
[Closed] SCTri.exe possible trojan


  • This topic is locked
7 replies to this topic

#1 mcgarnacle

mcgarnacle

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 02 February 2009 - 07:28 AM

Hi All,

There is a respawning process called SCtri.exe that has got hold of the PC.
Firewall access has been barred by "group policy"

My startuplist log is below. Grateful for any assistance.

Garny

StartupList report, 2/02/2009, 10:01:02 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows Vista SP1 (WinNT 6.00.1905)
Detected: Internet Explorer v7.00 (7.00.6001.18000)
* Using default options
==================================================

Running processes:

C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\explorer.exe
C:\Program Files\NetLimiter 2 Monitor\NLClient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\AutoInstall\ZD1211B_Auto_Install_CD_Only_Gen_0ACE20FF\AutoEJCD.EXE
C:\Program Files\Sony\Wireless adapter\ZDWLan.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RtHDVCpl = RtHDVCpl.exe
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
IgfxTray = C:\Windows\system32\igfxtray.exe
HotKeysCmds = C:\Windows\system32\hkcmd.exe
Persistence = C:\Windows\system32\igfxpers.exe
AutoEJCD_0ACE20FF = C:\Program Files\AutoInstall\ZD1211B_Auto_Install_CD_Only_Gen_0ACE20FF\AutoEJCD.EXE /VID=0ACE /PID=20FF
Wireless Adapter Manager = C:\Program Files\sony\Wireless adapter\ZDWLan.EXE -minisize
NvCplDaemon = RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sidebar = C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
ehTray.exe = C:\Windows\ehome\ehTray.exe
MsnMsgr = "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
Steam = "c:\steam\steam.exe" -silent
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
SUPERAntiSpyware = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe %windir%\system32\drivers\SCtri.exe
SCRNSAVE.EXE=C:\Windows\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre6\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E}
(no name) - C:\Program Files\Java\jre6\bin\jp2ssv.dll - {DBC80044-A445-435b-BC74-9C25C1C588A9}

--------------------------------------------------

Enumerating Task Scheduler jobs:

CatchMan Updates.job

--------------------------------------------------

Enumerating Download Program Files:

[System Requirements Lab Class]
InProcServer32 = C:\Windows\Downloaded Program Files\sysreqlab2.dll
CODEBASE = http://www.nvidia.co.../sysreqlab2.cab
OSD = C:\Windows\Downloaded Program Files\SysReqLab2.osd

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.ma...t/ultrashim.cab

[Zylom Games Player]
InProcServer32 = C:\Windows\Downloaded Program Files\zylomgamesplayer.dll
CODEBASE = http://game13.zylom....gamesplayer.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
NameSpace #4: C:\Windows\system32\pnrpnsp.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Users\Elaine\AppData\Local\Temp\_iu14D2N.tmp|||\

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\system32\webcheck.dll

--------------------------------------------------
End of report, 7,137 bytes
Report generated in 0.063 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



#2 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 04 February 2009 - 02:00 AM

Hi mcgarnacle, welcome to the forum.

Please be advised, as I'm still in training, all my replies will have to be approved by a teacher or expert before I can post them. This may cause some delays, but I will do my best to keep them as short as possible.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad, click Format and uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
I will post back soon with additional instructions.


Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#3 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 04 February 2009 - 06:11 PM

Hi mcgarnacle,

As a Vista user you will need to right click and click Run as Administrator in order to run the tools we will use.

Download OTViewIt to your desktop.
  • Close all windows and right click OTViewIt and select Run as Administrator
  • Place a tick in the Scan all Users box
  • Click Run Scan and let the program run uninterrupted
  • On completion it will produce two logs on the Desktop; attach the OTViewIt.txt and Extras.txt logs in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Thanks


#4 mcgarnacle

mcgarnacle

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 05 February 2009 - 06:40 PM

Hi oldman960, thanks for helping. Attachments included. I'll add that the machine is my mum's PC and since the HJ log she upgraded AVG to the latest version and scans are running.

Garny

Attached Files



#5 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 05 February 2009 - 07:45 PM

Hi mcgarnacle,

Thanks for letting me know. It will take a bit to go through these logs.

Please do not do any more scans. The logs will not reflect the true condition of your computer. Finish the one you are doing and when it's done obtain a new HJT (HijackThis) log.

Do this by
  • Opening HJT
  • Clicking Do a system scan and save a logfile
  • A Notepad window will open; please copy and paste its contents into your next reply.
Make sure word wrap is unchecked in Notepad. To check, at the top of Notepad, click Format and make sure there isn't a checkmark beside Word Wrap.

Thanks


#6 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 06 February 2009 - 06:39 PM

Hi

You've been infected with an autorun virus that is spread via USB devices. This infection can have backdoor capabilities. I strongly suggest you change your passwords to any forum, websites, and sites you do financial transactions online with. Use a known clean computer to do this.

We'll fix Task Manager and registry tools first.

Right click the attached file user.zip and click "Save target as"
  • Set the Save in box to desktop
  • click save
Locate the file you downloaded, right click it, and click Extract Here. You will now have a file on your desktop named fixit.vbs. Please right click the file and click Run as Administrator.

Please note to run these tools you will need to right click and Run as Administrator

Next, Download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • right click on Flash_Disinfector.exe and click Run as Administrator to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Please do the above steps for any USB devices you have until all have been done. Hook up as many as you can at a time. This includes phones, iPods, thumb drives, cameras, any USB storage device.

Next, we'll look for a file. Have your USB device(s) attached before running this next tool. Run the fix as many times as needed to do all of your devices.

Please download OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Do not copy the word CODE

    :Processes
    
    :Services
    
    :Reg
    [-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{24e2701c-ef7f-11dd-bd7b-0019db7ff173}]
    
    :Files
    C:\SCtri.exe /s
    D:\SCtri.exe /s
    E:\SCtri.exe /s
    F:\SCtri.exe /s
    G:\SCtri.exe /s
    H:\SCtri.exe /s
    I:\SCtri.exe /s
    
    :Commands
    [purity]
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After the reboot, OTMoveIt3 will start automatically to finish the move process. Highlight everything in the Results pane (underneath the green bar) by right-clicking in it and choosing Select All and then right-clicking again and choosing Copy. Return to this topic and click the Reply button, right-click in the Reply window and choose paste to copy all of the results back here.

If you need to run the OTMOVEIT3 fix more than once, please
  • save the log from each run
  • post all the logs along with a new HJT log
Thanks

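The post above describes the mechanism (an autorun.inf at the root of each drive launching the dropped executable, with Flash_Disinfector leaving a folder named autorun.inf behind so that file can no longer be written) and the OTMoveIt3 fix that removes SCtri.exe from every drive root. The script below is an added example by this editor, not Flash_Disinfector, OTMoveIt3 or any code from the thread: it audits a drive root the way a helper would check one by hand, parsing the launch directives of a file-type autorun.inf, recognising the protective folder, and listing executables sitting directly at the root. The "drive" it inspects is a constructed temporary directory so it runs anywhere.

```python
import os
import tempfile

# autorun.inf keys that make Windows launch something on insert/double-click;
# shell\<verb>\command keys are matched separately below.
LAUNCH_KEYS = ("open", "shellexecute")
ROOT_EXEC_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".pif")


def parse_autorun_inf(text):
    """Return the launch directives of an autorun.inf body as {key: value}.
    Hand-rolled on purpose: real autorun.inf files from worms often carry junk
    lines, duplicate keys or odd casing that trip configparser."""
    directives = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            directives[key] = value
    return directives


def audit_drive_root(root):
    """Inspect one drive root and return a list of human-readable findings."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isdir(inf):
        # A folder named autorun.inf is the placeholder Flash_Disinfector leaves
        # so the worm cannot recreate its file; it is protective, not malicious.
        findings.append("autorun.inf is a folder (protective placeholder)")
    elif os.path.isfile(inf):
        with open(inf, "r", encoding="utf-8", errors="replace") as fh:
            for key, value in parse_autorun_inf(fh.read()).items():
                findings.append(f"autorun.inf launches via {key}: {value}")
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path) and name.lower().endswith(ROOT_EXEC_SUFFIXES):
            findings.append(f"executable at drive root: {name}")
    return findings


def build_sample_root():
    """Constructed mock of an infected removable drive (temporary directory):
    an autorun.inf pointing at a root executable, plus a harmless text
    placeholder standing in for that executable. Not a real binary."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\nopen=SCtri.exe\nshell\\open\\command=SCtri.exe\nicon=SCtri.exe\n")
    with open(os.path.join(root, "SCtri.exe"), "w", encoding="utf-8") as fh:
        fh.write("placeholder text, not an executable\n")
    return root


def build_protected_root():
    """Constructed mock of a drive after Flash_Disinfector: autorun.inf is a folder."""
    root = tempfile.mkdtemp(prefix="usb_clean_")
    os.mkdir(os.path.join(root, "autorun.inf"))
    return root


if __name__ == "__main__":
    for label, path in (("infected", build_sample_root()), ("protected", build_protected_root())):
        print(f"{label} root {path}:")
        for finding in audit_drive_root(path) or ["nothing of note"]:
            print("  -", finding)
```

Point `audit_drive_root` at real drive roots (for example `E:\`) on a machine you are cleaning to get the same findings list; the OTMoveIt3 script in the post removes the executables this check would report.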

#7 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 08 February 2009 - 01:13 PM

Hi mcgarnacle, how are you making out? Still with us? Thanks


#8 Essexboy

Essexboy

    SuperMember

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,693 posts

Posted 11 February 2009 - 02:13 PM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log.

Growing old is mandatory
Growing up is optional.
