LloydsTSB browser hijacked - please help [Solved]


#1 Layth (Member, 42 posts)

Hello

Looks like I'm back again, I hope you guys can help!

My flat mate Vicky asked me to look at her computer as it wasn't working! I realised that SP2 had been unsuccessfully installed and was corrupting everything. I got it installed and updated her system up to SP3 with all the latest patches etc from windows update and upgraded IE6 up to IE8. It wasn't well looked after as it had no updates and no antivirus.

I added all these and it now also has AVG8.5.

I went to lloydstsb.com to log onto my bank online using her computer and on the login page was...

UserID:
Password:
Memorable Word:


I rang up LloydsTSB and they said that there must be a virus or something because it shouldn't ask for the memorable word. I thought... trojan/spyware/something like that.

I scanned with AVG8.5/Ad-aware/MBAM and it found lots and lots and got rid of them all. However, the LloydsTSB problem is still there. I've installed Firefox now and that doesn't seem to be effected. This shows that it's a hijack related to IE8. Although i can get around it by using Firefox, i'd like to get rid of it anyway. I've also noticed that i can't go to windows update via IE8, i've gotta let it do it itself with automatic updates as IE8 crashes with an error related to msvcrt.dll if i've remembered correctly!

Can anyone help with the LloydsTSB problem? Is the windows updated problem somehow related?

Layth

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi there - before I can help I will need more information

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Check the box that says 64 bit
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post


#3 Layth (Topic Starter)

Hi

Thanks for your help

I've attached the log

Thanks

:)

Attached Files

  • Attached File  OTS.Txt   195.07KB   155 downloads


#4 Essexboy (GeekU Moderator)

Hi again

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

I will need to use another tool now to check some different areas of your system, but first I will kill what I can see

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" [HKLM] -> c:\program files\google\googletoolbar2.dll [&Google]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2122901767-4168273537-3479383672-1005\] > -> HKEY_USERS\S-1-5-21-2122901767-4168273537-3479383672-1005\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> c:\program files\google\googletoolbar2.dll [&Google]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "navapp" -> C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe [C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> ms32clod.dll -> C:\WINDOWS\System32\ms32clod.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Drives with AutoRun files > -> 
NY -> F:\autorun.inf [[AutoRun] | open=UFO.exe | Shellexecute=UFO.exe | shell\Auto\command=UFO.exe | ] -> F:\autorun.inf [ FAT ]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{f85a964d-59da-11de-a8d3-001d0fb9aa47} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f85a964d-59da-11de-a8d3-001d0fb9aa47}\Shell -> 
YN -> \{f85a964d-59da-11de-a8d3-001d0fb9aa47}\Shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f85a964d-59da-11de-a8d3-001d0fb9aa47}\Shell\Auto\command -> 
YN -> \{f85a964d-59da-11de-a8d3-001d0fb9aa47}\Shell\Auto\command\\"" -> [UFO.exe]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f85a964d-59da-11de-a8d3-001d0fb9aa47}\Shell\AutoRun -> 
YN -> \{f85a964d-59da-11de-a8d3-001d0fb9aa47}\Shell\AutoRun\\"" -> [Auto&Play]
[Files/Folders - Created Within 30 Days]
NY -> cok458en.dat -> C:\WINDOWS\System32\cok458en.dat
NY -> mmd109en.dat -> C:\WINDOWS\System32\mmd109en.dat
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with an OTL log so we can continue cleaning the system.


Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

#5 Layth (Topic Starter)

Hi

I've tried to run the fix but the program just hangs after explorer closes. Have ended the process and tried again but the same happens. It's still hanging now... any suggestions?

Layth

#6 Essexboy (GeekU Moderator)

Yep, go straight to the Combofix section, as the malware is blocking OTS. If necessary run Combofix in safe mode; it will complain, but ignore it.

#7 Layth (Topic Starter)

Right

I ran ComboFix

It didn't like that AVG was still running and I couldn't find a way to stop it, so it continued anyway.

I downloaded the Microsoft restore service or something. That was fine

Attached is the log


Thank you again

Layth

ComboFix 09-06-15.07 - Vix 16/06/2009 18:48.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.136 [GMT 1:00]
Running from: F:\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\winmplayer.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.

