
Is this legit


Comments

  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    danceppy wrote: »
    So this is definitely some form of attack/virus?

    At least 1 'worm' has been found which is definitely a nasty

    Whether or not anything else remains we shall see when the log's posted.
  • dixie_dean_2
    dixie_dean_2 Posts: 1,812 Forumite
    1,000 Posts Combo Breaker
    Is that not the log I posted? Or is there something else?
    And if, you know, your history...
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I'm waiting on the ComboFix log.
  • dixie_dean_2
    dixie_dean_2 Posts: 1,812 Forumite
    1,000 Posts Combo Breaker
    I don't know what ComboFix is?!
    And if, you know, your history...
  • dixie_dean_2
    dixie_dean_2 Posts: 1,812 Forumite
    1,000 Posts Combo Breaker
    Sorry...will do ComboFix now...last night seems a long time ago!
    And if, you know, your history...
  • dixie_dean_2
    dixie_dean_2 Posts: 1,812 Forumite
    1,000 Posts Combo Breaker
    How do I turn off spyware - seem to have Avast (now) and McAfee. Only checked Avast but don't know how to turn that off to perform the ComboFix thing.

    Cheers
    And if, you know, your history...
  • dixie_dean_2
    dixie_dean_2 Posts: 1,812 Forumite
    1,000 Posts Combo Breaker
    Managed to disable Avast for 10 mins but can't seem to do the same for mac...?
    And if, you know, your history...
  • dixie_dean_2
    dixie_dean_2 Posts: 1,812 Forumite
    1,000 Posts Combo Breaker
    Hmmm, think I've turned it all off but worried by the ComboFix message from before that says if they're not off it may damage my computer...not 100% they are off.
    And if, you know, your history...
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Unless I'm extremely tired from nights (every chance), I can't see Avast in the hijack log.

    Have you installed Avast in the last day or something?

    You really shouldn't have 2 AV programs running (especially with Mcrapee being one of them).
  • dixie_dean_2
    dixie_dean_2 Posts: 1,812 Forumite
    1,000 Posts Combo Breaker
    Ah, yes, did Avast as recommended in this thread. Should I leave Avast on and remove McAfee then? Here is the log, apologies if I have left in stuff you said to delete and thanks again. Really appreciate the time. If I can help with anything cooking(!)/gambling/travel related let me know. And now, a lot of mumbo jumbo:

    ComboFix 11-02-28.07 - Bob 01/03/2011 18:40:48.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.293 [GMT 0:00]
    Running from: c:\users\Bob\Downloads\QWERTY.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
    .
    2011-03-01 18:52 . 2011-03-01 18:52 d-----w- c:\users\Default\AppData\Local\temp
    2011-03-01 17:18 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E3B2162E-478B-4BFB-A4A5-3ADB91DAEE6F}\mpengine.dll
    2011-03-01 00:42 . 2011-02-23 14:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-03-01 00:42 . 2011-02-23 14:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-03-01 00:42 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-03-01 00:42 . 2011-02-23 14:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-03-01 00:42 . 2011-02-23 14:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-03-01 00:42 . 2011-02-23 14:55 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-03-01 00:41 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
    2011-03-01 00:41 . 2011-02-23 15:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-03-01 00:40 . 2011-03-01 00:40 d-----w- c:\programdata\AVAST Software
    2011-03-01 00:40 . 2011-03-01 00:40 d-----w- c:\program files\AVAST Software
    2011-02-28 21:37 . 2011-02-28 21:37 388096 ----a-r- c:\users\Bob\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-02-28 21:37 . 2011-02-28 21:37 d-----w- c:\program files\Trend Micro
    2011-02-28 21:11 . 2011-02-28 21:11 d-----w- c:\users\Bob\AppData\Roaming\Malwarebytes
    2011-02-28 21:11 . 2010-12-20 18:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-28 21:11 . 2011-02-28 21:11 d-----w- c:\programdata\Malwarebytes
    2011-02-28 21:11 . 2010-12-20 18:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-28 21:11 . 2011-02-28 21:11 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-28 20:14 . 2011-02-28 20:42 d-----w- C:\QUARANTINE
    2011-02-23 19:03 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
    2011-02-23 19:00 . 2009-10-09 21:56 12800 ----a-w- c:\windows\system32\wsmprovhost.exe
    2011-02-23 19:00 . 2009-10-09 21:56 20480 ----a-w- c:\windows\system32\winrshost.exe
    2011-02-23 19:00 . 2009-10-09 21:56 40448 ----a-w- c:\windows\system32\winrs.exe
    2011-02-23 19:00 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\wsmplpxy.dll
    2011-02-23 19:00 . 2009-10-09 21:56 10240 ----a-w- c:\windows\system32\winrssrv.dll
    2011-02-23 18:59 . 2009-10-09 21:55 56320 ----a-w- c:\windows\system32\wecapi.dll
    2011-02-23 18:59 . 2009-10-09 21:55 79872 ----a-w- c:\windows\system32\wecutil.exe
    2011-02-23 18:59 . 2009-10-09 21:55 146944 ----a-w- c:\windows\system32\wecsvc.dll
    2011-02-23 18:59 . 2009-10-09 21:55 81408 ----a-w- c:\windows\system32\wevtfwd.dll
    2011-02-23 18:59 . 2009-10-09 21:55 54272 ----a-w- c:\windows\system32\WsmRes.dll
    2011-02-23 18:59 . 2009-10-09 21:56 41472 ----a-w- c:\windows\system32\pwrshplugin.dll
    2011-02-23 18:58 . 2009-08-01 06:27 201184 ----a-w- c:\windows\system32\winrm.vbs
    2011-02-23 18:58 . 2009-10-09 21:56 145408 ----a-w- c:\windows\system32\WsmAuto.dll
    2011-02-23 18:58 . 2009-10-09 21:56 214016 ----a-w- c:\windows\system32\WsmWmiPl.dll
    2011-02-23 18:58 . 2009-10-09 21:56 241152 ----a-w- c:\windows\system32\winrscmd.dll
    2011-02-23 18:58 . 2009-10-09 21:56 246272 ----a-w- c:\windows\system32\WSManHTTPConfig.exe
    2011-02-23 18:58 . 2009-10-09 21:55 252416 ----a-w- c:\windows\system32\WSManMigrationPlugin.dll
    2011-02-23 18:58 . 2009-10-09 21:56 1181696 ----a-w- c:\windows\system32\WsmSvc.dll
    2011-02-14 17:31 . 2010-12-31 13:25 2038784 ----a-w- c:\windows\system32\win32k.sys
    2011-02-14 17:31 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
    2011-02-14 17:31 . 2010-10-15 14:08 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-02-14 17:31 . 2010-10-15 14:08 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-02-14 17:31 . 2011-01-06 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 17:11 . 2010-10-21 18:54 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-12-28 14:57 . 2011-01-12 18:50 409600 ----a-w- c:\windows\system32\odbc32.dll
    2010-12-14 15:49 . 2011-01-12 18:50 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2010-12-09 19:06 . 2010-12-09 19:06 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}]
    2011-02-23 15:04 814160 ----a-w- c:\program files\AVAST Software\Avast\aswWebRepIE.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}"= "c:\program files\AVAST Software\Avast\aswWebRepIE.dll" [2011-02-23 814160]
    [HKEY_CLASSES_ROOT\clsid\{8e5e2654-ad2d-48bf-ac2d-d17f00898d06}]
    [HKEY_CLASSES_ROOT\Avast.WrcBar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{CD3AF781-AF1F-4400-9A30-15470BE43AD9}]
    [HKEY_CLASSES_ROOT\Avast.WrcBar]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-01-29 430080]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-10-21 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 129560]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-29 4911104]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "NDSTray.exe"="NDSTray.exe" [BU]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
    "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2006-12-06 366400]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-18 1836544]
    "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-08-25 136512]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-22 124240]
    "Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
    c:\users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2010-11-25 294912]
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 135664]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-20 38224]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-10-22 65448]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;c:\windows\system32\DRIVERS\rtlprot.sys [2007-04-23 25896]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
    S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2009-10-22 21256]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-10-22 70728]
    S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-03 126976]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
    S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-12-26 290304]
    .
    Contents of the 'Scheduled Tasks' folder
    2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 20:20]
    2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-10-21 20:20]
    2011-02-28 c:\windows\Tasks\User_Feed_Synchronization-{85B556E4-2136-4B13-A77D-ADBD915A4590}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://forums.moneysavingexpert.com/showpost.php?p=41605432&postcount=5
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
    .
    - - - - ORPHANS REMOVED - - - -
    HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-01 18:52
    Windows 6.0.6001 Service Pack 1 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????Ezo????X?X???X???X???X?
    scanning hidden files ...

    C:\## aswSnx private storage
    scan completed successfully
    hidden files: 1
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2011-03-01 19:03:02
    ComboFix-quarantined-files.txt 2011-03-01 19:02
    Pre-Run: 25,027,756,032 bytes free
    Post-Run: 25,032,880,128 bytes free
    - - End Of File - - C0C072E6E2539C31E0124DA2AB2BB595
    And if, you know, your history...
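Added example, not code from the thread or from the ComboFix authors: a small Python triage script that reads the "Reg Loading Points" and catchme sections of a ComboFix report in the shape pasted above and lists the entries a helper would look at first. The format assumptions (a registry key header in square brackets, `"name"="value" [date size]` entries, `[BU]` where no date and size were recorded, and a `hidden files: N` summary line) are taken from the log as posted; the embedded sample is a constructed abridgement of that log, not the full report.

```python
import re
from dataclasses import dataclass

# Constructed, abridged sample in the shape of the ComboFix report pasted in the
# thread (key headers in [brackets], "name"="value" [date size] entries, and the
# catchme "hidden files:" summary). Not the full log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" [BU]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
scanning hidden files ...
C:\## aswSnx private storage
hidden files: 1
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<qval>[^"]*)"|(?P<val>[^\[]+?))'
    r'\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
HIDDEN_RE = re.compile(r'^hidden files:\s*(\d+)$')
DATE_SIZE_RE = re.compile(r'\d{4}-\d{2}-\d{2} \d+')


@dataclass
class Entry:
    key: str    # registry key the value lives under
    name: str   # value name, e.g. "Sidebar"
    value: str  # value data, usually a path
    meta: str   # text inside the trailing [...]: "date size", "BU", or ''


def parse_entries(text):
    """Return the registry values listed under each [HKEY_...] header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key is not None:
            value = m.group('qval')
            if value is None:
                value = m.group('val').strip()
            entries.append(Entry(key, m.group('name'), value, m.group('meta') or ''))
    return entries


def hidden_file_count(text):
    """Number reported on the catchme 'hidden files: N' line (0 if absent)."""
    for raw in text.splitlines():
        m = HIDDEN_RE.match(raw.strip())
        if m:
            return int(m.group(1))
    return 0


def triage(text):
    """Return (category, detail) findings a helper would check before anything else."""
    findings = []
    for e in parse_entries(text):
        if e.key.lower().endswith('\\run'):
            # ComboFix prints a date and size when it located the file on disk;
            # a Run entry without them could not be matched to a real binary.
            if not DATE_SIZE_RE.search(e.meta):
                findings.append(('unverified-binary', f'{e.name} -> {e.value} [{e.meta}]'))
            # A bare file name relies on search-path resolution, so its origin is unclear.
            if '\\' not in e.value:
                findings.append(('path-not-resolved', f'{e.name} -> {e.value}'))
        if e.name.lower() == 'appinit_dlls' and e.value:
            # AppInit_DLLs is loaded into every process that loads user32.dll,
            # so any DLL set here deserves a look even when it belongs to a known product.
            findings.append(('appinit-dll', e.value))
    n = hidden_file_count(text)
    if n:
        findings.append(('hidden-files', f'catchme reported {n} hidden file(s)'))
    return findings


if __name__ == '__main__':
    for category, detail in triage(SAMPLE_LOG):
        print(f'{category:20} {detail}')
```

Run it against a saved ComboFix report by replacing `SAMPLE_LOG` with the file contents; entries with a date and size and a full path (Sidebar, avast) pass silently, while the `[BU]` entry, the AppInit_DLLs value and the catchme hidden-file count come out as the short list to look at.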