Possible trojan infection.

Status
Not open for further replies.
I uninstalled both AV programs a few days ago but still no noticeable improvements.

If it's possible for me to use a previous restore point I don't mind removing the infections we've already discussed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:47, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\DOCUME~1\Philip\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.za.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.za.acer.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 1
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: HP Image Zone Fast Start.lnk.disabled
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B9B1BCD-C486-46AD-BD33-A634DF49F2F0}: NameServer = 209.212.96.1 209.212.97.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8215 bytes
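The log above is in HijackThis 2.x format, and a reviewer reads it section by section: the running process list, the O4 autorun entries, the O17 DNS settings and the O23 services. The script below is an added example, not HijackThis code and not this forum's procedure; it parses that format and applies a few defender-side review heuristics (a process running from a Temp directory, an autorun whose command has no directory, a service with an empty or "Unknown owner" company field, and the configured DNS servers). The sample log embedded in it is a constructed excerpt written in the same layout as the log in this post; every flag it raises is a prompt to look closer, not a verdict of malware.

```python
"""Triage helper for a HijackThis (HJT) 2.x log such as the one pasted above.

Added example; this is not HijackThis code and not the forum's procedure.
It parses the 'Running processes' list and the R/O-prefixed entries and
applies a few defender-side review heuristics:
  * processes running from a Temp directory,
  * O4 autoruns whose command is a bare file name with no directory,
  * O23 services whose company field is empty or 'Unknown owner',
  * O17 NameServer entries (DNS servers to verify against the ISP's).
Each flag is a prompt for a human to look, not a verdict of malware.
"""
import re
from dataclasses import dataclass

# Constructed sample: a short excerpt written in the same format as the log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Philip\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B9B1BCD-C486-46AD-BD33-A634DF49F2F0}: NameServer = 209.212.96.1 209.212.97.1
O23 - Service: eLock Service (eLockService) - - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe
""".strip()


@dataclass(frozen=True)
class Finding:
    category: str   # which heuristic fired
    detail: str     # the path, command or value that triggered it


ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^.*?\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.*)$")
# 'Service: name - company - path'; an empty company is printed by HJT as ' - - '
O23_RE = re.compile(r"^Service: (?P<name>.+?)\s+-\s+(?P<company>.*?)\s*-\s*(?P<path>[A-Za-z]:\\.*)$")


def parse_log(text: str):
    """Return (processes, entries); entries is a list of (kind, body) tuples."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:          # blank line closes the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def triage(text: str):
    """Run the review heuristics over a log and return the list of findings."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            findings.append(Finding("process-in-temp", path))
    for kind, body in entries:
        if kind == "O4":
            m = O4_RE.match(body)
            # no backslash at all means the loader resolves it via the search path
            if m and "\\" not in m.group("command"):
                findings.append(Finding("autorun-unqualified-path", m.group("command")))
        elif kind == "O17":
            m = O17_RE.search(body)
            if m:
                for server in m.group("servers").split():
                    findings.append(Finding("dns-server", server))
        elif kind == "O23":
            m = O23_RE.match(body)
            if m and m.group("company").strip() in ("", "Unknown owner"):
                findings.append(Finding("service-unknown-publisher", m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:28} {f.detail}")
```

Run it against a full log by passing the file's text to `triage()`; the "Unknown owner" and empty-company services in this thread's log are Acer and CyberLink components, which is exactly the kind of thing a reviewer confirms by checking the path and publisher rather than by trusting the flag.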
 
You could have some sort of software or hardware conflict, but we don't do that on this forum. Did this happen about the time you got infected? Or has this been going on for some time? Do you remember installing any new software before this happened, or a new piece of hardware like a printer or scanner?

Your call to run System Restore. If you do, post back with a new HJT log and let's see if anything came back; also let me know if it fixed the problem.
 
I haven't installed any new hardware.

I may have installed one or two new programs.

What exactly will a system restore actually restore: registry settings?
And how do I do a system restore, should I wish to try it?

One other thing. If I restore previous registry settings, will I have to re-install any new programs that were installed after the restore date?

Thanks.

PS: I ran TrojanHunter and it showed some possible errors:

TrojanHunter Scan Report - Saved 2008-12-15

Port 12346/TCP is open (matches Netbus.160)
Port 12346/TCP is open (matches Netbus.170)

Found trojan file: C:\Documents and Settings\Philip\Desktop\ComboFix.exe/hidec.exe (RiskTool.Hidec.100)
Found trojan file: C:\Documents and Settings\Philip\Desktop\ComboFix.exe/Upx.unkwrlze/hidec.exe (RiskTool.Hidec.100)
(I downloaded ComboFix from the URL listed here on the forum.)

Found trojan file: C:\System Volume Information\_restore{A6852DCE-EEB0-4C61-AA50-0D98BDE97791}\RP571\A0081245.exe (RiskTool.Hidec.100)
Found trojan file: C:\System Volume Information\_restore{A6852DCE-EEB0-4C61-AA50-0D98BDE97791}\RP572\A0081340.EXE (RiskTool.Hidec.100)
Found trojan file: C:\System Volume Information\_restore{A6852DCE-EEB0-4C61-AA50-0D98BDE97791}\RP585\A0084226.exe (RiskTool.Hidec.100)

Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\Alert.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\ConfigWizard.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\DashBoard.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\LicenseUI.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\MainLoop.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\NavBar.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\Overview.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\Sandbox.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\TrayTest.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\UpdateUI.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\ZAlert.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zic.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zmenu.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zp4pc.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zpdp.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zsys.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\ztv.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zui.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zvpn.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_686f6e5c\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\Program Files\ATI Technologies\ATI.ACE\ATI.ACE.SDK.dll
Warning: Executable file with double extensions found: C:\Program Files\ATI Technologies\ATI.ACE\CLI.Component.Eeu.dll
Warning: Executable file with double extensions found: C:\Program Files\ATI Technologies\ATI.ACE\CLI.Component.SDK.dll
Warning: Executable file with double extensions found: C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe

Warning: Unable to unpack UPX-packed file C:\WINDOWS\ERDNT\subs\ERDNT.EXE
Warning: Unable to unpack UPX-packed file C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Philip\Desktop\ComboFix.exe/catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Philip\Desktop\ComboFix.exe/ERDNT.e_e
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Philip\Desktop\ComboFix.exe/Upx.unkwrlze/catchme.cfexe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Philip\Desktop\ComboFix.exe/Upx.unkwrlze/ERDNT.e_e
Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{A6852DCE-EEB0-4C61-AA50-0D98BDE97791}\RP572\A0081323.EXE
Warning: Unable to unpack UPX-packed file C:\System Volume Information\_restore{A6852DCE-EEB0-4C61-AA50-0D98BDE97791}\RP585\A0084208.EXE
Warning: Unable to unpack UPX-packed file C:\SDFix\apps\Cghtme.exe
Warning: Unable to unpack UPX-packed file C:\SDFix\apps\ERDNT.E_E
Warning: Unable to unpack UPX-packed file C:\SDFix\catchme.exe
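The long run of "double extensions" warnings in that report comes from a rule that fires on any file name containing more than one dot, so dotted .NET assembly names like System.XML.dll and ZoneAlarm's *.zip.dll modules all trigger it. The script below is an added example, not TrojanHunter code and not the forum's procedure; it puts that naive rule beside a stricter one that only fires when a document or media extension is immediately followed by an extension a user can double-click (the "invoice.pdf.exe" lure shape). The decoy and launchable extension lists are my own assumptions, the sample list mixes paths from the scan report above with two constructed lure-style names for contrast, and the output shows which warnings survive the stricter rule.

```python
"""Double-extension heuristics compared on the TrojanHunter warnings above.

Added example; not TrojanHunter code and not the forum's procedure.
A naive rule ('more than one dot in the file name') fires on every dotted
.NET assembly and on ZoneAlarm's *.zip.dll modules, which is what produced
the long warning list. The stricter rule only fires when a user-launchable
executable extension is preceded by a document or media extension, i.e. the
'invoice.pdf.exe' lure pattern. Both extension sets are assumptions.
"""
import ntpath

# Extensions a user can launch with a double-click (the lure's real type). Assumed list.
LAUNCHABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions used as the visible decoy in front of the real one. Assumed list.
DECOY = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg", ".jpeg", ".png", ".gif",
         ".mp3", ".avi", ".zip", ".rar", ".html", ".htm"}


def extensions(path: str) -> list:
    """All dot-suffixes of the file name, lower-cased: 'a.PDF.Exe' -> ['.pdf', '.exe']."""
    name = ntpath.basename(path)          # ntpath handles Windows paths on any platform
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:]]


def naive_double_extension(path: str) -> bool:
    """The rule behind the warnings in the scan report: more than one dot in the name."""
    return len(extensions(path)) >= 2


def lure_double_extension(path: str) -> bool:
    """Stricter rule: a decoy extension immediately followed by a launchable one."""
    exts = extensions(path)
    return len(exts) >= 2 and exts[-1] in LAUNCHABLE and exts[-2] in DECOY


def classify(paths):
    """Map each path to (naive_verdict, lure_verdict) for side-by-side comparison."""
    return {p: (naive_double_extension(p), lure_double_extension(p)) for p in paths}


# Paths from the scan report above, plus two constructed lure-style names for contrast.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\ZoneLabs\lib\Alert.zip.dll",
    r"C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll",
    r"C:\Program Files\ATI Technologies\ATI.ACE\CLI.Component.SDK.dll",
    r"C:\Program Files\Adobe\Acrobat.com\Acrobat.com.exe",
    r"C:\Documents and Settings\Philip\Desktop\invoice.pdf.exe",   # constructed
    r"C:\Documents and Settings\Philip\Desktop\holiday.jpg.scr",   # constructed
]

if __name__ == "__main__":
    for path, (naive, lure) in classify(SAMPLE_PATHS).items():
        print(f"naive={naive!s:5} lure={lure!s:5} {path}")
```

The point of the comparison is the false-positive rate: a .dll cannot be launched by double-clicking, so a decoy extension in front of it is not a lure, and a product name such as Acrobat.com is not a document type. A scanner rule that ignores those two facts produces warning lists like the one above, which then need a human to dismiss each line.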
 
Nothing bad in that log except the items in your system restore.

It basically restores your system to the date you choose, any hardware installed after the restore point may not work.

Why don't you post in one of these forums? PcPitStop will do a free scan of your system, pointing out any errors; it will save a report that a tech in one of the Windows forums may want to see. They can advise you better, as we do not get involved in Windows problems; we just do malware removal.

Windows Tech Support Forums
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 