
Stubborn Garda virus


Comments

  • Registered Users, Registered Users 2 Posts: 1,391 ✭✭✭red bull


    I really don't know much about computers. I have that virus but I got past it by clicking fast on Internet Explorer; unfortunately when I switched off the computer and restarted it was there again, but I got past it the same way after a few restarts. I have McAfee running but it does not seem to catch it. Now that I have the computer running again, what should I do? Not good at computer jargon, sorry.


  • Registered Users, Registered Users 2 Posts: 3,267 ✭✭✭rino87


    This popped up on my computer last night. Immediately shut down, restarted and ran AVG. It caught something anyway because my computer is no longer locked. It's still acting dodgy however. For example if I go to the Facebook homepage my browser will flicker and in the history I can see that it's been to two pages named bgpage and smartbar. Obviously I didn't log in. Any ideas what's going on?? Bit worried because this happened a few hours after I was trying to insure my car, no bank details entered though.


  • Posts: 31,828 ✭✭✭✭ [Deleted User]


    A neighbour came around this evening with the laptop that was locked with the garda virus,
    I just rebooted in safe mode and I rolled back to a previous restore point and that fixed it.
    I put on AVG for her as well and hopefully that will stop it.


  • Registered Users, Registered Users 2 Posts: 276 ✭✭HelpWithIT


    A neighbour came around this evening with the laptop that was locked with the garda virus,
    I just rebooted in safe mode and I rolled back to a previous restore point and that fixed it.
    I put on AVG for her as well and hopefully that will stop it.

    Luckily that was the older version of the virus..she was lucky (-;


  • Registered Users, Registered Users 2 Posts: 1,331 ✭✭✭SparkySpitfire


    ...Can I ask how people are getting this virus? And I'm assuming it's nicknamed the Garda virus? As in, surely it didn't come from the guards? :confused:

    Pardon my ignorance but I'm genuinely curious.


  • Registered Users, Registered Users 2 Posts: 276 ✭✭HelpWithIT


    I've cleaned 5 machines in the last week...most of them were from the free film sites and one from a free soccer channel...nothing is free in this life (-;


  • Posts: 31,828 ✭✭✭✭ [Deleted User]


    HelpWithIT wrote: »
    Newest version of the virus locks down the computer in Safe Mode as well...the only way is to make a bootable USB or CD/DVD from either the Kaspersky (v good) or AVG site. This virus can come from reputable sites which have been hijacked, but I find that once this Garda Virus is cleared I usually find lots of other spyware etc on the infected computers and laptops; if the owner is used to looking up "alternative sites" or using torrents etc then there will always be other spyware etc to be removed. The Run command was also disabled in Safe Mode with this new strain of the virus.. tough one(-;
    That ties up with what my friend had been doing, watching "free" streaming video sites.


  • Moderators, Business & Finance Moderators, Regional South Moderators Posts: 6,854 Mod ✭✭✭✭mp22


    ...Can I ask how people are getting this virus? And I'm assuming it's nicknamed the Garda virus? As in, surely it didn't come from the guards? :confused:

    Pardon my ignorance but I'm genuinely curious.

    It's called the Ukash virus (scam).


  • Registered Users, Registered Users 2 Posts: 8 Nijinksky


    If by any chance, MBam doesn't run (virus stops it) go to

    http://www.malwarebytes.org/products/chameleon/

    and download chameleon



    Unzip the contents to a folder in a convenient location.
    Follow the instructions in the included Chameleon CHM Help File or, if the help file will not open, simply try to run the files by double-clicking on them one by one until one of them remains open, then follow the onscreen instructions.

    It registers MBam under a different dll - i.e., as a doc, png, txt etc. That way your visiting virus won't know it's an actual exe.

    Another way is to rename mbam.exe to mbam.doc from the desktop.

    As a matter of interest, "System Restore" will nearly always have a copy of everything - so when you're finished cleaning up, turn off System Restore, and then turn it back on again after 5 minutes.


    I believe it's far better to pay for MBam PRO (although the free version is just as good) than to have to pay a Mr Fixit 80 euros -



    Oh, for those that pick up these kinds of viruses too easily - download Win Patrol, it's better than Msconfig - and when attacked by these scams, go offline and immediately go to startups and untick the virus launcher .... remember if you are offline the virus is half-helpless :-))


    PM me if anyone wants walkthroughs - for freeee :-)

    Cheers
    Tommy


  • Registered Users, Registered Users 2 Posts: 196 ✭✭lockers55


    HitmanPro 3 free trial Worked like a charm

    http://www.surfright.nl/en/hitmanpro


  • Registered Users, Registered Users 2 Posts: 276 ✭✭HelpWithIT


    Nijinksky wrote: »
    If by any chance, MBam doesn't run (virus stops it) go to

    http://www.malwarebytes.org/products/chameleon/

    and download chameleon



    Unzip the contents to a folder in a convenient location.
    Follow the instructions in the included Chameleon CHM Help File or, if the help file will not open, simply try to run the files by double-clicking on them one by one until one of them remains open, then follow the onscreen instructions.

    It registers MBam under a different dll - i.e., as a doc, png, txt etc. That way your visiting virus won't know it's an actual exe.

    Another way is to rename mbam.exe to mbam.doc from the desktop.

    As a matter of interest, "System Restore" will nearly always have a copy of everything - so when you're finished cleaning up, turn off System Restore, and then turn it back on again after 5 minutes.


    I believe it's far better to pay for MBam PRO (although the free version is just as good) than to have to pay a Mr Fixit 80 euros -



    Oh, for those that pick up these kinds of viruses too easily - download Win Patrol, it's better than Msconfig - and when attacked by these scams, go offline and immediately go to startups and untick the virus launcher .... remember if you are offline the virus is half-helpless :-))


    PM me if anyone wants walkthroughs - for freeee :-)

    Cheers
    Tommy

    Helpful link Tommy...but if the computer is locked out in Safe Mode (as the new version of Ukash does), how do you get onto the internet and download Chameleon?? Curious (-;


  • Registered Users, Registered Users 2 Posts: 276 ✭✭HelpWithIT


    I believe it's far better to pay for MBam PRO (although the free version is just as good) than to have to pay a Mr Fixit 80 euros

    In relation to Malwarebytes Pro...it is an excellent programme but way too difficult for the average user to know the effects of the registry change warnings that it pops up constantly.. it reminds me of the paid version of Spybot Search And Destroy...people were finding their computers/laptops were slowing to a crawl because they were clocking legitimate registry changes...


  • Registered Users, Registered Users 2 Posts: 276 ✭✭HelpWithIT


    Just a comment on another Garda Virus thread....if posters can't advertise their services or expertise...why are the moderators allowed to do it?? If, as I am told, they do it voluntarily ... for the good of the users..why don't the same rules apply..hmmmmmm


  • Registered Users, Registered Users 2 Posts: 8 Nijinksky


    HelpWithIT wrote: »
    Helpful link Tommy...but if the computer is locked out in Safe Mode (as the new version of Ukash does), how do you get onto the internet and download Chameleon?? Curious

    Like all 'extra' programmes, I carry a usb stick with my cleaners on it.
    PS the idea is to download chameleon and store it - either in a folder that you set aside for that purpose, or on the desktop.

    One other failsafe I use is 'Trinity Rescue Kit'

    http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT____CPR_FOR_YOUR_COMPUTER&front_id=12&lang=en&locale=en

    Tiny url = http://preview.tinyurl.com/2965cae

    Trinity has 5 built in a/v and antimalware scanners and can be run from a disc (an iso) a usb stick, or from the desktop..

    I don't agree that programmes are too complicated or hard for everyday users to use. If people wait until they are struck by lightning to try to avoid strikes, they deserve to get hit :) Better to learn how to avoid strikes. Better to read the 'how to' and read me's first. Or prepare themselves by reading. I didn't have a teacher or someone to hold my hand, and I can assure folks I'm quite ordinary :)
    Cheers
    Tommy


  • Registered Users, Registered Users 2 Posts: 276 ✭✭HelpWithIT


    Nijinksky wrote: »
    HelpWithIT wrote: »
    Helpful link Tommy...but if the computer is locked out in Safe Mode (as the new version of Ukash does), how do you get onto the internet and download Chameleon?? Curious

    Like all 'extra' programmes, I carry a usb stick with my cleaners on it.
    PS the idea is to download chameleon and store it - either in a folder that you set aside for that purpose, or on the desktop.

    One other failsafe I use is 'Trinity Rescue Kit'

    http://trinityhome.org/Home/index.php?content=TRINITY_RESCUE_KIT____CPR_FOR_YOUR_COMPUTER&front_id=12&lang=en&locale=en

    Tiny url = http://preview.tinyurl.com/2965cae

    Trinity has 5 built in a/v and antimalware scanners and can be run from a disc (an iso) a usb stick, or from the desktop..

    I don't agree that programmes are too complicated or hard for everyday users to use. If people wait until they are struck by lightning to try to avoid strikes, they deserve to get hit :) Better to learn how to avoid strikes. Better to read the 'how to' and read me's first. Or prepare themselves by reading. I didn't have a teacher or someone to hold my hand, and I can assure folks I'm quite ordinary :)
    Cheers
    Tommy
    Point is, your original post presumed that Windows was accessible.. not everybody has your knowledge to contact from USB.. That's why we tell them how to do it.. not diss someone for charging to do it for them (-;


  • Registered Users, Registered Users 2 Posts: 8 Nijinksky


    OK - I don't believe I was dissing anyone - if I left that impression - I never meant to.

    I firmly believe that users should read directions. Not to be overly cliched, but if a body can afford 7 or 800 to buy a box, they can learn to protect it, or at least ask from where they can get the most protection.
    (I'm a freebie user - if I like what it does, I'll donate)

    Much as I probably wouldn't admit it, I do far too much handholding.

    There's a certain satisfaction in getting one up on the bad guys, and if it means going searching for them, then so be it :)

    Unless someone needs help it's EOD for me, thanks

    Tommy


  • Registered Users, Registered Users 2 Posts: 4,314 ✭✭✭BOHtox


    Got done on my PC the other day. On the laptop now although my virus looks different to the one in the picture in this thread, possibly in the op. It looks a lot more legit and if I wasn't used to computers and viruses etc, studying computer science in college, I probably would have fallen for it. If it wasn't for my terrible work ethic I probably would have gotten rid of it by now. Hopefully get around to it at the weekend.


  • Registered Users, Registered Users 2 Posts: 143 ✭✭willciviceg5


    Hi, sorry if this question has already been answered, I am hopeless with computers. I have just got this virus; at first when I tried to start in safe mode it was just shutting down straight away. In the menu that comes up with F8 it gave me the option to repair problems and from there I was given the option to restore to an earlier date. I did that and it did not fully complete. I then went back into safe mode and it opened up fine, I then restored to an earlier date again which completed fully. I have now restarted the computer and it seems to be working ok, I have just downloaded SuperAntiSpyware and it's now scanning. What further action should I take, i.e. anti virus, anti malware? Any help greatly appreciated.


  • Registered Users, Registered Users 2 Posts: 143 ✭✭willciviceg5


    Hi, sorry if this question has already been answered, I am hopeless with computers. I have just got this virus; at first when I tried to start in safe mode it was just shutting down straight away. In the menu that comes up with F8 it gave me the option to repair problems and from there I was given the option to restore to an earlier date. I did that and it did not fully complete. I then went back into safe mode and it opened up fine, I then restored to an earlier date again which completed fully. I have now restarted the computer and it seems to be working ok, I have just downloaded SuperAntiSpyware and it's now scanning. What further action should I take, i.e. anti virus, anti malware? Any help greatly appreciated.

    Ok this may be just a coincidence but I received a call on the landline today from an Indian sounding guy called "Jim" calling from Windows support in relation to the problem with my Windows device. I said "I do not have a computer, and do you know who you are calling?" and he hung up. Advice please.


  • Posts: 31,828 ✭✭✭✭ [Deleted User]


    Ok this may be just a coincidence but I received a call on the landline today from an Indian sounding guy called "Jim" calling from Windows support in relation to the problem with my Windows device. I said "I do not have a computer, and do you know who you are calling?" and he hung up. Advice please.
    Windows support scam, just ignore them.
    If you have the time, waste their time, give them the runaround it reduces their chances of duping someone into downloading their malware.


  • Banned (with Prison Access) Posts: 153 ✭✭mark_79


    Ok this may be just a coincidence but I received a call on the landline today from an Indian sounding guy called "Jim" calling from Windows support in relation to the problem with my Windows device. I said "I do not have a computer, and do you know who you are calling?" and he hung up. Advice please.

    I've had that call three times this week. Just told them I have a mac and they hung up :D

    Anyway, this garda trojan. I'm after being infected four or five times since last Sunday. It tends to happen when I'm using Google search. Each time I just reboot to safe mode and kill it with Malwarebytes Anti Malware.

    Thing is though, are there remnants of this trojan on my machine? Surely I shouldn't be getting it on a repeated basis? Would anti-virus software with real time monitoring prevent it?


  • Registered Users, Registered Users 2 Posts: 10,283 ✭✭✭✭BloodBath


    Just install avast. It will stop you from getting infected in the first place in most cases.

    Internet browsers are far from secure programs.


  • Registered Users, Registered Users 2 Posts: 276 ✭✭HelpWithIT


    mark_79 wrote: »

    I've had that call three times this week. Just told them I have a mac and they hung up :D

    Anyway, this garda trojan. I'm after being infected four or five times since last Sunday. It tends to happen when I'm using Google search. Each time I just reboot to safe mode and kill it with Malwarebytes Anti Malware.

    Thing is though, are there remnants of this trojan on my machine? Surely I shouldn't be getting it on a repeated basis? Would anti-virus software with real time monitoring prevent it?
    It seems obvious that you are not cleaning the system fully each time.. your browser search may now be corrupted.. I have found that 90% of the time this virus comes in from questionable free football sites or movie sites; follow the previous guides to the letter.. also consider the possibility that your router may be infected also.


  • Registered Users, Registered Users 2 Posts: 1,270 ✭✭✭johnnykilo


    I got this virus on Sunday night. Managed to restart in safe mode with command prompt and restore the last System Restore point. I followed the instructions here http://malwaretips.com/blogs/an-garda-siochana-virus/

    The first MalwareBytes scan found 2 keygens which were on my laptop for years and a potentially unwanted program called Funworks (all of which I let MalwareBytes remove). I restarted and ran MalwareBytes again and nothing was found. HitmanPro found 200 or so items but they were mostly just tracking cookies, no malware or viruses.

    I'm currently running the Avast Rootkit scanner, then I'm going to try ComboFix, then TDSSKiller. Just want to know, should I be safe enough to start using my laptop again if nothing is found by the rest of the scans? Should some of the scans not have found something more substantial than the PUP and the 2 keygens that had been on my laptop for years, or should I be ok? Thanks.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Post the ComboFix log here when it's done, can't answer your question without seeing it really.

    Although running that many programs should mean you're ok if they don't find much.


  • Registered Users, Registered Users 2 Posts: 1,270 ✭✭✭johnnykilo


    ComboFix 13-03-26.01 - John 26/03/2013 18:59:33.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.353.1033.18.3039.1686 [GMT 0:00]
    Running from: e:\virus\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.2 *Disabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET NOD32 Antivirus 4.2 *Disabled/Outdated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\3307476.pad
    c:\windows\system32\URTTemp

    c:\windows\system32\URTTemp\regtlib.exe
    c:\windows\XSxS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-26 to 2013-03-26 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-26 19:18 . 2013-03-26 19:19 -------- d-----w- c:\users\John\AppData\Local\temp
    2013-03-26 19:18 . 2013-03-26 19:18 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-03-26 19:18 . 2013-03-26 19:18 -------- d-----w- c:\users\Home\AppData\Local\temp
    2013-03-26 16:35 . 2013-03-26 16:35 -------- d-----w- c:\program files\HitmanPro
    2013-03-26 16:28 . 2013-03-26 17:06 -------- d-----w- c:\programdata\HitmanPro
    2013-03-25 01:41 . 2013-03-25 01:41 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
    2013-03-25 01:41 . 2013-03-25 01:41 -------- d-----w- c:\programdata\Malwarebytes
    2013-03-25 01:41 . 2013-03-25 01:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-03-25 01:41 . 2012-12-14 16:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-03-25 01:41 . 2013-01-08 04:57 6991832 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{496C2CB3-53E7-4418-96F1-CBFC41AC3F42}\mpengine.dll
    2013-03-25 01:40 . 2013-03-25 01:40 -------- d-----w- c:\users\John\AppData\Local\Programs
    2013-03-02 16:56 . 2013-03-02 16:56 -------- d-----w- c:\users\Home\AppData\Local\Programs
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-02-14 15:52 . 2013-02-14 15:52 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-02-14 15:52 . 2011-10-25 21:50 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-01-17 01:28 . 2011-10-02 17:04 232336 ----a-w- c:\windows\system32\MpSigStub.exe
    2012-02-16 14:55 . 2012-02-25 23:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-11-13 23:32 129272 ----a-w- c:\users\John\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
    @="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
    [HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
    2011-07-11 22:01 1194008 ----a-w- c:\windows\System32\PGPfsshl.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-08-27 434960]
    "TouchFreeze"="c:\program files\TouchFreeze\TouchFreeze.exe" [2005-04-29 45056]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
    "Facebook Update"="c:\users\John\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-08-16 138096]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 499608]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5.5ServiceManager"="c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
    "HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]
    "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\John\AppData\Roaming\Dropbox\bin\Dropbox.exe [2013-1-20 28539272]
    EvernoteClipper.lnk - c:\program files\Evernote\Evernote\EvernoteClipper.exe [2012-12-3 1044320]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    PGP Tray.lnk - c:\windows\Installer\{65F2F996-D86C-478E-896F-DC8EAA00B6E0}\Icon6560581611.exe [2011-10-2 55296]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\PGPmapih.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli PGPpwflt
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
    @=""
    .
    R2 apacheds-default;Apache Directory Server - default;c:\program files\Apache Directory Server\bin\apacheds.exe [x]
    R2 Redis;Redis;c:\program files\Redis\RedisService.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
    R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
    R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [x]
    R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
    R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
    S0 pgpfs;PGP File Sharing;c:\windows\System32\Drivers\PGPfsfd.sys [x]
    S0 Pgpwdefs;Pgpwdefs;c:\windows\system32\DRIVERS\Pgpwdefs.sys [x]
    S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [x]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x]
    S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
    S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
    S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [x]
    S2 PGP RDD Service;PGP RDD Service;c:\program files\PGP Corporation\PGP Desktop\RDDService.exe [x]
    S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
    S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ASWMBR
    *Deregistered* - aswMBR
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-03-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1000Core.job
    - c:\users\John\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-16 01:11]
    .
    2013-03-26 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1000UA.job
    - c:\users\John\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-08-16 01:11]
    .
    2013-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1000Core.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 17:28]
    .
    2013-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1000UA.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-02 17:28]
    .
    2013-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1005Core.job
    - c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-15 03:25]
    .
    2013-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3895043083-1085522701-1804212246-1005UA.job
    - c:\users\Home\AppData\Local\Google\Update\GoogleUpdate.exe [2013-02-15 03:25]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.ie/
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
    LSP: c:\windows\system32\PGPlsp.dll
    TCP: DhcpNameServer = 89.101.160.5 89.101.160.4
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\orbfw897.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
    FF - prefs.js: network.proxy.ftp - localhost
    FF - prefs.js: network.proxy.ftp_port - 8008
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 8008
    FF - prefs.js: network.proxy.socks - localhost
    FF - prefs.js: network.proxy.socks_port - 8008
    FF - prefs.js: network.proxy.ssl - localhost
    FF - prefs.js: network.proxy.ssl_port - 8008
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-AdobeBridge - (no file)
    .
    .
    .
    LOCKED REGISTRY KEYS
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2013-03-26 19:23:03
    ComboFix-quarantined-files.txt 2013-03-26 19:23
    .
    Pre-Run: 149,294,694,400 bytes free
    Post-Run: 153,223,897,088 bytes free
    .
    - - End Of File - - CF8CA99D57143F7BB3118FF6320CCCCC
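    The log above is the kind of thing a helper is asked to eyeball in threads like this, and the items worth a second look are easy to miss among the Dropbox and Adobe entries. The script below is an added example, not part of johnnykilo's post or of ComboFix itself: a small triage parser that walks a ComboFix log and flags the sections a reviewer checks first: AV products reported as Disabled or Outdated, Run-key entries launched from user-writable folders, UAC policy values set to 0, an AppInit_DLLs entry (a DLL injected into every process that loads user32), and Firefox proxy settings, which only matter when network.proxy.type is not 0. The SAMPLE_LOG excerpt is constructed from lines of the posted log; the Finding class, the category names and the USER_WRITABLE list are the example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: a handful of lines copied from the ComboFix log posted
# above, trimmed to the sections this triage parser cares about.
SAMPLE_LOG = r"""
AV: ESET NOD32 Antivirus 4.2 *Disabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2011-08-27 434960]
"Facebook Update"="c:\users\John\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-08-16 138096]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2011-01-12 2219184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\PGPmapih.dll
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 8008
FF - prefs.js: network.proxy.type - 0
"""


@dataclass
class Finding:
    category: str  # short tag for grouping, e.g. "av-status"
    detail: str    # what a reviewer should look at


AV_LINE = re.compile(r'^(AV|SP|FW): (.+?) \*(\w+)/(\w+)\* ')
KEY_LINE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
QUOTED_PATH = re.compile(r'^"([^"]+)"')
FF_PREF = re.compile(r'^FF - prefs\.js: (network\.proxy\.\S+) - (.*)$')

# Folders an ordinary user can write to. A Run entry here is not proof of
# anything (updaters live there too) but it is where droppers usually land.
USER_WRITABLE = ('\\appdata\\', '\\programdata\\', '\\temp\\', '\\users\\public\\')

# UAC policy values that are non-zero on a default Windows 7 install.
UAC_NONZERO = {
    'enablelua': 'UAC is switched off entirely',
    'consentpromptbehavioradmin': 'admins elevate silently, with no prompt',
    'promptonsecuredesktop': 'elevation prompts are not shown on the secure desktop',
}


def review_combofix(text: str) -> list:
    """Walk a ComboFix log line by line and return the items worth a second look."""
    findings = []
    current_key = ''
    ff_prefs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := AV_LINE.match(line)):
            kind, product, state, freshness = m.groups()
            if state.lower() == 'disabled' or freshness.lower() == 'outdated':
                findings.append(Finding('av-status', f'{kind} {product}: {state}/{freshness}'))
        elif (m := KEY_LINE.match(line)):
            current_key = m.group(1).lower()  # remember which hive/key the values below belong to
        elif (m := FF_PREF.match(line)):
            ff_prefs[m.group(1)] = m.group(2).strip()
        elif (m := VALUE_LINE.match(line)):
            name, value = m.groups()
            if current_key.endswith('\\currentversion\\run'):
                p = QUOTED_PATH.match(value)
                path = p.group(1) if p else value
                if any(tag in path.lower() for tag in USER_WRITABLE):
                    findings.append(Finding('run-user-writable', f'{name} -> {path}'))
            elif current_key.endswith('\\policies\\system'):
                token = value.split()[0] if value.split() else ''
                if name.lower() in UAC_NONZERO and token.isdigit() and int(token) == 0:
                    findings.append(Finding('uac-weakened', f'{name}=0: {UAC_NONZERO[name.lower()]}'))
            elif name.lower() == 'appinit_dlls' and value.strip():
                findings.append(Finding('appinit-dll', f'{value.strip()} is loaded into every user32 process'))
    # Proxy hosts/ports are inert unless a proxy mode is actually selected (type 0 = none).
    ptype = ff_prefs.get('network.proxy.type', '0')
    if ptype != '0':
        hosts = {k: v for k, v in ff_prefs.items() if k.endswith(('.http', '.ssl', '.socks', '.ftp'))}
        findings.append(Finding('browser-proxy', f'Firefox proxy type {ptype} via {hosts}'))
    return findings


if __name__ == '__main__':
    for f in review_combofix(SAMPLE_LOG):
        print(f'[{f.category}] {f.detail}')
```

    On the posted log this flags ESET (Disabled/Outdated), Defender (Outdated), the three UAC values, PGPmapih.dll under AppInit_DLLs and the Facebook updater under AppData; each of those has an innocent explanation here (PGP Desktop and a vendor updater), which is the point of the exercise: the parser tells you where to look, and the reviewer decides. Swap SAMPLE_LOG for a file read from disk to run it on a full log.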


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    looks ok, but run tdsskiller as this virus tends to infect the mbr too


  • Registered Users, Registered Users 2 Posts: 1,270 ✭✭✭johnnykilo


    Yep, ran tdsskiller too, and it didn't find anything.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    good stuff, should be grand then. If you have any issues let us know.


  • Registered Users, Registered Users 2 Posts: 775 ✭✭✭simon360


    Hi just out of curiosity how does one end up getting this dastardly virus?

