Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

_gorvedi Trojan Horse?


  • Please log in to reply
17 replies to this topic

#1 mariska

mariska

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Location:Turku
  • Local time:09:13 PM

Posted 14 October 2007 - 10:04 AM

:thumbsup: Hello,i downloaded a file that i just can't get rid of,could u please take alook at my hjt log and see if there is anything suspicious.....thanx alot


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:58:04, on 14.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Christian\Työpöytä\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\MSHTTPSCfg32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-21-2221717735-1802729512-2040942079-1006\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Lea')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124300608156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124300776359
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8421 byt

File: MSHTTPSCfg32.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d01b4244df465754ca3251d7bee80a51
Packers detected: ARMADILLO
Bit9 reports: Not analyzed yet (more info)

Scanner results
Scan taken on 14 Oct 2007 19:05:51 (GMT)
A-Squared Found nothing
AntiVir Found TR/Agent.GBF.1
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found BackDoor.W32.DSSdoor.D
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Trj/Agent.GBF
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Email-Worm.Win32.VB.dd

Edited by mariska, 14 October 2007 - 02:13 PM.


BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 17 October 2007 - 02:06 PM

Hi mariska and Welcome to the Bleeping Computer!

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

#3 mariska

mariska
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Location:Turku

Posted 18 October 2007 - 08:31 AM

Hi Cretemonster,Thanks for your time,I'll update u a bit first on the situation,well,i decided to do a bit of fixing myself,i'll take u through what i've done,but i think i might of missed something.
First i ran combofix,and from there i could see which file was dodgy because of the time it installed itself,it was this O4 - HKLM\..\Run: [DSS] C:\WINDOWS\MSHTTPSCfg32.exe,so i fix checked it with HJT.
Then i ran smithfraudfix and SDfix in safe mode and the log showed that a Trojan stream was detected and deleted,then spybot quarantined 2 things one of which was Win32dssdoor.d Then i8 used superantispyware and it found and dealt with a couple of things but i can't recall the names
So based on what i've already done i'll post only the Hjt if u could take a look at it i'd be very grateful.
One other thing,are all these [CTFMON.EXE]entries normal?I can never remember there being so many..

Thanks
Chris.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30:57, on 18.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Christian\Työpöytä\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Paikallinen palve')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Verkkopalve')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124300608156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124300776359
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8074 bytes

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 October 2007 - 09:42 AM

Log looks fine,all those ctfmon entries are a result of the new version of HJT scanning areas of the registry not usually scanned by older versions,u can actually fix all those with no problems.

Id like a peek at the logs from your adventure,specifically the SDFix log and ComboFix log.

If you can find he SAS log,that would be nice too.

#5 mariska

mariska
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Location:Turku
  • Local time:09:13 PM

Posted 18 October 2007 - 10:29 AM

Hi Cretemonster,well,i was afraid you were going to ask me that!! :thumbsup: ,but i'm afraid i don't have them anymore :wacko: .,though its good to hear that my log is clean,and thing do seem to be running o.k :) ,so i9 think maybe u can close this topic,I'll be in touch if any problems occur,
Thanks for ur time and help!!! :blink:
Regards
Chris
found sas log
stom Scan
Total Scan Time : 00:36:25

Memory items scanned : 0
Memory threats detected : 0
Registry items scanned : 56
Registry threats detected : 0
File items scanned : 29432
File threats detected : 20

Adware.Tracking Cookie
C:\Documents and Settings\Christian\Cookies\christian@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\Christian\Cookies\christian@atdmt[2].txt
C:\Documents and Settings\Christian\Cookies\christian@clickaider[1].txt
C:\Documents and Settings\Christian\Cookies\christian@imrworldwide[1].txt
C:\Documents and Settings\Christian\Cookies\christian@track.adform[1].txt
C:\Documents and Settings\Lea\Cookies\lea@2o7[2].txt
C:\Documents and Settings\Lea\Cookies\lea@atdmt[2].txt
C:\Documents and Settings\Lea\Cookies\lea@doubleclick[1].txt
C:\Documents and Settings\Lea\Cookies\lea@eas3.emediate[1].txt
C:\Documents and Settings\Lea\Cookies\lea@ehg-yvesrocher.hitbox[1].txt
C:\Documents and Settings\Lea\Cookies\lea@hitbox[2].txt
C:\Documents and Settings\Lea\Cookies\lea@imrworldwide[1].txt
C:\Documents and Settings\Lea\Cookies\lea@postclicktracking[1].txt
C:\Documents and Settings\Lea\Cookies\lea@track.adform[2].txt
C:\Documents and Settings\Lea\Cookies\lea@tradedoubler[2].txt
C:\Documents and Settings\Lea\Cookies\lea@www.googleadservices[1].txt
C:\Documents and Settings\Lea\Cookies\lea@www.googleadservices[2].txt
C:\Documents and Settings\Lea\Cookies\lea@www.googleadservices[3].txt

