42 trojan threats??/please help!!
-
Hi Rik, herewith the contents of the latest ComboFix thing.... I haven't done the last thing you said in your last message yet, as I'm not sure if you need to see this first. Feel like I should be sending you a box of Milk Tray shortly. Let me know when suits.....
ComboFix 10-01-21.08 - Claire 23/01/2010 3:12.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2037.1137 [GMT 0:00]
Running from: c:\users\Claire\Documents\ComboFix.exe
Command switches used :: c:\users\Claire\Documents\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\users\Claire\AppData\Local\~pootle01.tmp"
"c:\windows\CT4CET.bin"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Claire\AppData\Local\~pootle01.tmp
c:\windows\CT4CET.bin
.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.
2010-01-23 03:18 . 2010-01-23 03:19 -------- d-----w- c:\users\Claire\AppData\Local\temp
2010-01-23 03:18 . 2010-01-23 03:18 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-21 15:03 . 2010-01-21 15:03 388096 ----a-r- c:\users\Claire\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-21 15:02 . 2010-01-21 15:02 -------- d-----w- c:\program files\TrendMicro
2010-01-21 14:28 . 2010-01-21 14:28 -------- d-----w- c:\users\Claire\AppData\Roaming\Malwarebytes
2010-01-21 14:28 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-21 14:28 . 2010-01-21 14:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-21 14:28 . 2010-01-21 14:28 -------- d-----w- c:\programdata\Malwarebytes
2010-01-21 14:28 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-21 10:37 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2010-01-19 22:28 . 2009-06-15 14:53 270848 ----a-w- c:\windows\system32\schannel.dll
2010-01-19 22:28 . 2009-06-15 14:52 499712 ----a-w- c:\windows\system32\kerberos.dll
2010-01-16 12:11 . 2010-01-16 12:11 -------- d-----w- c:\program files\Tesco
2010-01-13 07:52 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 07:52 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-22 17:45 . 2009-10-03 21:14 -------- d-----w- c:\program files\Full Tilt Poker
2010-01-22 11:07 . 2010-01-22 11:07 -------- d-----w- c:\programdata\Alwil Software
2010-01-22 11:07 . 2010-01-22 11:07 -------- d-----w- c:\program files\Alwil Software
2010-01-19 13:13 . 2010-01-22 11:08 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-01-19 11:57 . 2010-01-22 11:07 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-01-19 11:57 . 2010-01-22 11:07 152672 ----a-w- c:\windows\system32\aswBoot.exe
2010-01-19 11:46 . 2010-01-22 11:08 46544 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-01-19 11:43 . 2010-01-22 11:08 23248 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-01-19 11:43 . 2010-01-22 11:08 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-01-19 11:42 . 2010-01-22 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-01-14 11:12 . 2009-10-04 08:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 11:10 . 2009-10-03 20:50 596 ----a-w- c:\users\Claire\AppData\Roaming\wklnhst.dat
2009-12-22 14:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-12-22 14:31 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-22 14:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-12-22 14:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-12-22 14:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-12-22 14:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-12-22 14:31 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-22 14:28 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-12-22 14:27 . 2009-12-22 14:27 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-12-11 18:18 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-12-11 18:18 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-12-01 11:41 . 2009-12-01 11:39 -------- d-----w- c:\users\Claire\AppData\Roaming\Apple Computer
2009-12-01 11:38 . 2009-12-01 11:37 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-01 11:38 . 2009-12-01 11:37 -------- d-----w- c:\program files\iTunes
2009-12-01 11:37 . 2009-12-01 11:37 -------- d-----w- c:\program files\iPod
2009-12-01 11:37 . 2009-12-01 11:30 -------- d-----w- c:\program files\Common Files\Apple
2009-12-01 11:37 . 2009-12-01 11:36 -------- d-----w- c:\programdata\Apple Computer
2009-12-01 11:37 . 2009-12-01 11:37 -------- d-----w- c:\program files\Bonjour
2009-12-01 11:36 . 2009-12-01 11:36 -------- d-----w- c:\program files\QuickTime
2009-12-01 11:33 . 2009-12-01 11:33 -------- d-----w- c:\program files\Apple Software Update
2009-11-21 06:40 . 2009-12-09 12:03 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 12:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 12:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 12:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-12 17:07 . 2009-11-12 17:07 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-09 12:31 . 2009-12-09 14:09 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 14:09 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 14:09 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-29 09:17 . 2009-11-26 15:42 2048 ----a-w- c:\windows\system32\tzres.dll
2008-04-09 09:23 . 2008-04-09 09:05 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-01-18 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-15 149280]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-01-19 2743104]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-9 50688]
PHOTOfunSTUDIO HD Edition.lnk - c:\program files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe [2009-10-4 44176]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):70,57,22,39,14,83,ca,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1282973671-518452640-972364111-1000]
"EnableNotificationsRef"=dword:00000001
R1 aswSP;aswSP;c:\windows\System32\drivers\aswSP.sys [22/01/2010 11:08 162640]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [09/04/2008 01:29 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [22/01/2010 11:08 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [22/01/2010 11:08 51792]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [09/04/2008 09:24 111616]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-23 03:19
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-23 03:21:51
ComboFix-quarantined-files.txt 2010-01-23 03:21
ComboFix2.txt 2010-01-22 10:59
Pre-Run: 45,435,977,728 bytes free
Post-Run: 45,428,109,312 bytes free
- - End Of File - - 69F730884FFA19F6B11226B184820849
P.S. I noticed the whole pootle01 thing was coming up. I only use this when playing poker on Full Tilt Poker.com, so thought I'd add this just in case you think that is where the problem is....
-
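Reading a ComboFix log by eye is slow and error-prone, so here is a small triage script. It is added as an example for this thread and is not part of ComboFix or anything the posters ran. It parses the sections shown in the log above (the "Other Deletions" list, the dated file listing and the REGEDIT4 autorun block) and flags three things a practitioner checks first: Run-key autoruns that execute from user-writable directories, newly created executables in such directories, and UAC switched off (the posted log's `"EnableLUA"= 0` line means exactly that on Vista, so every process started by an administrator account gets a full token with no elevation prompt). The sample log is a constructed excerpt of the one posted, plus one hypothetical Run entry (value name `hypothetical`, pointing into the user's temp folder) added only to exercise the autorun check. The flags are review hints, not verdicts: the `HiJackThis.exe` hit, for instance, is the installer cache of a tool that the log's own "Files Created" section shows being installed during this clean-up.

```python
"""ComboFix log triage (added example for this thread; not ComboFix's own code).

Parses the 'Other Deletions' list, the dated file listing and the REGEDIT4
'Reg Loading Points' block, then applies three heuristic checks:
  * Run-key autoruns that execute from user-writable locations,
  * EnableLUA=0 under policies\\system (UAC switched off),
  * newly created executables/drivers in user-writable locations.
Findings are review hints for a human, not verdicts.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted above, plus ONE hypothetical
# Run entry ("hypothetical" -> ...\temp\example.exe) that is NOT from the thread and
# exists only to exercise the user-writable-path check.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Claire\AppData\Local\~pootle01.tmp
c:\windows\CT4CET.bin
.
((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.
2010-01-23 03:18 . 2010-01-23 03:19 -------- d-----w- c:\users\Claire\AppData\Local\temp
2010-01-21 15:03 . 2010-01-21 15:03 388096 ----a-r- c:\users\Claire\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-21 14:28 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-09 68856]
"hypothetical"="c:\users\Claire\AppData\Local\temp\example.exe" [2010-01-22 12345]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"""

SECTION_RE = re.compile(r'^\({5,}\s*(.+?)\s*\){5,}$')
FILE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+(\S+)\s+(.+)$')
KEY_RE = re.compile(r'^\[(.+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
LUA_RE = re.compile(r'^"EnableLUA"=\s*(\d+)')

USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\temp\\', '\\appdata\\')
EXEC_EXT = ('.exe', '.dll', '.sys', '.scr', '.com', '.bin')

FileEntry = namedtuple('FileEntry', 'created modified size attrs path')  # size is '--------' for dirs
Autorun = namedtuple('Autorun', 'key name path')


@dataclass
class Triage:
    deletions: list = field(default_factory=list)
    files: list = field(default_factory=list)
    autoruns: list = field(default_factory=list)
    uac_disabled: bool = False
    findings: list = field(default_factory=list)


def parse_combofix(text):
    t, section, key = Triage(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':
            continue
        m = SECTION_RE.match(line)
        if m:                               # '(((( Section Name ))))' banner
            section, key = m.group(1), None
            continue
        if section == 'Other Deletions':    # bare paths, one per line
            t.deletions.append(line)
            continue
        m = FILE_RE.match(line)
        if m:                               # 'created . modified size attrs path'
            t.files.append(FileEntry(*m.groups()))
            continue
        m = KEY_RE.match(line)
        if m:                               # REGEDIT4 key header
            key = m.group(1)
            continue
        if key is None:
            continue
        m = LUA_RE.match(line)
        if m and key.lower().endswith('policies\\system'):
            t.uac_disabled = int(m.group(1)) == 0
        m = RUN_RE.match(line)
        if m and key.lower().endswith('\\run'):
            t.autoruns.append(Autorun(key, m.group(1), m.group(2)))
    return t


def is_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def triage(text):
    t = parse_combofix(text)
    for a in t.autoruns:
        if is_user_writable(a.path):
            t.findings.append(f'autorun from user-writable path: "{a.name}" -> {a.path}')
    if t.uac_disabled:
        t.findings.append('UAC disabled (EnableLUA=0): admin-group users get a full token for every process')
    for f in t.files:
        if not f.attrs.startswith('d') and f.path.lower().endswith(EXEC_EXT) and is_user_writable(f.path):
            t.findings.append(f'new executable in user-writable path: {f.path} (created {f.created})')
    return t


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG).findings:
        print('-', finding)
```

On the sample it reports three findings: the hypothetical temp-folder autorun, UAC disabled, and the HiJackThis.exe installer-cache copy. On a full log, pass the whole file's text to `triage()`; anything under Program Files or the Windows directory is deliberately left alone, because the point is to shrink the list a human has to read, not to replace the reading.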
Run Dr Web now.
-
hostertlady wrote: » I had the same!!! Personal Security wanting details of credit card etc!!! God, I was so scared, all my icons went off and I couldn't get into Add/Remove Programs either... very scary... 42 trojans etc etc..
I did a system restore and also updated my virus things and managed to sort it.
Very worried though at the time.
You can class yourself as quite lucky, as restoring can sometimes make things far worse.
-
Hi Rik,
Ran the quick one, nothing detected. Ran the full one, and when it was over 3/4 done (with nothing found) it crashed again. Keeps doing that for some reason. Here are the details from when it crashed... should I try and run it again? I have a feeling it will crash again like it did earlier, and like it does every time I try to run the big malware scan. (See edits 1 and 2 below.)
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 2057
Additional information about the problem:
BCCode: 77
BCP1: C0000056
BCP2: C0000056
BCP3: 00000000
BCP4: 200CA000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\Mini012310-01.dmp
C:\Users\Claire\AppData\Local\temp\WER-34944-0.sysdata.xml
C:\Users\Claire\AppData\Local\temp\WERAA04.tmp.version.txt
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
EDIT 1: It was "installing important updates" and came up with error code 800706BA, then crashed again, details below. This happened ages ago and did something to my machine, and eventually I couldn't even log in. It's also just come up on screen with an iexplorer.exe error saying it had to terminate, and my screen has gone all weird, then came up with fdrw.exe (it might not be exactly those letters as I didn't have time to write them down; it came up with a big red cross saying it had to terminate as there had been an I/O error).
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 2057
Additional information about the problem:
BCCode: 7a
BCP1: A7A019C8
BCP2: C0000056
BCP3: 0D1868C4
BCP4: B2CD42AC
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\Mini012310-02.dmp
C:\Users\Claire\AppData\Local\temp\WER-53258-0.sysdata.xml
C:\Users\Claire\AppData\Local\temp\WER952.tmp.version.txt
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
EDIT 2: This is the update (below) that failed. Tried again and the computer just froze. Has crashed 3 times in the last ten minutes (Internet Explorer just keeps saying not responding, then the machine conks out, then keeps saying something about CHKDSK when I try and switch it on again).
Cumulative Security Update for Internet Explorer 8 for Windows Vista (KB978207)
Installation date: 22/01/2010 10:11
Installation status: Failed
Error details: Code 80004004
Update type: Important
Security issues have been identified that could allow an attacker to compromise a system that is running Microsoft Internet Explorer and gain control over it. You can help protect your system by installing this update from Microsoft. After you install this item, you may have to restart your computer.
More information:
http://go.microsoft.com/fwlink/?LinkId=179104
Help and Support:
http://support.microsoft.com
-
Try Malwarebytes again, but disable any other antivirus programs (Avast).
-
Tried to run Malwarebytes again with the antivirus off (as per last time); crashed again. CHKDSK thing again. Went into "find a solution" when it popped up and it came up with the bit at the bottom of this. I've had this before and it had something to do with the upgrade not working, but not sure if it's the same this time. Thanks again.
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Locale ID: 2057
Additional information about the problem:
BCCode: 77
BCP1: C0000056
BCP2: C0000056
BCP3: 00000000
BCP4: 02682000
OS Version: 6_0_6002
Service Pack: 2_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\Mini012310-03.dmp
C:\Users\Claire\AppData\Local\temp\WER-90340-0.sysdata.xml
C:\Users\Claire\AppData\Local\temp\WER974F.tmp.version.txt
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
Files that help describe the problem:
C:\Windows\MEMORY.DMP
Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
-
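The three crash reports in the posts above give only raw bug check codes. As an added example (not part of the original thread, and not the poster's or the helper's code), this script parses such Windows Error Reporting "Problem signature" blocks and decodes them with the documented meanings: 0x77 is KERNEL_STACK_INPAGE_ERROR and 0x7A is KERNEL_DATA_INPAGE_ERROR, both raised when the kernel fails to read a page of kernel stack or data back from the paging file or a mapped file, and the NTSTATUS carried in the parameters (parameter 1 for 0x77, parameter 2 for 0x7A) is the status of that failed read. The sample input is copied from the posted reports, trimmed to the relevant lines. The decode shows all three crashes are inpage errors carrying the same NTSTATUS, which is the kind of pattern, together with the repeated CHKDSK prompts the poster describes, that a practitioner would want to test against the disk (SMART data, a surface scan) before attributing the crashes to malware or reinstalling onto the same drive.

```python
"""Decode Windows Error Reporting 'Problem signature' blocks (added example; not from the thread).

Bug check names follow the Microsoft bug check reference and NTSTATUS names ntstatus.h.
Both 0x77 and 0x7A are inpage errors: the kernel could not read a page of stack/data back
in, and one of the parameters carries the NTSTATUS of that failed read.
"""
import re
from collections import namedtuple

BUGCHECK_NAMES = {0x77: 'KERNEL_STACK_INPAGE_ERROR', 0x7A: 'KERNEL_DATA_INPAGE_ERROR'}
NTSTATUS_NAMES = {
    0xC0000056: 'STATUS_DELETE_PENDING',
    0xC000009C: 'STATUS_DEVICE_DATA_ERROR',
    0xC000009D: 'STATUS_DEVICE_NOT_CONNECTED',
    0xC000016A: 'STATUS_DISK_OPERATION_FAILED',
    0xC0000185: 'STATUS_IO_DEVICE_ERROR',
}

# Sample input: the three reports posted in this thread, trimmed to the relevant lines.
SAMPLE_REPORTS = r"""
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6002.2.2.0.768.3
Additional information about the problem:
BCCode: 77
BCP1: C0000056
BCP2: C0000056
BCP3: 00000000
BCP4: 200CA000
Files that help describe the problem:
C:\Windows\Minidump\Mini012310-01.dmp
C:\Users\Claire\AppData\Local\temp\WER-34944-0.sysdata.xml
Problem signature:
Problem Event Name: BlueScreen
BCCode: 7a
BCP1: A7A019C8
BCP2: C0000056
BCP3: 0D1868C4
BCP4: B2CD42AC
Files that help describe the problem:
C:\Windows\Minidump\Mini012310-02.dmp
Problem signature:
Problem Event Name: BlueScreen
BCCode: 77
BCP1: C0000056
BCP2: C0000056
BCP3: 00000000
BCP4: 02682000
Files that help describe the problem:
C:\Windows\Minidump\Mini012310-03.dmp
Files that help describe the problem:
C:\Windows\MEMORY.DMP
"""

Crash = namedtuple('Crash', 'bccode params minidump')

HEX = r'([0-9A-Fa-f]+)'
BLOCK_RE = re.compile(
    r'BCCode:\s*' + HEX + r'\s*BCP1:\s*' + HEX + r'\s*BCP2:\s*' + HEX +
    r'\s*BCP3:\s*' + HEX + r'\s*BCP4:\s*' + HEX +
    r'.*?(C:\\Windows\\Minidump\\\S+\.dmp)', re.S)


def parse_signatures(text):
    """Extract (bug check code, four parameters, minidump path) from each block."""
    return [Crash(int(m.group(1), 16), tuple(int(m.group(i), 16) for i in range(2, 6)), m.group(6))
            for m in BLOCK_RE.finditer(text)]


def failed_read_status(crash):
    """NTSTATUS of the failed page-in, using the documented parameter layouts."""
    p1, p2 = crash.params[0], crash.params[1]
    if crash.bccode == 0x77:   # 0x77: P1 = status code (0/1/2 are the stack-signature cases), P2 = I/O status
        return p1 if p1 > 2 else None
    if crash.bccode == 0x7A:   # 0x7A: P1 = lock type or PTE, P2 = error status, P4 = faulting VA
        return p2
    return None


def summarize(crash):
    status = failed_read_status(crash)
    return {
        'minidump': crash.minidump,
        'bugcheck': f'0x{crash.bccode:02X} {BUGCHECK_NAMES.get(crash.bccode, "unlisted bug check")}',
        'inpage': crash.bccode in BUGCHECK_NAMES,
        'status': None if status is None else f'0x{status:08X} {NTSTATUS_NAMES.get(status, "unlisted NTSTATUS")}',
    }


def common_status(text):
    """The single NTSTATUS shared by every crash if all are inpage errors with one status, else None."""
    summaries = [summarize(c) for c in parse_signatures(text)]
    statuses = {s['status'] for s in summaries}
    if summaries and len(statuses) == 1 and all(s['inpage'] for s in summaries):
        return statuses.pop()
    return None


if __name__ == '__main__':
    for c in parse_signatures(SAMPLE_REPORTS):
        print(summarize(c))
    print('common status:', common_status(SAMPLE_REPORTS))
```

The minidump paths it extracts (`Mini012310-01.dmp` and so on) are the files to load in a kernel debugger if a deeper look is needed; the decode here is only the first sorting step that tells you which kind of failure you are looking at.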
Hi Rik,
Tried that. Crashed when trying to install, then said it wasn't required when I tried it the other way. Went into Microsoft Updates and it's now saying I've never updated anything ever. Hit the "check for updates" button and it crashed again. Keeps saying not responding. Got a big red cross in a box saying the instruction at 0x696d7064 referenced memory at 0x696d7064. The required data was not placed in memory because of an I/O error, then the screen went blank and restarted with yet another CHKDSK. It's now crashing every 5 minutes or so, so seems to be getting worse.....
-
Bad luck, mate.
Looks like it's a format and reinstall of the operating system.
-
Try this program to see if it sorts out this Windows Update problem (ignore the offered download screen, just wait for the yellow "allow download" bar to appear).
MajorGeeksEx forum ambassador
Long term forum member