mystery trojan/virus? Please help. (hijackthis + combofix reports attached)

My PC runs very slow, so I did scans with S&D, AVG, SAS and online McAfee. No virus was detected. Then I ran HijackThis and ComboFix. The PC seems to be running better, but it rebooted itself and an adware was trying to change the registry after the PC rebooted. Here are the HijackThis and ComboFix reports. Could anyone please have a look and give me some advice? Thanks in advance.

Hi, unfortunately you ran ComboFix more than once. Please check the following location and post all logs found there. It will make it a lot easier if we know what was removed.

ComboFix-quarantined-files.txt It would be on your C:\

Thanks.

I will check these ones for now.

Hi, I couldn’t find the ComboFix-quarantined-files.txt in my C:. I just found one combofix.txt and I attached it here for your reference.

I found an older combofix file, hope it helps.

We’ll try a different scanner, nothing really showing in those logs. It doesn’t look like combofix removed anything.

Open Spybot and make sure TeaTimer is disabled; we will re-enable it afterwards. To do so, do the following:

Click mode
click Advanced mode
if you get a warning answer “yes”
click tools
click resident
uncheck resident “teatimer”
click allow change

Download and Unzip to your Desktop: http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepads, main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

I’m sorry, but I have to attach the reports as they exceed the max. allowed length.

Hi Oldman,

FYI, I just found the 1st combofix log, hope it helps. Thanks.

ComboFix 08-03-03.15 - Maggie 2008-03-04 23:54:38.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.950.852.1033.18.130 [GMT 1:00]
Running from: C:\Documents and Settings\Maggie\Desktop\Combo-Fix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))
.

2008-03-04 23:12 . 2008-03-04 23:12 d-------- C:\Documents and Settings\Maggie\Application Data\Uniblue
2008-03-04 21:38 . 2008-03-04 21:38 d-------- C:\Program Files\CCleaner
2008-03-04 16:01 . 2008-03-04 16:01 d-------- C:\WINDOWS\McAfee.com
2008-03-04 16:00 . 2008-03-04 16:00 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 21:17 . 2008-03-03 21:17 d--hs---- C:\FOUND.002
2008-02-27 14:17 . 2008-02-27 14:17 127 --a------ C:\WINDOWS\wininit.ini
2008-02-27 14:02 . 2008-02-27 14:02 d-------- C:\Program Files\Common Files\xing shared
2008-02-27 13:28 . 2008-02-27 13:02 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-27 13:28 . 2008-02-27 13:28 2,551 --a------ C:\WINDOWS\unins000.dat
2008-02-06 14:53 . 2008-02-06 14:53 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grid

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 13:01 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-02 16:49 --------- d-----w C:\Documents and Settings\Maggie\Application Data\Founder
2008-01-29 10:33 --------- d-----w C:\Documents and Settings\Maggie\Application Data\Apple Computer
2008-01-29 10:32 --------- d-----w C:\Program Files\iTunes
2008-01-29 10:32 --------- d-----w C:\Program Files\iPod
2008-01-29 10:29 --------- d-----w C:\Program Files\Apple Software Update
2008-01-29 10:28 --------- d-----w C:\Program Files\Common Files\Apple
2008-01-29 10:28 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2008-01-11 05:53 44,544 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-08 05:21 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-12-06 11:01 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-12-06 11:00 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-12-06 11:00 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 04:59 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [2007-06-19 09:03 5977152]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"eyeBeam SIP Client"=""
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-06-23 10:34 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-06-23 10:34 114688]
"SoundMan"="SOUNDMAN.EXE" [2003-06-20 19:55 55296 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-23 10:35 88267 C:\WINDOWS\AGRSMMSG.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-07-25 04:49 151552]
"LManager"="C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE" [2003-11-27 01:16 262144]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:32 208952]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2003-03-31 12:00 59392]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 12:00 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2003-03-31 12:00 455168]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-10 16:52 249896]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" [2005-07-15 14:48 479232]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 09:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2006-01-14 02:28 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2006-01-14 02:28 172032]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-27 14:01 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
HotSync Manager.lnk - C:\Program Files\Sony Handheld\HOTSYNC.EXE [2002-08-09 15:36:20 299008]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\MSNMSGR.EXE"=
"C:\Program Files\BitComet\BitComet.exe"=

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23838:TCP"= 23838:TCP:BitComet 23838 TCP
"23838:UDP"= 23838:UDP:BitComet 23838 UDP

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\DRIVERS\avgntmgr.sys [2007-09-07 20:12]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-09-07 20:12]

.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-04 23:58:09
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


.
Completion time: 2008-03-04 23:58:44
.
2008-02-13 22:04:23 --- E O F ---
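As an added example (not part of this thread or of ComboFix itself), a small Python script that parses the Reg Loading Points section of a ComboFix log like the one above and flags the entries a helper would look at first: empty commands such as the eyeBeam SIP Client value, and programs launched from temp or profile folders. The sample input is constructed; its Updater line is invented for illustration and does not appear in the posted log.

```python
import re

# Constructed excerpt in the layout of a ComboFix "Reg Loading Points" section;
# the "Updater" line is an invented suspicious entry, not from the thread's log.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"eyeBeam SIP Client"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-06-20 19:55 55296 C:\WINDOWS\SOUNDMAN.EXE]
"Updater"="C:\DOCUME~1\Maggie\LOCALS~1\Temp\update.exe" [2008-03-01 01:02 40960]
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="command" [date time size] plus a resolved path when command is a bare file name
ENTRY_RE = re.compile(
    r'^"([^"]+)"="([^"]*)"'
    r'(?:\s+\[(\d{4}-\d\d-\d\d) (\d\d:\d\d) (\d+)(?: (.*))?\])?$')
TEMP_MARKERS = ('\\temp\\', '\\locals~1\\', '\\local settings\\')
TRUSTED_ROOTS = ('c:\\windows', 'c:\\program files', 'c:\\progra~1')

def parse_loading_points(text):
    """Return one dict per autorun value, tagged with its [KEY] header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m is None or key is None:
            continue
        name, command, date, _clock, size, resolved = m.groups()
        entries.append({'key': key, 'name': name, 'command': command,
                        'path': resolved or command, 'date': date,
                        'size': int(size) if size else None})
    return entries

def flag(entry):
    """Heuristic reasons to look twice at an autorun entry."""
    reasons, p = [], entry['path'].lower()
    if not entry['command']:
        reasons.append('empty command (orphaned autorun)')
    if any(marker in p for marker in TEMP_MARKERS):
        reasons.append('runs from a temp or profile location')
    elif p and not p.startswith(TRUSTED_ROOTS):
        reasons.append('outside WINDOWS or Program Files')
    return reasons

def review(text):
    """Name -> reasons, only for entries that raised at least one flag."""
    return {e['name']: flag(e) for e in parse_loading_points(text) if flag(e)}
```

Entries that pass the heuristics still deserve a look at the file date and size against a known-good copy; the script only narrows the list.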

According to all 3 combofix logs, combofix didn’t remove anything. DSS is not showing anything unusual.

What notified you of the attempted change? Do you recall the name of the adware?

Hi Oldman,

Thanks for checking. It’s called something like ctfmon.exe…coolwebsearch…something similar.

ctfmon.exe is part of Office XP. It’s for language/alternative input services.

I think SAS can handle CoolWebSearch. I didn’t notice it in your logs though.

You can try it in safe mode (fewer things running, a bit faster scan). Use these settings; it will give you better results.

First update SAS. Then boot into safe mode and set SAS up like this.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked

  • CHECK ALL BOXES

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked.

Let us know how you make out.

Hi Oldman,

It quarantined some tracking cookies but nothing looks really harmful to me. It’s really strange and my PC seems to work fine. Hopefully it was just me who was too sensitive. Thanks anyway for your time and help.

Just one small point, cilai: Sun Java Runtime Environment is out of date; it is important to keep this up to date.

"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "

Uninstall all previous versions.

Sun Java Runtime Environment 6 Update 5
Download Sun Java Runtime Environment
Sun Microsystems, Inc.

Thanks tednelly, that’s usually part of the tools cleanup.

@cilai

You may have had something lurking in a temporary location; the tools may have emptied some temp files.

Clean up the tools.

  • Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

Open OTMOVEIT2 then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  • Remove old restore points
  • Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  • You can use the link provided by tednelly for your java, but do follow the steps to remove your old java.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 5…allows end-users to run Java applications”.

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u6-windows-i586-p.exe to your desktop; do not Run it. Do not install it yet.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  • If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0

Take care and keep safe.