Trojan.Downloader-DNSDoor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP109\A0021889.EXE
C:\WINDOWS\MSHTTPSCFG32.EXE

Edited by mariska, 18 October 2007 - 10:34 AM.


#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 October 2007 - 12:10 PM

Can you find this file on your System?

C:\WINDOWS\MSHTTPSCFG32.EXE

Be sure hidden files are showing
http://www.bleepingcomputer.com/forums/ind...showtutorial=62

#7 mariska

mariska
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Location:Turku

Posted 18 October 2007 - 12:21 PM

Hi crete monster,well it was present in a 2kt textfile in C:\WINDOWS which i scanned with sas and it found nothing,do u t5hink i should try scanning with something else?
Thanks
Chris

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 18 October 2007 - 01:05 PM

I need you to send that file to me at this location
http://www.bleepingcomputer.com/submit-malware.php?channel=4

Leave a link back to this post and upload the file,once its uploaded,please delete the file and empty the recycle bin.


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.


#9 mariska

mariska
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Location:Turku
  • Local time:09:13 PM

Posted 20 October 2007 - 01:22 AM

Hi Cretemonster,sorry for the delay in returning post,but i've had no time.
I had that C:\WINDOWS\MSHTTPSCFG32.EXE text file saved in the recycler.but when i went to retrieve it discovered my wife had emptied it,so i'm afraid its not avilable,but here are the results from the f-secure scan...thanks!



Report
Saturday, October 20, 2007 08:11:23 - 09:09:22
Computer name: MARISKA
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\


--------------------------------------------------------------------------------

Result: 6 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 28832
System: 4326
Not scanned: 8
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 5
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\LAME_ENC.DLL
C:\WINDOWS\SYSTEM32\NCTWAVPLAYER.OCX
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\RECYCLER\S-1-5-21-2221717735-1802729512-2040942079-1006\DC1.DOC
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MUVEE TECHNOLOGIES\030625\0203\0181\VALUES
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\DSS\MACHINEKEYS\886DA18046BECC75CCB5073A87BBBE47_5E310C95-C408-4FBE-A4BD-B0CE272E6B89

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-10-19
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-10-15
F-Secure Libra: 2.4.2, 2007-10-19
F-Secure Orion: 1.2.37, 2007-10-19
F-Secure Pegasus: 1.19.0, 2007-09-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

#10 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 October 2007 - 02:57 AM

Im not that worried about the file,so its best its gone for good now. :thumbsup:


If you will,run another Online Scan at Panda please
http://www.nanoscan.com/as/v1/principal.aspx

Save the report and post it back here please.

#11 mariska

mariska
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Location:Turku

Posted 20 October 2007 - 08:02 AM

Hello again Cretemonster.
Here is the Totalscan log,seems like there was still some infection..here's the log....Thanks :thumbsup:


;***********************************************************************************************************************************************************************************
ANALYSIS: 2007-10-20 15:56:56
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! antivirus 4.7.1043 [VPS 000782-3] 4.7.1043 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024295.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024251.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024226.exe
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024195.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024102.exe
00139535 Application/Processor HackTools No 0 No No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024140.exe[SDFix\apps\Process.exe]
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\fixwareout\FindT\nircmd.exe
00517584 Application/SuperFast HackTools No 0 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024253.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP110\A0022936.exe[nircmd.exe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP110\A0022936.exe[nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP109\A0022888.exe
01297189 Trj/Agent.GBF Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0023944.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024252.exe
02519515 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{62A22B18-6EB5-48C1-AAD2-647B2473640C}\RP111\A0024196.exe
;===================================================================================================================================================================================
SUSPECTS
Location

#12 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 October 2007 - 09:09 AM

No worries there,we can fix those easy.