2009-06-16 17:24 . 2009-06-16 17:24 -------- d-----w- C:\_OTS
2009-06-16 16:44 . 2009-06-16 16:44 -------- d-----w- c:\windows\LastGood
2009-06-16 15:32 . 2009-06-16 15:32 0 ----a-w- c:\windows\nsreg.dat
2009-06-16 15:32 . 2009-06-16 15:32 -------- d-----w- c:\documents and settings\Vix\Local Settings\Application Data\Mozilla
2009-06-16 15:17 . 2009-06-16 15:17 -------- d-----w- c:\program files\ERUNT
2009-06-16 14:56 . 2009-06-16 14:00 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-16 13:52 . 2009-06-16 14:00 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-16 13:52 . 2009-06-16 13:52 -------- d-----w- c:\windows\system32\DRVSTORE
2009-06-16 13:52 . 2009-06-16 13:52 -------- d--h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-16 13:52 . 2009-03-12 08:17 2902048 ----a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-16 13:51 . 2009-06-16 13:51 -------- d-----w- c:\program files\Lavasoft
2009-06-16 13:51 . 2009-06-16 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-15 21:25 . 2009-06-15 21:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-15 21:07 . 2009-06-15 21:07 -------- d-----w- c:\windows\system32\scripting
2009-06-15 21:07 . 2009-06-15 21:07 -------- d-----w- c:\windows\l2schemas
2009-06-15 21:07 . 2009-06-15 21:07 -------- d-----w- c:\windows\system32\en
2009-06-15 21:07 . 2009-06-15 21:07 -------- d-----w- c:\windows\system32\bits
2009-06-15 20:28 . 2009-06-15 20:28 -------- d-----w- c:\windows\ie8updates
2009-06-15 20:26 . 2003-02-28 17:26 139536 ----a-w- c:\windows\system32\javaee.dll
2009-06-15 20:24 . 2009-06-15 20:24 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-15 20:19 . 2009-06-15 20:19 -------- d-----w- c:\program files\MSXML 4.0
2009-06-15 20:17 . 2008-04-14 00:12 4874240 ------w- c:\windows\system32\dllcache\wmp.dll
2009-06-15 20:17 . 2008-09-10 01:14 1307648 ------w- c:\windows\system32\msxml6.dll
2009-06-15 20:17 . 2008-09-10 01:14 1307648 ------w- c:\windows\system32\dllcache\msxml6.dll
2009-06-15 20:15 . 2008-04-14 00:11 48640 ------w- c:\windows\system32\dhcpqec.dll
2009-06-15 20:14 . 2008-04-14 00:12 114688 ------w- c:\windows\system32\dllcache\wmpasf.dll
2009-06-15 20:13 . 2003-03-31 11:00 403 ------w- c:\windows\system32\dllcache\npdrmv2.zip
2009-06-15 20:13 . 2003-03-31 11:00 22060 ------w- c:\windows\system32\dllcache\npds.zip
2009-06-15 19:48 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-06-15 19:46 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-06-15 19:46 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-06-15 19:46 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-06-15 19:46 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-06-15 19:45 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-06-15 19:45 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-06-15 19:45 . 2008-10-03 10:02 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-06-15 19:45 . 2008-09-04 17:15 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-06-15 19:44 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-15 19:44 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-15 19:44 . 2009-06-15 19:44 -------- d--h--w- c:\windows\$hf_mig$
2009-06-15 19:35 . 2009-06-15 19:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-15 19:35 . 2009-06-15 19:35 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-15 19:35 . 2009-06-15 19:35 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-15 19:35 . 2009-06-15 19:35 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-15 19:35 . 2009-06-15 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-15 19:34 . 2009-06-15 19:34 -------- d-----w- c:\program files\AVG
2009-06-15 19:34 . 2009-06-15 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-15 19:23 . 2009-06-15 19:23 -------- d-----w- c:\documents and settings\Vix\Application Data\AVG8
2009-06-15 19:21 . 2009-06-15 19:21 -------- d-sh--w- c:\documents and settings\Vix\IECompatCache
2009-06-15 19:21 . 2009-06-15 19:21 -------- d-sh--w- c:\documents and settings\Vix\PrivacIE
2009-06-15 19:19 . 2009-06-15 19:19 -------- d-sh--w- c:\documents and settings\Vix\IETldCache
2009-06-15 19:15 . 2009-06-15 19:15 -------- d--h--w- c:\windows\ie8
2009-06-15 19:07 . 2009-06-15 19:07 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2009-06-15 18:58 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-15 18:56 . 2008-04-14 00:12 1737856 ------w- c:\windows\system32\mtxparhd.dll
2009-06-15 18:53 . 2009-06-15 18:53 -------- d-----w- c:\windows\ServicePackFiles
2009-06-15 18:49 . 2008-04-13 17:39 2897920 ------w- c:\windows\system32\xpsp2res.dll
2009-06-15 18:46 . 2009-01-07 17:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-06-15 18:43 . 2009-06-15 18:43 -------- d-----w- c:\windows\EHome
2009-05-28 20:08 . 2009-02-15 16:49 38200 ----a-w- c:\documents and settings\Beebop\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-28 19:36 . 2009-05-28 19:36 0 ----a-w- c:\windows\system32\cok458en.dat
2009-05-28 19:36 . 2009-05-28 19:36 0 ----a-w- c:\windows\system32\mmd109en.dat
2009-05-27 13:39 . 2009-05-27 13:39 16896 ----a-w- c:\windows\system32\perfc5932.dat
