well as data files. Not only is this useful should you need to reinstall, it can also be used to transfer to another computer.
chiaz Posted October 5, 2009

Nicky,

One benefit I think you will get out of formatting (besides the assurance) is that once you have formatted and re-installed all your favourite programs and documents, you can make a backup of the PC's current state. That way, you don't have to worry much if a situation warrants similar treatment again.

With that said, I think your PC can still be cleaned up, since I don't think the problem here is a rootkit or anything too nasty. So it's really your choice.
nickyprout Posted October 5, 2009

Hi Chiaz.

OK, I think I'd rather clean than re-install, so I'll download ComboFix and post the log.

Nicky
nickyprout Posted October 5, 2009

Will have to put the log in separate posts as it's too big for one.

ComboFix 09-10-04.01 - The Prout Family 05/10/2009 15:00.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3519.3029 [GMT 1:00]
Running from: c:\documents and settings\The Prout Family.ELONEX\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
 * Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.
2009-10-03 14:57 . 2008-06-19 16:24 28544 ----a-w- c:\windows.0\system32\drivers\pavboot.sys
2009-09-23 19:45 . 2009-09-23 19:46 -------- d-----w- c:\program files\Ballance
2009-09-22 22:40 . 2009-09-22 22:40 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\Merscom
2009-09-22 22:40 . 2009-09-22 22:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Merscom
2009-09-22 22:33 . 2009-09-22 22:39 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Brainiversity2
2009-09-22 22:27 . 2009-09-22 22:27 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Becky Brogan
2009-09-22 22:24 . 2009-09-22 22:24 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\MA
2009-09-14 15:14 . 2009-09-14 15:14 604416 ----a-w- c:\windows.0\system32\TUProgSt.exe
2009-09-14 15:14 . 2009-04-27 12:21 28928 ----a-w- c:\windows.0\system32\uxtuneup.dll
2009-09-14 15:14 . 2009-09-14 15:14 361216 ----a-w- c:\windows.0\system32\TuneUpDefragService.exe
2009-09-09 21:36 . 2009-09-09 21:36 -------- d-----w- c:\windows.0\system32\wbem\Repository
2009-09-09 20:22 . 2009-06-21 21:44 153088 -c----w- c:\windows.0\system32\dllcache\triedit.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
nickyprout Posted October 5, 2009

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-04 20:30 . 2009-08-18 19:26 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\dvdcss
2009-10-04 08:37 . 2008-04-16 14:15 -------- d---a-w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2009-10-04 08:37 . 2008-06-30 16:10 -------- d-----w- c:\program files\SpywareBlaster
2009-09-28 20:52 . 2008-11-29 12:56 16 ----a-w- c:\windows.0\popcinfo.dat
2009-09-23 19:45 . 2007-07-25 20:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-22 22:25 . 2008-10-10 21:49 -------- d-----w- c:\program files\LeeGTs Games
2009-09-19 15:28 . 2008-02-09 12:01 -------- d-----w- c:\program files\FinePixViewerS
2009-09-18 10:28 . 2009-02-25 20:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-14 15:14 . 2009-08-14 13:53 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-09-14 13:46 . 2009-03-16 11:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 13:54 . 2009-03-16 11:59 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2009-09-10 13:53 . 2009-03-16 11:59 19160 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2009-09-06 16:37 . 2009-08-18 15:05 24 ----a-w- c:\windows.0\popcinfot.dat
2009-08-29 15:05 . 2009-08-29 15:05 -------- d-----w- c:\program files\3Planesoft Screensaver Manager
2009-08-29 15:05 . 2009-08-29 15:05 -------- d-----w- c:\program files\Cuckoo Clock 3D Screensaver
2009-08-24 18:53 . 2008-07-30 18:38 -------- d-----w- c:\program files\Ricochet Xtreme
2009-08-22 10:43 . 2009-08-22 10:43 -------- d-----w- c:\program files\Legjendat
2009-08-18 16:11 . 2009-08-18 15:19 -------- d-----w- c:\program files\Auran
2009-08-18 15:03 . 2009-08-18 15:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\PopCap Games
2009-08-18 15:03 . 2009-08-18 14:49 -------- d-----w- c:\program files\PopCap Games
2009-08-18 14:47 . 2009-08-18 14:47 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\HipSoft
2009-08-15 13:31 . 2009-08-15 09:57 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\Candy Factory
2009-08-14 13:53 . 2008-04-16 14:27 -------- d-----w- c:\documents and settings\The Prout Family.ELONEX\Application Data\TuneUp Software
2009-08-14 13:53 . 2009-08-14 13:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\TuneUp Software
2009-08-14 13:52 . 2009-08-14 13:52 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS.0\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-09 12:58 . 2009-08-09 12:58 -------- d-----w- c:\program files\Google
2009-08-09 12:58 . 2009-08-09 11:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0\Application Data\BigFishGamesCache
2009-08-09 12:58 . 2009-08-09 12:58 -------- d-----w- c:\program files\BFG
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows.0\system32\mswebdvd.dll
2009-07-18 16:20 . 2008-04-16 15:34 27272 ----a-w- c:\documents and settings\The Prout Family.ELONEX\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows.0\system32\atl.dll
2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows.0\system32\wmpdxm.dll
2007-10-26 13:14 . 2007-10-26 13:14 774144 ----a-w- c:\program files\RngInterstitial.dll
nickyprout Posted October 5, 2009

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-18 1998576]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows.0\system32\NvMcTray.dll" [2008-09-17 86016]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-06-24 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-06-24 16624]
"NvCplDaemon"="c:\windows.0\system32\NvCpl.dll" [2008-09-17 13574144]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-24 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 148888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows.0\RTHDCPL.exe [2006-08-14 16050176]
"SkyTel"="SkyTel.EXE" - c:\windows.0\SkyTel.exe [2006-05-16 2879488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows.0\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-2-9 303104]
STK02N 2.3 PNP Monitor.lnk - c:\windows.0\STK02N\STK02NM.exe [2009-2-12 163840]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 19:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
nickyprout Posted October 5, 2009

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 19:42 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS.0\\system32\\dldncoms.exe"=
"c:\\Program Files\\Dell V105\\dldnmon.exe"=
"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\dldnpswx.exe"=
"c:\\WINDOWS.0\\system32\\spool\\drivers\\w32x86\\3\\dldnjswx.exe"=
"c:\\Program Files\\Dell V105\\dldnlscn.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Dell V105\\frun.exe"=

R0 pavboot;pavboot;c:\windows.0\system32\drivers\pavboot.sys [03/10/2009 15:57 28544]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 12:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 12:43 74480]
R2 dldn_device;dldn_device;c:\windows.0\system32\dldncoms.exe -service --> c:\windows.0\system32\dldncoms.exe -service [?]
R2 dldnCATSCustConnectService;dldnCATSCustConnectService;c:\windows.0\system32\spool\drivers\w32x86\3\dldnserv.exe [11/01/2009 20:56 99568]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [24/10/2008 21:51 468224]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows.0\system32\TUProgSt.exe [14/09/2009 16:14 604416]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [16/04/2008 15:56 598856]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 12:43 7408]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows.0\system32\drivers\WebSTAR.sys [16/04/2008 16:05 15417]
S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;c:\windows.0\system32\drivers\SACMXP1.sys [20/11/2003 16:01 14848]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nickyprout Posted October 5, 2009

Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows.0\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-05 15:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
nickyprout Posted October 5, 2009

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\ESET\ESET Security\CurrentVersion\Info]
@Denied: (3) (LocalSystem)
"AppDataDir"="c:\\Documents and Settings\\All Users.WINDOWS.0\\Application Data\\ESET\\ESET Smart Security\\"
"DataDir"="ESET\\ESET Smart Security\\"
"EditionName"="Student Edition"
"InstallDir"="c:\\Program Files\\ESET\\ESET Smart Security\\"
"LanguageId"=dword:00000409
"ProductBase"=dword:00000001
"ProductCode"="{4CEBE5E6-D1FD-4BDF-8C9C-29A9A3CC2B7C}"
"ProductName"="ESET Smart Security"
"ProductType"="ess"
"ProductVersion"="3.0.684.0"
"UniqueId"="0006AC9E49ABC1A1"
"ScannerBuild"=dword:00000ed0
"ScannerVersionId"=dword:00000de1
"ScannerVersion"=""
"FixId"=dword:00000005
nickyprout Posted October 5, 2009

Last bit:

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1616)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows.0\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3076)
c:\windows.0\system32\WININET.dll
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\WPDShServiceObj.dll
c:\windows.0\system32\PortableDeviceTypes.dll
c:\windows.0\system32\PortableDeviceApi.dll
.
Completion time: 2009-10-05 15:05
ComboFix-quarantined-files.txt 2009-10-05 14:05
ComboFix2.txt 2009-09-19 12:36

Pre-Run: 220,480,217,088 bytes free
Post-Run: 220,438,691,840 bytes free

206 --- E O F --- 2009-09-09 21:02
nickyprout Posted October 5, 2009

Chiaz, I've been told by someone that I should "Disable Administrative Shares". What does that mean?

Nicky
chiaz Posted October 6, 2009

> I've been told by someone that I should "Disable Administrative Shares". What does that mean?

Put simply, Administrative Shares are something you don't usually use outside a corporate environment. They are designed for remote access support. Disabling Administrative Shares does mitigate some security risks.

Disabling Administrative Shares is usually done via registry editing, but that can be dangerous if you are not familiar with the registry. This tool should do the trick: Enable/Disable Automatic Administrative Shares

===========

I don't see anything malicious in your ComboFix log.

Download: CCleaner (freeware) |MG| CCleaner Slim 2.24.1010 Download

Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).

Once installed, run CCleaner, click the Windows [tab]. The following should be selected by default; if not, please select: http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png

Next: click Options, click the Settings tab. Uncheck "Only delete files older than 48 hrs.", click Ok. Then click Run Cleaner (bottom right), then Exit.

Now, run a full scan with MBAM and post the new log here.
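For readers who want to see what the "registry editing" in the reply above actually amounts to, here is an added example (written for this page, not code from the thread or from the tool chiaz links). It assumes an elevated PowerShell prompt on a Windows machine; the registry path and the value names AutoShareWks / AutoShareServer are the ones Microsoft documents for the Server (LanmanServer) service.

```powershell
# Added example: inspect and disable the automatic administrative shares (C$, D$, ..., ADMIN$).
# Run from an elevated (Administrator) PowerShell prompt. Written for PowerShell 2.0 and later
# so it also works on the XP-era systems discussed in this thread.

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareValueName {
    # Workstation editions read AutoShareWks; server editions read AutoShareServer.
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $productType = (Get-WmiObject -Class Win32_OperatingSystem).ProductType
    if ($productType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
}

function Get-AdminShareState {
    # Shows the hidden ($-suffixed) shares currently published and the registry setting that
    # decides whether the drive and ADMIN$ shares are recreated the next time the service starts.
    $valueName = Get-AutoShareValueName
    $current = (Get-ItemProperty -Path $lanmanParams -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $setting = if ($null -eq $current) { 'not set (defaults to enabled)' } else { $current }
    $hidden = Get-WmiObject -Class Win32_Share | Where-Object { $_.Name -match '\$$' } | ForEach-Object { $_.Name }
    New-Object PSObject -Property @{
        AutoShareValue   = $valueName
        AutoShareSetting = $setting
        HiddenShares     = ($hidden -join ', ')
    }
}

function Disable-AdminShares {
    # 1. Persist: tell the Server service not to recreate C$, D$, ... and ADMIN$ at start-up.
    #    IPC$ is not governed by this value and remains available.
    $valueName = Get-AutoShareValueName
    New-ItemProperty -Path $lanmanParams -Name $valueName -Value 0 -PropertyType DWord -Force | Out-Null

    # 2. Immediate effect: drop the drive and ADMIN$ shares that are already published.
    #    Without step 1 they would simply come back after a reboot.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Name -match '^[A-Z]\$$' -or $_.Name -eq 'ADMIN$' } |
        ForEach-Object { net share $_.Name /delete | Out-Null }
}

function Enable-AdminShares {
    # Reverses the change (for example if remote administration or backup software stops working).
    # The shares reappear after the Server service restarts or the machine reboots.
    $valueName = Get-AutoShareValueName
    New-ItemProperty -Path $lanmanParams -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
}

# Show the current state; call Disable-AdminShares to apply the change, Enable-AdminShares to undo it.
Get-AdminShareState
```

Two caveats a practitioner would want. First, tools that rely on these shares (PsExec-style remote execution, some remote backup and management agents) stop working once they are disabled, so expect to re-enable them if such software is in use. Second, the shares are only reachable over SMB in the first place, so a host firewall that blocks inbound TCP 445 and 139 from untrusted networks protects a home PC at least as well and with less breakage; disabling the shares is the belt to that pair of braces, not a replacement for it.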
pc plodder (Author) Posted October 6, 2009

chiaz, Nicky will have to get back to you with the results tomorrow (Wed) as she has practice and training all day today. Thanks for your help, BTW.

Side note: do you know of any key encryption programmes that are worth investing in? I asked for opinions about KeyScrambler from QFX Software but Goku didn't seem to rate it. Any thoughts/recommendations appreciated.

Regards
Steve
chiaz Posted October 6, 2009

That's not my area of expertise, but I have heard good reviews on TrueCrypt. It is free.
nickyprout Posted October 7, 2009

Hi Chiaz,

Have done as requested. Here is the MBAM log.

Malwarebytes' Anti-Malware 1.41
Database version: 2917
Windows 5.1.2600 Service Pack 3

07/10/2009 08:47:45
mbam-log-2009-10-07 (08-47-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 218789
Time elapsed: 26 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{DDFC0DDF-04B9-4FC9-9CF2-71A6304CF328}\RP24\A0027400.sys (Worm.Agent) -> Quarantined

Do I now have to uninstall ComboFix?

Nicky