Now we need to reset System Restore and Clear out all the old infected restore points.
  • Click Start
  • Right-Click "My Computer" and Select Properties.
  • Click on the "System Restore" tab.
  • Place a checkmark in the box for "Turn off System Restore" and Click "Apply."
  • Restart the Computer.
  • Return to System Restore and Uncheck the box for "Turn off System Restore" and Click "Apply."
  • A fresh Restore Point will be created.

Consider using Erunt for a backup to System Restore in case the machine ever does crash.
http://silentrunners.org/sr_eruntuse.html

Be sure to read through the entire page and pay close attention to Emergency Procedures should you ever need it.


Lets check the other apps on here,Please post an uninstall list,
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press Save button a notepad will open with the contents of that file.
  • Simply copy and paste the contents of that notepad into this topic please.


#13 mariska

mariska
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Location:Turku
  • Local time:09:13 PM

Posted 20 October 2007 - 09:48 AM

How :blink:
Here is the the list of program files;Thanks for your time :thumbsup:

AC3Filter (remove only)
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Advanced WMA Workshop version 2.1rc2
Agere Systems PCI Soft Modem
Automaattiset valikot (Windows Live Toolbar)
avast! Antivirus
AVG Anti-Spyware 7.5
BlitzIn2
BSPlayer
CCleaner (remove only)
DC++ 0.673
Empire Earth - The Art of Conquest
ffdshow (remove only)
FreeUndelete
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
Hotfix-korjauspäivitys Windows Media Player 11:lle (KB939683)
hp psc 1200 series
HP valokuva- ja kuvankäsittelyohjelma 2.0 - hp psc 1200 series
HP:n valokuva- ja kuvankäsittelyohjelma 2.0 - All-in-One
HP:n valokuva- ja kuvankäsittelyohjelma 2.0 - All-in-One Ohjain
HP-muistolevy
Intel® Extreme Graphics Driver
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
Macromedia Shockwave Player
Media Audio Capture
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Finnish Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Microsoft Windows XP -käyttöjärjestelmän ohjatun CD-levylle tallentamisen HighMAT-laajennus
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 3.5 magicMoments_CE - Medion
Nero 6
Oma tietokoneesi
OneCare Advisor (Windows Live Toolbar)
Outlook-työkalurivi (Windows Live Toolbar)
Panda TotalScan
Philips Key Ring Audio Player
Ponnahdusikkunoiden esto (Windows Live Toolbar)
PowerDVD
Päivitys Windows XP:lle (KB933360)
Päivitys Windows XP:lle (KB936357)
Päivitys Windows XP:lle (KB938828)
QuickTime
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Spybot - Search & Destroy 1.4
Suojauspäivitys Windows Internet Explorer 7:lle (KB928090)
Suojauspäivitys Windows Internet Explorer 7:lle (KB929969)
Suojauspäivitys Windows Internet Explorer 7:lle (KB931768)
Suojauspäivitys Windows Internet Explorer 7:lle (KB933566)
Suojauspäivitys Windows Internet Explorer 7:lle (KB937143)
Suojauspäivitys Windows Internet Explorer 7:lle (KB938127)
Suojauspäivitys Windows Internet Explorer 7:lle (KB939653)
Suojauspäivitys Windows Media Player 11:lle (KB936782)
Suojauspäivitys Windows XP:lle (KB921503)
Suojauspäivitys Windows XP:lle (KB933729)
Suojauspäivitys Windows XP:lle (KB936021)
Suojauspäivitys Windows XP:lle (KB938829)
Suojauspäivitys Windows XP:lle (KB941202)
SUPERAntiSpyware Professional
Syötteen tunnistus (Windows Live Toolbar)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbarin laajennus (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Varmuuskopiointi
WinRAR archiver
WinZip 11.1
Yahoo! Toolbar

#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 20 October 2007 - 10:04 AM

Adobe Acrobat 5.0<--- Update to version 8

Adobe Flash Player 9 ActiveX<--- Be sure is latest version.

Java™ 6 Update 2<-- Uninstall

Java™ SE Runtime Environment 6 Update 1<-- Uninstall

QuickTime<-- Be sure its the latest version.

RealPlayer<-- Be sure its the latest version.


How does the PC seem to be acting now?

#15 mariska

mariska
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Location:Turku

Posted 20 October 2007 - 10:13 AM

Well i must say everything seems to be fine now :blink:
Thanks cretemonster for help and advice,its much appreciated, :thumbsup: Wishing u a pleasant weekend

Regards
Chris




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users