
Help needed to remove Trojan horse patched_c.LYU


Comments

  • Figment
    Figment Posts: 2,643 Forumite
    Part of the Furniture Combo Breaker
    Looking good so far.

    In waddler's absence, I suggest you repeat the DDS scan (see post #7)
    How do I add a signature?
  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    OK. I'll do that next and post my findings.
  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    AVG has come out clean, and this is the DDS log. Please tell me I am virus free!!

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.4.1
    Run by SAMSUNG at 17:26:21 on 2012-07-01
    Microsoft Windows 7 Starter 6.1.7601.1.1252.44.1033.18.2037.969 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\windows\system32\wininit.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\WLANExt.exe
    C:\windows\system32\conhost.exe
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\windows\system32\taskhost.exe
    C:\windows\system32\Dwm.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\windows\Explorer.EXE
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Samsung\Samsung Support Center\SSCKbdHk.exe
    C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files\Samsung\Samsung Recovery Solution 4\WCScheduler.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\windows\system32\svchost.exe -k bthsvcs
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files\LaCie\Genie Backup Assistant\GBMAgent.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\windows\system32\svchost.exe -k SDRSVC
    C:\windows\system32\taskhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\windows\system32\DllHost.exe
    C:\windows\system32\DllHost.exe
    C:\windows\system32\conhost.exe
    C:\windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/ig
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    uRun: [GBMLite8AgentLaCie] c:\program files\lacie\genie backup assistant\GBMAgent.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} - hxxps://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{40C7E3F9-2B52-4276-81CA-F9D8D9011798} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{D2CF9CBF-DC87-40D5-99A3-657AE1423C76} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{D2CF9CBF-DC87-40D5-99A3-657AE1423C76}\244584F6D656845726D253343364 : DhcpNameServer = 192.168.1.254
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - c:\windows\system32\CbFsMntNtf3.dll
    STS: Virtual Storage Mount Notification: {5ff49fe8-b332-4cb9-b102-fb6951629e55} - c:\windows\system32\CbFsMntNtf3.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
    R1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2012-2-5 296592]
    R1 SABI;SAMSUNG Kernel Driver For Windows 7;c:\windows\system32\drivers\SABI.sys [2010-5-11 10752]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
    R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
    R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
    R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys [2011-2-6 286248]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2011-2-6 33320]
    R3 CryptOSD;Phoenix CryptOSD Device Driver;c:\windows\system32\drivers\CryptOSD.sys [2009-5-1 384896]
    R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
    R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
    R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
    R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
    R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 257224]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-25 52224]
    .
    =============== Created Last 30 ================
    .
    2012-07-01 15:51:20 -------- d-s---w- C:\ComboFix
    2012-07-01 11:50:24 -------- d-----w- c:\users\samsung\appdata\local\temp
    2012-06-30 22:22:10 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-30 22:22:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-06-30 22:11:15 -------- d-----w- c:\program files\CCleaner
    2012-06-30 22:09:17 -------- d-----w- c:\users\samsung\appdata\roaming\Ad-Aware Antivirus
    2012-06-30 21:46:37 -------- d-----w- c:\users\samsung\appdata\roaming\Malwarebytes
    2012-06-30 21:46:17 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-30 21:46:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-30 21:46:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-30 19:19:29 -------- d-----w- c:\programdata\Sophos
    2012-06-28 22:48:13 -------- d-----w- C:\sh4ldr
    2012-06-28 22:48:13 -------- d-----w- c:\program files\Enigma Software Group
    2012-06-28 22:46:58 -------- d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
    2012-06-28 22:46:55 -------- d-----w- c:\program files\common files\Wise Installation Wizard
    2012-06-28 22:36:26 -------- d-----w- c:\users\samsung\appdata\roaming\SpeedyPC Software
    2012-06-28 22:36:26 -------- d-----w- c:\users\samsung\appdata\roaming\DriverCure
    2012-06-28 22:36:08 -------- d-----w- c:\programdata\SpeedyPC Software
    2012-06-28 18:13:22 -------- d-----w- c:\program files\iPod
    2012-06-28 18:12:30 -------- d-----w- c:\users\samsung\appdata\roaming\GetRightToGo
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2012-06-28 17:54:23 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2012-06-21 18:55:53 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-21 18:55:06 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-21 18:54:28 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-21 18:54:28 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-19 20:50:27 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-06-19 20:50:02 2342400 ----a-w- c:\windows\system32\msi.dll
    2012-06-19 20:49:59 2343936 ----a-w- c:\windows\system32\win32k.sys
    2012-06-19 20:49:57 58880 ----a-w- c:\windows\system32\rdpwsx.dll
    2012-06-19 20:49:57 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
    2012-06-19 20:49:56 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
    2012-06-19 20:49:55 164352 ----a-w- c:\windows\system32\profsvc.dll
    2012-06-19 20:49:40 1158656 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-19 20:49:39 140288 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-19 20:49:38 103936 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-07 20:39:27 -------- d-----w- c:\program files\Oracle
    2012-06-07 20:38:49 772504 ----a-w- c:\windows\system32\npDeployJava1.dll
    2012-06-07 20:12:38 -------- d-sh--w- c:\windows\system32\%APPDATA%
    .
    ==================== Find3M ====================
    .
    2012-06-20 19:50:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-20 19:50:48 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-04-19 03:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2012-04-18 19:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2012-04-18 19:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    ============= FINISH: 17:27:34.95 ===============
  • spud17
    spud17 Posts: 4,431 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    I don't want to tread on any toes, :) but I notice that there is mention of Ad-Aware Antivirus in your DDS log.

    I can't recall this being mentioned in any of the posts.
    I'd recommend that it's removed, because there could be a conflict with AVG, but will bow to waddler's superior knowledge. :)
    Move along, nothing to see.
  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    I don't have Ad-Aware installed on my computer, unless it's been downloaded with one of the other anti-virus/malware tools. Certainly can't find it to open the software, neither is there anything to uninstall it.
  • Figment
    Figment Posts: 2,643 Forumite
    Part of the Furniture Combo Breaker
    It certainly looks that way to me.


    If you haven't already done so, you should uninstall most of the programs you installed in trying to fix this problem, including:


    Spybot - Search & Destroy
    Ad-Aware Antivirus
    sh4ldr
    Enigma Software Group
    SpeedyPC Software
    DriverCure


    Leave Malwarebytes, CCleaner and Sophos


    I'm not sure what this is:

    c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP

    The file type suggests it's a temporary file. Check in the C:\Windows folder to see if it's still there. Do not delete it yet.
    How do I add a signature?
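One way to do the kind of check Figment describes, working through the DDS "Created Last 30" section rather than eyeballing it: the script below is an added example, not code from the thread, from DDS or from any of the tools named in it. It assumes the DDS entry layout as re-joined above (timestamp, size or dashes for a directory, an eight-character attribute field, path) and uses its own triage heuristics, which are assumptions of this example and not DDS rules: a GUID-named .TMP directory directly under C:\Windows, hidden+system attributes, a literal environment-variable name inside a path, a directory created at the drive root, and which other entries were created within a few seconds of a flagged one (the way the Wise Installation Wizard folder precedes the .TMP folder by three seconds in the log). The sample input is an excerpt of the log posted above.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the "Created Last 30" section of the DDS log posted in this thread,
# one entry per line: timestamp, size ("--------" for a directory), attributes, path.
DDS_CREATED_LAST_30 = r"""
2012-07-01 15:51:20 -------- d-s---w- C:\ComboFix
2012-06-30 22:09:17 -------- d-----w- c:\users\samsung\appdata\roaming\Ad-Aware Antivirus
2012-06-30 21:46:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-28 22:48:13 -------- d-----w- C:\sh4ldr
2012-06-28 22:48:13 -------- d-----w- c:\program files\Enigma Software Group
2012-06-28 22:46:58 -------- d-----w- c:\windows\9E897D0FF80441A3966C7BB6EB5B6BE8.TMP
2012-06-28 22:46:55 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-06-07 20:12:38 -------- d-sh--w- c:\windows\system32\%APPDATA%
"""

# Assumed entry layout (see lead-in); the attribute field is taken to be 8 characters,
# starting with "d" for a directory and containing "h"/"s" for hidden/system.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>-+|\d+)\s+"
    r"(?P<attrs>[\w-]{8})\s+"
    r"(?P<path>.+)$"
)

# 32 hex characters + ".TMP" directly under C:\Windows (the shape of the folder
# Figment asked about); this is a heuristic of this example, not a DDS rule.
GUID_TMP_RE = re.compile(r"^c:\\windows\\[0-9a-f]{32}\.tmp$", re.I)


def parse_entries(text):
    """Parse DDS 'Created Last 30' lines into dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append({
            "when": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "is_dir": attrs[0] == "d",
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "path": m["path"],
        })
    return entries


def triage(entries, window=timedelta(seconds=10)):
    """Return the entries worth a second look, with the reason(s) and the other
    entries created within `window` of them (installer and payload folders are
    often written seconds apart, which is what the neighbour list surfaces)."""
    findings = []
    for e in entries:
        p = e["path"].lower()
        reasons = []
        if GUID_TMP_RE.match(p):
            reasons.append("GUID-named .TMP directory directly under C:\\Windows")
        if e["hidden"] and e["system"]:
            reasons.append("hidden+system attributes")
        if p.startswith("c:\\windows\\system32\\") and "%" in p:
            reasons.append("literal environment-variable name in path")
        if e["is_dir"] and p.count("\\") == 1:
            reasons.append("directory created at drive root")
        if not reasons:
            continue
        neighbours = [o["path"] for o in entries
                      if o is not e and abs(o["when"] - e["when"]) <= window]
        findings.append({"path": e["path"], "reasons": reasons, "created_with": neighbours})
    return findings


def report(text):
    """Human-readable triage lines for a DDS 'Created Last 30' section."""
    lines = []
    for f in triage(parse_entries(text)):
        lines.append(f"{f['path']}: {'; '.join(f['reasons'])}")
        for n in f["created_with"]:
            lines.append(f"    created within seconds of: {n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DDS_CREATED_LAST_30)))
```

Nothing the script flags is a verdict; it narrows the log to the handful of entries a helper would ask about, and the neighbour list is what ties the unknown .TMP folder to the Wise Installation Wizard folder created three seconds earlier, which is the same link kellyp later found by hand (the WiseCustomCall files inside it).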
  • Figment
    Figment Posts: 2,643 Forumite
    Part of the Furniture Combo Breaker
    kellyp wrote: »
    I don't have Ad-Aware installed on my computer, unless it's been downloaded with one of the other anti-virus/malware tools. Certainly can't find it to open the software, neither is there anything to uninstall it.

    2012-06-30 22:09:17 -------- d-----w- c:\users\samsung\appdata\roaming\Ad-Aware Antivirus
    How do I add a signature?
  • Figment
    Figment Posts: 2,643 Forumite
    Part of the Furniture Combo Breaker
    Sorry Kelly, post 47 was replying to post 44
    How do I add a signature?
  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    I have already removed all the cleanup tools. Anything mentioned in the text above is presumably files that don't get deleted(?).
    I have looked in the strange Windows file you mention - some files in there called WiseCustomCall, Wisecustomcalla and wise data. No idea what this is!
  • kellyp
    kellyp Posts: 182 Forumite
    Part of the Furniture 100 Posts Name Dropper
    Definitely can't find Ad-Aware on the computer even though it's on the report
This discussion has been closed.