[Resolved] Virtumonde & Trojan Horse Dropper.AGENT.GIT Proble


17 replies to this topic

#1 Nick LDN


Posted 16 January 2008 - 02:13 PM

Hi all,

I know you must be bored with the same type of problem, but I'd be really grateful if someone can help and give me some advice.

Nasty trojans Virtumonde & Trojan Horse Dropper.AGENT.GIT (I believe they are of the same origin) have infected my PC, and I'm going through hell trying to get rid of them. I have already used Ad-aware 2007, AVG 7.5, Spybot S&D, but not much luck, as it seems that the trojans are still there. Also, it seems that they have messed up my start-up programs, and I also keep getting pop-up boxes with the message that Windows cannot access C:\WINDOWS\System32\vtuts.exe

I also read about ComboFix (which I downloaded), but I don't dare use it, as I'm completely clueless about what to do with it.

Could anyone please help?! THANKS!

Here is my HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54:10, on 16.1.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.grisoft.c...ng/us/tpl/tpl01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.64.15:80
F3 - REG:win.ini: load=C:\WINDOWS\System32\vtuts.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Email Marketer Monitor] C:\Program Files\Email Marketer Business Edition\Monitor.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pravoslavac 2007.lnk = C:\Program Files\Pravoslavac\Pravoslavac 2007.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing)

--
End of file - 5665 bytes



#2 Trevuren


Posted 16 January 2008 - 02:42 PM

Hello Nick LDN and welcome to the What the Tech Forums

My name is Trevuren and I will be helping you with your problem. It appears likely that your system has been infected with a Vundo trojan file infector. This trojan renames legitimate startup executables and replaces them with malware. We will attempt to reverse the process, but please be advised that most often there are one or two programs that cannot be salvaged and will need to be reinstalled.

A. Please delete your current copy of ComboFix as I need to make sure that you are in fact running one that is up to date.

B. Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingc...to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#3 Nick LDN


Posted 16 January 2008 - 03:07 PM

Hi Trevuren,

Thanks very much for your reply. I have followed your instructions, and here is the Combofix log:

ComboFix 08-01-17.1 - Nikola Cobic 2008-01-16 20:49:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.44.1033.18.589 [GMT 0:00]
Running from: C:\Documents and Settings\Nikola Cobic\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Nikola Cobic\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Nikola Cobic\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Nikola Cobic\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\Outerinfo.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\drvdonr.dll
C:\WINDOWS\system32\drvnumr.dll
C:\WINDOWS\system32\nnnmjhf.dll
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\winmqx32.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 20:49 . 2008-01-17 20:49 3,584 --a------ C:\WINDOWS\system32\vtuts.exe
2008-01-16 20:48 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 20:17 . 2008-01-16 20:17 103,424 --a------ C:\WINDOWS\system32\drvnum.dll
2008-01-16 20:17 . 2008-01-16 20:17 145 --a------ C:\WINDOWS\system32\winver.bat
2008-01-16 19:53 . 2008-01-16 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:03 . 2008-01-16 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-16 18:02 . 2008-01-16 18:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 15:57 . 2008-01-16 17:32 580 --a------ C:\WINDOWS\wininit.ini
2008-01-13 12:27 . 2008-01-16 14:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-13 12:27 . 2008-01-13 12:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 15:14 . 2008-01-06 15:14 <DIR> d-------- C:\Program Files\CRON-O-METER
2008-01-06 15:14 . 2008-01-06 17:28 <DIR> d-------- C:\Documents and Settings\Nikola Cobic\Application Data\cronometer
2007-12-29 19:58 . 2007-12-29 19:58 100,989 --a------ C:\gallery.php
2007-12-29 19:13 . 2007-12-29 19:13 <DIR> d-------- C:\party_7
2007-12-17 17:39 . 2005-05-09 20:08 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-12-17 16:50 . 2007-12-17 16:50 <DIR> d-------- C:\Documents and Settings\Nikola Cobic\Application Data\Steinberg
2007-12-17 16:47 . 2005-06-04 09:08 487,936 --a------ C:\WINDOWS\system32\rmbe3260.dll
2007-12-17 16:47 . 2005-06-04 09:09 352,768 --a------ C:\WINDOWS\system32\pngu3263.dll
2007-12-17 16:47 . 2005-06-04 09:09 131,072 --a------ C:\WINDOWS\system32\pneng50.dll
2007-12-17 16:47 . 2005-06-04 09:09 130,560 --a------ C:\WINDOWS\system32\pnc3250.dll
2007-12-17 16:47 . 2005-06-04 09:08 87,040 --a------ C:\WINDOWS\system32\ra32sipr.dll
2007-12-17 16:47 . 2005-06-04 09:11 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2007-12-17 16:47 . 2005-06-04 09:09 81,920 --a------ C:\WINDOWS\system32\ra3214_4.dll
2007-12-17 16:47 . 2005-06-04 09:09 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2007-12-17 16:47 . 2005-06-04 09:09 61,952 --a------ C:\WINDOWS\system32\decdnet.dll
2007-12-17 16:47 . 2005-06-04 09:09 21,504 --a------ C:\WINDOWS\system32\ra32dnet.dll
2007-12-17 16:44 . 2007-12-17 16:44 <DIR> d-------- C:\Program Files\Syncrosoft
2007-12-17 16:44 . 2005-10-17 09:35 704,512 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2007-12-17 16:44 . 2004-05-10 15:58 147,456 --a------ C:\WINDOWS\system32\SynsoLChk.dll
2007-12-17 16:44 . 2003-07-31 20:28 147,425 --a------ C:\WINDOWS\system32\SYNSOACC-Aide.chm
2007-12-17 16:44 . 2003-05-26 15:29 120,468 --a------ C:\WINDOWS\system32\SYNSOACC-Hilfe.chm
2007-12-17 16:44 . 2003-05-26 15:29 114,279 --a------ C:\WINDOWS\system32\SYNSOACC-Help.chm
2007-12-17 16:44 . 2002-11-25 08:36 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-12-17 16:44 . 2002-11-25 05:46 16,896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 19:45 --------- d-----w C:\Program Files\QuickTime
2008-01-16 19:45 --------- d-----w C:\Program Files\iTunes
2008-01-16 18:50 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\AVG7
2008-01-16 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-01-16 18:03 --------- d-----w C:\Program Files\Lavasoft
2008-01-16 18:03 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\Lavasoft
2008-01-16 16:02 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\Skype
2008-01-16 14:17 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\LimeWire
2008-01-16 14:09 --------- d-----w C:\Program Files\Sony Setup
2008-01-16 14:09 --------- d-----w C:\Program Files\Sony
2008-01-16 12:50 --------- d-----w C:\Program Files\VSTplugins
2008-01-12 19:39 --------- d-----w C:\Program Files\Soulseek-Test
2007-12-17 16:47 --------- d-----w C:\Program Files\Steinberg
2007-12-11 08:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-24 22:28 --------- d-----w C:\Program Files\Image-Line
2007-11-23 00:28 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\uTorrent
2007-11-20 23:45 --------- d-----w C:\Program Files\RapidLeecher Ultimate 2007
2007-11-20 14:37 --------- d-----w C:\Program Files\Java
2007-04-06 11:42 3,001 --sh--w C:\Documents and Settings\Nikola Cobic\ppUser.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41 13312]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 20:49 1115136]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [ ]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [ ]
"SetDefPrt"="C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" [ ]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [ ]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [ ]
"Email Marketer Monitor"="C:\Program Files\Email Marketer Business Edition\Monitor.exe" [ ]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 03:41 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 14:30 219136]

C:\Documents and Settings\Nikola Cobic\Start Menu\Programs\Startup\
Pravoslavac 2007.lnk - C:\Program Files\Pravoslavac\Pravoslavac 2007.exe [2007-02-15 16:55:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-06 19:11:12]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Load.exe [2005-08-06 01:07:30]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-01-05 14:34:05]

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\System32\DRIVERS\cledx.sys [2005-05-09 20:08]
S0 SSI;SSI;C:\WINDOWS\System32\Drivers\SSI.SYS []
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 21:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\System32\Drivers\BrSerIf.sys [2004-06-12 05:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\System32\Drivers\BrUsbSer.sys [2004-01-10 04:28]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\RTL8150.SYS [2001-05-24 01:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 10:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 20:56:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 20:58:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 20:58:41



AND, this is the new HJT log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:02, on 17.1.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.grisoft.c...ng/us/tpl/tpl01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.64.15:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Email Marketer Monitor] C:\Program Files\Email Marketer Business Edition\Monitor.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pravoslavac 2007.lnk = C:\Program Files\Pravoslavac\Pravoslavac 2007.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\Load.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing)

--
End of file - 5944 bytes

#4 Trevuren


Posted 16 January 2008 - 03:59 PM

Unfortunately, we are unable to replace any of the infected files as the legitimate files were deleted, probably by your Antivirus. The first thing we have to do is clean the rest of your system then we will look at replacing what we can.


A.
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\vtuts.exe
C:\WINDOWS\system32\drvnum.dll

DirLook::
C:\party_7

Driver::
SSI

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"=-
"PaperPort PTD"=-
"IndexSearch"=-
"SetDefPrt"=-
"Sony Ericsson PC Suite"=-
"SpySweeper"=-
"Email Marketer Monitor"=-
"H2O"=-
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

6. ComboFix will automatically REBOOT your machine when the KillAll:: switch is used.

7. Next, re-enable all the programs that you disabled prior to running ComboFix.

8. Post the following logs/Reports:
  • ComboFix.txt
  • Fresh HijackThis log run after all the other tools have performed their cleanup.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


B. I need you to run the following scan: Eset Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt into your next reply.

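The Registry:: block in the post above follows a simple rule that the ComboFix "Reg Loading Points" section makes visible: ComboFix prints each Run value as "Name"="path" [timestamp size], and prints empty brackets [ ] when the target file is no longer on disk. Every value shown with [ ] was listed for deletion, and the one value with a real timestamp (AVG7_CC) was kept. The following Python is an added example, not code from the thread, from ComboFix or from the forum; it parses that format, treats [ ] as "target missing", and renders the matching Registry:: block. The log text inside it is a constructed sample modelled on the format, and the function names are my own.

```python
"""
Find orphaned autorun entries in a ComboFix "Reg Loading Points" section
and render the CFScript Registry:: block that would remove them.

Format (as printed by ComboFix in the thread):
    [HKEY_...\Run]
    "Name"="C:\path\to\file.exe" [2002-08-29 03:41 13312]   <- file present
    "Name"="C:\path\to\file.exe" [ ]                        <- file missing
CFScript deletes a value with the line  "Name"=-  under its key.
"""
import re

# Constructed sample in the ComboFix format (not the thread's log verbatim).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41 13312]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 20:49 1115136]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [ ]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')


def parse_loading_points(text):
    """Return a list of (key, name, path, present) tuples in log order.

    `present` is False when ComboFix printed empty brackets, i.e. the
    executable the Run value points at no longer exists on disk.
    """
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, path, meta = m.groups()
            entries.append((key, name, path, meta.strip() != ''))
    return entries


def orphaned_names(entries):
    """Names of Run values whose target file is missing."""
    return [name for _key, name, _path, present in entries if not present]


def build_registry_block(entries):
    """Render the CFScript Registry:: section deleting only orphaned values,
    grouped under their hive key in the order they appeared."""
    lines = ['Registry::']
    current = None
    for key, name, _path, present in entries:
        if present:
            continue
        if key != current:
            lines.append(f'[{key}]')
            current = key
        lines.append(f'"{name}"=-')
    return '\n'.join(lines)


if __name__ == '__main__':
    parsed = parse_loading_points(SAMPLE_LOG)
    print(build_registry_block(parsed))
```

An orphaned Run value is evidence that something removed the executable (here, the legitimate program replaced by Vundo and then deleted by the antivirus); deleting the value only stops a failing start-up entry, it does not restore the program, which is why the helper warns that some software will need reinstalling. The File::, DirLook:: and Driver:: sections of the same script come from the other log sections and are not derived by this check.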

#5 Nick LDN


Posted 16 January 2008 - 06:35 PM

Trevuren, here are the results:

Combofix log:

ComboFix 08-01-17.1 - Nikola Cobic 2008-01-17 22:12:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.44.1033.18.670 [GMT 0:00]
Running from: C:\Documents and Settings\Nikola Cobic\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nikola Cobic\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\drvnum.dll
C:\WINDOWS\system32\vtuts.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drvnum.dll
C:\WINDOWS\system32\vtuts.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SSI
-------\SSI


((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-16 20:48 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-16 20:17 . 2008-01-16 20:17 145 --a------ C:\WINDOWS\system32\winver.bat
2008-01-16 19:53 . 2008-01-16 19:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-16 18:03 . 2008-01-16 18:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-16 18:02 . 2008-01-16 18:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-16 15:57 . 2008-01-16 17:32 580 --a------ C:\WINDOWS\wininit.ini
2008-01-13 12:27 . 2008-01-16 14:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-13 12:27 . 2008-01-13 12:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 15:14 . 2008-01-06 15:14 <DIR> d-------- C:\Program Files\CRON-O-METER
2008-01-06 15:14 . 2008-01-06 17:28 <DIR> d-------- C:\Documents and Settings\Nikola Cobic\Application Data\cronometer
2007-12-29 19:58 . 2007-12-29 19:58 100,989 --a------ C:\gallery.php
2007-12-29 19:13 . 2007-12-29 19:13 <DIR> d-------- C:\party_7
2007-12-17 17:39 . 2005-05-09 20:08 33,792 --a------ C:\WINDOWS\system32\drivers\cledx.sys
2007-12-17 16:50 . 2007-12-17 16:50 <DIR> d-------- C:\Documents and Settings\Nikola Cobic\Application Data\Steinberg
2007-12-17 16:47 . 2005-06-04 09:08 487,936 --a------ C:\WINDOWS\system32\rmbe3260.dll
2007-12-17 16:47 . 2005-06-04 09:09 352,768 --a------ C:\WINDOWS\system32\pngu3263.dll
2007-12-17 16:47 . 2005-06-04 09:09 131,072 --a------ C:\WINDOWS\system32\pneng50.dll
2007-12-17 16:47 . 2005-06-04 09:09 130,560 --a------ C:\WINDOWS\system32\pnc3250.dll
2007-12-17 16:47 . 2005-06-04 09:08 87,040 --a------ C:\WINDOWS\system32\ra32sipr.dll
2007-12-17 16:47 . 2005-06-04 09:11 85,504 --a------ C:\WINDOWS\system32\encdnet.dll
2007-12-17 16:47 . 2005-06-04 09:09 81,920 --a------ C:\WINDOWS\system32\ra3214_4.dll
2007-12-17 16:47 . 2005-06-04 09:09 72,704 --a------ C:\WINDOWS\system32\ra3228_8.dll
2007-12-17 16:47 . 2005-06-04 09:09 61,952 --a------ C:\WINDOWS\system32\decdnet.dll
2007-12-17 16:47 . 2005-06-04 09:09 21,504 --a------ C:\WINDOWS\system32\ra32dnet.dll
2007-12-17 16:44 . 2007-12-17 16:44 <DIR> d-------- C:\Program Files\Syncrosoft
2007-12-17 16:44 . 2005-10-17 09:35 704,512 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2007-12-17 16:44 . 2004-05-10 15:58 147,456 --a------ C:\WINDOWS\system32\SynsoLChk.dll
2007-12-17 16:44 . 2003-07-31 20:28 147,425 --a------ C:\WINDOWS\system32\SYNSOACC-Aide.chm
2007-12-17 16:44 . 2003-05-26 15:29 120,468 --a------ C:\WINDOWS\system32\SYNSOACC-Hilfe.chm
2007-12-17 16:44 . 2003-05-26 15:29 114,279 --a------ C:\WINDOWS\system32\SYNSOACC-Help.chm
2007-12-17 16:44 . 2002-11-25 08:36 45,056 --a------ C:\WINDOWS\system32\Synsopos.exe
2007-12-17 16:44 . 2002-11-25 05:46 16,896 --a------ C:\WINDOWS\system32\drivers\synasUSB.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 19:45 --------- d-----w C:\Program Files\QuickTime
2008-01-16 19:45 --------- d-----w C:\Program Files\iTunes
2008-01-16 18:50 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\AVG7
2008-01-16 18:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-01-16 18:03 --------- d-----w C:\Program Files\Lavasoft
2008-01-16 18:03 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\Lavasoft
2008-01-16 16:02 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\Skype
2008-01-16 14:17 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\LimeWire
2008-01-16 14:09 --------- d-----w C:\Program Files\Sony Setup
2008-01-16 14:09 --------- d-----w C:\Program Files\Sony
2008-01-16 12:50 --------- d-----w C:\Program Files\VSTplugins
2008-01-12 19:39 --------- d-----w C:\Program Files\Soulseek-Test
2007-12-17 16:47 --------- d-----w C:\Program Files\Steinberg
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 08:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-24 22:28 --------- d-----w C:\Program Files\Image-Line
2007-11-23 00:28 --------- d-----w C:\Documents and Settings\Nikola Cobic\Application Data\uTorrent
2007-11-20 23:45 --------- d-----w C:\Program Files\RapidLeecher Ultimate 2007
2007-11-20 14:37 --------- d-----w C:\Program Files\Java
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-06 11:42 3,001 --sh--w C:\Documents and Settings\Nikola Cobic\ppUser.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\party_7 ----

2007-12-29 18:30 395264 --ahs---- C:\party_7\Thumbs.db
2007-12-29 18:29 15810 --a------ C:\party_7\040_th.jpg
2007-12-29 18:28 47286 --a------ C:\party_7\040.jpg
2007-12-29 18:25 22336 --a------ C:\party_7\039_th.jpg
2007-12-29 18:24 60276 --a------ C:\party_7\039.jpg
2007-12-29 18:23 58450 --a------ C:\party_7\038.jpg
2007-12-29 18:23 22282 --a------ C:\party_7\038_th.jpg
2007-12-29 18:22 64526 --a------ C:\party_7\037.jpg
2007-12-29 18:22 22173 --a------ C:\party_7\037_th.jpg
2007-12-29 18:21 67969 --a------ C:\party_7\036.jpg
2007-12-29 18:21 22849 --a------ C:\party_7\036_th.jpg
2007-12-29 18:20 58270 --a------ C:\party_7\035.jpg
2007-12-29 18:20 22175 --a------ C:\party_7\035_th.jpg
2007-12-29 18:19 22412 --a------ C:\party_7\034_th.jpg
2007-12-29 18:18 62642 --a------ C:\party_7\034.jpg
2007-12-29 18:17 62691 --a------ C:\party_7\033.jpg
2007-12-29 18:17 22341 --a------ C:\party_7\033_th.jpg
2007-12-29 18:16 79371 --a------ C:\party_7\032.jpg
2007-12-29 18:16 23422 --a------ C:\party_7\032_th.jpg
2007-12-29 18:15 59065 --a------ C:\party_7\031.jpg
2007-12-29 18:15 22643 --a------ C:\party_7\031_th.jpg
2007-12-29 18:14 68594 --a------ C:\party_7\030.jpg
2007-12-29 18:14 23151 --a------ C:\party_7\030_th.jpg
2007-12-29 18:13 59627 --a------ C:\party_7\029.jpg
2007-12-29 18:13 23324 --a------ C:\party_7\028_th.jpg
2007-12-29 18:13 22343 --a------ C:\party_7\029_th.jpg
2007-12-29 18:12 67631 --a------ C:\party_7\028.jpg
2007-12-29 18:12 66094 --a------ C:\party_7\027.jpg
2007-12-29 18:12 22800 --a------ C:\party_7\027_th.jpg
2007-12-29 18:11 70084 --a------ C:\party_7\026.jpg
2007-12-29 18:11 23509 --a------ C:\party_7\026_th.jpg
2007-12-29 18:09 63238 --a------ C:\party_7\025.jpg
2007-12-29 18:09 22931 --a------ C:\party_7\025_th.jpg
2007-12-29 18:08 65114 --a------ C:\party_7\024.jpg
2007-12-29 18:08 22481 --a------ C:\party_7\024_th.jpg
2007-12-29 18:07 54364 --a------ C:\party_7\023.jpg
2007-12-29 18:07 21721 --a------ C:\party_7\023_th.jpg
2007-12-29 18:06 56217 --a------ C:\party_7\022.jpg
2007-12-29 18:06 21992 --a------ C:\party_7\022_th.jpg
2007-12-29 18:05 22471 --a------ C:\party_7\021_th.jpg
2007-12-29 18:04 60167 --a------ C:\party_7\021.jpg
2007-12-29 18:03 22081 --a------ C:\party_7\020_th.jpg
2007-12-29 18:02 56450 --a------ C:\party_7\020.jpg
2007-12-29 18:02 21633 --a------ C:\party_7\019_th.jpg
2007-12-29 18:01 51659 --a------ C:\party_7\019.jpg
2007-12-29 18:00 56189 --a------ C:\party_7\018.jpg
2007-12-29 18:00 21890 --a------ C:\party_7\018_th.jpg
2007-12-29 17:59 52177 --a------ C:\party_7\017.jpg
2007-12-29 17:59 22036 --a------ C:\party_7\017_th.jpg
2007-12-29 17:57 61090 --a------ C:\party_7\016.jpg
2007-12-29 17:57 22393 --a------ C:\party_7\016_th.jpg
2007-12-29 17:56 65502 --a------ C:\party_7\015.jpg
2007-12-29 17:56 22751 --a------ C:\party_7\015_th.jpg
2007-12-29 17:55 58442 --a------ C:\party_7\014.jpg
2007-12-29 17:55 21707 --a------ C:\party_7\014_th.jpg
2007-12-29 17:54 54900 --a------ C:\party_7\013.jpg
2007-12-29 17:54 21675 --a------ C:\party_7\013_th.jpg
2007-12-29 17:53 57843 --a------ C:\party_7\012.jpg
2007-12-29 17:53 21923 --a------ C:\party_7\012_th.jpg
2007-12-29 17:53 21841 --a------ C:\party_7\011_th.jpg
2007-12-29 17:52 58478 --a------ C:\party_7\010.jpg
2007-12-29 17:52 51343 --a------ C:\party_7\011.jpg
2007-12-29 17:52 22179 --a------ C:\party_7\010_th.jpg
2007-12-29 17:51 22262 --a------ C:\party_7\09_th.jpg
2007-12-29 17:50 62024 --a------ C:\party_7\09.jpg
2007-12-29 17:49 48699 --a------ C:\party_7\08.jpg
2007-12-29 17:49 21814 --a------ C:\party_7\08_th.jpg
2007-12-29 17:48 22306 --a------ C:\party_7\07_th.jpg
2007-12-29 17:47 63171 --a------ C:\party_7\07.jpg
2007-12-29 17:46 51221 --a------ C:\party_7\06.jpg
2007-12-29 17:46 21628 --a------ C:\party_7\06_th.jpg
2007-12-29 17:45 59341 --a------ C:\party_7\05.jpg
2007-12-29 17:45 22664 --a------ C:\party_7\05_th.jpg
2007-12-29 17:44 22260 --a------ C:\party_7\04_th.jpg
2007-12-29 17:43 53064 --a------ C:\party_7\04.jpg
2007-12-29 17:43 22611 --a------ C:\party_7\03_th.jpg
2007-12-29 17:42 62248 --a------ C:\party_7\03.jpg
2007-12-29 17:40 65816 --a------ C:\party_7\02.jpg
2007-12-29 17:40 23019 --a------ C:\party_7\02_th.jpg
2007-12-29 17:39 22517 --a------ C:\party_7\01_th.jpg
2007-12-29 17:38 68788 --a------ C:\party_7\01.jpg


((((((((((((((((((((((((((((( snapshot@2008-01-17_20.58.32.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 20:49:10 454,656 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
+ 2008-01-17 22:12:07 454,656 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat
- 2008-01-16 20:49:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 22:12:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 20:49:10 454,656 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-17 22:12:07 454,656 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-16 20:49:10 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 22:12:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 20:49:10 5,189,632 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 22:12:07 5,189,632 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-16 20:49:10 393,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 22:12:07 393,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-16 20:49:27 471,040 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-01-17 22:12:11 471,040 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 20:49 1115136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 03:41 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 14:30 219136]

C:\Documents and Settings\Nikola Cobic\Start Menu\Programs\Startup\
Pravoslavac 2007.lnk - C:\Program Files\Pravoslavac\Pravoslavac 2007.exe [2007-02-15 16:55:38]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-06 19:11:12]
ATI CATALYST System Tray.lnk - C:\Program Files\ATI Technologies\ATI.ACE\Load.exe [2005-08-06 01:07:30]
Status Monitor.lnk - C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe [2006-01-05 14:34:05]

R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\System32\DRIVERS\cledx.sys [2005-05-09 20:08]
R3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\RTL8150.SYS [2001-05-24 01:20]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\System32\Drivers\BrScnUsb.sys [2003-12-19 21:15]
S3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\System32\Drivers\BrSerIf.sys [2004-06-12 05:27]
S3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\System32\Drivers\BrUsbSer.sys [2004-01-10 04:28]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 10:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 22:19:37
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 22:22:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 22:22:00
ComboFix2.txt 2008-01-17 20:58:43


NEW HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:49, on 17.1.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.grisoft.c...ng/us/tpl/tpl01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.64.15:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pravoslavac 2007.lnk = C:\Program Files\Pravoslavac\Pravoslavac 2007.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\Load.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing)

--
End of file - 5172 bytes


ESET Online Scanner Log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2799 (20080116)
# vers_arch_module=1.062 (20080115)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=91b81e9b74dfc7478eba3af25d3d8466
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-18 12:03:11
# local_time=2008-01-18 12:03:11 (+0000, GMT Standard Time)
# country="Serbia"
# osver=5.1.2600 NT Service Pack 1
# scanned=519817
# found=7
# scan_time=5630
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\6.0\59\303ac5bb-4ca23c9f Java/Exploit.Bytverify trojan DB45A3ABCBA0A662F627DCDD9AED8C96
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\6.0\59\303ac5bb-4ca23c9f »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\6.0\59\303ac5bb-4ca23c9f »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-35851aee-3e54e5a3.zip Java/Exploit.Bytverify trojan DB45A3ABCBA0A662F627DCDD9AED8C96
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-35851aee-3e54e5a3.zip »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-35851aee-3e54e5a3.zip »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\vtuts.exe.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000




Thanks so much once again for your help. I look forward to your next instructions.
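The ESET log above is worth reading mechanically rather than line by line, because it says three things at once: the two Java cache entries carry the same MD5 (the same jar cached twice under different names), the vtuts.exe hit sits under C:\QooBox\Quarantine\ with a .vir suffix (ComboFix has already quarantined it), and every hit that is still live is inside the Sun Java deployment cache, which is why the reply that follows starts by clearing it. The following Python is an added example, not code from this thread or from ESET: it parses the log format (the `# key=value` header, then `<path> [»<archive> »<member>] <name> <kind> <md5>` detection lines) and applies those three checks. The detection lines are copied from the log posted above; the regular expression, the treatment of C:\QooBox\Quarantine as ComboFix's quarantine and of Sun\Java\Deployment\cache as the Java cache are this example's own assumptions.

```python
"""Parser and triage for an ESET Online Scanner log (added example).

Not code from this thread or from ESET.  The log text below is copied
(header abridged) from the scan posted above; the quarantine and Java
cache path rules are this example's own assumptions.
"""
import re

# One detection line: <target> <detection name> <kind> <md5>
# <target> is the on-disk path, followed by " »<archive type> »<member>" for
# each nesting level inside an archive.  ESET prefixes some names with
# "a variant of" / "probably a variant of"; the name group absorbs those.
DETECTION_RE = re.compile(
    r"^(?P<target>.+?) "
    r"(?P<name>(?:probably )?(?:a variant of )?\S+) "
    r"(?P<kind>trojan|virus|worm|application|potentially (?:unwanted|unsafe) application) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
ZERO_MD5 = "0" * 32                                     # placeholder for entries ESET did not hash
QUARANTINE_PREFIX = "C:\\QooBox\\Quarantine\\"          # ComboFix quarantine folder (assumption)
JAVA_CACHE_MARKER = "\\Sun\\Java\\Deployment\\cache\\"  # Sun JRE deployment cache (assumption)


def parse_log(text):
    """Split a log into its '# key=value' header dict and a list of findings."""
    header, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        parts = [p.strip() for p in m["target"].split("»")]
        findings.append({
            "container": parts[0],                      # the file that exists on disk
            "layers": parts[1:],                        # e.g. ["ZIP", "NewURLClassLoader.class"]
            "member": parts[-1] if len(parts) > 1 else None,
            "name": m["name"],
            "kind": m["kind"],
            "md5": m["md5"].upper(),
        })
    return header, findings


def triage(text):
    """Group findings by on-disk file and work out which ones still need action."""
    header, findings = parse_log(text)
    containers = []
    for f in findings:
        if f["container"] not in containers:
            containers.append(f["container"])
    quarantined = [c for c in containers if c.startswith(QUARANTINE_PREFIX)]
    java_cache = [c for c in containers if JAVA_CACHE_MARKER in c]
    # Equal hashes under different paths mean the same bytes cached twice; the
    # all-zero placeholder is not a hash and is never grouped.
    by_md5 = {}
    for f in findings:
        if f["member"] is None and f["md5"] != ZERO_MD5:
            by_md5.setdefault(f["md5"], []).append(f["container"])
    return {
        "header": header,
        "findings": findings,
        "containers": containers,
        "quarantined": quarantined,
        "java_cache": java_cache,
        "needs_action": [c for c in containers if c not in quarantined],
        "by_md5": by_md5,
        "count_matches": int(header.get("found", -1)) == len(findings),
    }


# Copied from the ESET log posted above (header abridged).
ESET_LOG = r"""
# version=4
# vers_standard_module=2799 (20080116)
# utc_time=2008-01-18 12:03:11
# scanned=519817
# found=7
# scan_time=5630
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\6.0\59\303ac5bb-4ca23c9f Java/Exploit.Bytverify trojan DB45A3ABCBA0A662F627DCDD9AED8C96
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\6.0\59\303ac5bb-4ca23c9f »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\6.0\59\303ac5bb-4ca23c9f »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-35851aee-3e54e5a3.zip Java/Exploit.Bytverify trojan DB45A3ABCBA0A662F627DCDD9AED8C96
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-35851aee-3e54e5a3.zip »ZIP »NewSecurityClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\Documents and Settings\Nikola Cobic\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-35851aee-3e54e5a3.zip »ZIP »NewURLClassLoader.class Java/Exploit.Bytverify trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\vtuts.exe.vir Win32/TrojanDropper.Agent.DGO virus 00000000000000000000000000000000
"""

if __name__ == "__main__":
    report = triage(ESET_LOG)
    print("hits:", len(report["findings"]), "files on disk:", len(report["containers"]))
    for c in report["needs_action"]:
        print("still live:", c)
```

Run as a script it reports 7 hits on 3 files, of which only the two Java cache jars are still live. Archive members always carry the all-zero placeholder rather than a real MD5, so grouping by hash is done on the containers only; the `count_matches` flag is a cheap way to notice when a pasted log has lost lines.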

#6 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 16 January 2008 - 07:08 PM

A. We need to clean out your Java Cache.

Clearing Java Cache
Go into the Control Panel and double-click the Java icon (it looks like a coffee cup).
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache - leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


B. 1. Please go to Start -> Run -> type cmd and press Enter.

2. At the command prompt type sfc /scannow, making sure to put a space between the "c" and the slash, and then press Enter. This will run the System File Checker.

3. Follow the prompts, and insert your Windows installation CD if requested.

4. Then please REBOOT your computer.


C. Please post a fresh HJT log and provide me with some input regarding the running of the System File Checker (i.e. any files replaced, y/n).
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#7 Nick LDN

    New Member

  • 9 posts

Posted 16 January 2008 - 07:42 PM

OK, I've followed your instructions and cleared Java Cache.

Then I ran System File Checker, and it prompted me to insert Windows CD, which I did and the scan went pretty smoothly, as far as I can tell. I was not prompted about any files.

I rebooted the system.

Here is the fresh HJT log:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:37:54, on 18.1.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.grisoft.c...ng/us/tpl/tpl01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.64.15:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pravoslavac 2007.lnk = C:\Program Files\Pravoslavac\Pravoslavac 2007.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\Load.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing)

--
End of file - 5297 bytes

#8 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 16 January 2008 - 07:49 PM

Good Work.


Please provide a list of uninstallable programs.

To Provide a List of Installed Programs
  • Run HijackThis.
  • Click Config>>Miscellaneous Tools>>Open Uninstall Manager>>Save List
  • Save list to Desktop
  • Copy the Notepad list and Paste it into this thread.


#9 Nick LDN

    New Member

  • 9 posts

Posted 16 January 2008 - 07:57 PM

OK... here goes:

Ad-Aware 2007
Adobe Flash Player Plugin
Adobe Photoshop 6.0
Adobe Reader 8.1.1
Adobe® Photoshop® Album Starter Edition 3.2
Age of Empires III
Age of Mythology
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
Audacity 1.2.4
AVG 7.5
AVS DVD Player version 2.2
Brother MFL-Pro Suite
Call of Duty® 2
Contrast PlanPlus 2006
Creative MediaSource
Creative System Information
CRON-O-METER 0.9.3
Disc2Phone
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EAX Unified
ESET Online Scanner
FL Studio v7.0
Funnsystems YuMp3Com-User-Authorization
GT Interactive - Driver
HijackThis 2.0.2
Indeo® Software
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
LimeWire 4.14.0
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash Player 8
Mafia Game
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.11)
MSXML4 Parser
PaperPort
Pravoslavac 2007 v4
Quicken 2007
QuickTime
RapidLeecher Ultimate 2007
RealPlayer
Rhythm Rascal
Skype 2.5
Sony ACID Music Studio 6.0b
Sony ACID Music Studio 7.0
Sony Ericsson PC Suite 1.20.224
Sony Sound Forge 8.0d
SoulSeek 157 test 5
Sound Blaster Live! 24-bit
Spybot - Search & Destroy 1.4
Steinberg Cubase SX v3.1.1.944
SyncroSoft Emu (Remove only)
Syncrosoft's License Control
Time Calculator v1.1 (Free)
Total Commander (Remove or Repair)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB837001
WinRAR archiver

#10 Trevuren

    Teacher Emeritus

  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 16 January 2008 - 08:26 PM

A. 1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

rem stop the orphaned Webroot Spy Sweeper service (harmless if it is not running)
sc stop svcWRSSSDK
rem remove its registration from the Service Control Manager
sc delete svcWRSSSDK
rem the batch file removes itself when done
del delete.bat

3. Save the file on your desktop as "delete.bat". Make sure to save it with the quotes.

4. Double click delete.bat.


B. Uninstall and reinstall the following programs:

PaperPort
Sony Ericsson PC Suite


These should just be uninstalled and/or updated:

ESET Online Scanner <== would require a new download if you ever want to use it again
J2SE Runtime Environment 5.0 Update 10 <== old Java versions
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Microsoft .NET Framework 1.1 <== using update already
Spybot - Search & Destroy 1.4 <== needs updating to v1.5


After completion, please post a fresh HJT log and tell me how your system is running. If all is well, we will proceed with our final cleanup procedures.
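The reply above makes two decisions by eye: the O23 line whose binary is marked "(file missing)" is a dead service registration to be removed with `sc stop` / `sc delete`, and every Sun JRE in the uninstall list except the newest goes, because each older runtime is a separate install that an update does not remove. The following Python is an added example, not code from this thread or from HijackThis: it applies both rules to the log lines posted in this thread and emits the same commands delete.bat runs. The O23 lines and uninstall-list names are copied from the logs above; the regular expressions describing HijackThis's line format and the "Unknown owner" check are this example's own assumptions.

```python
"""Triage helpers for HijackThis output (added example, not code from the thread).

Two checks the helper made by hand: O23 services whose binary is missing
(the delete.bat target) and Sun JREs older than the newest one installed.
Sample lines are copied from the HijackThis log and uninstall list posted
in this thread; the regular expressions are this example's own assumptions.
"""
import re

# HijackThis O23 line: "O23 - Service: <display> [(<name>)] - <owner> - <path> [(file missing)]"
# HijackThis omits the "(<name>)" part when the service name equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Uninstall-list names of Sun runtimes, e.g. "J2SE Runtime Environment 5.0 Update 10",
# "Java(TM) SE Runtime Environment 6 Update 1", "Java(TM) 6 Update 3".
JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java(?:\(TM\)|™))(?: SE Runtime Environment)?"
    r" (?P<major>\d+(?:\.\d+)?) Update (?P<update>\d+)$"
)

# Copied from the HijackThis logs posted above.
HJT_O23_LINES = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe (file missing)
""".strip().splitlines()

# Excerpt of the uninstall list posted above.
UNINSTALL_LIST = [
    "Adobe Reader 8.1.1",
    "AVG 7.5",
    "J2SE Runtime Environment 5.0 Update 10",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java™ 6 Update 2",
    "Java™ 6 Update 3",
    "Java™ SE Runtime Environment 6 Update 1",
    "Spybot - Search & Destroy 1.4",
]


def parse_o23(line):
    """Return a dict for one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "display": d["display"],
        "name": d["name"] or d["display"],   # service name defaults to the display name
        "owner": d["owner"],
        "path": d["path"],
        "missing": d["missing"] is not None,
    }


def orphaned_services(lines):
    """Services whose registered binary is gone ("(file missing)").  They are
    leftovers of a removed product; while the registration stays, whatever is
    later written to that path is what the Service Control Manager will run."""
    return [s for s in map(parse_o23, lines) if s and s["missing"]]


def unknown_owner_services(lines):
    """Services whose binary carries no company name.  Not evidence by itself
    (ATI Smart is legitimate), only a prompt to verify the file."""
    return [s for s in map(parse_o23, lines)
            if s and s["owner"] == "Unknown owner" and not s["missing"]]


def sc_commands(services):
    """The command pair delete.bat runs, once per service.  'sc stop' fails
    harmlessly on a service that cannot start; 'sc delete' removes the key."""
    return [cmd for s in services for cmd in (f"sc stop {s['name']}", f"sc delete {s['name']}")]


def java_version(name):
    """(major, update) for a Sun JRE uninstall entry, else None."""
    m = JAVA_RE.match(name.strip())
    return (int(float(m["major"])), int(m["update"])) if m else None


def stale_java_runtimes(program_names):
    """Every installed Sun JRE except the newest; older ones keep their known bugs."""
    versioned = []
    for n in program_names:
        v = java_version(n)
        if v:
            versioned.append((v, n))
    if not versioned:
        return []
    newest = max(versioned)[0]
    return [n for v, n in versioned if v != newest]


if __name__ == "__main__":
    for cmd in sc_commands(orphaned_services(HJT_O23_LINES)):
        print(cmd)
    for name in stale_java_runtimes(UNINSTALL_LIST):
        print("uninstall:", name)
```

On the lines from this thread the script prints exactly the two `sc` commands from delete.bat and the five Java entries the reply lists for removal, keeping Java 6 Update 3. Note that `sc delete` only removes the registration; if the binary had still existed, removing the file first (or after a reboot) would be part of the job.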



#11 Nick LDN

    New Member

  • 9 posts

Posted 16 January 2008 - 09:21 PM

OK, done all of that. :-)

Created "delete.bat" and double clicked it.

I uninstalled and re-installed Sony Ericsson PC Suite and PaperPort (my printer/scanner application), and I've uninstalled all the other software you suggested, apart from Spybot S&D, which I updated to version 1.5. Since I've done that, Spybot S&D takes a while longer to start, but when it does, it runs fine.

My system seems to be running fine, and I can't see any problems so far.


Here is a brand new HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:21, on 18.1.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.grisoft.c...ng/us/tpl/tpl01
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.253.64.15:80
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Pravoslavac 2007.lnk = C:\Program Files\Pravoslavac\Pravoslavac 2007.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\Load.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: YU-MP3.COM Account Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O9 - Extra 'Tools' menuitem: &YU-MP3.COM User Login - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\Funnsystems YuMp3Com-User-Authorization\YuMp3ComLogin.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6509 bytes

#12 Nick LDN (New Member, 9 posts)

Posted 16 January 2008 - 09:24 PM

Oh yes (sorry about double post)... My AVG Control center doesn't seem to be working. Should I re-install that as well?

#13 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts)

Posted 17 January 2008 - 07:23 AM

A. You beat me to the punch about the AVGCC. Yes, please Uninstall then reinstall AVG AV.

B. The prolonged startup time for Spybot is a "bug" in their programming. They have resolved the problem and are now Beta testing the product. If you do not find it too annoying, wait for the final release before updating Spybot. I never like recommending Beta versions of software.

C. Congratulations, your logs look CLEAN

There are a few things you must do once your system is completely clean:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Here are some tips to reduce the potential for spyware infection in the future:

1. Make your Internet Explorer More Secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

    • Change the Download signed ActiveX controls to Prompt.
    • Change the Download unsigned ActiveX controls to Disable.
    • Change the Initialise and script ActiveX controls not marked as safe to Disable.
    • Change the Installation of desktop items to Prompt.
    • Change the Launching programs and files in an IFRAME to Prompt.
    • Change the Navigate sub-frames across different domains to Prompt.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
2. Update your Anti-Virus Software - I cannot overemphasize the need for you to update your Anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

3. Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the back door open.

4. Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

5. Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

6. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real time spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with the program on a regular basis just as you would with your anti-virus software. A tutorial on installing and using this product can be found here:
Instructions for - Spybot S & D and Ad-aware

7. Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.
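Step 1 above walks through the Internet zone's Custom Level dialog by hand. The same six settings live as DWORD "URL action" values under the current user's Internet zone key, so they can be audited (and, if you choose, set) from a script. The block below is an added example, not code from this thread or from any of the tools it mentions; the action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the value meanings (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented zone settings, and the target values are the ones recommended in the post. The function name `Get-ZoneSettingReport` and the `-Fix` switch are this example's own.

```powershell
# Added example (not from the thread): audit the Internet zone (zone 3) Custom Level
# settings that the post above changes through the Internet Options dialog.
# Each setting is a DWORD under the user's zone key: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values as given in the post, keyed by Microsoft's URL-action IDs.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                         Want = 1 }
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                       Want = 3 }
    @{ Id = '1201'; Name = 'Initialise and script ActiveX controls not marked as safe'; Want = 3 }
    @{ Id = '1800'; Name = 'Installation of desktop items';                            Want = 1 }
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                Want = 1 }
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';             Want = 1 }
)

$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSettingReport {
    # Returns one object per setting: current value, recommended value, and whether
    # they match. A value that is absent from the registry means the zone default
    # applies, which is reported as 'not set' and treated as non-compliant.
    param([switch]$Fix)   # -Fix writes the recommended value where it differs

    foreach ($s in $Recommended) {
        $item    = Get-ItemProperty -Path $ZonePath -Name $s.Id -ErrorAction SilentlyContinue
        $current = $null
        if ($null -ne $item) { $current = [int]$item.($s.Id) }

        $ok = ($current -eq $s.Want)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want -Type DWord
            $current = $s.Want
            $ok = $true
        }

        $currentLabel = 'not set'
        if ($null -ne $current) {
            if ($Label.ContainsKey($current)) { $currentLabel = $Label[$current] }
            else { $currentLabel = "unknown ($current)" }
        }

        [pscustomobject]@{
            Setting     = $s.Name
            ActionId    = $s.Id
            Current     = $currentLabel
            Recommended = $Label[$s.Want]
            Compliant   = $ok
        }
    }
}

# Usage: report first, then apply the recommended values only where they differ.
Get-ZoneSettingReport | Format-Table -AutoSize
# Get-ZoneSettingReport -Fix | Where-Object { -not $_.Compliant }
```

Run the report without `-Fix` first; the dialog shows "Custom" for the zone once any value differs from a built-in level, so the script is the quicker way to see exactly which of the six settings moved. Note that on a machine where an administrator has set the zone policy under HKLM (the `Security_HKLM_only` value in the machine's Internet Settings key), the per-user values read here are ignored by Internet Explorer and the HKLM zone key is the one to audit instead.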

#14 Nick LDN (New Member, 9 posts)

Posted 17 January 2008 - 08:12 AM

Great!!! Thanks so much! All done... I just have a problem with uninstalling and reinstalling AVG. Whenever I try to do either, it's showing me an Error message: Local machine: installation failed Initialization: Error: Checking of state of the item file avgcc.exe failed. File opening failed. %FILE% = "C:\Program Files\Grisoft\AVG7\avgcc.exe" Permission denied Can you tell me why this is happening, and can I do anything manually to uninstall it in the first place? Also, I seem to have lost Skype, but I'll just re-install that as well. And finally, do you recommend that I install Zonealarm firewall, and will it work with AVG Free Edition?

Edited by Nick LDN, 17 January 2008 - 08:14 AM.


#15 Trevuren (Teacher Emeritus, Authentic Member, 8,632 posts)

Posted 17 January 2008 - 11:00 AM

Before following any of the procedures outlined below, make sure that you have AVG downloaded to your desktop. Once it is there, disconnect from the net completely and install the Antivirus. Reconnect and update its definitions.

A. Please disable Spybot's Tea Timer:

SPYBOT TEATIMER
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

B. 1. Go to Start->Run and type in notepad and hit OK.

2. Then copy and paste the content of the following codebox into Notepad:

REM Stop and unregister the three AVG 7 services (names as listed in the O23 lines of the HJT log)
sc stop Avg7Alrt
sc delete Avg7Alrt
sc stop Avg7UpdSvc
sc delete Avg7UpdSvc
sc stop AVGEMS
sc delete AVGEMS
REM Remove this batch file once it has done its job
del delete.bat

3. Save the file as "delete.bat". Make sure to save it with the quotes.

4. Double click delete.bat.


C. Now go into Windows Explorer (Windows Key +E), locate and DELETE the following folder and all its content:

C:\Program Files\Grisoft


D. You should now be able to reinstall AVG.