Trojan Horse Problem on PC Help!
Part 4 of log
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-04 17:50 . 2004-08-03 21:59 1033728 ----a-w- c:\windows\explorer.exe
2009-11-03 20:45 . 2008-07-12 10:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-03 20:45 . 2008-07-12 10:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-03 15:47 . 2007-11-05 18:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-24 12:13 . 2007-06-11 14:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-24 06:34 . 2009-08-01 07:54 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-24 06:34 . 2009-08-01 07:54 138056 ----a-w- c:\documents and settings\Ave\Application Data\PnkBstrK.sys
2009-10-24 06:34 . 2009-08-01 07:53 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-22 16:15 . 2009-07-18 05:50 28660 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-13 15:14 . 2007-06-30 18:56 1961720 ----a-w- c:\documents and settings\Ave\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-10-10 14:17 . 2007-06-14 12:28 34208 ----a-w- c:\documents and settings\Ave\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-09 15:36 . 2009-03-21 18:01 -------- d-----w- c:\program files\Windows Live
2009-10-09 15:28 . 2007-07-12 11:41 -------- d-----w- c:\documents and settings\Ave\Application Data\Image Zone Express
2009-10-01 09:29 . 2009-10-03 07:45 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-26 06:50 . 2009-06-20 18:30 -------- d-----w- c:\documents and settings\Ave\Application Data\Apple Computer
2009-09-25 05:49 . 2004-08-10 11:51 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-20 16:18 . 2008-07-02 06:19 37 ----a-w- c:\documents and settings\Ave\jagex_runescape_preferences.dat
2009-09-20 15:23 . 2009-09-06 08:36 45 ----a-w- c:\documents and settings\Ave\jagex_runescape_preferences2.dat
2009-09-19 15:53 . 2009-07-18 05:32 -------- d-----w- c:\program files\Safari
2009-09-19 15:50 . 2009-09-19 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-19 15:50 . 2009-09-19 15:49 -------- d-----w- c:\program files\iTunes
2009-09-19 15:49 . 2009-09-19 15:49 -------- d-----w- c:\program files\iPod
2009-09-19 15:49 . 2009-06-20 18:27 -------- d-----w- c:\program files\Common Files\Apple
2009-09-19 15:45 . 2009-09-19 15:44 -------- d-----w- c:\program files\QuickTime
2009-09-19 15:28 . 2009-09-19 15:28 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:03 . 2004-08-10 11:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-10 11:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-28 18:42 . 2009-06-20 18:27 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 18:42 . 2009-06-20 18:27 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-26 08:16 . 2004-08-10 11:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 07:49 . 2009-05-21 19:38 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 07:49 . 2009-05-21 19:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 07:49 . 2007-06-14 13:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2008-01-31 20:03 . 2007-07-20 21:53 131584 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
Sigcheck
[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kbdclass.sys
[-] 2004-08-03 . 8DA2123636964A352630C1A7518F3D6A . 24704 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\kbdclass.sys
[-] 2004-08-03 . 8DA2123636964A352630C1A7518F3D6A . 24704 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys
[-] 2009-11-04 . 826A7F1AFEDB271D2349ED1949046E35 . 1033728 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[-] 2009-11-04 . 826A7F1AFEDB271D2349ED1949046E35 . 1033728 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2009-05-20 177464]
[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-11 68856]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-09-16 3399727]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2009-09-28 155648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-03 2028312]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-23 1617920]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\Ave\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-6-22 95744]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-16 51984]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-6-22 82026]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-424UB\WlanCU.exe [2007-7-10 634880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 07:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [21/05/2009 19:38 108552]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [24/10/2009 06:12 28672]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [21/05/2009 19:38 335240]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [21/05/2009 19:38 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [21/05/2009 19:38 297752]
S2 gupdate1c9a733665b963e;Google Update Service (gupdate1c9a733665b963e);c:\program files\Google\Update\GoogleUpdate.exe [17/03/2009 19:05 133104]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/06/2007 14:36 29744]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\RTL8187B.sys [21/03/2009 15:22 264576]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-06-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-17 19:05]
2009-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-17 19:05]
2009-11-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} - hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_4.0.27.0.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {59511B4C-9214-4DDD-9605-B1BF05768ABD} - c:\documents and settings\Ave\Local Settings\Application Data\{59511B4C-9214-4DDD-9605-B1BF05768ABD}
FF - HiddenExtension: XULRunner: {88D183CA-44F6-4241-BEBC-8666EE86FF18} - c:\documents and settings\Ave\Local Settings\Application Data\{88D183CA-44F6-4241-BEBC-8666EE86FF18}
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
HKCU-Run-MsgCenterExe - c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
AddRemove-dngpfw - c:\documents and settings\ave\local settings\application data\dngpfw.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 21:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\comctl32.dll:_rc_db_5.1.2600 62464 bytes executable
c:\windows\system32\comctl32.dll:_rc_db_sec_obj 203264 bytes executable
scan completed successfully
hidden files: 2
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Symantec\Norton Ghost\SecurityInfo]
@Denied: (Full) (Administrators)
.
DLLs Loaded Under Running Processes
- - - - - - - > 'explorer.exe'(1860)
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
Completion time: 2009-11-04 21:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 21:06
Pre-Run: 81,737,097,216 bytes free
Post-Run: 81,696,321,536 bytes free
This is all of it
So sorry it is soooo long
Any help would be really appreciated
When it rebooted it still came up in that black screen asking if you want to use safe mode or normal
I chose normal and it just looped back to the black page again asking the same thing! Doh
So currently using Safe mode with networking
Thanks
Can you please post the WHOLE of the beginning of the log please?
"-- Previous Run --
c:\windows\explorer.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot"
The fact that explorer.exe is infected is really bad
At this point I would seriously advise formatting and reinstalling the operating system from scratch :idea:
I think this is too big for me to do so do you think I should take it in somewhere to sort out for me?
Up to you jelly
It's possible that ComboFix can sort it ~ but bear in mind it could make the computer unbootable if it goes wrong so you do so *at your own risk*
(On the other hand, it's surely worth a try as you're going to take it in anyways)
Rerun ComboFix. Assuming it finds explorer.exe is infected again it will reboot
Select 'SAFE MODE' and (hopefully) it will continue and remove the infection from explorer.exe :idea:
Ok first of all a BIG BIG thank you for all your hard work. I ran ComboFix again but still going do dally... Decided that it was doing my head in so took it to computer hospital who fixed it up nicely. Now I have the task of re-installing everything again. At least I haven't got all the Dell stuff on there, it's like all clean and new. Many thanks again. Off to get some Jelly 8-)
Make sure you put some half decent security on it
I'd recommend ~
PC TOOLS FIREWALL in place of Windows'
AVIRA anti virus
MALWAREBYTES as a secondary scanner
SPYBOT to scan for infections and use its 'immunise' feature to protect yourself from certain links
FIREFOX with the NOSCRIPT plugin to make browsing the web bulletproof (so long as you don't unlock everything willy nilly) :idea:
Hi thanks for that. I currently have AVG v9, the free one, as it was recommended on here a while ago when I had 7.5. Would you recommend anything else to go with this then?
jellyspots wrote: »Hi thanks for that. I currently have AVG v9, the free one, as it was recommended on here a while ago when I had 7.5. Would you recommend anything else to go with this then?
All the ones I posted save Avira :idea: