help removing trojans


Comments

  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    TICK and FIX these in hijack ~
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\RazaWebHook32.dll
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\jacko\Program Files\DNA\btdna.exe"


    Turn off Spybot's 'TEA TIMER' mode (at least until we've sorted out the problem) ~
    Open Spybot
    Change Mode (Top) to ADVANCED
    Select TOOLS then RESIDENT
    UNTICK 'Resident TEA TIMER' (Leave 'SD Helper' TICKED)

    then run COMBOFIX as I originally posted
  • The_Grandmaster
    The_Grandmaster Posts: 1,424 Forumite
    Sorry to disturb this board - alienRIK, can you look at the combofix log
    on the link below please? Thank you!

    https://forums.moneysavingexpert.com/discussion/2580357
  • toolslinger
    toolslinger Posts: 101 Forumite
    Hi alienrik,
    Ticked and fixed in HijackThis.
    Here is the log from ComboFix:

    ComboFix 10-07-08.02 - jacko 09/07/2010 11:24:16.1.2 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.1015.117 [GMT 1:00]
    Running from: c:\users\jacko\Downloads\ComboFix.exe
    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    F:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-09 to 2010-07-09 )))))))))))))))))))))))))))))))
    .

    2010-07-09 10:40 . 2010-07-09 10:41 d-----w- c:\users\jacko\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\tich\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\peter\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\mum\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\fusty\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\Default\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\dad\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\ADMINI~1\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\josh\AppData\Local\temp
    2010-07-09 10:40 . 2010-07-09 10:40 d-----w- c:\users\tracy\AppData\Local\temp
    2010-07-07 10:36 . 2010-07-07 10:36 d-----w- c:\program files\Trend Micro
    2010-07-04 20:49 . 2010-07-09 09:25 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-07-04 20:49 . 2010-07-04 20:50 d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-04 18:46 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-07-04 18:45 . 2010-07-04 18:45 d-----w- c:\program files\Panda Security
    2010-07-04 12:23 . 2010-07-04 12:23 d-----w- c:\users\jacko\AppData\Roaming\Malwarebytes
    2010-07-04 12:23 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-04 12:23 . 2010-07-04 12:23 d-----w- c:\programdata\Malwarebytes
    2010-07-04 12:23 . 2010-07-04 12:23 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-04 12:23 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-02 19:00 . 2010-07-02 19:00 262144 ----a-w- C:\ntuser.dat
    2010-06-24 17:37 . 2009-11-08 09:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-06-24 17:37 . 2009-11-08 09:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-06-24 17:37 . 2009-11-08 09:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-06-24 17:37 . 2009-11-08 09:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-06-24 17:37 . 2009-11-08 09:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-06-23 17:45 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-06-23 17:45 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-06-22 20:49 . 2010-06-22 20:49 d-----w- c:\program files\iPod
    2010-06-22 20:49 . 2010-06-22 20:50 d-----w- c:\program files\iTunes
    2010-06-22 20:39 . 2010-06-22 20:39 d-----w- c:\program files\Bonjour
    2010-06-09 16:02 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-06-09 16:02 . 2010-05-26 14:47 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-06-09 16:02 . 2010-05-26 17:06 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-06-09 16:01 . 2010-05-04 19:15 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-06-09 16:01 . 2010-05-04 18:37 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-06-09 16:01 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-09 10:15 . 2008-02-07 16:25 d-----w- c:\programdata\Kaspersky Lab
    2010-07-09 09:22 . 2009-10-04 17:42 d-----w- c:\program files\Shareaza
    2010-07-08 12:33 . 2006-11-09 21:16 12 ----a-w- c:\windows\bthservsdp.dat
    2010-07-02 19:00 . 2007-09-26 19:41 d--h--w- c:\program files\InstallShield Installation Information
    2010-07-02 19:00 . 2007-12-26 23:56 d-----w- c:\program files\InterVideo
    2010-07-02 18:59 . 2008-08-07 19:00 d-----w- c:\program files\Mozilla Thunderbird
    2010-07-02 18:58 . 2008-03-12 11:09 d-----w- c:\program files\Yahoo!
    2010-07-02 18:56 . 2008-08-12 16:48 d-----w- c:\users\jacko\AppData\Roaming\Shareaza
    2010-06-27 09:36 . 2007-09-26 19:48 d-----w- c:\program files\Microsoft.NET
    2010-06-22 20:49 . 2008-06-12 19:07 d-----w- c:\program files\Common Files\Apple
    2010-06-22 20:32 . 2008-08-12 17:02 d-----w- c:\program files\Safari
    2010-06-10 09:05 . 2006-11-02 11:18 d-----w- c:\program files\Windows Mail
    2010-06-09 18:49 . 2007-09-26 19:46 d-----w- c:\programdata\Microsoft Help
    2010-05-21 13:14 . 2009-10-03 07:39 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-17 15:14 . 2008-09-10 15:34 d-----w- c:\users\tracy\AppData\Roaming\Shareaza
    2010-05-17 15:10 . 2008-08-13 12:54 106824 ----a-w- c:\users\tracy\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-17 15:03 . 2010-05-17 14:58 d-----w- c:\users\tracy\AppData\Roaming\Apple Computer
    2010-05-08 13:42 . 2008-08-13 12:59 106824 ----a-w- c:\users\peter\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-05 07:33 . 2010-01-13 16:36 97549 ----a-w- c:\windows\system32\drivers\klick.dat
    2010-05-05 07:33 . 2010-01-13 16:36 113933 ----a-w- c:\windows\system32\drivers\klin.dat
    2010-04-23 14:13 . 2010-05-26 10:59 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-04-16 07:33 . 2010-04-16 07:33 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2010-04-16 07:33 . 2010-04-16 07:33 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-04-12 16:29 . 2010-04-29 14:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 71176]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-07 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-12 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-12 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-12 129560]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
    "NokiaMusic FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-02 2327840]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
    "avp"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Canon LBP2900 Status Window.lnk - c:\windows\System32\spool\drivers\w32x86\3\CNAB4LAK.EXE [2007-1-11 50848]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):7f,b5,02,31,90,6b,ca,01

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2006-11-02 167936]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
    S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2009-11-03 21520]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-10-02 19472]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=smb&pf=laptop
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
    IE: Download with &Shareaza - c:\program files\Shareaza\RazaWebHook32.dll/3000
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\jacko\AppData\Roaming\Mozilla\Firefox\Profiles\vjqisvne.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\jacko\Program Files\DNA\plugins\npbtdna.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-BitTorrent DNA - c:\users\jacko\Program Files\DNA\btdna.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-09 11:41
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    LOCKED REGISTRY KEYS

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-07-09 11:53:13
    ComboFix-quarantined-files.txt 2010-07-09 10:53

    Pre-Run: 23,971,586,048 bytes free
    Post-Run: 26,024,353,792 bytes free

    - - End Of File - - CD5A83332F056F32957CC3045723EF13
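An added example, written for this thread by the editor and not taken from HijackThis, ComboFix or any poster: a small Python triage script for the kind of autostart entries aliEnRIK picked out in his reply (the R3/O2/O4 HijackThis lines) and for the Run, AppInit_DLLs and driver lines in the ComboFix log above. It copies those lines verbatim and adds one constructed line (marked in the code) so the temp-directory check has something to hit. The verdicts are review hints only: "orphan" for entries whose target file is gone (HijackThis prints "(no file)", ComboFix prints "[X]", as with NokiaMServer), "user profile" or "temp directory" for autostarts launching from paths a non-admin user can write to, such as the BitTorrent DNA entry under C:\Users\jacko, and a separate "appinit-dll" flag because anything in AppInit_DLLs is loaded into every process that loads user32.dll and deserves a publisher check even when, as here, it belongs to Kaspersky. The script does not decide whether an entry is malicious; the Shareaza download hook was removed on judgment, and no location rule would have flagged it.

```python
"""Triage autostart entries from HijackThis and ComboFix log lines.

Editor's example for this thread; not code from HijackThis, ComboFix or any
poster. Verdicts are hints for a human reviewer, not malware determinations.
"""
import re
from pathlib import PureWindowsPath

# HijackThis lines copied from aliEnRIK's reply.
HJT_LINES = [
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\RazaWebHook32.dll",
    r'O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\jacko\Program Files\DNA\btdna.exe"',
]

# ComboFix "Reg Loading Points" lines copied from the log, plus one constructed
# line (the last one) so the temp-directory check is exercised.
CF_LINES = [
    r'"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]',
    r'"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]',
    r'"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll',
    r"S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]",
    r'"Updater"="c:\users\jacko\AppData\Local\Temp\upd.exe" [2010-07-01 12345]',  # constructed
]

# A drive-letter path that ends at a closing quote, at a trailing " [date size]"
# column, or at end of line. Not extension-based on purpose: the NokiaMServer
# entry has no extension at all.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]+?(?=\s*\[|"|\s*$)')

TEMP_DIRS = {"temp", "tmp"}
PROFILE_DIRS = {"users", "documents and settings", "appdata"}


def entry_name(line: str) -> str:
    """Pull the autostart name out of either log format."""
    m = re.match(r'^"([^"]+)"=', line)            # ComboFix Run value / AppInit_DLLs
    if m:
        return m.group(1)
    m = re.match(r"^[RS]\d\s+([^;\s]+);", line)    # ComboFix service or driver line
    if m:
        return m.group(1)
    m = re.search(r"\[([^\]]+)\]", line)           # HijackThis O4: [name]
    if m:
        return m.group(1)
    m = re.search(r":\s*(.+?)\s+-\s+\{", line)     # HijackThis R3/O2: name - {CLSID}
    if m:
        return m.group(1)
    return line.split()[0]


def entry_path(line: str):
    m = WIN_PATH.search(line)
    return m.group(0) if m else None


def classify_location(path):
    """Per-user and temp paths are writable without admin rights, which is
    where drive-by installs land; Program Files and Windows need elevation."""
    if path is None:
        return "no path"
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    if parts & TEMP_DIRS:
        return "temp directory"
    if parts & PROFILE_DIRS:
        return "user profile"
    return "system location"


def triage(line: str) -> dict:
    name = entry_name(line)
    path = entry_path(line)
    # HijackThis prints "(no file)" and ComboFix "[X]" when the target is gone:
    # a leftover registry entry, harmless but worth removing.
    missing = "(no file)" in line or line.rstrip().endswith("[X]")
    if missing:
        verdict = "orphan"
    elif name == "AppInit_DLLs":
        # Loaded into every process that loads user32.dll; verify the publisher.
        verdict = "appinit-dll"
    else:
        verdict = classify_location(path)
    return {"name": name, "path": path, "verdict": verdict}


def review_first(lines):
    """Names of entries a reviewer should look at before the rest."""
    return [t["name"] for t in map(triage, lines) if t["verdict"] != "system location"]


if __name__ == "__main__":
    for line in HJT_LINES + CF_LINES:
        t = triage(line)
        print(f"{t['verdict']:<16} {t['name']:<28} {t['path']}")
```

Run against a real log by feeding it only the lines that parse as entries (the Run values, the R/S service lines, the HijackThis R/O lines); the "Files Created" section uses a different layout and is not handled. On the three HijackThis lines the script surfaces Yahoo! Toolbar (orphan) and BitTorrent DNA (user profile) for review and leaves the Shareaza hook as a system-location entry, which is exactly the gap a human reviewer fills.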
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    I can't find anything bad in the log.
  • toolslinger
    toolslinger Posts: 101 Forumite
    Thanks alienerik.
    Kaspersky is still listing 3 trojans, but these look like links to web pages. Does this mean just the web page was infected rather than my computer, and Kaspersky has already dealt with it? They have a blue "i" at the start of each line.
    Many thanks, Pete
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Sounds to me like it was just warning you in advance not to visit those web pages, i.e. ~ your computer was never infected in the first place.
  • toolslinger
    toolslinger Posts: 101 Forumite
    Sorry alienerik, I have caused you a lot of work for no reason; feel very guilty. :(:(:(
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    No worries.
    Better safe than sorry :)