Can someone help me? Trojan


Comments

  • Browntoa
    Browntoa Posts: 49,619 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    ComboFix is a one-off, so you can delete it; if it's needed again, just download a fresh copy.

    I run Mbam about once a month (unless I think I've done something stupid !!)
    Ex forum ambassador

    Long term forum member
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Download CCLEANER (Make sure you click 'DOWNLOAD LATEST VERSION' ~ make sure YAHOO TOOLBAR is unticked on installation)
    http://www.filehippo.com/download_ccleaner/
    Run the CLEANER scan
    Then run the REGISTRY scan (Backup the registry when it asks)


    Open Notepad and copy/paste the text in RED below:

    File::
    c:\windows\system32\ezsidmv.dat


    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

    ComboFix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; ComboFix should then continue.


    I would then advise a scan with Kaspersky as a precaution (your call).

    KASPERSKY ONLINE SCAN (click to scan 'MY COMPUTER')
    http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1245225406761
    Please post the complete log it creates (this only SCANS, it DOESN'T delete anything, so we'd need to see anything it finds).
    The scan will likely take anywhere from 5 to 12 hours to complete!
    :idea:
  • yummymsmummy
    yummymsmummy Posts: 182 Forumite
    Thanks alienrik.

    Will hopefully get that done tomorrow as haven't got much spare time this evening. What does dragging the notebook file onto Combofix do?
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    yummymsmummy wrote: »
    Thanks alienrik.

    Will hopefully get that done tomorrow as haven't got much spare time this evening. What does dragging the notebook file onto Combofix do?


    Removes the file I've highlighted in red, which is part of a trojan.
    :idea:
  • yummymsmummy
    yummymsmummy Posts: 182 Forumite
    ComboFix 09-06-29.01 - Clare 29/06/2009 18:39.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.223.70 [GMT 1:00]
    Running from: c:\documents and settings\Clare_2\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Clare\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1335 [VPS 090628-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FILE ::
    "c:\windows\system32\ezsidmv.dat"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\ezsidmv.dat
    BITS: Possible infected sites
    hxxp://assist.talktalk.net
    .
    ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
    .
    2009-06-29 17:21 . 2009-06-29 17:22 d-----w- c:\program files\CCleaner
    2009-06-28 06:49 . 2009-06-28 08:24 117760 ----a-w- c:\documents and settings\Clare\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-06-28 06:48 . 2009-06-28 06:48 d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-06-28 06:48 . 2009-06-28 08:32 d-----w- c:\program files\SUPERAntiSpyware
    2009-06-28 06:48 . 2009-06-28 06:48 d-----w- c:\documents and settings\Clare\Application Data\SUPERAntiSpyware.com
    2009-06-27 17:29 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2009-06-27 17:29 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2009-06-27 17:29 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2009-06-27 17:29 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
    2009-06-27 17:29 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2009-06-27 17:29 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2009-06-27 17:29 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2009-06-27 17:29 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2009-06-27 17:29 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
    2009-06-27 17:28 . 2009-06-27 17:28 d-----w- c:\program files\Alwil Software
    2009-06-27 12:48 . 2009-06-27 12:48 d-----w- c:\documents and settings\Clare\Application Data\Malwarebytes
    2009-06-27 12:48 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-27 12:48 . 2009-06-27 12:48 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-06-27 12:48 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-06-27 12:48 . 2009-06-27 12:48 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-06-25 05:42 . 2009-06-25 05:42 d-----w- c:\windows\system32\Adobe
    2009-06-03 10:50 . 2009-06-03 10:50 d-----w- c:\documents and settings\All Users\Application Data\PopCap
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-06-29 07:34 . 2005-05-12 19:33 12 ----a-w- c:\windows\bthservsdp.dat
    2009-06-28 16:43 . 2009-06-28 16:43 d-----w- c:\documents and settings\Clare_2\Application Data\Teleca
    2009-06-28 16:42 . 2009-06-28 16:42 d-----w- c:\documents and settings\Clare_2\Application Data\Sony Ericsson
    2009-06-28 16:28 . 2006-12-17 08:37 d-----w- c:\program files\Yahoo!
    2009-06-28 16:27 . 2008-06-04 17:34 d-----w- c:\documents and settings\All Users\Application Data\Tesco Photobook Creator
    2009-06-28 06:47 . 2006-10-23 11:19 d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-06-25 07:22 . 2009-05-18 08:17 d-----w- c:\documents and settings\Chris\Application Data\Skype
    2009-06-25 07:01 . 2009-05-18 08:27 d-----w- c:\documents and settings\Chris\Application Data\skypePM
    2009-05-24 08:53 . 2009-05-24 06:33 d-----w- c:\program files\Zylom Games
    2009-05-24 06:33 . 2009-05-24 06:33 d-----w- c:\documents and settings\Chris\Application Data\Zylom
    2009-05-24 06:33 . 2009-05-24 06:33 d-----w- c:\documents and settings\All Users\Application Data\Zylom
    2009-05-21 10:57 . 2006-12-01 20:25 d-----w- c:\program files\Common Files\Adobe
    2009-05-19 17:38 . 2005-05-02 18:27 d-----w- c:\documents and settings\Clare\Application Data\AdobeUM
    2009-05-18 08:15 . 2009-05-18 08:15 d-----w- c:\program files\Common Files\Skype
    2009-05-18 08:15 . 2009-05-18 08:15 d-----r- c:\program files\Skype
    2009-05-18 08:15 . 2009-05-18 08:14 d-----w- c:\documents and settings\All Users\Application Data\Skype
    2009-05-07 15:32 . 2004-10-31 13:21 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-29 04:56 . 2004-10-31 20:22 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:55 . 2004-10-31 13:21 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-04-17 12:26 . 2004-10-31 13:22 1847168 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 15:08 . 2009-04-15 15:08 152576 ----a-w- c:\documents and settings\Clare\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-04-15 14:51 . 2004-10-31 13:22 585216 ----a-w- c:\windows\system32\rpcrt4.dll
  • yummymsmummy
    yummymsmummy Posts: 182 Forumite
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-06-28_09.01.22 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-06-29 14:17 . 2009-06-29 14:17 16384 c:\windows\Temp\Perflib_Perfdata_714.dat
    + 2009-06-29 14:17 . 2009-06-29 14:17 16384 c:\windows\Temp\Perflib_Perfdata_564.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 1207080]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
    "TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2005-08-15 192512]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-12-26 98304]
    "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 487424]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "Power2GoExpress"="c:\program files\CyberLink\Power2Go\Power2GoExpress.exe" [2004-11-06 1359967]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-5-12 65588]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
    backup=c:\windows\pss\Kodak software updater.lnkCommon Startup
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
    R0 viaide1;viaide1;c:\windows\system32\drivers\viaidexp.sys [11/02/2005 14:36 6144]
    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [27/06/2009 18:29 114768]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [27/06/2009 18:29 20560]
    R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [28/02/2009 19:38 266240]
    S2 CADopia License Manager;CADopia License Manager;c:\progra~1\CADopia\CADOPI~1\LicenseManager\lmgrd.exe --> c:\progra~1\CADopia\CADOPI~1\LicenseManager\lmgrd.exe [?]
    S3 iadusb;MT882;c:\windows\system32\drivers\glauiad.sys [26/03/2008 19:39 30336]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
    S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [11/05/2008 19:13 61536]
    S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;c:\windows\system32\drivers\se46mdfl.sys [10/08/2008 20:32 9360]
    S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;c:\windows\system32\drivers\se46mdm.sys [10/08/2008 20:32 97088]
    S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se46mgmt.sys [08/04/2009 19:36 88624]
    S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se46nd5.sys [16/04/2009 18:49 18704]
    S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;c:\windows\system32\drivers\se46obex.sys [08/04/2009 19:25 86432]
    S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se46unic.sys [16/04/2009 18:49 90800]
    S3 U2KG54L;BUFFALO WLI-U2-KG54L Wireless LAN Driver;c:\windows\system32\drivers\U2KG54L.SYS [24/08/2006 05:44 477696]
    .
    Contents of the 'Scheduled Tasks' folder
    2005-08-31 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-08-31 16:26]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.yahoo.co.uk/
    mStart Page = hxxp://uk.yahoo.com
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = <local>
    DPF: Bootstrap - hxxp://www.myfujiprints.co.uk/media/site/kiosk/Myfujiprints.CAB
    DPF: NTLSignup - hxxps://register.tesco.net/tesco/NTLSignup.cab
    DPF: {0CFA086E-6336-4D95-B6AA-90F564E99631} - hxxp://www.shopandscan.com/TNSClicker.CAB
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-06-29 18:49
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(624)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2009-06-29 18:55
    ComboFix-quarantined-files.txt 2009-06-29 17:54
    ComboFix2.txt 2009-06-28 09:08
    Pre-Run: 55,575,986,176 bytes free
    Post-Run: 55,561,764,864 bytes free
    178 --- E O F --- 2009-06-11 20:48
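    The "Reg Loading Points" section of the log above is what a helper reads first when deciding whether anything unexpected is set to start with Windows. As an added example (not ComboFix's code and not from anyone in this thread), here is a small Python parser that turns those lines into records and flags targets that run from outside the system and program directories; the sample is constructed, copying three entries from the posted log plus one made-up entry, and the location heuristic is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout ComboFix uses for its "Reg Loading Points"
# section. The first three entries are copied from the log posted in this
# thread; the last one is made up to exercise the flagging rule.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"Updater"="c:\documents and settings\Clare\Local Settings\Temp\updater.exe" [2009-06-28 45056]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'        # "Name"="value"
    r"(?: - (?P<resolved>.+?))?"                    # optional " - resolved path"
    r" \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"  # [file date, size]
)
# Directories a Run-key target is normally expected to live under on XP.
# Anything else (user profiles, Temp, root of C:) is flagged for a closer
# look. This is an assumed triage heuristic, not a ComboFix rule.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class AutostartEntry:
    key: str    # registry key the value lives under
    name: str   # value name, e.g. "ctfmon.exe"
    path: str   # target path (the resolved form when ComboFix printed one)
    date: str   # file timestamp ComboFix reported
    size: int   # file size in bytes


def parse_loading_points(text: str) -> list[AutostartEntry]:
    """Turn ComboFix 'Reg Loading Points' lines into AutostartEntry records."""
    entries, current_key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current_key = m["key"]
        elif m := ENTRY_RE.match(line):
            entries.append(AutostartEntry(
                key=current_key, name=m["name"],
                path=m["resolved"] or m["value"],
                date=m["date"], size=int(m["size"])))
    return entries


def suspicious(entries: list[AutostartEntry]) -> list[AutostartEntry]:
    """Entries whose target is outside the usual system/program directories."""
    return [e for e in entries if not e.path.lower().startswith(TRUSTED_PREFIXES)]


if __name__ == "__main__":
    for e in suspicious(parse_loading_points(SAMPLE_LOG)):
        print(f"[review] {e.key}\\{e.name} -> {e.path} ({e.date}, {e.size} bytes)")
```

    Lines that do not fit the `"Name"="value" [date size]` shape (startupfolder and firewall entries) are skipped rather than guessed at.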
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    run a KASPERSKY ONLINE SCAN (click to scan 'MY COMPUTER')
    http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1245225406761
    Please post the complete log it creates (this only SCANS, it DOESN'T delete anything, so we'd need to see anything it finds).
    The scan will likely take anywhere from 5 to 12 hours to complete!
    :idea:
  • andy2004
    andy2004 Posts: 1,309 Forumite
    aliEnRik, there is a Slim CCleaner people can download that doesn't contain the Yahoo toolbar.

    http://www.ccleaner.com/download/builds/
    Using the following link will automatically download the latest SLIM version:
    http://www.ccleaner.com/download/builds/downloading-slim
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    andy2004 wrote: »
    aliEnRik, there is a Slim CCleaner people can download that doesn't contain the Yahoo toolbar.

    http://www.ccleaner.com/download/builds/
    Using the following link will automatically download the latest SLIM version:
    http://www.ccleaner.com/download/builds/downloading-slim

    Is it EXACTLY the same?
    :idea:
  • andy2004
    andy2004 Posts: 1,309 Forumite
    edited 30 June 2009 at 8:21AM
    They release the same version, one with and one without the toolbar: same date, same build.
    The easy way to find out would be to download both, extract from the installer and run a binary compare.
    I believe they use NSIS as the installer, so it can be extracted with 7-Zip. No need to install the software.
    I'll download the one with the toolbar and run a comparison.
    The 2 links I provided: the top one takes you to the download page, so you can download the one you want;
    the bottom link is the direct / automatic download of the slim version.
    I'll let you know.
    Just tested: both CCleaner and CCleaner Slim are exactly the same; the only difference is the toolbar. The main CCleaner.exe is exactly the same in both installers.
    CCleaner Slim doesn't contain the toolbar, so therefore it doesn't get installed.
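    One way to do the binary compare andy2004 describes, as an added example that is not part of the thread: after extracting both installers (for instance with 7-Zip's `7z x`), hash every file in each tree and report what is identical, what differs and what only one build contains. The two trees below are constructed stand-ins with made-up file names and contents, not real CCleaner files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, posix form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(a: Path, b: Path) -> dict[str, list[str]]:
    """Classify files as identical, different, or present in only one tree."""
    da, db = tree_digests(a), tree_digests(b)
    both = da.keys() & db.keys()
    return {
        "same": sorted(k for k in both if da[k] == db[k]),
        "differ": sorted(k for k in both if da[k] != db[k]),
        "only_a": sorted(da.keys() - db.keys()),
        "only_b": sorted(db.keys() - da.keys()),
    }


def build_sample() -> tuple[Path, Path]:
    """Constructed stand-in for the two extracted installers (slim, full).

    No real CCleaner bytes are used; file names and contents are made up
    so the comparison can run offline."""
    base = Path(tempfile.mkdtemp(prefix="ccleaner-compare-"))
    slim, full = base / "slim", base / "full"
    payload = b"constructed stand-in for CCleaner.exe bytes"
    for root in (slim, full):
        (root / "lang").mkdir(parents=True)
        (root / "CCleaner.exe").write_bytes(payload)
        (root / "lang" / "lang-1033.dll").write_bytes(b"constructed language dll")
    # The full build's only extra is the bundled toolbar installer.
    (full / "YahooToolbar-stub.exe").write_bytes(b"constructed bundled toolbar")
    return slim, full


if __name__ == "__main__":
    # Point compare_trees at two directories produced by "7z x <installer>"
    # to check real builds; here it runs on the constructed sample.
    for status, files in compare_trees(*build_sample()).items():
        print(f"{status:7s} {files}")
```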