Hijack this log - after trojans and spyware - please take a look
Yup, avira's one of the top couple
combofix will prob remove the dregs, remember to post the full log....
......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
-
Will do, it's running now; it estimates about 10 minutes depending on how bad it is.
The birds of sadness may fly overhead but don't let them nest in your hair
-
dcm's right, no AV running on there...do you have it installed but turned off?
Thanks GJ, sad old blind git 'til tomorrow, then the blind bit can disappear. Fed up with CTRL++ for reading today. Mind you, if I use my desktop instead of Phone/Netbook, who knows.
4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
-
ComboFix 10-11-30.02 - Nick 30/11/2010 23:06:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2303.1974 [GMT 0:00]
Running from: c:\documents and settings\Nick\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\admin\Local Settings\Application Data\{313B22FA-E1C5-4567-8949-ABD15F34C654}
c:\documents and settings\admin\Local Settings\Application Data\{313B22FA-E1C5-4567-8949-ABD15F34C654}\chrome.manifest
c:\documents and settings\admin\Local Settings\Application Data\{313B22FA-E1C5-4567-8949-ABD15F34C654}\chrome\content\_cfg.js
c:\documents and settings\admin\Local Settings\Application Data\{313B22FA-E1C5-4567-8949-ABD15F34C654}\chrome\content\overlay.xul
c:\documents and settings\admin\Local Settings\Application Data\{313B22FA-E1C5-4567-8949-ABD15F34C654}\install.rdf
c:\documents and settings\Nick\Application Data\Ifbyb\apoh.exe
c:\documents and settings\Nick\Local Settings\Application Data\{B10BB798-FC97-4E08-A448-9FF91484A91A}
c:\documents and settings\Nick\Local Settings\Application Data\{B10BB798-FC97-4E08-A448-9FF91484A91A}\chrome.manifest
c:\documents and settings\Nick\Local Settings\Application Data\{B10BB798-FC97-4E08-A448-9FF91484A91A}\chrome\content\_cfg.js
c:\documents and settings\Nick\Local Settings\Application Data\{B10BB798-FC97-4E08-A448-9FF91484A91A}\chrome\content\overlay.xul
c:\documents and settings\Nick\Local Settings\Application Data\{B10BB798-FC97-4E08-A448-9FF91484A91A}\install.rdf
c:\documents and settings\Nick\Start Menu\Programs\System Tool
c:\documents and settings\Nick\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Internet Explorer\SET489.tmp
c:\program files\Internet Explorer\SET48E.tmp
c:\windows\agidijibazove.dll
c:\windows\system32\config\systemprofile\Application Data\pnmfzy.dat
c:\windows\system32\Desktop_.ini
.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
.
2010-11-30 22:28 . 2010-11-30 22:28 -------- d-----w- c:\documents and settings\admin\Application Data\Avira
2010-11-30 21:31 . 2010-11-30 21:31 -------- d-----w- c:\documents and settings\Nick\Application Data\Avira
2010-11-30 21:08 . 2010-11-30 22:07 -------- d-----w- c:\windows\system32\NtmsData
2010-11-30 21:02 . 2010-08-02 16:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-30 21:02 . 2010-08-02 16:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-30 21:02 . 2010-06-17 15:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-30 21:02 . 2010-11-30 21:02 -------- d-----w- c:\program files\Avira
2010-11-30 21:02 . 2010-11-30 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-30 21:02 . 2010-06-17 15:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-30 20:44 . 2010-11-30 20:44 -------- d-----w- c:\program files\Trend Micro
2010-11-30 20:32 . 2010-11-30 20:32 -------- d-----w- c:\program files\MSN Toolbar
2010-11-30 20:32 . 2010-11-30 20:33 -------- d-----w- c:\program files\Bing Bar Installer
2010-11-30 18:45 . 2010-11-30 23:04 -------- d-----w- c:\documents and settings\Nick\Application Data\Ifbyb
2010-11-30 18:45 . 2010-11-30 20:26 -------- d-----w- c:\documents and settings\Nick\Application Data\Luyrr
2010-11-30 13:40 . 2010-11-30 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\gOfHm02900
2010-11-29 18:42 . 2010-11-30 00:12 0 ----a-w- c:\windows\Kbezuxunakamik.bin
2010-11-26 22:01 . 2010-11-26 22:01 -------- d-----r- c:\documents and settings\Nick\Application Data\Brother
2010-11-26 21:46 . 2001-08-17 13:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-11-26 21:46 . 2001-08-17 13:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-11-26 21:45 . 2010-11-26 21:45 -------- d-----w- c:\program files\Brother
2010-11-26 21:45 . 2005-09-16 18:21 54784 ------w- c:\windows\system32\BrNetSti.dll
2010-11-26 21:45 . 2005-06-02 01:09 86016 ------w- c:\windows\system32\BrWebIns.dll
2010-11-26 21:45 . 2005-06-02 01:08 69632 ------w- c:\windows\system32\BRWEBUP.EXE
2010-11-26 21:45 . 2005-04-14 17:01 34816 ------w- c:\windows\system32\BrWiaNCp.dll
2010-11-26 21:45 . 2005-04-14 17:00 31744 ------w- c:\windows\system32\Brnsplg.dll
2010-11-26 21:45 . 2004-12-03 01:26 188416 ------w- c:\windows\system32\PDRVINST.DLL
2010-11-26 21:45 . 2010-11-26 21:45 -------- d-----w- C:\Brother
2010-11-26 21:45 . 2005-03-02 11:35 121856 ----a-w- c:\windows\system32\BrWia05a.dll
2010-11-26 21:45 . 2005-04-08 15:48 163840 ------w- c:\windows\system32\NSSearch.dll
2010-11-26 21:45 . 2004-12-10 16:35 147456 ------w- c:\windows\brunin03.dll
2010-11-26 21:45 . 2002-11-26 13:43 106496 ------w- c:\windows\system32\BrMuSNMP.dll
2010-11-26 21:37 . 2010-11-26 21:37 282756 ------w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2010-11-26 21:37 . 2010-11-26 21:37 163972 ------w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2010-11-26 21:37 . 2002-12-02 15:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2010-11-26 21:36 . 2010-11-26 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2010-11-26 21:36 . 2010-11-30 21:22 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2010-11-26 21:36 . 2010-11-26 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2010-11-26 21:36 . 2010-11-26 21:36 -------- d-----w- c:\program files\ScanSoft
2010-11-26 21:34 . 2010-11-26 21:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2010-11-21 17:12 . 2010-11-30 21:13 -------- d-----w- c:\documents and settings\Nick\Application Data\Caxu
2010-11-21 17:12 . 2010-11-21 17:12 -------- d-----w- c:\documents and settings\Nick\Application Data\Agekwy
2010-11-21 10:03 . 2010-11-30 21:13 -------- d-----w- c:\documents and settings\Nick\Application Data\Qyot
2010-11-21 10:03 . 2010-11-21 10:03 -------- d-----w- c:\documents and settings\Nick\Application Data\Fyqoel
2010-11-20 18:04 . 2010-11-30 21:13 -------- d-----w- c:\documents and settings\Nick\Application Data\Iqovzi
2010-11-20 18:04 . 2010-11-20 18:04 -------- d-----w- c:\documents and settings\Nick\Application Data\Kabee
2010-11-20 09:54 . 2010-11-30 21:13 -------- d-----w- c:\documents and settings\Nick\Application Data\Xuur
2010-11-20 09:54 . 2010-11-20 09:54 -------- d-----w- c:\documents and settings\Nick\Application Data\Ashi
2010-11-19 23:37 . 2010-11-30 17:17 -------- d-----w- c:\documents and settings\Nick\Application Data\Ypet
2010-11-19 23:37 . 2010-11-19 23:37 -------- d-----w- c:\documents and settings\Nick\Application Data\Opwib
2010-11-19 15:14 . 2010-11-30 17:17 -------- d-----w- c:\documents and settings\Nick\Application Data\Vadohy
2010-11-19 15:14 . 2010-11-19 15:14 -------- d-----w- c:\documents and settings\Nick\Application Data\Ycud
2010-11-18 22:32 . 2010-11-30 21:13 -------- d-----w- c:\documents and settings\Nick\Application Data\Ybileh
2010-11-18 22:32 . 2010-11-18 22:32 -------- d-----w- c:\documents and settings\Nick\Application Data\Inib
2010-11-18 17:28 . 2010-11-30 17:17 -------- d-----w- c:\documents and settings\Nick\Application Data\Kaulp
2010-11-18 17:28 . 2010-11-18 17:28 -------- d-----w- c:\documents and settings\Nick\Application Data\Zyimy
2010-11-18 12:24 . 2010-11-30 21:13 -------- d-----w- c:\documents and settings\Nick\Application Data\Vato
2010-11-18 12:24 . 2010-11-18 12:24 -------- d-----w- c:\documents and settings\Nick\Application Data\Ifhil
2010-11-17 18:22 . 2010-11-30 21:13 -------- d-----w- c:\documents and settings\Nick\Application Data\Efkuob
2010-11-17 18:22 . 2010-11-30 15:43 -------- d-----w- c:\documents and settings\Nick\Application Data\Ucyba
2010-11-17 18:22 . 2010-11-30 21:09 -------- d-----w- c:\program files\win
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-10-03 21:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-10-03 21:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-03 18:58 . 2010-10-03 18:58 315392 ----a-w- c:\windows\HideWin.exe
2010-09-18 11:23 . 2002-08-29 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2002-08-29 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2002-08-29 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2002-08-29 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-03 136176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2009-01-31 8433664]
"nwiz"="nwiz.exe" [2009-01-31 1626112]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2009-01-31 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-23 16342528]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"%windir%\\system32\\lsass.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/11/2010 21:02 135336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 12:16 130384]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [29/08/2002 12:00 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 12:16 753504]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
2010-11-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-926492609-682003330-1003Core.job
- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 18:33]
2010-11-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-926492609-682003330-1003UA.job
- c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-03 18:33]
.
.
Supplementary Scan
.
uInternet Settings,ProxyServer = http=127.0.0.1:50370
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-{E1C02D5A-3BF7-65F9-9708-478240DC3612} - c:\documents and settings\Nick\Application Data\Ifbyb\apoh.exe
HKLM-Run-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
HKLM-Run-IndexSearch - c:\program files\ScanSoft\PaperPort\IndexSearch.exe
HKLM-Run-ControlCenter2.0 - c:\program files\Brother\ControlCenter2\brctrcen.exe
HKLM-Run-Ojexoj - c:\windows\agidijibazove.dll
HKLM-Run-rap - c:\program files\win\x41.exe
ShellExecuteHooks-{56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU32m.exe
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-30 23:12
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-11-30 23:13:22
ComboFix-quarantined-files.txt 2010-11-30 23:13
Pre-Run: 24,714,354,688 bytes free
Post-Run: 24,826,687,488 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - B648C36E246519AA1ED639712DEA8506
-
Nothing will ever be attempted if all possible [STRIKE]objections must first be overcome - Samuel Johnson[/STRIKE] Alienrik/Browntoa or another Combo fix guru arrives - paraphrased DCM's cat . Wait here Kitten :cool: .
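As an added triage aid (not part of the original thread and not ComboFix's own tooling), the script below reads a ComboFix log for three things a responder checks first when the question is "could banking details have been taken": a browser proxy pointed at a loopback listener (the posted log shows `http=127.0.0.1:50370`), an antivirus whose on-access scanner is reported disabled, and Run entries that launch from a user-writable profile folder or carry a GUID-style value name. The sample log is a constructed excerpt of lines copied from the log above; the "suspicious" heuristics are my own triage rules, not ComboFix's verdicts, so a legitimate updater that also lives under Application Data (Google Update here) is listed for review rather than declared malicious.

```python
import re

# Constructed excerpt: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Nick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-03 136176]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
uInternet Settings,ProxyServer = http=127.0.0.1:50370
HKCU-Run-{E1C02D5A-3BF7-65F9-9708-478240DC3612} - c:\documents and settings\Nick\Application Data\Ifbyb\apoh.exe
HKLM-Run-rap - c:\program files\win\x41.exe
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)
AV_RE = re.compile(r"^AV:\s*(?P<name>.+?)\s*\*(?P<state>[^*]+)\*", re.IGNORECASE | re.MULTILINE)
# Two shapes of Run entry occur in a ComboFix log: REGEDIT4-style "name"="path" lines
# under a [...\Run] key, and "HKCU-Run-<name> - <path>" lines in the ORPHANS REMOVED section.
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"', re.MULTILINE)
ORPHAN_RUN_RE = re.compile(r"^HK(?:CU|LM)-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$", re.MULTILINE)
GUID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.IGNORECASE)
LOOPBACK = ("127.", "localhost", "[::1]", "::1")


def find_local_proxy(log: str):
    """Return (scheme, host, port) for every ProxyServer entry that points at loopback.

    A browser proxy on 127.0.0.1 means something on the machine sits between the
    browser and the network, which is why it matters for the banking question.
    """
    hits = []
    for m in PROXY_RE.finditer(log):
        # The value may list several scheme=host:port pairs separated by ';'.
        for part in m.group("value").split(";"):
            scheme, _, hostport = part.rpartition("=")
            host, _, port = hostport.rpartition(":")
            if host.lower().startswith(LOOPBACK) and port.isdigit():
                hits.append((scheme or "*", host, int(port)))
    return hits


def find_disabled_av(log: str):
    """Names of AV products whose on-access scanner ComboFix reports as disabled."""
    return [m.group("name") for m in AV_RE.finditer(log)
            if "disabled" in m.group("state").lower()]


def find_suspicious_run_entries(log: str):
    """Run entries worth a second look, each with the reason(s) it was flagged.

    Heuristics (assumed triage rules, not a verdict): the executable lives under a
    user profile's Application Data folder, or the value name is a bare GUID.
    """
    entries = [(m.group("name"), m.group("path")) for m in RUN_VALUE_RE.finditer(log)]
    entries += [(m.group("name"), m.group("path")) for m in ORPHAN_RUN_RE.finditer(log)]
    findings = []
    for name, path in entries:
        reasons = []
        if "\\application data\\" in path.lower():
            reasons.append("runs from user profile Application Data")
        if GUID_RE.match(name):
            reasons.append("GUID-style value name")
        if reasons:
            findings.append({"name": name, "path": path.strip(), "reasons": reasons})
    return findings


def triage(log: str) -> dict:
    """Collect the three checks into one report."""
    return {
        "local_proxy": find_local_proxy(log),
        "av_disabled": find_disabled_av(log),
        "run_entries": find_suspicious_run_entries(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full ComboFix log by replacing `SAMPLE_LOG` with the file's contents; the three lists it returns are the starting point for deciding whether credentials entered through that browser should be treated as exposed and changed from a clean machine.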
-
Jesus dusty. What DO you do with your computer??
It's been seriously compromised, and I'd recommend a full format and reinstall. :idea:
-
Dustykitten wrote: »
Yes the lack of AV was DH's oversight. He 'rebuilt' the machine last month and omitted to put it back on. That has now been rectified with Avira - is that a good one?
I'll do combofix now

Jesus dusty. What DO you do with your computer??
It's been seriously compromised, and I'd recommend a full format and reinstall

Guess that's the answer then Rik :eek:
-
Hi Rik techie hero :A
Please note it is not me doing this, it is always one of the boys, hence why my pc password is strictly guarded. DS was watching the Ashes on live streaming sites as we don't have sky so I'm guessing that is where it is from.
Stupid question, but could somebody have got his banking details from this? I guess he should sign in on my pc and change the details asap?
Thanks for your help as ever tech team :T
-
Looking at what Malwarebytes has removed, I'd say it's very possible that details have been stolen. :idea:
This discussion has been closed.