Trojan horse help
Comments
-
I've now disabled resident shield and link scanner but I'm still getting a warning about AVG anti virus scanner still running. Do I need to reboot maybe?
-
tylerjaffa wrote: »I've now disabled resident shield and link scanner but I'm still getting a warning about AVG anti virus scanner still running. Do I need to reboot maybe?
So long as you've disabled them, run combofix anyway.
-
Here you go then!
Let me know what's next! And all this is before I advise my Mum what to do with her pc...can't wait!
ComboFix 10-03-11.02 - Cheekies 11/03/2010 21:23:17.1.2 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.44.1033.18.1918.1123 [GMT 0:00]
Running from: c:\users\Cheekies\Music\iTunes\iTunes Media\Music\QWERTY.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-3313465291-2379380652-488507202-500
c:\windows\system32\AutoRun.inf
\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-02-11 to 2010-03-11 )))))))))))))))))))))))))))))))
.
2010-03-11 21:30 . 2010-03-11 21:30 d-----w- c:\users\Default\AppData\Local\temp
2010-03-11 21:30 . 2010-03-11 21:30 d-----w- c:\users\Changes\AppData\Local\temp
2010-03-11 21:30 . 2010-03-11 21:30 d-----w- c:\users\Vicki\AppData\Local\temp
2010-03-11 21:07 . 2010-03-11 21:21 d-----w- C:\32788R22FWJFW
2010-03-11 17:49 . 2010-03-11 17:49 d-----w- c:\users\Changes\AppData\Local\Adobe
2010-03-11 17:49 . 2010-03-11 17:49 d-----w- c:\users\Changes\AppData\Roaming\PC Suite
2010-03-11 17:44 . 2010-03-11 17:44 388096 ----a-r- c:\users\Cheekies\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-11 17:44 . 2010-03-11 17:44 d-----w- c:\program files\TrendMicro
2010-03-11 09:12 . 2010-03-11 09:17 d-----w- C:\a916165cfd5e517c8f49
2010-03-10 18:47 . 2010-03-10 18:47 d-----w- c:\users\Cheekies\AppData\Roaming\Malwarebytes
2010-03-10 18:47 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-10 18:47 . 2010-03-10 22:05 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-10 18:47 . 2010-03-10 18:47 d-----w- c:\programdata\Malwarebytes
2010-03-10 18:47 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 10:24 . 2010-03-10 10:24 d-----w- C:\$AVG
2010-03-10 10:22 . 2010-03-10 10:22 d-----w- c:\programdata\avg9
2010-03-09 00:11 . 2010-03-09 00:11 d-----w- c:\users\Vicki\AppData\Roaming\PC Tools
2010-03-09 00:04 . 2010-03-09 00:04 d-----w- c:\users\Louise\AppData\Roaming\PC Tools
2010-03-05 09:29 . 2010-03-05 09:29 439816 ----a-w- c:\users\Cheekies\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-03-02 20:10 . 2009-03-08 11:32 72704 ----a-w- c:\windows\system32\admparse.dll
2010-02-26 02:05 . 2010-02-12 10:49 293376 ----a-w- c:\windows\system32\browserchoice.exe
2010-02-24 09:34 . 2010-01-23 08:05 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-24 09:33 . 2010-01-25 12:58 473088 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 09:33 . 2010-01-25 12:58 472576 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 09:33 . 2010-01-25 08:36 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 09:33 . 2010-01-25 08:36 515584 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 09:33 . 2010-01-25 08:36 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 09:33 . 2010-01-25 08:35 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 09:33 . 2010-01-25 12:58 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 09:33 . 2010-01-25 12:58 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 09:33 . 2010-01-25 12:56 312320 ----a-w- c:\windows\system32\msdrm.dll
2010-02-11 11:43 . 2010-02-11 11:43 d-----w- c:\users\Vicki\AppData\Local\CutePDF Writer
2010-02-10 09:05 . 2009-12-11 12:15 306688 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 09:05 . 2009-12-11 12:15 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-11 17:50 . 2008-01-05 13:35 105144 ----a-w- c:\users\Changes\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-11 09:17 . 2006-11-02 11:18 d-----w- c:\program files\Windows Mail
2010-03-10 10:23 . 2009-02-18 22:35 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-10 10:23 . 2008-07-06 16:49 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-10 10:23 . 2007-12-09 23:54 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-10 10:22 . 2008-07-06 16:50 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-10 10:22 . 2008-07-06 16:49 d-----w- c:\program files\AVG
2010-02-25 11:15 . 2007-12-16 23:12 105144 ----a-w- c:\users\Vicki\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-25 09:34 . 2007-12-16 22:11 105144 ----a-w- c:\users\Louise\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-25 09:01 . 2007-12-09 22:39 105144 ----a-w- c:\users\Cheekies\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 09:16 . 2009-10-03 08:59 181632 ----a-w- c:\windows\system32\MpSigStub.exe
2010-02-06 23:11 . 2009-01-10 15:03 1004 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-02-06 10:51 . 2009-11-29 18:35 d-----w- c:\program files\iTunes
2010-02-06 10:50 . 2010-02-06 10:50 d-----w- c:\program files\iPod
2010-02-06 10:50 . 2009-11-29 18:27 d-----w- c:\program files\Common Files\Apple
2010-02-06 10:41 . 2010-02-06 10:41 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-27 12:11 . 2010-01-27 12:11 d-----w- c:\programdata\Nokia
