Advice,pls,Have Trojan but Kaspersky not identifying it
Comments
Trying to install an antivirus on an infected computer is a bad idea.
I would ask again that you run as per my original advice:
Does sound very suspect this
Please run COMBOFIX
Shut down your anti virus
Follow the simple instructions it gives
Post the COMPLETE log it creates here (Split into sections if need be)
If it comes up with a RENAMING error then RIGHT click the exe file and RENAME and call it QWERTY (Making the complete file name 'QWERTY.exe') Or SAVE as 'QWERTY' on download
Hi, aliEnRIK
Finally got around to working on the laptop. Have managed to download Combofix and saved on the desktop as Qwerty. Just in the process of running it now. It needed to connect to the internet to download a missing Microsoft file. It is now saying
please wait
The system cannot find the file whitedir01
Yippee - it is now saying preparing log report.
Best Wishes
Kailua
Oh dear - Combofix says do not run any programs until Combofix has finished, but of course Kaspersky started on restart and then came up with a warning about a file with the usual choices of allow, deny etc. Before I could decide what to do, the warning box disappeared. I have managed to exit Kaspersky but I'm not sure if it has messed up Combofix.
Was I supposed to stop everything running on start up???
Best Wishes
Kailua
ComboFix 10-01-16.03 - sandra 17/01/2010 11:39:57.1.1 - x86
Running from: c:\documents and settings\sandra\Desktop\qwerty.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\recycler\S-1-5-21-1144363573-458748354-2883004415-1003
c:\recycler\S-1-5-21-1645522239-1303643608-725345543-1003
c:\recycler\S-1-5-21-1783537388-1812318774-132927450-1003
.
((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.
2010-01-17 11:20 . 2010-01-17 11:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-17 09:27 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-10 19:32 . 2010-01-10 20:00 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-10 19:32 . 2010-01-10 20:00 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-10 15:51 . 2010-01-10 15:51 d-----w- c:\windows\system32\wbem\Repository
2010-01-10 15:50 . 2010-01-10 15:50 d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-10 15:49 . 2010-01-17 12:04 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-10 15:24 . 2010-01-17 12:01 204832 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-01-10 15:24 . 2010-01-17 11:52 2064416 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-10 15:23 . 2010-01-10 15:49 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab(2)
2009-12-31 21:32 . 2009-12-31 21:32 d-----w- c:\documents and settings\All Users\Application Data\Adobe(2)
2009-12-31 21:02 . 2009-12-31 21:02 d-----w- c:\program files\Common Files\Adobe AIR
2009-12-31 20:56 . 2009-12-31 20:56 d-----w- c:\documents and settings\sandra\Local Settings\Application Data\Adobe
2009-12-31 20:42 . 2010-01-10 15:50 d-----w- c:\documents and settings\All Users\Application Data\NOS(2)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 11:52 . 2010-01-10 15:24 2060 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-01-17 11:52 . 2010-01-10 15:24 17208 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-17 11:16 . 2009-12-14 10:59 152576 ----a-w- c:\documents and settings\sandra\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-17 11:15 . 2009-12-14 10:58 79488 ----a-w- c:\documents and settings\sandra\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-10 19:33 . 2008-05-11 09:47 d-----w- c:\program files\Kaspersky Lab
2010-01-10 19:21 . 2008-05-11 09:37 d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-12-14 11:44 . 2004-12-27 18:32 d-----w- c:\documents and settings\sandra\Application Data\AdobeUM
2009-12-14 11:02 . 2004-08-23 08:30 d-----w- c:\program files\Java
2009-12-13 16:01 . 2009-12-13 16:01 388096 ----a-r- c:\documents and settings\sandra\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-13 16:00 . 2009-12-13 16:00 d-----w- c:\program files\TrendMicro
2009-12-02 20:07 . 2009-12-02 20:07 d-----w- c:\documents and settings\sandra\Application Data\Malwarebytes
2009-12-02 20:07 . 2009-12-02 20:06 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-02 20:06 . 2009-12-02 20:06 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-26 09:22 . 2009-11-26 09:22 d-----w- c:\documents and settings\sandra\Application Data\IObit
2009-11-26 09:22 . 2009-11-26 09:22 d-----w- c:\program files\IObit
2009-11-21 15:51 . 2004-08-23 06:59 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-23 07:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-23 07:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-23 07:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 23:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-17 149280]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-27 208616]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin F5D8053 N Wireless USB Adapter Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin F5D8053 N Wireless USB Adapter Utility.lnk
backup=c:\windows\pss\Belkin F5D8053 N Wireless USB Adapter Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2009-04-30 21:22 2329936 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-02-20 14:00 88363 ----a-w- c:\windows\agrsmmsg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
2001-09-04 13:24 28672 ----a-w- c:\windows\system32\Ati2mdxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-03-09 20:10 335872 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2006-03-28 14:48 622592 ----a-r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-04-10 13:58 61440 ----a-w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-07-20 01:04 122939 ----a-w- c:\windows\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2005-03-17 14:45 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2004-02-12 10:02 1019904 ----a-w- c:\program files\Toshiba\PadTouch\PadExe.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2005-03-17 14:25 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-05-10 20:37 77824 ----a-w- c:\program files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2005-01-26 17:02 49152 ----a-w- c:\program files\Brother\Brmfl06a\BrStDvPt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2004-04-27 08:02 118784 ----a-w- c:\program files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 10:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2004-04-22 15:23 507904 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2004-04-22 15:23 98304 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THotkey]
2004-08-16 15:08 430080 ----a-w- c:\program files\Toshiba\TOSHIBA Applet\THotkey.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
2003-09-05 02:24 65536 ----a-w- c:\program files\Toshiba\TOSCDSPD\TOSCDSPD.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2004-08-11 16:28 266240 ----a-w- c:\windows\system32\TPSMain.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [23/08/2004 10:49 5632]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [15/12/2008 20:41 33808]
R2 AWISp50;AWISp50 NDIS Protocol Driver;c:\windows\system32\drivers\AWISp50.sys [15/03/2006 15:35 17664]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [13/03/2008 19:02 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [04/04/2007 13:58 31760]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [28/09/2008 21:16 517632]
.
Contents of the 'Scheduled Tasks' folder
2004-12-27 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-23 00:12]
2004-12-27 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-23 00:12]
2004-12-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-23 00:12]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.moneysavingexpert.com/
uInternet Settings,ProxyOverride = localhost
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-AVP - c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-TFncKy - TFncKy.exe
MSConfigStartUp-URLLSTCK - c:\program files\Norton Internet Security\UrlLstCk.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 12:00
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1036D5BA-CA0B-6EFB-A816166A3C4364C2}\{9AB25E74-55C5-EF48-A2C588CFA5A2438C}\{DC8259A3-8AE9-348D-2F7CC1007F2DBE93}*]
"5ZF3MXAQ4GXKJQIKQ2TJ6P5XLF1"=hex:01,00,01,00,00,00,00,00,e0,92,fd,62,05,19,43,
a9,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1208)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Other Running Processes
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\ScsiAccess.EXE
.
**************************************************************************
.
Completion time: 2010-01-17 12:12:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-17 12:12
Pre-Run: 3,086,295,040 bytes free
Post-Run: 5,888,966,656 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - DAD644289BD7639D17FE0A4658DEBB77
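The posted ComboFix log is long, and the lines worth a second look are easy to miss: the AV/FW header lines that say a product is *disabled*, and the Security Center values (AntiVirusOverride, DisableMonitoring, the firewall's DisableNotifications) that tell Windows XP not to raise alerts about protection status. Security suites set some of these themselves, and a Symantec entry surviving after Norton was removed is the kind of leftover the thread later addresses with the Norton removal tool, so each hit is a "confirm who set this" item rather than a verdict. The checker below is an added example written for this page, not code from the thread, from ComboFix's authors or from Kaspersky; the log excerpt is constructed from lines in the post above, and FirewallOverride is a sibling value of the same Security Center key that does not appear in the posted log.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""
ComboFix 10-01-16.03 - sandra 17/01/2010 11:39:57.1.1 - x86
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-17 149280]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-08-27 208616]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"""

STATUS_RE = re.compile(r'^(AV|FW): (.+?) \*(.+?)\*')   # AV: <product> *<status>* ...
KEY_RE = re.compile(r'^\[(.+)\]$')                       # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')            # "name"=data


def parse_product_status(log):
    """Return (kind, product, status) for the AV:/FW: header lines."""
    found = []
    for line in log.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def parse_registry_section(log):
    """Group "name"=data lines under the [key] line that precedes them."""
    keys = {}
    current = None
    for line in log.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = vm.group(2)
    return keys


def dword_is_set(data):
    """True for dword:00000001-style data and for ComboFix's '1 (0x1)' rendering."""
    m = re.match(r'dword:([0-9a-fA-F]{8})', data)
    if m:
        return int(m.group(1), 16) != 0
    m = re.match(r'(\d+)', data)
    return bool(m) and int(m.group(1)) != 0


# Security Center values that suppress "you are not protected" alerts.
OVERRIDE_NAMES = ('AntiVirusOverride', 'FirewallOverride', 'DisableMonitoring')


def security_center_findings(log):
    """List header and registry entries that silence protection alerts.
    Each entry is something to confirm against the installed products, not a verdict."""
    findings = []
    for kind, product, status in parse_product_status(log):
        if 'disabled' in status.lower():
            findings.append(f'{kind} {product}: {status}')
    for key, values in parse_registry_section(log).items():
        lk = key.lower()
        for name, data in values.items():
            if 'security center' in lk and name in OVERRIDE_NAMES and dword_is_set(data):
                findings.append(f'{name}=1 under {key}')
            if 'firewallpolicy' in lk and name == 'DisableNotifications' and dword_is_set(data):
                findings.append(f'{name}=1 under {key}')
    return findings


if __name__ == '__main__':
    for item in security_center_findings(SAMPLE_LOG):
        print('CHECK:', item)
```

Run against the excerpt it prints six CHECK lines: the two disabled header entries, the AntiVirusOverride, the two DisableMonitoring values (one for a Symantec product that is no longer installed) and the firewall DisableNotifications. The Run-key entries are parsed too, but produce no finding because their data is a path rather than a flag.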
That is the whole log - it let me post the whole thing in one go.
Bumping for help with combofix log, please, as thread has dropped to next page.
Best Wishes
Kailua
Can't see anything bad in the log, but I've just realised that Malwarebytes is WAY old.
UPDATE it to version 1.44 and the database should be way higher than it is, then run a FULL scan.
Also TICK this in HijackThis and click to FIX it ~
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
As part of Norton's is still trying to run, use the Norton Removal Tool:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
Can't see anything bad in the log, but I've just realised that Malwarebytes is WAY old.
UPDATE it to version 1.44 and the database should be way higher than it is, then run a FULL scan.
I updated Malwarebytes' Anti-Malware to version 1.44. It found something - here is the log:
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
17/01/2010 18:47:58
mbam-log-2010-01-17 (18-47-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 162322
Time elapsed: 1 hour(s), 37 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{F8411AA7-B414-4A71-9478-DDCDFDE56440}\RP94\A0052984.sys (Malware.Trace) -> No action taken.
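A Malwarebytes log of this vintage has two halves: summary counts per category, then the detail lines, each ending with the action taken. The thing to read is the action: "Quarantined and deleted successfully." or "Delete on reboot." means the item was dealt with, while "No action taken." means the scan only reported it, which is the point the next reply raises. A detection under System Volume Information\_restore{...} is also a System Restore snapshot copy rather than a live file, which affects how it is cleaned. The parser below is an added example for this page, not Malwarebytes' own code or anything from the thread; the log excerpt is constructed from the post above.

```python
import re

# Constructed excerpt modelled on the Malwarebytes 1.44 log posted above.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Scan type: Full Scan (C:\|)
Objects scanned: 162322
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{F8411AA7-B414-4A71-9478-DDCDFDE56440}\RP94\A0052984.sys (Malware.Trace) -> No action taken.
"""

COUNT_RE = re.compile(r'^(.+ Infected): (\d+)$')          # summary line with a number
HEADER_RE = re.compile(r'^(.+ Infected):$')               # detail-section header
DETECTION_RE = re.compile(r'^(.+?) \((.+?)\) -> (.+?)\.?$')  # <item> (<name>) -> <action>.

# Action strings Malwarebytes 1.x uses when it actually removed something.
RESOLVED_PREFIXES = ('Quarantined', 'Delete on reboot')


def parse_mbam(log):
    """Return (counts, details): category -> count, category -> [(item, name, action)]."""
    counts, details = {}, {}
    section = None
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group(1)
            details.setdefault(section, [])
            continue
        if section is None or line == '(No malicious items detected)':
            continue
        m = DETECTION_RE.match(line)
        if m:
            details[section].append((m.group(1), m.group(2), m.group(3)))
    return counts, details


def is_restore_point_copy(path):
    """True when the item lives inside a System Restore snapshot (_restore{GUID}\RPnn)."""
    return re.search(r'\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\', path) is not None


def unresolved_detections(log):
    """Detections the scan reported but did not remove, plus summary/detail mismatches."""
    counts, details = parse_mbam(log)
    out = []
    for section, items in details.items():
        if counts.get(section, 0) != len(items):
            out.append((section, 'COUNT MISMATCH',
                        f'summary says {counts.get(section)} but {len(items)} listed'))
        for item, name, action in items:
            if not action.startswith(RESOLVED_PREFIXES):
                out.append((section, item, f'{name}: {action}'))
    return out


if __name__ == '__main__':
    for section, item, why in unresolved_detections(SAMPLE_MBAM_LOG):
        note = ' (System Restore copy)' if is_restore_point_copy(item) else ''
        print(f'{section}: {item}{note} -> {why}')
```

On the excerpt this reports the single file under Files Infected with "Malware.Trace: No action taken" and marks it as a System Restore copy; a log whose detections all read "Quarantined and deleted successfully." produces an empty list.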
It says "No action taken."
Did you definitely remove it?