
[Resolved] Trojan Horse Dropper.Agent.GIT - HJT Log included


9 replies to this topic

#1 MungBean (New Member, 5 posts)

Posted 16 January 2008 - 01:26 AM

Hello.

Forgive me for the following wall of text. I just want to explain in as much detail the problem I am having.



Earlier today my computer became infected with this Trojan Horse Dropper.Agent.GIT.
This was also found during the scan: Trojan horse Dialer.RBO.

I did a scan with AVG and it showed a number of files which were infected. I clicked the heal button, and a popup said all files were successfully healed. After that everything seemed to be fine so I shut down the computer.

Not sure if this is needed or not, but these were the infected files that were healed:
vtutt.exe, avgcc.exe, axcmd.exe, BrStDvPt.exe, brctrcen.exe, NMBgMoniter.exe, NeroCheck.exe, realsched.exe, SSBkgdupdate.exe, PDVDServ.exe, jusched.exe, IndexSearch.exe, pptd40nt.exe, SiSUSBrg.exe, avp.exe

Later on when I re-booted the PC, it took longer than normal to start and when it finally showed my desktop, a message appeared saying something along the lines of "vtutt.exe" cannot be found and cannot start. I clicked OK then another message appeared saying that vtutt should be removed from the registry if it is no longer installed.
I ignored that message as I have no idea what vtutt is and I'm not experienced enough to play around with the registry.

Anyway, I noticed that AVG wasn't showing up in my system tray and decided to start it manually. I clicked the icon for the Control Center and it said it was missing and could not be found. I was still able to do a scan and it now showed that MSN Messenger was infected. The scan completed and successfully healed the infected item.

That's pretty much all that has happened until now, so here's the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:53 PM, on 16/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtutt.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174360622375
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip....er/igloader.CAB
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-game...ameLauncher.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6083 bytes

Edited by MungBean, 16 January 2008 - 01:29 AM.



#2 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts)

Posted 16 January 2008 - 12:21 PM

Hello MungBean and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem. It appears as if your system is infected with a Vundo trojan file infector. This infection tends to attempt to rename executable files that run at startup and replace them with infected copies. If this is the case, we will try to reverse the process. Be advised that there is a possibility that you may have to reinstall certain programs where a legitimate replacement file cannot be found.

Please download this file - combofix.exe by sUBs
  • You must download it to and run it from your Desktop
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

Regards,

Trevuren

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.

#3 MungBean (New Member, 5 posts)

Posted 16 January 2008 - 06:03 PM

Thanks for the reply Trevuren.

Not sure if this is supposed to happen with ComboFix or not, but when it went to shut down the computer, I got a blue screen error message. The main points of it were:
INVALID_KERNAL_HANDLE
and the Stop: 0x00000093 (0x00000144,0x00000000, 0x00000000, 0x00000000)
I had to manually restart the computer when that screen appeared.

Anyway, here is the ComboFix log:

ComboFix 08-01-09.2 - David 2008-01-17 10:09:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.617 [GMT 10:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\BASSMOD.dll
C:\WINDOWS\system32\iifgeed.dll
C:\WINDOWS\system32\jkkihfc.dll
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\winjvd32.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 10:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 09:46 . 2008-01-17 09:46 3,584 --a------ C:\WINDOWS\system32\vtutt.exe
2008-01-16 20:21 . 2008-01-16 20:21 <DIR> d-------- C:\Program Files\Windows Journal Viewer
2008-01-16 17:06 . 2008-01-16 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 11:29 . 2008-01-13 11:29 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-01-13 11:21 . 2008-01-13 11:25 <DIR> d-------- C:\Program Files\BatchDPG
2008-01-12 19:57 . 2008-01-12 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-01-11 08:51 . 2007-12-22 17:21 339,328 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-01-05 13:44 . 2008-01-16 15:00 <DIR> d-------- C:\Program Files\Metin2.us
2008-01-05 10:59 . 2008-01-11 08:00 <DIR> d-------- C:\Program Files\The Adventure Company
2008-01-04 11:07 . 2008-01-04 11:07 <DIR> d-------- C:\Program Files\Disney
2007-12-31 12:55 . 2007-12-31 12:55 <DIR> d-------- C:\UserJoy
2007-12-30 12:32 . 2007-12-30 12:32 <DIR> d-------- C:\Documents and Settings\David\Application Data\FastStone
2007-12-29 15:50 . 2007-12-29 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Reflexive
2007-12-27 13:36 . 2007-12-27 13:36 268 --ah----- C:\sqmdata06.sqm
2007-12-27 13:36 . 2007-12-27 13:36 244 --ah----- C:\sqmnoopt06.sqm
2007-12-26 15:57 . 2007-12-26 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCapv1004
2007-12-22 16:57 . 2007-12-28 16:33 <DIR> d-------- C:\Program Files\Mystery Case Files - Madame Fate
2007-12-19 05:14 . 2008-01-17 10:19 89,390 --a------ C:\WINDOWS\system32\oodbs.lor
2007-12-18 14:02 . 2007-12-18 14:02 0 --a------ C:\WINDOWS\oodcnt.INI
2007-12-18 13:38 . 2007-12-18 13:38 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-12-18 13:35 . 2007-12-18 13:35 <DIR> d-------- C:\Program Files\OO Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 09:25 --------- d-----w C:\Documents and Settings\David\Application Data\AVG7
2008-01-16 02:22 --------- d-----w C:\Program Files\Reflexive
2008-01-16 00:27 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2008-01-13 10:03 --------- d-----w C:\Program Files\Tales Of Pirates Online
2008-01-10 22:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 22:03 --------- d-----w C:\Program Files\Total Video Converter
2008-01-10 22:02 --------- d-----w C:\Program Files\PCTV4Me
2008-01-07 10:51 --------- d-----w C:\Program Files\SealOnline
2008-01-07 08:06 --------- d-----w C:\Documents and Settings\David\Application Data\iWin
2008-01-05 00:50 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-05 00:34 --------- d-----w C:\Program Files\ArtMoney
2008-01-04 00:32 --------- d-----w C:\Documents and Settings\David\Application Data\funkitron
2007-12-29 04:05 --------- d-----w C:\Program Files\MSN Messenger
2007-12-29 04:05 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-25 19:34 --------- d-----w C:\Program Files\Pokie Magic Games
2007-12-24 01:19 --------- d-----w C:\Program Files\Azureus
2007-12-18 03:23 --------- d-----w C:\Program Files\Scions of Fate
2007-12-15 22:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-09 01:27 65,536 ----a-w C:\WINDOWS\IFinst27.exe
2007-12-06 07:10 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-06 07:10 --------- d-----w C:\Program Files\Common Files\Real
2007-12-06 07:09 --------- d-----w C:\Program Files\Real
2007-12-04 05:01 --------- d--h--w C:\Program Files\NLP
2007-12-04 04:11 --------- d-----w C:\Program Files\Ares
2007-11-30 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-30 21:44 --------- d-----w C:\Program Files\SlySoft
2007-11-30 21:43 --------- d-----w C:\Program Files\MagicDVDRipper
2007-11-30 01:28 --------- d-----w C:\Documents and Settings\David\Application Data\Ahead
2007-11-30 00:32 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-30 00:31 --------- d-----w C:\Program Files\Nero
2007-11-30 00:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-11-30 00:26 --------- d-----w C:\Program Files\Ahead
2007-11-26 08:37 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-26 08:30 --------- d-----w C:\Program Files\Outspark
2007-11-24 07:59 --------- d-----w C:\Program Files\Common Files\DirectX
2007-11-24 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2007-11-21 11:34 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-11-17 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-11-17 01:11 99,776 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-11-17 01:11 388,800 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-11-17 01:11 32,320 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-03-18 08:09 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"SoundMan"="SOUNDMAN.EXE" [2005-03-18 00:48 67584 C:\WINDOWS\SOUNDMAN.EXE]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [ ]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 07:01 544768 C:\WINDOWS\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 17:16 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2006-12-01 10:01:56]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Program Files\Acronis\TrueImageWorkstation\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2007-12-01 07:41 1625024 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTV4Me]
C:\Program Files\PCTV4Me\pctv4me.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Program Files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-11-15 05:56]
R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
S3 22c266b2-7f73-4bf5-a726-8f3a9ea71aec;22c266b2-7f73-4bf5-a726-8f3a9ea71aec;D:\Player\cds300.dll []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 10:20:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 10:21:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 00:21:56
.
2007-11-13 20:59:45 --- E O F ---



And here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:12 AM, on 17/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174360622375
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip....er/igloader.CAB
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-game...ameLauncher.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6404 bytes

Edited by MungBean, 16 January 2008 - 06:29 PM.
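Reading the two HijackThis logs in this thread side by side (the one in post #1 and the one after ComboFix above) is how the helper sees what changed: the F3 win.ini load= hook for vtutt.exe and the O1 hosts entry are gone, and the Kodak service now has a known owner. The following is an added example, not code from the thread, from HijackThis or from ComboFix: a small Python parser that diffs two HJT logs and flags the entry types a helper checks first. The log excerpts are constructed from lines posted above; the flag rules are heuristics of my own, not HijackThis verdicts.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class HjtEntry:
    section: str  # HijackThis section code, e.g. "F3", "O4", "O23"
    body: str     # everything after "<code> - "


# One HJT entry line: section code, " - ", body. Header and process-list lines do not match.
_LINE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# An O4 Run-key entry: "...\Run: [ValueName] command line"
_O4_RUN = re.compile(r"^.*\\Run: \[[^\]]*\] (.*)$")


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the section entries of a HijackThis log, skipping headers and the process list."""
    entries = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2).strip()))
    return entries


def diff_hjt(before: str, after: str) -> tuple[list[HjtEntry], list[HjtEntry]]:
    """Entries that disappeared and entries that appeared between two scans of one machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def flag_entries(entries: list[HjtEntry]) -> list[tuple[str, HjtEntry]]:
    """A few of the checks a helper applies when reading an HJT log by hand (heuristics, not verdicts)."""
    findings = []
    for e in entries:
        if e.section == "F3" and "load=" in e.body.lower():
            # win.ini load= is a legacy autostart hook that current software almost never uses.
            findings.append(("win.ini load= autostart hook", e))
        elif e.section == "O1":
            # A hosts-file entry redirects a name; it may be a licence-check block or a hijack.
            findings.append(("hosts-file override, verify the target name", e))
        elif e.section == "O23" and ("Unknown owner" in e.body or "(file missing)" in e.body):
            findings.append(("service with unknown owner or missing binary", e))
        elif e.section == "O4":
            m = _O4_RUN.match(e.body)
            if m:
                parts = m.group(1).split()
                # A bare file name is resolved through the PATH search order at logon,
                # so the file that actually runs has to be located and checked on disk.
                if parts and "\\" not in parts[0].strip('"'):
                    findings.append(("Run entry without a full path", e))
    return findings


def summarize(before: str, after: str) -> dict:
    removed, added = diff_hjt(before, after)
    return {
        "removed": removed,
        "added": added,
        "flags_before": flag_entries(parse_hjt(before)),
        "flags_after": flag_entries(parse_hjt(after)),
    }


# Constructed excerpts of the two logs posted in this thread (before and after ComboFix).
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtutt.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
"""

if __name__ == "__main__":
    result = summarize(BEFORE_LOG, AFTER_LOG)
    for label in ("removed", "added"):
        print(label, [f"{e.section} - {e.body}" for e in result[label]])
    for label in ("flags_before", "flags_after"):
        print(label, [(reason, e.section) for reason, e in result[label]])
```

The "Run entry without a full path" flag fires on legitimate OEM entries too (Alaunch, SOUNDMAN.EXE in the logs above); it marks what to verify on disk, not what to delete.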


#4 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts)

Posted 16 January 2008 - 06:27 PM

I just tried my link and it worked fine. Try one of these:

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click combofix's window while it's running. That may cause it to stall.


#5 MungBean (New Member, 5 posts)

Posted 16 January 2008 - 06:36 PM

Sorry about that. The link worked after a few minutes. The server may have just been busy. I've posted the logs in my previous post.

#6 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts)

Posted 16 January 2008 - 07:40 PM

Well it appears as if the damage done was not too great. We will finish our cleanup of your system, then talk replacement.


A. 1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\vtutt.exe
C:\WINDOWS\IFinst27.exe
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm

Folder::
C:\Documents and Settings\All Users\Application Data\PopCapv1004

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"=-
"AVG7_CC"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTV4Me]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]

Driver::
22c266b2-7f73-4bf5-a726-8f3a9ea71aec

FileLook::
C:\WINDOWS\sm56hlpr.exe

KillAll::

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used.

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


B. Please use the Eset NOD32 Online Anti-Virus scanner and Removal Tool

Note: This tool requires the use of Internet Explorer and is Vista compatible

Please click HERE to start the process
  • Place a checkmark in the box beside "Terms of Service", then click "Start".
  • On the next screen, click where prompted to install the required ActiveX Control.
  • Acknowledge the Security Warning in the next window by clicking the "Install" button.
  • Press the "START" button on the Welcome Screen.
  • A download progress bar will then inform you on the status of your download.
  • Once the initialization is complete, place a checkmark beside "Remove found threats", then click "Scan".
  • When the tool has finished, under the Details Tab, you will find a list of items found and deleted.
  • No log will be made available for posting in your reply.


#7 MungBean (New Member, 5 posts)

Posted 16 January 2008 - 08:47 PM

ComboFix log:

ComboFix 08-01-09.2 - David 2008-01-17 11:46:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.634 [GMT 10:00]
Running from: C:\Documents and Settings\David\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\vtutt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\PopCapv1004
C:\Documents and Settings\All Users\Application Data\PopCapv1004\Amazing Adventures\highscore.mse
C:\Documents and Settings\All Users\Application Data\PopCapv1004\Amazing Adventures\options.mso
C:\Documents and Settings\All Users\Application Data\PopCapv1004\Amazing Adventures\players.mse
C:\Documents and Settings\All Users\Application Data\PopCapv1004\Amazing Adventures\sue.mse
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\vtutt.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\22c266b2-7f73-4bf5-a726-8f3a9ea71aec


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 10:06 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 20:21 . 2008-01-16 20:21 <DIR> d-------- C:\Program Files\Windows Journal Viewer
2008-01-16 17:06 . 2008-01-16 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 11:29 . 2008-01-13 11:29 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-01-13 11:21 . 2008-01-13 11:25 <DIR> d-------- C:\Program Files\BatchDPG
2008-01-12 19:57 . 2008-01-12 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grey Alien Games
2008-01-11 08:51 . 2007-12-22 17:21 339,328 --a------ C:\WINDOWS\system32\_AxShlEx.dll
2008-01-05 13:44 . 2008-01-16 15:00 <DIR> d-------- C:\Program Files\Metin2.us
2008-01-05 10:59 . 2008-01-11 08:00 <DIR> d-------- C:\Program Files\The Adventure Company
2008-01-04 11:07 . 2008-01-04 11:07 <DIR> d-------- C:\Program Files\Disney
2007-12-31 12:55 . 2007-12-31 12:55 <DIR> d-------- C:\UserJoy
2007-12-30 12:32 . 2007-12-30 12:32 <DIR> d-------- C:\Documents and Settings\David\Application Data\FastStone
2007-12-29 15:50 . 2007-12-29 15:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Reflexive
2007-12-22 16:57 . 2007-12-28 16:33 <DIR> d-------- C:\Program Files\Mystery Case Files - Madame Fate
2007-12-19 05:14 . 2008-01-17 11:48 90,667 --a------ C:\WINDOWS\system32\oodbs.lor
2007-12-18 14:02 . 2007-12-18 14:02 0 --a------ C:\WINDOWS\oodcnt.INI
2007-12-18 13:38 . 2007-12-18 13:38 <DIR> d-------- C:\WINDOWS\system32\oodag
2007-12-18 13:35 . 2007-12-18 13:35 <DIR> d-------- C:\Program Files\OO Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 09:25 --------- d-----w C:\Documents and Settings\David\Application Data\AVG7
2008-01-16 02:22 --------- d-----w C:\Program Files\Reflexive
2008-01-16 00:27 --------- d-----w C:\Documents and Settings\David\Application Data\Azureus
2008-01-13 10:03 --------- d-----w C:\Program Files\Tales Of Pirates Online
2008-01-10 22:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-10 22:03 --------- d-----w C:\Program Files\Total Video Converter
2008-01-10 22:02 --------- d-----w C:\Program Files\PCTV4Me
2008-01-07 10:51 --------- d-----w C:\Program Files\SealOnline
2008-01-07 08:06 --------- d-----w C:\Documents and Settings\David\Application Data\iWin
2008-01-05 00:50 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-01-05 00:34 --------- d-----w C:\Program Files\ArtMoney
2008-01-04 00:32 --------- d-----w C:\Documents and Settings\David\Application Data\funkitron
2007-12-29 04:05 --------- d-----w C:\Program Files\MSN Messenger
2007-12-29 04:05 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-25 19:34 --------- d-----w C:\Program Files\Pokie Magic Games
2007-12-24 01:19 --------- d-----w C:\Program Files\Azureus
2007-12-18 03:23 --------- d-----w C:\Program Files\Scions of Fate
2007-12-15 22:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-06 07:10 --------- d-----w C:\Program Files\Common Files\xing shared
2007-12-06 07:10 --------- d-----w C:\Program Files\Common Files\Real
2007-12-06 07:09 --------- d-----w C:\Program Files\Real
2007-12-04 05:01 --------- d--h--w C:\Program Files\NLP
2007-12-04 04:11 --------- d-----w C:\Program Files\Ares
2007-11-30 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-30 21:44 --------- d-----w C:\Program Files\SlySoft
2007-11-30 21:43 --------- d-----w C:\Program Files\MagicDVDRipper
2007-11-30 01:28 --------- d-----w C:\Documents and Settings\David\Application Data\Ahead
2007-11-30 00:32 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-30 00:31 --------- d-----w C:\Program Files\Nero
2007-11-30 00:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-11-30 00:26 --------- d-----w C:\Program Files\Ahead
2007-11-26 08:37 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-26 08:30 --------- d-----w C:\Program Files\Outspark
2007-11-24 07:59 --------- d-----w C:\Program Files\Common Files\DirectX
2007-11-24 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Outspark
2007-11-21 11:34 97,216 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-11-17 01:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2007-11-17 01:11 99,776 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2007-11-17 01:11 388,800 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2007-11-17 01:11 32,320 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2007-03-18 08:09 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- C:\WINDOWS\sm56hlpr.exe ----

Company: Motorola Inc.
File Description: Motorola SM56 Win32 Utility
File Version: 6.09.07
Product Name: Motorola SM56 Tray Application
Copyright: Copyright c 1998-2004, Motorola Inc.
Original file name: SM56HLPR.EXE


((((((((((((((((((((((((((((( snapshot@2008-01-17_10.21.41.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-17 00:07:35 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 01:46:06 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-17 00:07:35 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 01:46:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-17 00:07:35 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 01:46:06 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-17 00:07:35 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 01:46:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-17 00:07:35 7,106,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-17 01:46:06 7,106,560 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-17 00:07:35 217,088 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 01:46:06 217,088 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-03-18 00:48 67584 C:\WINDOWS\SOUNDMAN.EXE]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 05:00 455168]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 07:01 544768 C:\WINDOWS\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 17:16 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - C:\Program Files\WiFiConnector\NintendoWFCReg.exe [2006-12-01 10:01:56]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2007-12-01 07:41 1625024 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-11-15 05:56]
R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys [2004-12-17 17:14]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2004-10-15 12:50]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 11:49:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 11:50:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 01:50:35
ComboFix2.txt 2008-01-17 00:21:58
.
2007-11-13 20:59:45 --- E O F ---




HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:42 AM, on 17/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174360622375
O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip....er/igloader.CAB
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download-game...ameLauncher.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6242 bytes



I then did the online scan and it found 1 infection.
Win32/TrojanDropper.Agent.DGO virus (unable to clean - deleted)
C:\QooBox\Quarantine\C\Windows\system32\vtutt.exe.vir



After all that I did a full system scan with AVG and it detected nothing.

Edited by MungBean, 17 January 2008 - 01:19 AM.
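An added check over the HijackThis log in the post above (example code written for this thread; it is not part of HijackThis, ComboFix or the poster's output). It automates three things a removal helper reads by eye: O4 Run entries whose command has no directory component (`SOUNDMAN.EXE`, `sm56hlpr.exe`), which Windows resolves through the search path and which is why ComboFix's "Look" section verified `sm56hlpr.exe`; entries HijackThis marks `(file missing)`; and whether an AV detection path sits inside ComboFix's `C:\QooBox\Quarantine` folder, as the NOD32 hit on `vtutt.exe.vir` did, rather than pointing at a live file. The line formats are inferred from the log on this page; the sample lines are copied from it, the rest of the log being omitted.

```python
"""Audit a HijackThis v2 log the way a removal helper reads it by eye.

Added example for this thread; not code from HijackThis, ComboFix or the
posters. Line formats are inferred from the log posted above.
"""
import re

# Constructed excerpt: seven lines copied verbatim from the HJT log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""

# "O4 - <body>", "R0 - <body>", "O23 - <body>" ...
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command", also "HKUS\S-1-5-18\..\Run: [name] command"
RUN_ENTRY = re.compile(
    r"^(?P<hive>HK[^\\]+(?:\\[^\\]+)?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def audit_hjt(text: str) -> dict:
    """Collect unqualified Run entries, '(file missing)' entries and service binaries."""
    findings = {"unqualified_run": [], "file_missing": [], "services": []}
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            run = RUN_ENTRY.match(body)
            if run is not None:
                exe = executable_of(run.group("cmd"))
                # No directory component: Windows resolves the name through the
                # search path, so a same-named file earlier in that path would win.
                if "\\" not in exe:
                    findings["unqualified_run"].append((run.group("name"), exe))
        if "(file missing)" in body:
            findings["file_missing"].append(body)
        if section == "O23":
            # HJT prints "Service: <display> - <company> - <path>"; keep the path.
            findings["services"].append(body.rsplit(" - ", 1)[-1])
    return findings


def is_quarantine_hit(path: str) -> bool:
    """True when a detection points at a copy ComboFix already quarantined."""
    low = path.lower()
    return "\\qoobox\\quarantine\\" in low or low.endswith(".vir")


if __name__ == "__main__":
    for key, items in audit_hjt(SAMPLE_LOG).items():
        print(key, items)
    print(is_quarantine_hit(r"C:\QooBox\Quarantine\C\Windows\system32\vtutt.exe.vir"))
```

Run it against a full saved log by passing the file's text to `audit_hjt`; an entry in `unqualified_run` is not proof of anything by itself (both flagged files here are legitimate and live in `C:\WINDOWS`), it is the list of names whose resolution you want to confirm on disk, which is what ComboFix's version-info lookup did for `sm56hlpr.exe`.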


#8 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 17 January 2008 - 07:13 AM

Congratulations, your logs look CLEAN

There are a few things you must do once your system is completely clean:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK





The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?
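A way to verify step 1 of the advice above without clicking through the dialog, as an added example for this thread (not the poster's code and not a Microsoft tool). It reads a `reg export` of the Internet zone key, `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`, and reports which of the six settings still differ from the recommended values. The numeric value names (`1001`, `1004`, `1201`, `1800`, `1804`, `1607`) are the ones Microsoft documents for the security-zone registry entries, and the encoding 0 = Enable, 1 = Prompt, 3 = Disable is the same; confirm them against your IE version. The export below is constructed for the example, not taken from the poster's machine.

```python
"""Check Internet-zone ActiveX settings against the hardening steps in the post above.

Added example for this thread, not code from the poster or from Microsoft.
It audits a "reg export" of zone 3 rather than touching the registry, so it
runs anywhere. Value IDs are Microsoft's documented security-zone entries.
"""
import re

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Encoding shared by every zone setting: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings the post tells the user to change, with the recommended value.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed export: three of the six values are still on Enable.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"1607"=dword:00000000
"""

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def load_reg(raw: bytes) -> str:
    """Decode a .reg file: 'Version 5.00' exports are UTF-16 with a BOM, REGEDIT4 is ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def zone_values(text: str, key: str = ZONE_KEY) -> dict:
    """Return {value_name: int} for the DWORD values under one key of the export."""
    values, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION.match(line)
        if sec:
            inside = sec.group("key").lower() == key.lower()
            continue
        dw = DWORD.match(line)
        if inside and dw:
            values[dw.group("name")] = int(dw.group("hex"), 16)
    return values


def audit_zone(text: str) -> list:
    """List (id, setting, actual, recommended) for settings that differ or are absent.

    'absent' means the export has no such value; check the key directly, since a
    missing value falls back to the zone template rather than to the safe choice.
    """
    values = zone_values(text)
    problems = []
    for vid, (name, want) in RECOMMENDED.items():
        have = values.get(vid)
        if have != want:
            problems.append((vid, name, LABEL.get(have, "absent"), LABEL[want]))
    return problems


if __name__ == "__main__":
    for vid, name, have, want in audit_zone(SAMPLE_EXPORT):
        print(f"{vid} {name}: is {have}, should be {want}")
```

To audit a real machine, export the key on the Windows box with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`, then pass `load_reg(open("zone3.reg", "rb").read())` to `audit_zone`; the file is UTF-16, which is why the loader checks for a byte-order mark before decoding.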

#9 MungBean

MungBean

    New Member

  • New Member
  • Pip
  • 5 posts

Posted 17 January 2008 - 04:07 PM

Thank you so much for all your help. I had to uninstall and reinstall AVG as the Control Center got infected and was deleted, but other than that, everything else seems to be running fine. Once again, thank you very much!

#10 Trevuren

Trevuren

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 8,632 posts
  • Interests:Woodworking

Posted 17 January 2008 - 04:11 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