2010-01-02 06:38 . 2010-03-02 20:14 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32 . 2010-03-02 20:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32 . 2010-03-02 20:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57 . 2010-03-02 20:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-12-28 12:36 . 2010-02-10 09:04 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35 . 2010-02-10 09:04 1327616 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:34 . 2010-02-10 09:04 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:34 . 2010-02-10 09:04 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:34 . 2010-02-10 09:04 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:34 . 2010-02-10 09:04 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:33 . 2010-02-10 09:04 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:32 . 2010-02-10 09:04 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:30 . 2010-02-10 09:04 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:30 . 2010-02-10 09:04 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-23 10:25 . 2009-12-23 10:25 36864 ----a-w- c:\programdata\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-12-23 10:25 . 2009-12-23 10:25 3351812 ----a-w- c:\programdata\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-12-23 10:25 . 2009-12-23 10:25 3203453 ----a-w- c:\programdata\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-12-23 10:22 . 2009-12-23 10:26 24403616 ----a-w- c:\programdata\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en[1].exe
2009-12-18 12:48 . 2010-01-22 09:26 52736 ----a-w- c:\windows\AppPatch\iebrshim.dll
2007-09-26 08:14 . 2007-09-26 08:13 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-09 1232896]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-11-11 1451520]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-09-26 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-03-13 77824]
"SetRefresh"="c:\program files\HP\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-30 16200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-22 198160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-08 44168]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [x]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-03-10 216200]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-03-10 242696]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-10 308064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nectar.com/dynamic/estores/nectar/home
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Corel Photo Downloader - c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-11 21:52
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{6afe9933-7a53-493a-916d-398cb7c3c6f5}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c001871
"Dhcpv6State"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{7880e700-d96c-4c9a-a967-61f81fe443ca}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0f001517
"Dhcpv6State"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{7b660857-26ab-4576-ab08-4f94103d9a68}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0e020054
"Dhcpv6State"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{8063b8bf-e98a-4896-b59a-0ac70752649b}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07001422
"Dhcpv6State"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{a05b30d8-c495-4e5e-8621-3228279817e7}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0d0019db
"Dhcpv6State"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ba9e677f-0ef8-4bb2-a3e5-3ba5c63d1e87}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:06001422
"Dhcpv6State"=dword:00000000
.
Completion time: 2010-03-11 21:55:22
ComboFix-quarantined-files.txt 2010-03-11 21:55
Pre-Run: 168,824,430,592 bytes free
Post-Run: 170,806,210,560 bytes free
- - End Of File - - F18E67978630FE6F3924F397B75D72B90 -
Log looks fine
Get your mum to post the logfile to you via email and you can post it here.
-
Good idea! Or I might get hold of her laptop and do it for her!
Thanks so much for all your help.
-
Just so you're aware, I WASN'T aware this was entirely your computer. You shouldn't run combofix unless specifically asked to by someone who knows what they're looking for.
-
Hi again. I didn't think to check to see your reply...sorry...I've been away but am about to start helping my Mum with her laptop...(it is the one AVG picked up had a trojan horse)...are you saying I shouldn't have run combofix on my PC or are you saying not to run combofix on the laptop unless specifically advised to do so?
Should I start with malwarebytes and take it from there? I'll get her to e-mail me the results so I can post them here.
-
Not to run it unless advised to.
-
Here's the first log from my Mum's pc...let me know what's best to advise her to do next...thanks.
Malwarebytes' Anti-Malware 1.44
Database version: 3900
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882
3/22/2010 6:54:03 PM
mbam-log-2010-03-22 (18-54-03).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 255221
Time elapsed: 1 hour(s), 53 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\phil&jill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EHD9LE0N\rondll32[1].exe (Malware.Packer) -> Quarantined and deleted successfully.
-
Doesn't look too bad. If you can, get a hijack log of the computer.