Trojan horse Dropper.Agent.HHK

#1 theclamps27
Hey there, won't go into details but I stupidly tried to download something and got infected with this Trojan horse Dropper.Agent.HHK thing. My computer is running fine but every time I start it up the files tmp0.exe, tmp1.exe, tmp2.exe and tmp3.exe are created in my Program Files folder. AVG Free Edition puts them in the virus vault but they are still created every time I restart my laptop, so I think there's something more deeply rooted going on here! I downloaded HijackThis and the log is included below as per instructions. Hope you can help me, as I don't believe a System Restore will help with this: the actual virus itself doesn't seem to be coming up in the AVG scans, so it must be well buried in my system somewhere (not that I'd know, I'm in no way a computer wiz!)

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:33:43, on 24/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\antiviirus.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.co.uk/8...WCompleteAddIns
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Quick Time\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [MAAgent] C:\Program Files\MarkAny\ContentSafer\MAAgent.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe

--
End of file - 7176 bytes


Uninstall log:

Adobe Flash Player ActiveX
Adobe Reader 8.1.2
ALPS Touch Pad Driver
Apple Software Update
Atheros Client Utility
Atheros Wireless LAN MiniPCI card Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG 7.5
CD/DVD Drive Acoustic Silencer
Digidesign Free Bomb Factory Plug-Ins 7.4
Digidesign Pro Tools LE 7.4
Digidesign Shared Plug-Ins 7.4
HijackThis 2.0.2
Hotfix for Windows XP (KB894871)
Hotfix for Windows XP (KB895200)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
InterLok Driver Kit
Interlok driver setup x32
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 2
Japanese Fonts Support For Adobe Reader 8
Java™ 6 Update 3
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
NCH Toolbox
OpenOffice.org 2.3
QuickTime
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Samsung Media Studio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Sonic DLA
Sonic RecordNow!
Sony Ericsson PC Suite 1.20.224
Switch
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA Manuals
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Software Modem
TOSHIBA Supervisor Password
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
TouchPad On/Off Utility
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Winamp
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893056
Windows XP Hotfix - KB893086
Xpand!
XviD MPEG-4 Video Codec

Cheers, James.

Here's my ComboFix log too:

ComboFix 08-03-23.2 - James Clamp 2008-03-24 1:14:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.513 [GMT 0:00]
Running from: C:\Documents and Settings\James Clamp\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Other TimeOuts --
CF1372.exe /c " VFind.exe -ltf -s-1300000 -d+2007-12-24 C:\WINDOWS\* >Windir.dat"
VFind.exe -ltf -s-1300000 -d+2007-12-24 C:\WINDOWS\*
CF1372.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-24 "C:\Program Files\*"
CF1372.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-24 00:33 . 2008-03-24 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 23:35 . 2008-03-23 23:35 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-23 22:10 . 2008-03-23 22:10 21,576 --a------ C:\Program Files\antiviirus.exe
2008-03-23 21:37 . 2008-03-23 21:37 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\Apple Computer
2008-03-23 20:11 . 2008-03-23 20:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-23 20:11 . 2008-03-23 20:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-23 20:08 . 2008-03-23 21:44 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\Teleca
2008-03-23 20:06 . 2008-03-23 20:06 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-03-23 20:06 . 2008-03-23 20:06 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-03-23 20:06 . 2008-03-23 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-03-23 20:06 . 2008-03-23 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-03-23 19:58 . 2008-03-23 19:58 65,024 --a------ C:\WINDOWS\IFinst26.exe
2008-03-23 19:57 . 2008-03-23 19:57 <DIR> d-------- C:\Program Files\XviD
2008-03-23 19:57 . 2008-03-23 19:57 <DIR> d-------- C:\Program Files\MarkAny
2008-03-23 19:56 . 2008-03-23 19:56 <DIR> d-------- C:\Program Files\Samsung
2008-03-23 12:06 . 2008-03-23 12:07 <DIR> d-------- C:\Documents and Settings\James Clamp\dwhelper
2008-03-20 17:42 . 2008-03-20 17:42 <DIR> d-------- C:\WINDOWS\Sun
2008-03-19 02:25 . 2008-03-19 02:25 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-19 01:57 . 2008-03-19 01:57 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\InstallShield
2008-03-19 01:57 . 2007-10-31 02:12 2,545,766 --a------ C:\WINDOWS\system32\dgfwdio.dll
2008-03-19 01:57 . 2007-10-30 23:03 270,336 --a------ C:\WINDOWS\system32\DigiPlatformSupport.dll
2008-03-19 01:57 . 2006-03-29 15:11 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2008-03-19 01:57 . 2007-10-31 00:35 45,568 --a------ C:\WINDOWS\system32\mbx2midu.dll
2008-03-19 01:57 . 2007-10-31 02:15 24,080 --a------ C:\WINDOWS\system32\drivers\dgfwboot.sys
2008-03-19 01:57 . 2007-10-31 02:16 21,904 --a------ C:\WINDOWS\system32\drivers\mbx2midk.sys
2008-03-19 01:57 . 2007-10-31 02:16 21,648 --a------ C:\WINDOWS\system32\drivers\mbx2dfu.sys
2008-03-19 01:57 . 2007-10-31 02:16 16,400 --a------ C:\WINDOWS\system32\drivers\diginet.sys
2008-03-19 01:06 . 2008-03-23 21:42 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\Digidesign
2008-03-19 01:06 . 2008-03-19 02:02 <DIR> d-------- C:\Digidesign Databases
2008-03-19 01:04 . 2008-03-19 01:04 <DIR> d-------- C:\Program Files\InterLok
2008-03-19 01:04 . 2007-10-31 00:34 196,608 --a------ C:\WINDOWS\system32\Digi32.dll
2008-03-19 01:03 . 2007-10-31 02:15 97,808 --a------ C:\WINDOWS\system32\drivers\Dalwdm.sys
2008-03-19 01:03 . 2006-12-08 22:50 16,384 --a------ C:\WINDOWS\system32\drivers\DigiFilt.sys
2008-03-19 01:02 . 2008-03-19 02:07 <DIR> d-------- C:\Program Files\Digidesign
2008-03-19 01:02 . 2008-03-19 01:03 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2008-03-19 01:02 . 2007-10-31 03:16 3,683,014 --a------ C:\WINDOWS\system32\DirectIO.dll
2008-03-19 01:02 . 2007-10-31 00:03 1,362,460 --a------ C:\WINDOWS\system32\ExpansionHD_Firmware.bin
2008-03-19 01:02 . 2007-10-31 00:03 659,456 --a------ C:\WINDOWS\system32\DSI.dll
2008-03-19 01:02 . 2007-10-31 00:35 172,032 --a------ C:\WINDOWS\system32\Diomidi.DLL
2008-03-19 01:02 . 2006-12-08 23:21 90,112 --a------ C:\WINDOWS\system32\WinMMFix.dll
2008-03-19 01:02 . 2007-10-31 00:36 15,872 --a------ C:\WINDOWS\system32\digicoin.dll
2008-03-18 23:51 . 2008-03-18 23:51 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-18 23:43 . 2008-03-23 20:06 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-03-18 23:43 . 2008-03-18 23:43 <DIR> d-------- C:\Program Files\Common Files\PACE Anti-Piracy
2008-03-18 23:43 . 2008-03-23 20:10 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\PACE Anti-Piracy
2008-03-18 23:43 . 2008-03-23 20:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
2008-03-18 23:38 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-03-18 23:38 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-03-18 23:38 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-03-18 23:38 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-03-18 23:36 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-03-17 07:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-17 07:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-17 07:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-16 23:51 . 2008-03-16 23:51 <DIR> d-------- C:\Program Files\Apple Software Update
2008-03-16 23:51 . 2008-03-16 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-03-16 23:51 . 2008-03-16 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-03-16 23:45 . 2008-03-16 23:45 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-03-16 23:45 . 2008-03-16 23:45 <DIR> d-------- C:\Program Files\Common Files\Real
2008-03-16 23:43 . 2008-03-16 23:52 <DIR> d-------- C:\Program Files\Quick Time
2008-03-16 23:41 . 2008-03-16 23:47 <DIR> d-------- C:\Program Files\Real Player
2008-03-16 23:37 . 2008-03-16 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-03-16 23:36 . 2008-03-16 23:36 <DIR> d-------- C:\Program Files\Switch
2008-03-16 23:36 . 2008-03-16 23:38 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-03-16 23:36 . 2008-03-16 23:36 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\NCH Swift Sound
2008-03-16 23:33 . 2008-03-16 23:33 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-16 23:32 . 2008-03-16 23:34 <DIR> d-------- C:\Program Files\Windows Live
2008-03-16 23:32 . 2008-03-16 23:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-16 23:22 . 2008-03-17 07:42 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\OpenOffice.org2
2008-03-16 23:19 . 2008-03-16 23:20 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2008-03-16 23:19 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-16 23:09 . 2008-03-16 23:18 <DIR> d-------- C:\Program Files\Open Office
2008-03-16 22:41 . 2008-03-19 20:04 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\Winamp
2008-03-16 22:41 . 2007-03-07 23:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-03-16 22:41 . 2007-03-07 23:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-16 22:41 . 2007-03-07 23:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-16 22:40 . 2008-03-16 22:41 <DIR> d-------- C:\Program Files\Winamp
2008-03-16 22:38 . 2008-03-16 22:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-16 22:30 . 2008-03-16 22:30 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\Talkback
2008-03-16 22:30 . 2008-03-16 22:30 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-16 22:12 . 2008-03-16 22:24 <DIR> d-------- C:\Documents and Settings\James Clamp\Contacts
2008-03-16 22:11 . 2008-03-23 20:07 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-03-16 21:57 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-16 21:25 . 2006-12-07 06:40 2,362,184 -----c--- C:\WINDOWS\system32\dllcache\wmvcore.dll
2008-03-16 21:25 . 2007-07-09 13:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-16 21:13 . 2006-09-06 17:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-16 20:51 . 2008-03-24 00:25 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\AVG7
2008-03-16 20:50 . 2008-03-16 20:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-16 20:50 . 2008-03-16 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-16 20:50 . 2008-03-24 00:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-16 20:21 . 2008-03-16 20:21 <DIR> d--hs---- C:\Documents and Settings\James Clamp\UserData
2008-03-16 17:43 . 2005-08-25 15:23 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-03-16 17:43 . 2005-08-25 15:23 <DIR> d-------- C:\Documents and Settings\James Clamp\WINDOWS
2008-03-16 17:43 . 2005-08-25 15:27 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\toshiba
2008-03-16 17:43 . 2005-08-26 09:31 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\Symantec
2008-03-16 17:43 . 2005-08-26 09:17 <DIR> d-------- C:\Documents and Settings\James Clamp\Application Data\Sonic
2008-03-16 17:43 . 2008-03-16 17:43 0 -rahs---- C:\WINDOWS\system32\drivers\TOSHIBA_EQUIUM M50_03436000-AV_PSM59E-00300.MRK
2008-03-16 17:42 . 2005-08-25 15:23 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-03-16 17:42 . 2004-12-22 16:44 843,776 --a------ C:\WINDOWS\system32\AegisE5.dll
2008-03-16 17:42 . 2005-03-27 17:32 385,024 --a------ C:\WINDOWS\system32\athcfg11.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 19:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-16 23:19 --------- d-----w C:\Program Files\Java
2008-03-16 17:58 --------- d-----w C:\Program Files\Symantec
2008-03-16 17:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-16 17:42 --------- d-----w C:\Program Files\Atheros
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-12-22 07:10 88358 C:\WINDOWS\agrsmmsg.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2004-03-24 05:40 196608]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2005-06-30 09:05 671744]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2005-06-08 14:51 53248]
"HWSetup"="C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2004-05-01 12:45 28672]
"SVPWUTIL"="C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2004-05-01 12:45 65536]
"Zooming"="ZoomingHook.exe" [2005-06-06 08:58 24576 C:\WINDOWS\system32\ZoomingHook.exe]
"TCtryIOHook"="TCtrlIOHook.exe" [2005-08-05 18:02 28672 C:\WINDOWS\system32\TCtrlIOHook.exe]
"TPSMain"="TPSMain.exe" [2005-08-11 13:33 266240 C:\WINDOWS\system32\TPSMain.exe]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 09:31 118784]
"TFncKy"="TFncKy.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 04:33 122941]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-16 20:52 579072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\Quick Time\QTTask.exe" [2008-01-31 23:13 385024]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 00:35 77824]
"SMSTray"="C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2006-07-21 08:32 126976]
"MAAgent"="C:\Program Files\MarkAny\ContentSafer\MAAgent.exe" [2006-06-02 14:39 57344]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]
"antiviirus"="C:\Program Files\antiviirus.exe" [2008-03-23 22:10 21576]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 12:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-16 20:50 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
--a------ 2004-11-17 09:56 1077327 C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
--a------ 2005-04-05 15:25 73728 C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"CFSvcs"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-12-08 22:50]
R2 DigiNet;Digidesign Ethernet Support;C:\WINDOWS\system32\DRIVERS\diginet.sys [2007-10-31 02:16]
S3 dalwdmservice;dal service;C:\WINDOWS\system32\drivers\dalwdm.sys [2007-10-31 02:15]
S3 MBX2DFU;MBX2DFU;C:\WINDOWS\system32\DRIVERS\MBX2DFU.sys [2007-10-31 02:16]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\WINDOWS\system32\drivers\mbx2midk.sys [2007-10-31 02:16]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-16 23:51:40 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-16 17:42:42 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
"2008-03-16 17:42:42 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 01:15:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 1:16:20
ComboFix-quarantined-files.txt 2008-03-24 01:16:11
.
2008-03-16 22:01:28 --- E O F ---


UPDATE! 24/3/08

AVG just doing its daily scan has found some more suspect files!

Dc1.exe in C:\Recycler\S-1-5-21-3179837507-3992972269-289082209-1007\Dc1.exe

A0003780.exe in C:\System Volume Information\_restore{8822E5AF-692C-42F0-B1EA-1E71D2781317}\RP79\A0003780.exe
A0003823.exe in C:\System Volume Information\_restore{8822E5AF-692C-42F0-B1EA-1E71D2781317}\RP79\A0003823.exe
A0003853.exe in C:\System Volume Information\_restore{8822E5AF-692C-42F0-B1EA-1E71D2781317}\RP79\A0003853.exe
A0003859.exe in C:\System Volume Information\_restore{8822E5AF-692C-42F0-B1EA-1E71D2781317}\RP79\A0003859.exe
A0003885.exe in C:\System Volume Information\_restore{8822E5AF-692C-42F0-B1EA-1E71D2781317}\RP79\A0003885.exe
A0003886.exe in C:\System Volume Information\_restore{8822E5AF-692C-42F0-B1EA-1E71D2781317}\RP79\A0003886.exe
A0003887.exe in C:\System Volume Information\_restore{8822E5AF-692C-42F0-B1EA-1E71D2781317}\RP79\A0003887.exe
A0003888.exe in C:\System Volume Information\_restore{8822E5AF-692C-42F0-B1EA-1E71D2781317}\RP79\A0003888.exe

Edited by theclamps27, 24 March 2008 - 07:08 AM.
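A quick triage pass over the two logs in the post above, added here as an example; it is not part of the original post and not code from HijackThis, ComboFix or AVG. It parses HijackThis O4 autorun lines and ComboFix "Files Created" lines (a few of each copied from the post into constructed sample strings), resolves the image path of each Run entry, and flags entries whose binary sits directly in the Program Files root rather than in a product folder, appears in the ComboFix recently-created list, or is a bare filename that Windows resolves through the search path. The PROGRA~1 short-name normalisation and the three reasons are heuristics of this example, and the thread never says which file was the dropper; the output is a list for a human to check, not a verdict.

```python
import re
from datetime import datetime

# Constructed sample input: a handful of O4 lines from the HijackThis log and
# "Files Created" lines from the ComboFix log in the post above. Only the line
# format matters here; the heuristics below rank entries for a human to review
# and do not by themselves decide what is malicious.
HJT_O4 = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

COMBOFIX_CREATED = r"""
2008-03-24 00:33 . 2008-03-24 00:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-23 22:10 . 2008-03-23 22:10 21,576 --a------ C:\Program Files\antiviirus.exe
2008-03-23 19:58 . 2008-03-23 19:58 65,024 --a------ C:\WINDOWS\IFinst26.exe
2008-03-16 17:42 . 2004-12-22 16:44 843,776 --a------ C:\WINDOWS\system32\AegisE5.dll
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# <created> . <modified> <size or <DIR>> <attributes> <path>
CF_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$"
)
# Either a quoted image path, or everything up to the first ".exe" when the
# path is unquoted (HijackThis prints unquoted paths even when they have spaces).
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)


def extract_image_path(command: str) -> str:
    """Pull the executable path out of a Run value's command line."""
    m = IMAGE_RE.match(command.strip())
    if not m:
        return command.strip()
    path = m.group(1) or m.group(2)
    # Heuristic: expand the 8.3 alias seen in this log so paths compare equal.
    return re.sub(r"PROGRA~1", "Program Files", path, flags=re.IGNORECASE)


def parse_created(text: str) -> dict:
    """Map lower-cased file path -> creation time for non-directory entries."""
    files = {}
    for line in text.strip().splitlines():
        m = CF_RE.match(line.strip())
        if not m or m.group(3) == "<DIR>":
            continue
        files[m.group(5).lower()] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
    return files


def triage_autoruns(hjt_text: str, combofix_text: str) -> list:
    """Return Run entries worth a closer look, most reasons first."""
    created = parse_created(combofix_text)
    findings = []
    for line in hjt_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        path = extract_image_path(command)
        reasons = []
        if "\\" not in path:
            reasons.append("bare filename, resolved through the search path")
        else:
            parent = path.rsplit("\\", 1)[0].lower()
            if parent == r"c:\program files":
                reasons.append("binary sits directly in the Program Files root, not in a product folder")
        if path.lower() in created:
            stamp = created[path.lower()].strftime("%Y-%m-%d %H:%M")
            reasons.append(f"file created {stamp}, inside the ComboFix reporting window")
        if reasons:
            findings.append({"hive": hive, "key": key, "name": name, "path": path, "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(HJT_O4, COMBOFIX_CREATED):
        print(f"{f['hive']}\\{f['key']} [{f['name']}] -> {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the full logs, the two highest-scoring entries are the ones to resolve first; anything that also fails to show up in the "Running processes" list, or that AVG keeps re-quarantining, should be checked against the same Run key after a reboot to see whether it is being rewritten.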


#2 theclamps27 (Topic Starter)
It's OK now, I've fixed it, although my computer did die in the process and I had to reinstall everything.

I went to the Major Geeks malware removal guide and the first part of the XP cleaning guide seemed to remove the virus, but I decided to go through the rest to make sure. After I ran ComboFix, however, my laptop refused to boot up any more. I had run ComboFix before with no problems, but maybe running it twice is a bad idea?

Thanks to all that viewed this anyway, and I hope what I found will help others battle this annoying trojan, as I found very little on this particular one in my searches.

James x