Help Infected! [CLOSED]



#1
mienboi07

mienboi07

    New Member

  • Member
  • 6 posts
I believe it's a Trojan.Vundo and some other stuff because I found vtutt.dll and wvututt.dll and I can't seem to remove them from my system32 folder. Help please!

Here's my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:35 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Saetern\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {BD3E7944-13C3-432E-9D05-17AF488BB2C6} - C:\WINDOWS\system32\vtutt.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\wvututt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: wvututt - C:\WINDOWS\SYSTEM32\wvututt.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

--
End of file - 5270 bytes

#2
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi mienboi07,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
Deckard's System Scanner
VundoFix.exe
OTMoveIt2 by OldTimer.


Run VundoFix.exe:
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click OK in the new window.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.


Run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt & C:\vundofix.txt in your next reply.



Cheers,

sage5

#3
mienboi07

mienboi07

    New Member

  • Topic Starter
  • Member
  • 6 posts
Here is the VundoFix log:


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 12:02:26 AM 1/13/2008

Listing files found while scanning....

C:\WINDOWS\system32\rucfwjdm.dll
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\ysmhwkvc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rucfwjdm.dll
C:\WINDOWS\system32\rucfwjdm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\ttutv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ysmhwkvc.dll
C:\WINDOWS\system32\ysmhwkvc.dll Has been deleted!

Performing Repairs to the registry.
Done!




------------------------------------------------------------------------

And here is the HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 12:23:59 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Saetern\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {36c29d11-21b6-d9a9-8514-7d2310703363} - {36330701-32d7-4158-9a9d-6b1211d92c63} - C:\WINDOWS\system32\ysmhwkvc.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\wvututt.dll (file missing)
O2 - BHO: (no name) - {D9854EAD-3448-412E-BD3A-7FD01BB49812} - C:\WINDOWS\system32\vtutt.dll (file missing)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: wvututt - C:\WINDOWS\
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

--
End of file - 5294 bytes

#4
mienboi07

mienboi07

    New Member

  • Topic Starter
  • Member
  • 6 posts
dss.exe keeps crashing and won't let me finish o.o

#5
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi mienboi07,

Let's try another scanner then.

Download the following & save to your Desktop:
ComboFix

Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply.
Log file will be C:\Combofix.txt

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Cheers,

sage5

#6
mienboi07

mienboi07

    New Member

  • Topic Starter
  • Member
  • 6 posts
My computer is running a lot faster now, thanks a lot!

Here's the log file for ComboFix:


ComboFix 08-01-13.1 - Saetern 2008-01-13 12:17:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.264 [GMT -8:00]
Running from: C:\Documents and Settings\Saetern\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\QdrDrive
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-13 12:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-13 01:23 . 2008-01-13 01:23 <DIR> d-------- C:\Documents and Settings\Saetern\Application Data\acccore
2008-01-13 01:19 . 2008-01-13 01:19 <DIR> d-------- C:\Program Files\Viewpoint
2008-01-13 01:19 . 2008-01-13 01:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-13 01:19 . 2008-01-13 01:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-01-13 01:18 . 2008-01-13 01:22 <DIR> d-------- C:\Program Files\AIM6
2008-01-13 00:31 . 2008-01-13 00:31 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 00:19 . 2008-01-13 00:19 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-13 00:02 . 2008-01-13 00:02 <DIR> d-------- C:\VundoFix Backups
2008-01-12 03:44 . 2008-01-12 03:44 <DIR> d-------- C:\Documents and Settings\Saetern\Application Data\Lavasoft
2008-01-12 03:43 . 2008-01-12 03:43 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-09 00:41 . 2008-01-09 01:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 00:16 . 2005-11-14 17:01 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-01-09 00:16 . 2005-11-14 16:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\toshiba
2008-01-09 00:16 . 2005-11-14 16:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2008-01-09 00:16 . 2005-11-14 17:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterVideo
2008-01-09 00:16 . 2007-12-10 21:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-01-08 22:44 . 2008-01-08 22:44 <DIR> d-------- C:\Documents and Settings\Saetern\Application Data\ESET
2007-12-30 21:58 . 2008-01-13 01:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-30 21:58 . 2007-12-30 21:58 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-30 21:53 . 2007-12-30 21:53 <DIR> d-------- C:\Documents and Settings\Saetern\Application Data\Apple Computer
2007-12-30 21:52 . 2008-01-08 20:18 <DIR> d-------- C:\Program Files\iTunes
2007-12-30 21:52 . 2007-12-30 21:52 <DIR> d-------- C:\Program Files\iPod
2007-12-30 21:49 . 2007-12-31 03:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-30 21:48 . 2007-12-30 21:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-30 21:48 . 2007-12-30 21:48 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-30 21:48 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-30 21:46 . 2007-12-30 21:46 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-30 21:46 . 2007-12-30 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-30 18:30 . 2007-12-30 18:30 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-30 00:04 . 2008-01-12 00:23 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-29 11:10 . 2007-12-29 11:10 32,764 --a------ C:\WINDOWS\17PHolmes11.exe
2007-12-28 11:26 . 2007-12-28 11:26 <DIR> d-------- C:\WINDOWS\Sun
2007-12-24 15:02 . 2007-12-24 15:02 <DIR> d-------- C:\Documents and Settings\Saetern\Application Data\Sonic
2007-12-23 01:06 . 2007-12-23 01:06 <DIR> d-------- C:\Program Files\DivX
2007-12-22 23:29 . 2007-12-22 23:29 <DIR> d-------- C:\Documents and Settings\Saetern\Application Data\Nexon
2007-12-22 23:28 . 2003-07-20 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2007-12-22 23:28 . 2005-01-04 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-12-22 23:23 . 2007-12-22 23:23 <DIR> d-------- C:\Nexon
2007-12-21 08:21 . 2007-12-21 08:21 71,176 --a------ C:\WINDOWS\system32\drivers\epfw.sys
2007-12-21 08:21 . 2007-12-21 08:21 53,768 --a------ C:\WINDOWS\system32\drivers\epfwtdi.sys
2007-12-21 08:21 . 2007-12-21 08:21 30,728 --a------ C:\WINDOWS\system32\drivers\epfwndis.sys
2007-12-21 08:20 . 2007-12-21 08:20 30,216 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-21 08:19 . 2007-12-21 08:19 39,944 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-12-18 15:42 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-12-18 15:42 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-12-15 09:51 . 2007-12-15 09:51 <DIR> d-------- C:\Documents and Settings\Saetern\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 09:19 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-13 09:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-13 09:15 --------- d-----w C:\Program Files\AIM
2008-01-13 09:15 --------- d-----w C:\Documents and Settings\Saetern\Application Data\Aim
2008-01-12 11:30 --------- d-----w C:\Documents and Settings\Saetern\Application Data\U3
2008-01-09 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-01-09 06:40 --------- d-----w C:\Program Files\QuickTime
2007-12-31 11:06 --------- d-----w C:\Documents and Settings\Saetern\Application Data\Azureus
2007-12-31 02:40 --------- d-----w C:\Program Files\Toshiba
2007-12-24 23:05 --------- d-----w C:\Program Files\Azureus
2007-12-13 04:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-13 04:24 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-13 04:24 --------- d-----w C:\Program Files\Bonjour
2007-12-13 04:17 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-11 09:37 --------- d-----w C:\Program Files\Google
2007-12-11 09:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-11 09:31 --------- d-----w C:\Program Files\Common Files\Real
2007-12-11 05:14 --------- d-----w C:\Program Files\Pure Networks
2007-12-11 05:12 --------- d-----w C:\Documents and Settings\Saetern\Application Data\AOL
2007-12-11 04:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-12-11 04:42 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-11 02:04 --------- d-----w C:\Documents and Settings\Saetern\Application Data\Winamp
2007-12-11 00:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-12-10 08:35 --------- d-----w C:\Program Files\AOD
2007-12-10 08:29 --------- d-----w C:\Program Files\Winamp
2007-12-10 08:27 --------- d-----w C:\Program Files\MSXML 4.0
2007-12-10 08:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-10 08:18 --------- d-----w C:\Program Files\MSBuild
2007-12-10 08:18 --------- d-----w C:\Program Files\Microsoft Works
2007-12-10 08:17 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-10 08:00 --------- d-----w C:\Program Files\Metamail Inc
2007-12-10 07:43 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2007-12-10 07:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-10 07:43 --------- d-----w C:\Program Files\Atheros
.
<pre>
----a-w		   267,048 2008-01-09 04:18:31  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   286,720 2008-01-09 06:40:25  C:\Program Files\QuickTime\QTTask				  .exe
----a-w		   286,720 2008-01-12 16:16:10  C:\Program Files\QuickTime\QTTask				 .exe
----a-w		   286,720 2008-01-13 20:19:38  C:\Program Files\QuickTime\QTTask				.exe
----a-w		   286,720 2008-01-12 16:16:12  C:\Program Files\QuickTime\QTTask			   .exe
----a-w		   286,720 2008-01-12 16:16:12  C:\Program Files\QuickTime\QTTask			  .exe
----a-w		   286,720 2008-01-12 16:16:12  C:\Program Files\QuickTime\QTTask			 .exe
----a-w		   286,720 2008-01-12 16:16:14  C:\Program Files\QuickTime\QTTask			.exe
----a-w		   286,720 2008-01-12 16:16:14  C:\Program Files\QuickTime\QTTask		   .exe
----a-w		   286,720 2008-01-12 16:16:14  C:\Program Files\QuickTime\QTTask		  .exe
----a-w		   286,720 2008-01-12 16:16:14  C:\Program Files\QuickTime\QTTask		 .exe
----a-w		   286,720 2008-01-12 16:16:17  C:\Program Files\QuickTime\QTTask		.exe
----a-w		   286,720 2008-01-12 16:16:17  C:\Program Files\QuickTime\QTTask	   .exe
----a-w		   286,720 2008-01-12 16:16:19  C:\Program Files\QuickTime\QTTask	  .exe
----a-w		   286,720 2008-01-12 16:16:18  C:\Program Files\QuickTime\QTTask	 .exe
----a-w		   286,720 2008-01-12 16:16:21  C:\Program Files\QuickTime\QTTask	.exe
----a-w		   286,720 2008-01-12 16:16:21  C:\Program Files\QuickTime\QTTask   .exe
----a-w		   286,720 2008-01-13 20:19:40  C:\Program Files\QuickTime\QTTask  .exe
----a-w		   286,720 2008-01-12 16:16:21  C:\Program Files\QuickTime\QTTask .exe
----a-w		 1,460,560 2008-01-09 23:01:39  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w			15,872 2008-01-12 08:23:43  C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w		   158,208 2008-01-12 07:42:26  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-12 08:23:45  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36330701-32d7-4158-9a9d-6b1211d92c63}]
C:\WINDOWS\system32\ysmhwkvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D9854EAD-3448-412E-BD3A-7FD01BB49812}]
C:\WINDOWS\system32\vtutt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-12 23:54 15360]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-12 08:16 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvututt]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Saetern^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Saetern\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\000StTHK]
--a------ 2001-06-23 04:28 24576 C:\WINDOWS\system32\000StTHK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00THotkey]
--a------ 2005-03-01 00:43 245760 C:\WINDOWS\system32\00THotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 2005-04-12 16:17 88358 C:\WINDOWS\agrsmmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
--a------ 2004-03-23 22:40 196608 C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-01-12 23:54 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2005-05-31 05:33 122941 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-06-08 10:59 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-06-08 11:02 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-01-08 23:53 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\vtutt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
--a------ 2005-04-12 16:18 184320 C:\Program Files\ltmoh\Ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDSTray.exe]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2005-06-08 11:03 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
--a------ 2005-03-17 17:37 151552 c:\toshiba\ivp\ism\pinger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule11]
C:\Program Files\QdrModule\QdrModule11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack11]
C:\Program Files\QdrPack\QdrPack11.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-08 22:40 286720 C:\Program Files\QuickTime\QTTask .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
--a------ 2005-04-26 16:13 122880 C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-01-09 20:26 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFNF5]
--a------ 2004-12-15 10:02 73728 C:\WINDOWS\system32\TFNF5.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TOSCDSPD]
--a------ 2008-01-09 20:43 65536 C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
--a------ 2005-06-28 20:43 126976 C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
--a------ 2005-08-09 19:22 315392 C:\WINDOWS\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSODDCtl]
--a------ 2005-08-09 19:22 110592 C:\WINDOWS\system32\TPSODDCtl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2008-01-12 00:23 15872 C:\Program Files\Unlocker\UnlockerAssistant .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Swupdtmr"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb529ff4-a6f5-11dc-a0bd-00038a000015}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-31 05:49:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 12:21:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 12:23:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 20:23:15
.
2007-12-11 05:12:57 --- E O F ---

#7 sage5 (RIP 10/2009), Retired Staff, 2,646 posts
Hi mienboi07,


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O2 - BHO: {36c29d11-21b6-d9a9-8514-7d2310703363} - {36330701-32d7-4158-9a9d-6b1211d92c63} - C:\WINDOWS\system32\ysmhwkvc.dll (file missing)
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\wvututt.dll (file missing)
O2 - BHO: (no name) - {D9854EAD-3448-412E-BD3A-7FD01BB49812} - C:\WINDOWS\system32\vtutt.dll (file missing)
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O20 - Winlogon Notify: wvututt - C:\WINDOWS\
  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.

I see you have Azureus installed on your system.
While the program itself is legal, most of the files downloaded with it are not.
These programs can also be one of the major infection routes for an otherwise secure PC, because you might be unknowingly downloading infected files.
I highly recommend uninstalling Azureus as outlined below.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    Azureus
    Please take note of any other programs that you don't recognise in that list, and include them in your next response


Create a ComboFix Script:
  • Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\17PHolmes11.exe
C:\WINDOWS\system32\vtutt.exe

Folder::
C:\Program Files\Azureus
C:\Program Files\RcvSystem

RENV::
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\QuickTime\QTTask				  .exe
C:\Program Files\QuickTime\QTTask				 .exe
C:\Program Files\QuickTime\QTTask				.exe
C:\Program Files\QuickTime\QTTask			   .exe
C:\Program Files\QuickTime\QTTask			  .exe
C:\Program Files\QuickTime\QTTask			 .exe
C:\Program Files\QuickTime\QTTask			.exe
C:\Program Files\QuickTime\QTTask		   .exe
C:\Program Files\QuickTime\QTTask		  .exe
C:\Program Files\QuickTime\QTTask		 .exe
C:\Program Files\QuickTime\QTTask		.exe
C:\Program Files\QuickTime\QTTask	   .exe
C:\Program Files\QuickTime\QTTask	  .exe
C:\Program Files\QuickTime\QTTask	 .exe
C:\Program Files\QuickTime\QTTask	.exe
C:\Program Files\QuickTime\QTTask   .exe
C:\Program Files\QuickTime\QTTask  .exe
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Unlocker\UnlockerAssistant .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    Posted Image
  • After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • C:\Combofix.txt


Run an Online Scan:
Disable your antivirus program while running this scan.
  • Open Internet Explorer, type http://www.eset.eu/online-scanner in the Address Bar & hit Enter to go to ESET Online Scanner
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start
    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button
    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt & C:\Combofix.txt back here.


Cheers,

sage5

Edited by sage5, 13 January 2008 - 07:36 PM.

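Added example, not code from this thread, from HijackThis or from ComboFix: a small Python triage script run over the lines quoted in the post above. It parses the O2/O18/O20 lines and flags the traits that made sage5 pick them (the "(file missing)" orphan registrations, the MIME filter on text/html, the Winlogon Notify entry with no module name, and unnamed BHOs loading short random-looking DLL names from system32), and it rebuilds the RENV:: list from file paths whose basename carries whitespace before the extension, the "ctfmon .exe" / "QTTask<tab><tab>.exe" pattern in the ComboFix log. Two things in it are my own assumptions: the last HJT line is a hypothetical benign BHO with a placeholder CLSID and path, added as a control, and the random-name DLL test is a rule of thumb for this Vundo-style naming, not a detection signature.

```python
import re

# Constructed input, copied from the thread above: the five HijackThis
# lines sage5 asks to fix, plus one hypothetical benign BHO as a control
# (name, CLSID and path are placeholders, not a real product).
HJT_LINES = [
    "O2 - BHO: {36c29d11-21b6-d9a9-8514-7d2310703363} - {36330701-32d7-4158-9a9d-6b1211d92c63} - C:\\WINDOWS\\system32\\ysmhwkvc.dll (file missing)",
    "O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\\WINDOWS\\system32\\wvututt.dll (file missing)",
    "O2 - BHO: (no name) - {D9854EAD-3448-412E-BD3A-7FD01BB49812} - C:\\WINDOWS\\system32\\vtutt.dll (file missing)",
    "O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\\Program Files\\RcvSystem\\httpdchk.dll",
    "O20 - Winlogon Notify: wvututt - C:\\WINDOWS\\",
    "O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\helper.dll",
]

# Constructed input: paths from the ComboFix startup listing and the
# RENV:: section above (tabs written as \t), plus two clean names.
FILE_PATHS = [
    "C:\\WINDOWS\\system32\\ctfmon .exe",
    "C:\\WINDOWS\\system32\\ctfmon.exe",
    "C:\\Program Files\\QuickTime\\QTTask\t\t.exe",
    "C:\\Program Files\\Unlocker\\UnlockerAssistant .exe",
    "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\MSConfig .exe",
    "C:\\WINDOWS\\system32\\TPSMain.exe",
]

# Basename with one or more spaces/tabs between the stem and the extension.
SPACED_EXT = re.compile(r"^(?P<stem>.*?\S)[ \t]+\.(?P<ext>exe|dll|scr|com)$", re.IGNORECASE)
# Short all-lowercase DLL names such as vtutt.dll / ysmhwkvc.dll: a
# heuristic (assumption) for generated Vundo-style names, not a rule.
RANDOMISH_DLL = re.compile(r"^[a-z]{5,8}\.dll$")


def shadowed_name(path):
    """Return the legitimate file name a 'name .exe' copy is imitating, or None."""
    m = SPACED_EXT.match(path.rsplit("\\", 1)[-1])
    return f"{m['stem']}.{m['ext']}" if m else None


def renv_section(paths):
    """Build the RENV:: block of a CFScript from every path whose basename is padded."""
    hits = [p for p in paths if shadowed_name(p)]
    return "RENV::\n" + "\n".join(hits) + "\n" if hits else ""


def triage_hjt(line):
    """Parse one O2/O18/O20 HijackThis line and attach the reasons it deserves a look."""
    kind = line.split(" - ", 1)[0]
    if kind not in ("O2", "O18", "O20"):
        return None
    # O2/O18 carry a CLSID field before the path, O20 does not; limit the
    # split so the path stays whole even if it contains " - ".
    parts = line.split(" - ", 3 if kind in ("O2", "O18") else 2)
    label, path = parts[1], parts[-1]
    entry = {"type": kind, "label": label, "path": path, "flags": []}
    if path.endswith("(file missing)"):
        entry["path"] = path = path[: -len("(file missing)")].rstrip()
        entry["flags"].append("registration points at a file that no longer exists")
    base = path.rsplit("\\", 1)[-1]
    if kind == "O18" and label.lower().startswith("filter hijack: text/html"):
        entry["flags"].append("MIME filter on text/html sees every page IE renders")
    if kind == "O20" and not base:
        entry["flags"].append("Winlogon Notify entry with no module name")
    unnamed = label == "BHO: (no name)" or label.startswith("BHO: {")
    if kind == "O2" and unnamed and RANDOMISH_DLL.match(base) and "\\system32\\" in path.lower():
        entry["flags"].append("unnamed BHO loading a random-looking DLL from system32")
    return entry


def suspicious_entries(lines):
    """Return the parsed entries that picked up at least one flag."""
    return [e for e in (triage_hjt(l) for l in lines) if e and e["flags"]]


if __name__ == "__main__":
    for e in suspicious_entries(HJT_LINES):
        print(e["type"], e["path"], "->", "; ".join(e["flags"]))
    print(renv_section(FILE_PATHS))
```

The control line is the point of the last check: helper.dll is as short and lowercase as vtutt.dll, but it sits outside system32 under a named BHO, so it is left alone; the three Vundo DLLs trip the heuristic only because all three conditions line up. The RENV:: builder keeps each padded path byte-for-byte, tabs included, which matters because the rename target is the exact on-disk name.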

#8 sage5 (RIP 10/2009), Retired Staff, 2,646 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.