
Help! My PC has picked up a trojan!


Comments

  • andy2004
    andy2004 Posts: 1,309 Forumite
    In HijackThis, put a tick in the box and click FIX,

    This spyware program is pretty much useless; Malwarebytes is better.
    O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe <- using Add/Remove, remove a-squared
  • Juliav_2
    Juliav_2 Posts: 258 Forumite
    Hi Andy2004

    Thanks for your help.

    Is my computer now sorted? Is it safe to use? Has the virus gone?

    I am so happy that you and the other moneysavers have given your time to help me out.

    Julia :beer:
    No Unapproved or Personal links in signatures please - FT3
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    I'd say you're good. But if you want a final check ~
    Please run COMBOFIX

    Follow the simple instructions it gives
    Post the COMPLETE log it creates here (Split into sections if need be)

    If it comes up with a RENAMING error then RIGHT click the exe file and RENAME it QWERTY (making the complete file name 'QWERTY.exe'), or SAVE as 'QWERTY' on download.
    :idea:
  • Juliav_2
    Juliav_2 Posts: 258 Forumite
    Hi

    Here is the combo log

    ComboFix 09-07-29.04 - Owner 30/09/2009 18:01.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1535.1148 [GMT 0:00]
    Running from: c:\documents and settings\Owner\Desktop\qwerty.exe
    AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Installer\13410.msi
    c:\windows\Installer\978ff.msp
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
    .

    2009-09-29 20:05 . 2009-09-29 20:05 -------- d-----w- c:\program files\Trend Micro
    2009-09-29 19:31 . 2009-09-29 19:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-09-29 19:31 . 2009-07-13 13:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-29 19:31 . 2009-09-29 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-09-29 19:31 . 2009-09-29 19:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-09-29 19:31 . 2009-07-13 13:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-29 09:19 . 2009-09-29 09:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-09-29 09:18 . 2008-05-22 20:50 33960 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-09-29 09:18 . 2008-05-22 20:50 64232 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2009-09-29 09:18 . 2008-05-22 20:50 72936 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-09-29 09:18 . 2008-05-22 20:50 52104 ----a-w- c:\windows\system32\drivers\mfetdik.sys
    2009-09-29 09:18 . 2008-05-22 20:50 174952 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-09-29 09:18 . 2009-09-29 09:19 -------- d-----w- c:\program files\McAfee
    2009-09-29 09:18 . 2009-09-29 09:18 -------- d-----w- c:\program files\Common Files\McAfee
    2009-09-28 18:57 . 2009-09-29 09:45 -------- d-----w- C:\QUARANTINE
    2009-09-28 18:50 . 2009-09-30 17:56 -------- d-----w- c:\program files\a-squared Free

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-18 09:15 . 2009-07-18 09:15 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
    2009-07-11 14:50 . 2009-02-19 18:48 10134 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
    2009-07-05 15:57 . 2005-07-11 10:18 47344 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-02 16:23 . 2008-08-02 13:30 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
    "IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-05-22 111952]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
    "AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Help.lnk
    backup=c:\windows\pss\BT Broadband Help.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

    S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    HKLM-Run-VTTimer - VTTimer.exe
    ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll


    .
    Supplementary Scan
    .
    uStart Page = hxxp://bt.yahoo.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q304&bd=pavilion&pf=desktop
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    uInternet Connection Wizard,ShellNext = hxxp://www.ntlhome.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\1ocr3p3o.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-30 18:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_USERS\S-1-5-21-3899863458-441928363-533936415-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-3899863458-441928363-533936415-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:69,48,59,f7,79,84,61,7f,f4,82,62,95,87,6d,ec,ed,2b,a9,ee,70,45,73,cb,
    29,86,0b,30,6c,29,69,00,0b,22,82,d4,7b,da,f6,70,b3,6c,86,df,c7,87,fd,33,a2,\
    "??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
    .
    Completion time: 2009-09-30 18:15
    ComboFix-quarantined-files.txt 2009-09-30 18:14

    Pre-Run: 17,531,973,632 bytes free
    Post-Run: 17,731,923,968 bytes free

    137 --- E O F --- 2009-09-29 16:25


    Thank you for sparing the time to look it over. Can you tell from this that the computer is back to being safe? Been so worried.
    No Unapproved or Personal links in signatures please - FT3
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    I'd say that's safe now; ComboFix removed a couple of legacy files but no infections seem to have been picked up.
    Ex forum ambassador

    Long term forum member
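A defender reading a ComboFix log would cross-check a verdict like the one above against what the log itself reports. The following is an added Python example, written for this page and not code from the thread or from ComboFix, that parses a constructed excerpt modelled on the log posted above and flags the points worth confirming before calling the machine clean: on-access scanning disabled or outdated, an Autorun.inf removed from a drive, Security Center AntiVirusOverride set, and a non-zero hidden-file count from the rootkit scan.

```python
import re

# Constructed excerpt in the shape of the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""ComboFix 09-07-29.04 - Owner 30/09/2009 18:01.1.1 - NTFSx86
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Outdated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))
c:\windows\Installer\13410.msi
D:\Autorun.inf
((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
hidden files: 0
"""

# ComboFix marks each section with a banner of parentheses around its name.
BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")

def parse_sections(log: str) -> dict:
    """Group log lines under the banner that precedes them ('_preamble' before the first)."""
    sections, current = {"_preamble": []}, "_preamble"
    for raw in log.splitlines():
        line = raw.strip()
        match = BANNER.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":  # ComboFix pads sections with lone '.' lines
            sections[current].append(line)
    return sections

def triage(log: str) -> list:
    """Return the findings a reviewer should confirm before declaring the machine clean."""
    sections = parse_sections(log)
    findings = []
    for line in sections["_preamble"]:
        # The AV: header reports real-time protection state and signature freshness.
        if line.startswith("AV:") and re.search(r"disabled|outdated", line, re.I):
            findings.append("antivirus not protecting: " + line[3:].strip())
    for path in sections.get("Other Deletions", []):
        # An Autorun.inf on a data or removable drive is a classic worm launcher.
        if path.lower().endswith("autorun.inf"):
            findings.append("Autorun.inf deleted from drive " + path[:2] + " (inspect that drive)")
    if re.search(r'"AntiVirusOverride"=dword:0*1$', log, re.M):
        findings.append("Security Center AntiVirusOverride=1: AV status alerts suppressed")
    hidden = re.search(r"hidden files:\s*(\d+)", log)
    if hidden and int(hidden.group(1)) > 0:
        findings.append("rootkit scan found " + hidden.group(1) + " hidden files")
    return findings
```

Run against the excerpt it reports three findings; the AntiVirusOverride and disabled-scanner items are the ones the thread's "safe now" verdict does not address.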