Trojans & Worms! Are they gone? Need help please.
Titania777
Posts: 90 Forumite
in Techie Stuff
My PC got infected the other day (I think it was then) with a Trojan and some worms (Malwarebytes found them).
I think I have got rid of them but as something was in the System32 bit I still am not 100% sure.
Using info from previous posts by others, I ran the Malwarebytes check, quarantined & deleted then did the Hijack This thingey (technical aren't I...) too.
My anti-virus is Avast and yesterday it was showing it was blocking malicious attacks (can't remember which bit showed it) every few minutes and one worm kept appearing throughout the day (which was quarantined and deleted). Last night I couldn't find anything untoward via Avast, Ad-aware or Malwarebytes.
Today I've run CCleaner & Malwarebytes and looks like no problems. I also ran the Combofix thing too which deleted a few bits.
I can't find anything infected today but my PC still seems very slow (and I do my 'housekeeping' regularly).
Please can anyone help, as I really don't have a clue what to do to make sure my PC is 'clean'?
This is my latest Malwarebytes log;
Malwarebytes' Anti-Malware 1.36
Database version: 2063
Windows 5.1.2600 Service Pack 2
01/05/2009 09:14:49
mbam-log-2009-05-01 (09-14-49).txt
Scan type: Full Scan (C:\|)
Objects scanned: 97107
Time elapsed: 18 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
This is my latest 'Hijack This' log;
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:16:05, on 01/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicknow.org.uk/DogsTrust
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5381 bytes
Comments
Would help if you can pull up logs on what AVAST found and specifically exactly WHERE.
eg ~ C:\WINDOWS\SYSTEM32 etc etc
You should only ever QUARANTINE files by the way if you really don't know what they are
Clearly if your computer's still slow then you're either still infected or you've removed something you shouldn't have
Your HIJACK log's clean
Please run COMBOFIX
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be)
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe')
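A scripted version of the check the reply above does by eye, added here as an example and not part of the thread: it reads a HijackThis log offline and lists the O4 autostart entries and O23 services a reviewer should verify first. The heuristics (a binary outside Program Files or Windows, an unquoted path containing spaces, a service in system32 whose version info names no publisher) are this example's own triage rules, not HijackThis's. The sample lines are copied from the log in the first post except the `[updater]` entry, which is constructed so that the script has a hit to show.

```python
import re

# Directories an autostart binary normally lives in on this XP box (assumption behind the heuristic).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
QUOTED_RE = re.compile(r'^"([^"]+)"')
UNQUOTED_RE = re.compile(r"^(.*?\.(?:exe|dll|vbs|bat|cmd|scr))(?:\s|$)", re.IGNORECASE)

# Constructed sample in the shape of the thread's log; the [updater] line is invented to trigger a finding.
SAMPLE_HJT = "\n".join([
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Application Data\svchost.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe",
])


def command_to_path(command):
    """Split a Run-key command into (executable path, was_quoted)."""
    m = QUOTED_RE.match(command)
    if m:
        return m.group(1), True
    m = UNQUOTED_RE.match(command)
    return (m.group(1) if m else command.strip()), False


def in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def triage_hijackthis(log_text):
    """Return (section, name, path, reason) for every O4/O23 entry that needs a second look."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            _hive, _key, name, command = m.groups()
            path, quoted = command_to_path(command)
            if not in_trusted_root(path):
                findings.append(("O4", name, path, "autostart binary outside Program Files/Windows"))
            elif not quoted and " " in path:
                # CreateProcess tries C:\Program.exe before C:\Program Files\...; the value should be quoted
                findings.append(("O4", name, path, "unquoted path containing spaces"))
        elif line.startswith("O23 - Service: "):
            # "<display name> - <publisher> - <path>"; the name itself may contain " - ", so split from the right
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            name, publisher, path = parts
            if publisher == "Unknown owner" and "\\system32\\" in path.lower():
                findings.append(("O23", name, path, "service in system32 with no publisher in its version info"))
            elif not in_trusted_root(path):
                findings.append(("O23", name, path, "service binary outside Program Files/Windows"))
    return findings


if __name__ == "__main__":
    for section, name, path, reason in triage_hijackthis(SAMPLE_HJT):
        print(f"{section:<4}{name:<40}{path}\n    -> {reason}")
```

On the thread's own log the only hit is the CSHelper service, which is the CopySafe component the ArtistScope Firefox plugin further down the ComboFix log belongs to; that is exactly the kind of entry the script is meant to surface for a human to confirm rather than decide on.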
Oh dear - a little knowledge and all that!
This is where the System32 thing and other stuff shows on the Malwarebytes log;
Malwarebytes' Anti-Malware 1.36
Database version: 2055
Windows 5.1.2600 Service Pack 2
28/04/2009 23:04:27
mbam-log-2009-04-28 (23-04-07).txt
Scan type: Full Scan (C:\|)
Objects scanned: 80630
Time elapsed: 1 hour(s), 17 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\dmloader32.dll (Trojan.Agent) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\301281ae583 (Trojan.Agent) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\dmloader32.dll -> No action taken.
Folders Infected:
C:\WINDOWS\system32\SystemService32 (Worm.Archive) -> No action taken.
Files Infected:
C:\WINDOWS\system32\SystemService32\1.tmp (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\SystemService32\192.tmp (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\DMLOADER32.DLL (Trojan.Agent) -> No action taken.
Will run Combofix again but it did say before to disable Avast which I didn't do. Please can you tell me should I disable it this time?
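The two registry detections in the log above are worth reading as a pair: AppInit_DLLs is a value honoured by every process that loads user32.dll, and the Winlogon\Notify key names a DLL that winlogon.exe loads at logon, so the DLL that is also listed as a file is the payload and the two keys are its loaders. Every line also ends in "No action taken", which means this log records a scan, not a removal. The Python below is an added example, not part of the thread: it parses Malwarebytes 1.x detection lines (the sample lines are the ones from the post), classifies each registry item by the Windows component that loads what it names, and links each detected file to the registry data that points at it.

```python
import re

# One detection line of a Malwarebytes' Anti-Malware 1.x log:
#   <item> (<family>) -> [Data: <value> -> ]<action>
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)

# Registry locations and the Windows component that loads what they name.
# Ordinary Windows behaviour, written out here as the example's own lookup table.
PERSISTENCE = [
    ("\\currentversion\\windows\\appinit_dlls",
     "AppInit_DLLs: DLL loaded into every process that links user32.dll"),
    ("\\winlogon\\notify\\",
     "Winlogon Notify package: DLL loaded by winlogon.exe at logon (XP/2003)"),
    ("\\currentversion\\runonce", "RunOnce key: run once at next logon"),
    ("\\currentversion\\run", "Run key: run at every logon"),
    ("\\services\\", "service or driver registration"),
]

# Sample input: the detection lines from the 28/04/2009 log in the thread.
SAMPLE_MBAM = "\n".join([
    r"C:\WINDOWS\system32\dmloader32.dll (Trojan.Agent) -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\301281ae583 (Trojan.Agent) -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\dmloader32.dll -> No action taken.",
    r"C:\WINDOWS\system32\SystemService32 (Worm.Archive) -> No action taken.",
    r"C:\WINDOWS\system32\SystemService32\1.tmp (Worm.Archive) -> No action taken.",
    r"C:\WINDOWS\system32\SystemService32\192.tmp (Worm.Archive) -> No action taken.",
    r"C:\WINDOWS\system32\DMLOADER32.DLL (Trojan.Agent) -> No action taken.",
])


def classify_registry(item):
    low = item.lower()
    for needle, meaning in PERSISTENCE:
        if needle in low:
            return meaning
    return "other registry location"


def parse_mbam(log_text):
    """Return one dict per detection line, in log order."""
    detections = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["kind"] = "registry" if d["item"].upper().startswith("HKEY_") else "filesystem"
        d["mechanism"] = classify_registry(d["item"]) if d["kind"] == "registry" else None
        detections.append(d)
    return detections


def pending_removals(detections):
    """Items the scan only reported. A log made of these is not evidence of a clean-up."""
    return [d for d in detections if d["action"].startswith("No action taken")]


def loaded_via(detections):
    """Map each detected file to the registry mechanisms whose data names it."""
    files = {d["item"].lower() for d in detections if d["kind"] == "filesystem"}
    links = {}
    for d in detections:
        if d["data"] and d["data"].lower() in files:
            links.setdefault(d["data"].lower(), []).append(d["mechanism"])
    return links


if __name__ == "__main__":
    dets = parse_mbam(SAMPLE_MBAM)
    for d in dets:
        print(f"{d['kind']:<10} {d['item']}  [{d['family']}]  {d['mechanism'] or ''}")
    print(f"{len(pending_removals(dets))} of {len(dets)} detections were left in place")
    for path, mechanisms in loaded_via(dets).items():
        print(f"{path} is loaded by: {', '.join(mechanisms)}")
```

The practical consequence of the AppInit_DLLs link is that deleting the DLL alone leaves a dangling value that every new process will still try to load; the value has to be cleared as well, which is why the scanner lists the registry data item as its own detection.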
It can possibly affect it if you leave it running. But try running combofix with avast still scanning if you wish
By the way. You said AVAST had found some and that's the program I was talking about ~ you should quarantine using AVAST
Malwarebytes seems to be completely safe to remove whatever it finds
I have got myself all of a dither and after looking at the Malwarebytes log I think they were found there and not Avast.
I disconnected internet and disabled Avast and this is the Combofix log I got;
ComboFix 09-04-30.05 - Dark Angel 01/05/2009 10:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.512.195 [GMT 1:00]
Running from: c:\downloads\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090430-0] *On-access scanning disabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.
2009-04-29 14:31 . 2009-04-29 14:31 -------- d-----w- c:\program files\CCleaner
2009-04-29 13:41 . 2009-04-29 13:41 -------- d-----w- c:\program files\Trend Micro
2009-04-28 18:46 . 2009-04-28 18:46 615 ----a-w c:\windows\system32\L7jSDOCkj6pvo.vbs
2009-04-28 18:40 . 2009-04-28 18:40 615 ----a-w c:\windows\system32\0NHxn.vbs
2009-04-28 18:38 . 2009-04-28 18:38 615 ----a-w c:\windows\system32\8DwQLx9iYzxMIPJ.vbs
2009-04-28 18:37 . 2009-04-28 18:37 615 ----a-w c:\windows\system32\YsrBn6wJQni7ROF.vbs
2009-04-28 18:35 . 2009-04-28 18:35 615 ----a-w c:\windows\system32\vF369TI.vbs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 18:35 . 2009-04-28 18:35 0 ----a-w c:\windows\system32\16B.tmp
2009-04-28 16:42 . 2008-11-25 14:40 -------- d-----w- c:\program files\DVD Region+CSS Free
2009-04-26 08:16 . 2009-01-30 21:55 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-06 22:47 . 2008-12-16 07:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 14:32 . 2008-12-16 07:27 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-12-16 07:28 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 12:21 . 2008-11-26 20:43 -------- d-----w- c:\program files\Java
2009-03-09 04:19 . 2008-11-26 20:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 12:55 . 2009-02-10 19:44 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-05 00:15 . 2009-03-05 00:15 -------- d-----w- c:\program files\Common Files\xing shared
2009-03-05 00:15 . 2009-03-05 00:15 -------- d-----w- c:\program files\Common Files\Real
2009-03-05 00:15 . 2009-03-05 00:15 -------- d-----w- c:\program files\Real
2009-02-20 20:42 . 2009-02-20 20:42 266240 ----a-w c:\windows\system32\CSHelper.exe
2009-02-20 20:42 . 2009-02-20 20:42 225280 ----a-w c:\windows\system32\CSInstru.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-05-01_07.31.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 07:42 . 2009-05-01 07:42 16384 c:\windows\Temp\Perflib_Perfdata_760.dat
+ 2009-05-01 07:42 . 2009-05-01 07:42 16384 c:\windows\Temp\Perflib_Perfdata_6c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-02-19 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-04-28 1560816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"Matrox Powerdesk"="c:\windows\system32\PDesk\PDesk.exe" [2001-09-21 622592]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-26 516440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-05 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL
"wave1"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
R3 UtilNT;UtilNT;c:\windows\system32\drivers\UtilNT.sys [2000-04-17 5533]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-26 64160]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-20 266240]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-26 953168]
S3 G550DH;G550DH;c:\windows\system32\DRIVERS\g550dhm.sys [2001-09-28 324747]
.
Contents of the 'Scheduled Tasks' folder
2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 08:16]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.clicknow.org.uk/DogsTrust
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dark Angel\Application Data\Mozilla\Firefox\Profiles\unk5cs5d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.clicknow.org.uk/DogsTrust
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npArtistScope42.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 10:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\msi.dll
c:\windows\system32\PDesk\PDKERNEL.DLL
c:\windows\system32\PDesk\PDTOOLS.DLL
c:\windows\system32\PDesk\PDRESENG.DLL
.
Completion time: 2009-05-01 10:24
ComboFix-quarantined-files.txt 2009-05-01 09:24
ComboFix2.txt 2009-05-01 07:33
Pre-Run: 71,127,007,232 bytes free
Post-Run: 71,125,909,504 bytes free
111
You're definitely still infected
The log seems a lot shorter than normal too so when you rerun below you're going to have to turn avast off (Disconnect from the net too before running)
Open notepad and copy/paste the text in RED below
File::
c:\windows\system32\L7jSDOCkj6pvo.vbs
c:\windows\system32\0NHxn.vbs
c:\windows\system32\8DwQLx9iYzxMIPJ.vbs
c:\windows\system32\YsrBn6wJQni7ROF.vbs
c:\windows\system32\vF369TI.vbs
c:\windows\system32\16B.tmp
c:\windows\Temp\Perflib_Perfdata_760.dat
c:\windows\Temp\Perflib_Perfdata_6c4.dat
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
http://www.filehippo.com/download_ccleaner/
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
I'm off to the gym now (Even though I don't feel like it!)
So please run this ~
then run a KASPERSKY ONLINE SCAN (click to scan 'MY COMPUTER')
http://www.kaspersky.co.uk/virusscanner
Please post the complete log it creates
I'll check when I'm back in
ps ~ don't panic
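The same selection the reply above makes by hand, scripted. This Python is an added example and not part of the thread: it parses the 'Files Created', 'Find3M' and snapshot lines of a ComboFix log (the sample lines are the ones from the 10:22 log posted above, with one directory entry kept to show it is skipped), flags anything newly written under system32 and any batch of three or more same-sized files dropped into one directory within fifteen minutes, and renders the result as the File:: block a CFScript takes. Two caveats are built in: the Perflib_Perfdata_*.dat files in Windows\Temp are scratch files the performance-counter library writes whenever something reads counters, so they are left out; and Lbd.sys, Ad-Aware's own driver, gets caught by the system32 rule, so what comes out is a list to verify, not a list to delete blindly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ComboFix file lines: two timestamps, a size (or dashes for a directory), optional
# attribute flags, then the path. Snapshot-section lines carry a leading "+ ".
ENTRY_RE = re.compile(
    r"^(?:\+ )?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>\d+|-+)"
    r"(?:\s+(?P<attrs>[-a-z]+))?\s+(?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)
SYSTEM32 = "\\windows\\system32\\"
# Scratch files the performance-counter library writes whenever a process reads counters.
KNOWN_BENIGN = [re.compile(r"\\windows\\temp\\perflib_perfdata_[0-9a-f]+\.dat$", re.IGNORECASE)]

# Sample input: lines from the thread's first ComboFix log, assembled here as test data.
SAMPLE_COMBOFIX = "\n".join([
    r"2009-04-29 14:31 . 2009-04-29 14:31 -------- d-----w- c:\program files\CCleaner",
    r"2009-04-28 18:46 . 2009-04-28 18:46 615 ----a-w c:\windows\system32\L7jSDOCkj6pvo.vbs",
    r"2009-04-28 18:40 . 2009-04-28 18:40 615 ----a-w c:\windows\system32\0NHxn.vbs",
    r"2009-04-28 18:38 . 2009-04-28 18:38 615 ----a-w c:\windows\system32\8DwQLx9iYzxMIPJ.vbs",
    r"2009-04-28 18:37 . 2009-04-28 18:37 615 ----a-w c:\windows\system32\YsrBn6wJQni7ROF.vbs",
    r"2009-04-28 18:35 . 2009-04-28 18:35 615 ----a-w c:\windows\system32\vF369TI.vbs",
    r"2009-04-28 18:35 . 2009-04-28 18:35 0 ----a-w c:\windows\system32\16B.tmp",
    r"2009-04-26 08:16 . 2009-01-30 21:55 64160 ----a-w c:\windows\system32\drivers\Lbd.sys",
    r"+ 2009-05-01 07:42 . 2009-05-01 07:42 16384 c:\windows\Temp\Perflib_Perfdata_760.dat",
    r"+ 2009-05-01 07:42 . 2009-05-01 07:42 16384 c:\windows\Temp\Perflib_Perfdata_6c4.dat",
])


def is_known_benign(path):
    return any(p.search(path) for p in KNOWN_BENIGN)


def parse_entries(log_text):
    """Return the file entries of a ComboFix log as dicts; directories and benign files are kept here."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        attrs = m["attrs"] or ""
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
            "size": size,
            "is_dir": size is None or attrs.lower().startswith("d"),
            "path": m["path"],
        })
    return entries


def triage_combofix(log_text, window=timedelta(minutes=15), min_cluster=3):
    """Map each suspicious path to the list of reasons it was flagged."""
    entries = [e for e in parse_entries(log_text)
               if not e["is_dir"] and not is_known_benign(e["path"])]
    findings = defaultdict(list)

    # Rule 1: anything newly written under system32 deserves a look.
    for e in entries:
        if SYSTEM32 in e["path"].lower():
            findings[e["path"]].append("new file under system32")

    # Rule 2: a dropper leaves several same-sized files in one directory within minutes.
    groups = defaultdict(list)
    for e in entries:
        directory = e["path"].rsplit("\\", 1)[0].lower()
        groups[(directory, e["size"])].append(e)
    for (directory, size), members in groups.items():
        members.sort(key=lambda m: m["ts"])
        span = members[-1]["ts"] - members[0]["ts"]
        if len(members) >= min_cluster and span <= window:
            for m in members:
                findings[m["path"]].append(
                    f"one of {len(members)} files of {size} bytes written to {directory} within {span}")
    return dict(findings)


def cfscript_block(findings):
    """Render the flagged paths as the File:: block ComboFix accepts in a CFScript."""
    return "\n".join(["File::", *sorted(findings)]) + "\n"


if __name__ == "__main__":
    flagged = triage_combofix(SAMPLE_COMBOFIX)
    for path, reasons in sorted(flagged.items()):
        print(path)
        for r in reasons:
            print("   -", r)
    print()
    print(cfscript_block(flagged))
```

Run as-is it flags the five identically sized .vbs files twice over (new in system32, and a batch of five written within eleven minutes), the zero-byte 16B.tmp that appeared in the same minute as the first script, and Lbd.sys; it says nothing about the two Perflib files or the CCleaner directory.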
Panic - panic - oooh an understatement!
I have printed your post and will set about it now.
Thank you for helping me and have a wonderful time at the gym - he he. x
Here is the Combofix.txt
ComboFix 09-04-30.05 - Dark Angel 01/05/2009 11:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.512.265 [GMT 1:00]
Running from: c:\downloads\ComboFix.exe
Command switches used :: c:\downloads\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090430-0] *On-access scanning disabled* (Updated)
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
c:\windows\system32\0NHxn.vbs
c:\windows\system32\16B.tmp
c:\windows\system32\8DwQLx9iYzxMIPJ.vbs
c:\windows\system32\L7jSDOCkj6pvo.vbs
c:\windows\system32\vF369TI.vbs
c:\windows\system32\YsrBn6wJQni7ROF.vbs
c:\windows\Temp\Perflib_Perfdata_6c4.dat
c:\windows\Temp\Perflib_Perfdata_760.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\0NHxn.vbs
c:\windows\system32\16B.tmp
c:\windows\system32\8DwQLx9iYzxMIPJ.vbs
c:\windows\system32\L7jSDOCkj6pvo.vbs
c:\windows\system32\vF369TI.vbs
c:\windows\system32\YsrBn6wJQni7ROF.vbs
c:\windows\Temp\Perflib_Perfdata_6c4.dat
c:\windows\Temp\Perflib_Perfdata_760.dat
.
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.
2009-04-29 14:31 . 2009-04-29 14:31 -------- d-----w- c:\program files\CCleaner
2009-04-29 13:41 . 2009-04-29 13:41 -------- d-----w- c:\program files\Trend Micro
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 16:42 . 2008-11-25 14:40 -------- d-----w- c:\program files\DVD Region+CSS Free
2009-04-26 08:16 . 2009-01-30 21:55 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-06 22:47 . 2008-12-16 07:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 14:32 . 2008-12-16 07:27 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-12-16 07:28 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 12:21 . 2008-11-26 20:43 -------- d-----w- c:\program files\Java
2009-03-09 04:19 . 2008-11-26 20:43 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 12:55 . 2009-02-10 19:44 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-05 00:15 . 2009-03-05 00:15 -------- d-----w- c:\program files\Common Files\xing shared
2009-03-05 00:15 . 2009-03-05 00:15 -------- d-----w- c:\program files\Common Files\Real
2009-03-05 00:15 . 2009-03-05 00:15 -------- d-----w- c:\program files\Real
2009-02-20 20:42 . 2009-02-20 20:42 266240 ----a-w c:\windows\system32\CSHelper.exe
2009-02-20 20:42 . 2009-02-20 20:42 225280 ----a-w c:\windows\system32\CSInstru.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-05-01_07.31.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 10:12 . 2009-05-01 10:12 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2009-05-01 10:12 . 2009-05-01 10:12 16384 c:\windows\Temp\Perflib_Perfdata_5f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-02-19 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-04-28 1560816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2002-11-08 98304]
"Matrox Powerdesk"="c:\windows\system32\PDesk\PDesk.exe" [2001-09-21 622592]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-26 516440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-05 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL
"wave1"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
R3 UtilNT;UtilNT;c:\windows\system32\drivers\UtilNT.sys [2000-04-17 5533]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-26 64160]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-02-20 266240]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-04-26 953168]
S3 G550DH;G550DH;c:\windows\system32\DRIVERS\g550dhm.sys [2001-09-28 324747]
.
Contents of the 'Scheduled Tasks' folder
2009-04-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 08:16]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.clicknow.org.uk/DogsTrust
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dark Angel\Application Data\Mozilla\Firefox\Profiles\unk5cs5d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.clicknow.org.uk/DogsTrust
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npArtistScope42.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 11:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(2912)
c:\windows\system32\msi.dll
c:\windows\system32\PDesk\PDKERNEL.DLL
c:\windows\system32\PDesk\PDTOOLS.DLL
c:\windows\system32\PDesk\PDRESENG.DLL
.
Other Running Processes
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\brss01a.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\mgabg.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-01 11:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 10:15
ComboFix2.txt 2009-05-01 09:24
ComboFix3.txt 2009-05-01 07:33
Pre-Run: 71,132,045,312 bytes free
Post-Run: 71,128,010,752 bytes free
140
Well - the Kaspersky download took ages - the scan took about 50 minutes (just finished) and there are no threats reported, so it doesn't give you a log.
Still feel 'unclean' so would be grateful if you have any more ideas please.
Yeah ~ I'm not convinced myself either (Though 50 mins on a FULL scan is very good actually. They can take hours depending on drive size etc)
Download DR WEB'S CUREIT
It will auto scan a QUICK scan. Once that's finished then set it to run a FULL scan
This discussion has been closed.