2009-05-27 13:39 . 2009-05-27 13:39 1 ----a-w- c:\windows\system32\perfc7683.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 21:13 . 2004-01-03 09:08 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-15 20:26 . 2009-06-15 20:26 2678 ----a-w- c:\windows\java\Packages\Data\YONNRR5V.DAT
2009-06-15 20:26 . 2009-06-15 20:26 2678 ----a-w- c:\windows\java\Packages\Data\7VVBZRBV.DAT
2009-06-15 20:26 . 2009-06-15 20:26 2678 ----a-w- c:\windows\java\Packages\Data\L79J3XVT.DAT
2009-06-15 20:26 . 2009-06-15 20:26 2678 ----a-w- c:\windows\java\Packages\Data\HR797R5R.DAT
2009-06-15 20:26 . 2009-06-15 20:26 2678 ----a-w- c:\windows\java\Packages\Data\AOIPRTR7.DAT
2009-06-15 19:35 . 2008-01-30 22:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-15 19:08 . 2004-10-31 09:42 79608 ----a-w- c:\documents and settings\Vix\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-15 17:43 . 1979-12-31 23:00 530772 ----a-w- c:\windows\system32\pst.dat
2009-05-26 12:20 . 2009-01-05 21:04 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2009-01-05 21:04 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-13 05:15 . 1979-12-31 23:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 1979-12-31 23:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 1979-12-31 23:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-01-03 09:59 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-04-28 184320]
"LManager"="c:\progra~1\LAUNCH~1\CPLBCL53.EXE" [2003-12-15 262144]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-21 40960]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-07-25 151552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-06-04 286720]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-15 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"CONNECTScheduler"="c:\program files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2005-11-15 69632]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-15 1948440]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-16 518488]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2003-05-14 55296]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-07-25 88363]
"bcmwltry"="bcmwltry.exe" - c:\windows\system32\bcmwltry.exe [2003-07-25 462848]
"RemoveCpl"="RemoveCpl.exe" - c:\windows\system32\RemoveCpl.exe [2003-01-14 24576]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
PI Monitor.lnk - c:\program files\ArcSoft\PhotoImpression 5\PI Monitor.exe [2004-12-25 86016]
CONNECTAUTrayApp.lnk - c:\program files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe [2005-11-15 114688]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Exif Launcher 2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2007-8-1 294912]
USB Wireless Client Utility.lnk - c:\program files\Wireless USB\Installer\WINXP\USB Wireless Client Utility.exe [2009-1-8 598016]
Net Send GUI.lnk - c:\program files\Fomine Net Send GUI\NetSendGUI.exe [2008-2-25 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-15 19:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Fomine Net Send GUI\\NetSendGUI.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [16/06/2009 14:52 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [15/06/2009 20:35 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [15/06/2009 20:35 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [15/06/2009 20:34 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1005904]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 14:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {ACC5B0A3-BC18-4CA2-A631-568266DE2E8F} = 192.168.0.1
TCP: {BF1C3B9B-2ECF-49B0-8295-FF0FF8BB7C4B} = 192.168.0.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 18:56
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-16 18:59
ComboFix-quarantined-files.txt 2009-06-16 17:59

Pre-Run: 5,190,631,424 bytes free
Post-Run: 5,166,006,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

186 --- E O F --- 2009-06-16 16:49


#8 Essexboy (GeekU Moderator)

Nearly done I believe, looks like OTS killed the really bad one before it locked. On completion of this run could you check the Lloyds site again please and let me know how the computer is running :)

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#9 Layth (Topic Starter)

Ok

The LloydsTSB website is back to normal! WOO!

Thank you so much

Malwarebytes found nothing; I've attached the log anyway.

Remember, this was my housemate's laptop and it hadn't been updated for AGES and had no antivirus AND had been on the internet for ages, so do you think there's anything else I can do to double check that there's nothing else on there before I give it back to her?

Thank you so much again!

Layth


#10 Essexboy (GeekU Moderator)

That looks good now so follow the destructions below and you should be good :)

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... run OTS and hit the Cleanup button. It will remove all the programmes we have used, plus itself. MBAM can be uninstalled via Control Panel > Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 14.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done


SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#11 Essexboy (GeekU Moderator)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.