TR/downloader.gen

Hi all,
I go away for a fortnight and come back to my missus complaining that the PC was slow.
I find thousands, and I mean thousands, of instances of TR/downloader.gen on her account in temp files. Trend Micro missed the lot and I'm currently using antivir to get rid of them.
How on earth did she manage so many trojan infections? She assures me she hasn't been anywhere naughty!
Her account is now 'limited' until I can identify the source.
Any ideas?

Zahc

Comments

  • Run combofix as instructed below;

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Marty_J
    Marty_J Posts: 6,594 Forumite
    Is there anything out of the ordinary she does online?

    Outspark was causing Avira to go nuts recently.
  • She could have a Vundo Downloader - all you need is one infection and that will then call the rest in -
  • Zahc
    Zahc Posts: 986 Forumite
    Thanks all.

    Reluctant spender, here's the log file.....
    ComboFix 09-03-02.03 - Chaz 2009-03-03 22:39:40.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1472 [GMT 0:00]
    Running from: c:\documents and settings\Chaz\Desktop\ComboFix.exe
    AV: Avira Premium Security Suite *On-access scanning disabled* (Updated)
    FW: Avira Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    D:\resycled
    d:\resycled\boot.com

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
    .

    2009-03-03 21:25 . 2009-03-03 21:25 <DIR> d-------- c:\program files\Avira
    2009-03-03 21:25 . 2009-03-03 21:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
    2009-03-03 21:25 . 2008-05-07 13:20 71,592 --a------ c:\windows\system32\drivers\avfwot.sys
    2009-03-03 21:25 . 2008-05-07 09:51 71,464 --a------ c:\windows\system32\drivers\avfwim.sys
    2009-03-03 21:15 . 2009-03-03 21:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\URSoft
    2009-03-03 21:08 . 2009-03-03 21:08 <DIR> d-------- c:\documents and settings\Lindsey.PRIVATE-13F54F6\Application Data\URSoft
    2009-03-03 21:00 . 2009-03-03 21:00 <DIR> d-------- c:\documents and settings\Lindsey.PRIVATE-13F54F6\Application Data\Local Settings
    2009-03-03 20:59 . 2009-03-03 20:59 <DIR> d-------- c:\documents and settings\Lindsey.PRIVATE-13F54F6
    2009-03-03 18:16 . 2009-03-03 18:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Webroot
    2009-03-03 18:16 . 2009-03-03 18:16 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Local Settings
    2009-03-03 18:09 . 2009-03-03 18:09 <DIR> d-------- c:\documents and settings\Lindsey\Application Data\Webroot
    2009-03-03 16:52 . 2009-03-03 17:41 <DIR> d-------- C:\Hijackthis
    2009-03-03 16:43 . 2009-03-03 16:43 <DIR> d-------- c:\documents and settings\Lindsey\Application Data\Malwarebytes
    2009-02-17 00:27 . 2009-02-17 00:27 <DIR> d-------- c:\documents and settings\Chaz\Application Data\Windows Search
    2009-02-16 18:52 . 2009-02-16 18:52 <DIR> d-------- c:\documents and settings\Lindsey\Application Data\Nero
    2009-02-14 12:19 . 2009-02-14 12:19 <DIR> d-------- c:\program files\Rosetta Stone
    2009-02-14 12:19 . 2009-02-15 15:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
    2009-02-10 16:35 . 2009-02-10 16:35 <DIR> d-------- c:\documents and settings\Chaz\Application Data\WinCare2008
    2009-02-09 16:35 . 2009-02-09 16:40 9,662 --a------ c:\windows\EPISME00.SWB
    2009-02-09 16:03 . 2009-02-09 16:03 <DIR> d-------- c:\documents and settings\Lindsey\Application Data\Local Settings
    2009-02-09 15:59 . 2009-02-09 15:59 <DIR> d-------- c:\documents and settings\Lindsey\Application Data\Samsung
    2009-02-09 14:30 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
    2009-02-09 14:29 . 2009-02-09 14:30 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
    2009-02-09 14:29 . 2009-02-09 14:29 <DIR> d-------- c:\program files\Samsung
    2009-02-09 14:29 . 2005-08-30 17:59 94,000 --a------ c:\windows\system32\drivers\ss_mdm.sys
    2009-02-09 14:29 . 2005-08-30 17:57 58,320 --a------ c:\windows\system32\drivers\ss_bus.sys
    2009-02-09 14:29 . 2005-08-30 17:58 8,304 --a------ c:\windows\system32\drivers\ss_mdfl.sys
    2009-02-09 14:29 . 2005-08-30 17:58 6,144 --a------ c:\windows\system32\drivers\ss_cmnt.sys
    2009-02-09 14:29 . 2005-08-30 17:58 6,144 --a------ c:\windows\system32\drivers\ss_cm.sys
    2009-02-09 14:29 . 2005-08-30 17:57 5,808 --a------ c:\windows\system32\drivers\ss_whnt.sys
    2009-02-09 14:29 . 2005-08-30 17:57 5,808 --a------ c:\windows\system32\drivers\ss_wh.sys
    2009-02-09 14:29 . 2009-02-09 14:55 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
    2009-02-09 14:29 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
    2009-02-09 12:15 . 2009-02-09 12:15 <DIR> d-------- c:\documents and settings\Chaz\Incomplete
    2009-02-09 12:15 . 2009-02-09 12:45 <DIR> d-------- c:\documents and settings\Chaz\Application Data\LimeWireTurbo
    2009-02-09 11:25 . 2009-02-09 11:25 <DIR> d-------- c:\documents and settings\Lindsey\Application Data\PC Suite
    2009-02-08 15:45 . 2009-02-08 15:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
    2009-02-08 15:42 . 2009-02-08 15:42 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
    2009-02-07 17:22 . 2009-02-20 22:26 <DIR> d-------- c:\windows\system32\Service
    2009-02-07 13:11 . 2009-02-07 13:11 <DIR> d-------- c:\documents and settings\Chaz\dwhelper
    2009-02-06 19:18 . 2009-02-06 19:18 <DIR> d-------- c:\program files\PIXresizer
    2009-02-06 19:18 . 2002-08-29 19:00 1,703,936 --a------ c:\windows\system32\gdiplus.dll
    2009-02-06 19:18 . 2007-04-15 00:05 991,232 --a------ c:\windows\system32\imageviewer2.ocx
    2009-02-06 19:18 . 1996-01-12 00:00 200,704 --a------ c:\windows\system32\threed32.ocx
    2009-02-06 19:18 . 1998-06-24 00:00 164,144 --a------ c:\windows\system32\comct232.ocx
    2009-02-06 19:18 . 1999-09-16 09:04 151,552 --a------ c:\windows\system32\ccrpfd6.ocx
    2009-02-06 19:18 . 2000-05-01 23:02 110,592 --a------ c:\windows\system32\ccrpbds6.dll
    2009-02-06 19:18 . 2000-07-09 18:15 106,496 --a------ c:\windows\system32\mbprgbar.ocx
    2009-02-05 15:29 . 2009-02-05 15:35 <DIR> d-------- c:\program files\Mayoko

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-03 22:33 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
    2009-03-03 22:33 0 ----a-w c:\windows\system32\drivers\logiflt.iad
    2009-03-03 21:15 d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-03-03 08:37 d-----w c:\documents and settings\Chaz\Application Data\Skype
    2009-03-03 08:35 d-----w c:\documents and settings\Chaz\Application Data\skypePM
    2009-02-26 11:28 d-----w c:\program files\Microsoft Silverlight
    2009-02-16 09:40 d-----w c:\documents and settings\Lindsey\Application Data\vlc
    2009-02-11 19:16 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-09 14:29 d--h--w c:\program files\InstallShield Installation Information
    2009-02-08 15:44 d-----w c:\program files\Common Files\Adobe
    2009-02-07 17:26 d-----w c:\program files\PopCap Games
    2009-02-07 13:34 d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-05 16:18 d-----w c:\documents and settings\Chaz\Application Data\vlc
    2009-02-05 15:23 d-----w c:\documents and settings\Chaz\Application Data\FileZilla
    2009-02-05 10:25 d-----w c:\documents and settings\Chaz\Application Data\Nero
    2009-02-01 18:26 d-----w c:\program files\Common Files\Nero
    2009-02-01 17:59 d-----w c:\program files\Nero
    2009-02-01 17:56 d-----w c:\program files\Windows Sidebar
    2009-02-01 17:44 d-----w c:\documents and settings\All Users\Application Data\Nero
    2009-02-01 14:25 d-----w c:\program files\Team JPN
    2009-02-01 14:09 d-----w c:\documents and settings\Chaz\Application Data\PC Suite
    2009-02-01 14:09 d-----w c:\documents and settings\Chaz\Application Data\Nokia
    2009-02-01 14:09 d-----w c:\documents and settings\All Users\Application Data\PC Suite
    2009-02-01 14:08 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
    2009-02-01 14:08 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
    2009-02-01 14:06 d-----w c:\program files\Nokia
    2009-02-01 14:06 d-----w c:\program files\DIFX
    2009-02-01 14:06 d-----w c:\program files\Common Files\PCSuite
    2009-02-01 14:06 d-----w c:\program files\Common Files\Nokia
    2009-02-01 14:05 d-----w c:\program files\PC Connectivity Solution
    2009-02-01 14:04 d-----w c:\documents and settings\All Users\Application Data\Installations
    2009-01-30 17:09 d-----w c:\documents and settings\Guest\Application Data\Skype
    2009-01-30 16:09 d-----w c:\documents and settings\Guest\Application Data\skypePM
    2009-01-30 13:50 d-----w c:\documents and settings\Chaz\Application Data\Malwarebytes
    2009-01-30 13:49 d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-30 12:14 d-----w c:\program files\HistoryKill 2009
    2009-01-29 23:53 d-----w c:\documents and settings\All Users\Application Data\ElectricSheep
    2009-01-29 22:56 d-----w c:\program files\Britannica 9.0
    2009-01-29 22:47 d--h--w c:\program files\Zero G Registry
    2009-01-29 18:20 d-----w c:\documents and settings\Guest\Application Data\WinCare2008
    2009-01-29 18:20 d-----w c:\documents and settings\Guest\Application Data\Local Settings
    2009-01-29 17:47 37,376 ----a-w c:\windows\system32\drivers\WMDrive.sys
    2009-01-29 17:47 d-----w c:\program files\WinMount3
    2009-01-29 14:35 d-----w c:\documents and settings\Chaz\Application Data\dvdcss
    2009-01-28 19:40 dc-h--w c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
    2009-01-28 19:40 d-----w c:\program files\Scrabble_Complete
    2009-01-28 19:40 d-----w c:\documents and settings\Chaz\Application Data\uTorrent
    2009-01-28 19:39 d-----w c:\program files\Uniblue
    2009-01-28 19:39 d-----w c:\program files\Tweak-XP Pro 4
    2009-01-28 15:20 d-----w c:\program files\Atari
    2009-01-28 14:58 d-----w c:\program files\Eidos Interactive
    2009-01-28 14:47 d-----w c:\documents and settings\Chaz\Application Data\Local Settings
    2009-01-28 13:58 d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Pro
    2009-01-28 12:12 d-----w c:\program files\AnswersThatWork
    2009-01-27 22:04 d-----w c:\documents and settings\Chaz\Application Data\uniblue
    2009-01-27 21:23 d-----w c:\program files\Reference Assemblies
    2009-01-27 21:23 d-----w c:\program files\MSBuild
    2009-01-27 19:42 d-----w c:\documents and settings\Chaz\Application Data\iWin
    2009-01-27 19:42 d-----w c:\documents and settings\All Users\Application Data\Trymedia
    2009-01-27 19:38 d-----w c:\program files\BFG
    2009-01-27 18:41 d-----w c:\program files\Startup Faster
    2009-01-27 16:31 d-----w c:\documents and settings\Lindsey\Application Data\URSoft
    2009-01-27 12:23 d-----w c:\documents and settings\Chaz\Application Data\URSoft
    2009-01-27 11:56 d-----w c:\documents and settings\Administrator\Application Data\WinCare2008
    2009-01-27 11:36 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
    2009-01-27 11:25 d-----w c:\program files\Ubisoft
    2009-01-27 11:25 d-----w c:\program files\Common Files\InstallShield
    2009-01-27 00:08 410,984 ----a-w c:\windows\system32\deploytk.dll
    2009-01-27 00:08 d-----w c:\program files\Java
    2009-01-26 23:15 d-----w c:\program files\Windows Live SkyDrive
    2009-01-26 23:15 d-----w c:\program files\Windows Live
    2009-01-26 23:15 d-----w c:\program files\Microsoft
    2009-01-26 23:11 d-----w c:\program files\Common Files\Windows Live
    2009-01-26 11:31 d-----w c:\program files\Common Files\Ahead
    2009-01-26 11:25 d-----w c:\program files\DriverGuide Toolkit
    2009-01-26 11:23 d-----w c:\documents and settings\Chaz\Application Data\Configuration
    2009-01-23 17:25 d-----w c:\program files\Seagate
    2009-01-23 17:22 d-----w c:\documents and settings\All Users\Application Data\Seagate
    2009-01-22 20:17 d-----w c:\documents and settings\Lindsey\Application Data\WinCare2008
    2009-01-22 20:01 d-----w c:\program files\Western Digital Technologies
    2009-01-21 16:45 d-----w c:\program files\HDDGURU LLF Tool
    2009-01-21 16:37 d-----w c:\program files\Western Digital Corp
    2009-01-21 11:41 d-----w c:\program files\Lavalys
    2009-01-21 11:39 d-----w c:\program files\CaptureWiz
    2009-01-21 11:39 d-----w c:\documents and settings\Chaz\Application Data\PixelMetrics
    2009-01-21 11:20 d-----w c:\program files\Simpli Software
    2009-01-20 13:34 d-----w c:\program files\Allok Video Joiner
    2009-01-20 10:38 d-----w c:\documents and settings\Chaz\Application Data\NASA
    2009-01-20 10:36 d-----w c:\program files\NASA
    2009-01-20 10:27 d-----w c:\program files\Steganos Privacy Suite 2008
    2009-01-20 00:24 d-----w c:\program files\Webroot
    2009-01-20 00:24 d-----w c:\program files\Common Files\Webroot Shared
    2009-01-20 00:24 d-----w c:\documents and settings\Chaz\Application Data\Webroot
    2009-01-20 00:24 d-----w c:\documents and settings\All Users\Application Data\Webroot
    2009-01-17 13:03 d-----w c:\documents and settings\All Users\Application Data\NOS
    2009-01-16 20:58 d-----w c:\documents and settings\Chaz\Application Data\Ahead
    2009-01-16 19:20 d-----w c:\program files\Common Files\Adobe AIR
    2009-01-16 18:25 d-----w c:\program files\uTorrent
    2009-01-16 15:01 d-----w c:\program files\FileZilla FTP Client
    2009-01-16 13:13 d-----w c:\program files\Common Files\LogiShrd
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
    "avgnt"="c:\program files\Avira\Avira Premium Security Suite\avgnt.exe" [2008-06-12 266497]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\Lindsey\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "d:\\Program Files\\Rosetta Stone\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "d:\\Program Files\\Rosetta Stone\\RosettaStoneVersion3.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [2009-03-03 71592]
    R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];c:\windows\system32\drivers\sleen16.sys [2007-10-11 11:24:00 79104]
    R2 AntiVirFirewallService;Avira Premium Security Suite Firewall;c:\program files\Avira\Avira Premium Security Suite\avfwsvc.exe [2009-03-03 344321]
    R2 AntiVirMailService;Avira Premium Security Suite MailGuard;c:\program files\Avira\Avira Premium Security Suite\avmailc.exe [2009-03-03 164097]
    R2 antivirwebservice;Avira Premium Security Suite WebGuard;c:\program files\Avira\Avira Premium Security Suite\avwebgrd.exe [2009-03-03 258305]
    R2 AVEService;Avira Premium Security Suite MailGuard helper service;c:\program files\Avira\Avira Premium Security Suite\avesvc.exe [2009-03-03 41217]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-09-10 156968]
    R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\EDIMAX\Common\RalinkRegistryWriter.exe [2009-01-14 69632]
    R2 SatSrv;Steganos AntiTheft;c:\windows\system32\SatSrv.exe [2006-12-05 184320]
    R2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [2009-01-29 37376]
    R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2009-01-20 598856]
    R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [2009-03-03 71464]
    R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-01-14 619136]
    S3 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys [2008-12-11 16256]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d8fb3dc-edff-11dd-9536-001f1f2d235d}]
    \Shell\AutoRun\command - InstallTomTomHOME.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-03 c:\windows\Tasks\SyncBackSE Action Sync.job
    - c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe []

    2009-03-03 c:\windows\Tasks\SyncBackSE Comedy Sync.job
    - c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe []

    2009-03-03 c:\windows\Tasks\SyncBackSE Family Sync.job
    - c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe []

    2009-03-03 c:\windows\Tasks\SyncBackSE Network Drama Sync.job
    - c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe []

    2009-03-03 c:\windows\Tasks\SyncBackSE Thriller Sync.job
    - c:\program files\2BrightSparks\SyncBackSE\SyncBackSE.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{2bae58c2-79f9-45d1-a286-81f911301c3a} - (no file)
    HKCU-Run-OE - c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe


    .
    Supplementary Scan
    .
    uStart Page = hxxp://uk.yahoo.com/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    LSP: avsda.dll
    FF - ProfilePath - c:\documents and settings\Chaz\Application Data\Mozilla\Firefox\Profiles\u31nntjo.default\
    FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/?p=us
    FF - component: c:\documents and settings\Chaz\Application Data\Mozilla\Firefox\Profiles\u31nntjo.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-03 22:40:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'lsass.exe'(1304)
    c:\windows\system32\avsda.dll
    .
    Completion time: 2009-03-03 22:42:12
    ComboFix-quarantined-files.txt 2009-03-03 22:42:10

    Pre-Run: 9,999,527,936 bytes free
    Post-Run: 10,000,941,056 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    271 --- E O F --- 2009-02-25 19:15:49
  • I am seeing uTorrent and Limewire present in your log - if they are not on your system they have been and I would suggest they are the cause of your problem.

    Nothing obvious in that log - although my eyes are very tired.

    I would run the following program - WARNING IT WILL TAKE AGES TO COMPLETE;
    Please go to Eset Onlinescan (NOD32)
    (You need to use InternetExplorer or enable IEView in Firefox)
    • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
    • Now click Start
    • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
    • Click Start (the Onlinescanner will now prepare itself for running on your pc)
    • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
    • Press Scan
      The Onlinescan will now start and scan your pc (please let it run to completion)
    • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
    • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
      The Scan results will now open in Notepad
    • Click into the text area, right-click and choose "select all"
    • Right-click again and choose "copy"
    • Close Notepad

    Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

    Include this log in your reply by right-clicking and "paste" in the text area of the reply post you just created.
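Reading a ComboFix log by eye, as reluctant spender did above, is slow and easy to get wrong when tired, so here is an added triage script (not part of the thread and not ComboFix's own tooling) that parses the section layout shown in Zahc's log and reports what a reviewer checks first: fresh executables in temp folders, P2P client footprints and firewall exceptions, a disabled Windows Firewall, and AutoRun commands on mounted volumes. The log text inside it is constructed for the demo, and the "svhost32.exe" entry is an invented suspicious item, not an indicator from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample laid out like the ComboFix log in the thread; not a real log.
SAMPLE_LOG = r"""((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))
.
2009-03-03 21:25 . 2008-05-07 13:20 71,592 --a------ c:\windows\system32\drivers\avfwot.sys
2009-02-27 18:02 . 2009-02-27 18:02 45,056 --a------ c:\documents and settings\Lindsey\Local Settings\Temp\svhost32.exe
2009-02-09 12:15 . 2009-02-09 12:45 <DIR> d-------- c:\documents and settings\Chaz\Application Data\LimeWireTurbo
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\Avira Premium Security Suite\avgnt.exe" [2008-06-12 266497]
"updater"="c:\documents and settings\Lindsey\Local Settings\Temp\svhost32.exe" [2009-02-27 45056]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d8fb3dc-edff-11dd-9536-001f1f2d235d}]
\Shell\AutoRun\command - InstallTomTomHOME.exe
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # ((((( Section name )))))
FILE_RE = re.compile(  # one "Files Created" entry: created . modified size attrs path
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)
P2P_CLIENTS = ("utorrent", "limewire", "bittorrent", "kazaa", "emule")
EXE_EXTS = (".exe", ".dll", ".sys", ".com", ".scr")

def split_sections(log: str) -> Dict[str, List[str]]:
    """Group log lines under the banner headings ComboFix prints."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for line in log.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            current = m.group(1)
        else:
            sections.setdefault(current, []).append(line.rstrip())
    return sections

def parse_registry(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {key: [(value_name, value_data), ...]} from the REGEDIT4-style listing."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    key = ""
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[key] = []
        elif key and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            entries[key].append((name, data.strip()))
        elif key and line.startswith("\\Shell\\"):
            # mountpoints2 keys print their AutoRun command on a line of its own
            entries[key].append(("AutoRun", line))
    return entries

def triage(log: str) -> List[str]:
    """Return the findings a reviewer of this log would look at first, in log order."""
    findings: List[str] = []
    sections = split_sections(log)
    created = [l for name, body in sections.items() if name.startswith("Files Created") for l in body]
    for line in created:
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        path, low = m.group("path"), m.group("path").lower()
        # The thread's infection lived in temp files: flag fresh executables there.
        if m.group("size") != "<DIR>" and "\\temp\\" in low and low.endswith(EXE_EXTS):
            findings.append(f"new executable in a temp folder: {path}")
        if any(p in low for p in P2P_CLIENTS):
            findings.append(f"P2P client footprint: {path}")
    for key, values in parse_registry(sections.get("Reg Loading Points", [])).items():
        klow, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        for name, data in values:
            if klow.endswith("\\run") and "\\temp\\" in data.lower():
                findings.append(f"autostart entry runs from a temp folder: {name} -> {data}")
            elif name.lower() == "enablefirewall" and data.startswith("0"):
                findings.append(f"Windows Firewall disabled ({leaf})")
            elif "authorizedapplications" in klow and any(p in name.lower() for p in P2P_CLIENTS):
                findings.append(f"P2P client has a firewall exception: {name}")
            elif "mountpoints2" in klow and name == "AutoRun":
                findings.append(f"AutoRun command on a mounted volume: {data}")
    return findings
```

Call `triage()` on the text of a real C:\ComboFix.txt to get the same list for that machine; anything it reports still needs a human to decide whether it is legitimate.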
  • Zahc
    Zahc Posts: 986 Forumite
    OK, thanks reluctant spender. uTorrent and limewire haven't been used in ages, in fact I thought I'd uninstalled them (pesky kids).
    I reckon I'll set the scanner going and go to bed.

    Zahc
  • Zahc
    Zahc Posts: 986 Forumite
    Marty_J wrote: »
    Is there anything out of the ordinary she does online?

    Outspark was causing Avira to go nuts recently.

    My beloved tells me that she's been playing games on facebook; not sure what to make of that!! Is that outspark based?

    Zahc
  • Marty_J
    Marty_J Posts: 6,594 Forumite
    Zahc wrote: »
    My beloved tells me that she's been playing games on facebook; not sure what to make of that!! Is that outspark based?

    Zahc

    I don't think so... it's possible that's how you picked it up though, I guess.
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Zahc wrote: »
    My beloved tells me that she's been playing games on facebook; not sure what to make of that!! Is that outspark based?

    Zahc

    Some games on facebook are dodgy as hell


    Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
    http://www.filehippo.com/download_ccleaner/
    Run the CLEANER scan (UNTICK 'cookies'). This one will remove the temp files
    Then run the REGISTRY scan (Backup the registry when it asks)

    Download MALWAREBYTES (Make sure you click 'DOWNLOAD NOW')
    http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
    UPDATE and FULL SCAN
    Post the log here AFTER you've deleted everything it finds
    :idea:
  • Zahc
    Zahc Posts: 986 Forumite
    aliEnRIK wrote: »
    Some games on facebook are dodgy as hell


    Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
    http://www.filehippo.com/download_ccleaner/
    Run the CLEANER scan (UNTICK 'cookies'). This one will remove the temp files
    Then run the REGISTRY scan (Backup the registry when it asks)

    Download MALWAREBYTES (Make sure you click 'DOWNLOAD NOW')
    http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
    UPDATE and FULL SCAN
    Post the log here AFTER you've deleted everything it finds

    Thanks for that. I do that as a matter of course. Antivir appears to have done the trick. I can only imagine it's something to do with facebook.
    What really ticks me off is that it got past Trend Micro Internet Security. Last time I use that. Back to Kaspersky for me after I trial antivir.

    Zahc