Topic: EMOTIGT Trojan---HELP!

saubunch (Guest)
« on: February 21, 2008, 04:05:22 PM »
I have a 13-year-old boy who got a little curious on the internet yesterday, if you know what I mean. Anyway, I have been hijacked by the emotigt trojan, a copycat of Zlob. I scanned with avast and with SpyNoMore and deleted everything that was caught; I even had to restart my PC, but I can't seem to get rid of it.
What do I do now?

Lisandro (Avast team)
« Reply #1 on: February 21, 2008, 04:18:57 PM »
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

FreewheelinFrank (Avast Evangelist)
« Reply #2 on: February 21, 2008, 04:26:07 PM »
Uninstall SpyNoMore.

Try the usual, trusted, effective and free adware/spyware scanners:

AVG Anti-Spyware Free (requires Win2k/XP)
Ad-Aware Free
Spybot Search & Destroy

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.

Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

saubunch (Guest)
« Reply #3 on: February 21, 2008, 06:56:34 PM »
I have XP Home Edition and I have also had SpywareBlaster for a while. Unfortunately, I had forgotten to update it for a few months or so.
I went to HijackThis and created a log. Can someone look at it for me? I can post it. I "fixed" a few KNOWN problems, but my homepage is still jacked up. It keeps redirecting me to MSN and won't let me change it to Google.
« Last Edit: February 21, 2008, 06:59:45 PM by saubunch »

FreewheelinFrank (Avast Evangelist)
« Reply #4 on: February 21, 2008, 07:21:28 PM »
Quote
Can someone look at it for me? I can post it

Don't be shy. Go ahead.  ;)

saubunch (Guest)
« Reply #5 on: February 21, 2008, 07:33:47 PM »
Logfile of HijackThis v1.99.1
Scan saved at 12:25:17 PM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D337EB0-3BFB-42A3-B314-A24BBA8C085B} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.31.5/ttinst.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics.lexmark.com/serval.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildGames\Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
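The log above, read by a script. This is an added example by the editor, not a HijackThis feature and not code from anyone in this thread. It parses the `Onn - ...` entry lines and applies the first checks a removal helper makes when reading such a log: a BHO (O2) whose CLSID is not one of the vendor components already identified by path in this log (the Adobe and Sun Java helpers), a Run-key command (O4) given as a bare filename, which Windows resolves through the PATH search order so the file that actually runs has to be confirmed, a per-user (HKCU) Internet Explorer button (O9), an ActiveX control (O16) with no download URL, and a service (O23) whose binary is reported "(file missing)". The sample input is a subset of the posted log; the known-good CLSID list and the heuristics are the editor's assumptions, and a hit means "verify", not "malware".

```python
"""Triage of a HijackThis 1.99 log: added example for this thread (editor's
code, not a HijackThis feature and not from the original posts).  It reads
the 'Onn - ...' entry lines and applies a few starting-point heuristics;
a hit means "verify this", not "malware".  SAMPLE_LOG is a constructed
subset of the log posted in the thread."""
import re
from collections import Counter

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O16 - DPF: {2D337EB0-3BFB-42A3-B314-A24BBA8C085B} -
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption: CLSIDs treated as known-good BHOs.  These two are the Adobe Reader
# and Sun Java helpers identified by their install path in the posted log.
KNOWN_BHO = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # AcroIEHelper.dll
    "{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}",  # Java ssv.dll
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^DPF: (\{[^}]+\})\s*(?:\([^)]*\))?\s*-\s*(\S*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(text):
    """Yield (section, body) for every 'Onn - ...' line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def executable_of(command):
    """The program a Run-key command starts: the quoted path, or the first token."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    parts = command.split(None, 1)
    return parts[0] if parts else ""

def check(section, body):
    """Return a reason string if the entry deserves a closer look, else None."""
    if section == "O2":
        m = CLSID_RE.search(body)
        if m and m.group(0).upper() not in KNOWN_BHO:
            return "BHO not on the known-good list; a BHO loads inside every IE window"
    elif section == "O4":
        m = O4_RE.match(body)
        if m and "\\" not in executable_of(m.group(3)):
            return "bare filename, resolved through the PATH search order; confirm which file runs"
    elif section == "O9":
        if body.endswith("(HKCU)"):
            return "per-user IE button; a common place for adware to add itself"
    elif section == "O16":
        m = O16_RE.match(body)
        if m and not m.group(2):
            return "ActiveX control with no download URL; look the CLSID up under HKCR\\CLSID"
    elif section == "O23":
        if "(file missing)" in body:
            return "service binary not found at the listed path; check for a quoting quirk or a deleted file"
    return None

def triage(text):
    """Run check() over every entry; findings come back in log order."""
    findings = []
    for section, body in parse(text):
        reason = check(section, body)
        if reason:
            findings.append({"section": section, "entry": body, "reason": reason})
    return findings

def summary(findings):
    """Findings per section, e.g. {'O4': 1, 'O16': 1}."""
    return dict(Counter(f["section"] for f in findings))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4}{f['reason']}\n    {f['entry']}")
```

On this log the checks single out the SpyNoMore BHO, the `{2D337EB0-3BFB-42A3-B314-A24BBA8C085B}` control with no URL, the Poker.com HKCU button and the two avast services marked "(file missing)"; the last is most likely HijackThis 1.99.1 tripping over the quoted ImagePath (`ashWebSv.exe" /service`), since both service binaries appear in the running-process list further up the same log. Run on the full log, the O4 check also flags `nwiz.exe` and the two `RUNDLL32.EXE` entries, which is noise here (they sit beside the NVIDIA DLLs they load) but is the same check that catches a rundll32 line pointing at a DLL in a temp directory.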


FreewheelinFrank (Avast Evangelist)
« Reply #6 on: February 21, 2008, 08:03:09 PM »
Do you still have the symptoms of emotigt?

Quote
...the effects of emotigt: a yellow bar appears under my IE links/address/buttons that says "Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware..."

Nothing leaps out of the log. I'd try AdAware, Spybot and AVG AntiSpyware as mentioned before.

saubunch (Guest)
« Reply #7 on: February 21, 2008, 10:07:15 PM »
I don't have the yellow bar anymore but my homepage is still being hijacked. I just finished running AVG AntiSpyware and a few things came up that don't make sense to me.

Name: Dropper.Small.w
Path: C:\Program Files\eGames\Word Connect\assets\demos.htm
Risk: High

Name: Adware.SpyNoMore
Path: C:\Program Files\SpyNoMore\snmIeGuard.dll
Risk: Medium

SpyNoMore is supposed to be trusted, right? I paid for it.
Also, eGames is a trusted game site, I won the game on McDonalds Monopoly last year.


OH........JUST GREAT.........I tried to remove all the infections and an error occurred. I have to download and rescan. UGH!!!
« Last Edit: February 21, 2008, 10:14:45 PM by saubunch »

FreewheelinFrank (Avast Evangelist)
« Reply #8 on: February 21, 2008, 10:19:11 PM »
Upload the file to VirusTotal for analysis:

C:\Program Files\eGames\Word Connect\assets\demos.htm

http://www.virustotal.com/

eGames have been involved with spyware before, so it's worth checking out.

http://en.wikipedia.org/wiki/EGames#Bundled_Spyware

SpyNoMore was once listed as a rogue application, but now seems to be legit:

Quote
Note on SpyNoMore:  SpyNoMore was listed on this page because of concerns with false positives. Testing with the latest version of the program  indicates that the problems with earlier versions have been satisfactorily resolved. Thus, we can no longer consider SpyNoMore to be "rogue/suspect" anti-spyware.

http://www.spywarewarrior.com/rogue_anti-spyware.htm#snm_note

For this reason it seems to have been listed as malware by one or more anti-malware programs. About the best I can say about the program is that it has no proven track record. Detections by AVG are probably safe to ignore.

http://www.castlecops.com/p859083-Ad_Aware_finds_SpyNoMore_a_rogue_anti_spyware_application.html

polonus (Avast Überevangelist)
« Reply #9 on: February 21, 2008, 10:31:54 PM »
Please download ComboFix from http://subs.geekstogo.com/ComboFix.exe to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    * Please, never rename Combofix unless instructed.
    * Close any open browsers.
    * Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

    * Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    * Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    * Close any open browsers.
    * WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    * Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    * If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

    * Double click on combofix.exe & follow the prompts.

RegistrySmart and ErrorSmart could be gone; the only sign I see is the scheduled tasks. Check in the Program Files folder.

You can also use ComboFix's CFScript function to delete RegistrySmart and ErrorSmart leftovers.


Open notepad and copy/paste all the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\Windows\Tasks\ErrorSmart Scheduled Scan.job
C:\Windows\Tasks\RegistrySmart Scheduled Scan.job

Folder::
C:\Program Files\ErrorSmart
C:\Program Files\RegistrySmart
--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts.



saubunch (Guest)
« Reply #10 on: February 22, 2008, 01:05:23 AM »
THANK YOU!!!! COMBO FIX DID IT!!! FINALLY!!!
YEA!!!!!!!!!!!!!

I'm not really sure what all this means, but if anyone's feelin' frisky, I'd love an explanation. (In layman's terms)


ComboFix 08-02-22 - Owner 2008-02-21 18:44:09.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.149 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Other Deletions

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((   Files Created from 2008-01-22 to 2008-02-22  )))))))))
.
2008-02-21 16:40 . 2008-02-21 16:41   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-02-21 16:40 . 2008-02-21 17:32   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-21 10:55 . 2008-02-21 10:55   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\PC Tools
2008-02-21 10:55 . 2007-12-10 14:53   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-21 10:55 . 2007-12-10 14:53   66,952   --a------   C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-21 10:55 . 2007-12-10 14:53   41,864   --a------   C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-21 10:55 . 2007-12-10 14:53   29,576   --a------   C:\WINDOWS\system32\drivers\kcom.sys
2008-02-21 10:45 . 2008-02-21 11:45   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-21 10:23 . 2008-02-21 13:03   <DIR>   d--------   C:\Program Files\Spyware Doctor
2008-02-21 07:53 . 2008-02-21 08:01   <DIR>   d--------   C:\Program Files\XoftSpySE
2008-02-19 15:22 . 2008-02-19 11:48   81,920   --a------   C:\WINDOWS\fsxloqf.exe
2008-02-13 12:07 . 2008-02-13 12:07   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\LearnSomething
2008-02-13 12:06 . 2008-02-13 12:06   <DIR>   d--------   C:\Program Files\Common Files\SWF Studio
2008-02-07 21:06 . 2008-02-20 07:58   <DIR>   d--------   C:\Program Files\LimeWire
2008-02-07 21:06 . 2008-02-20 08:01   <DIR>   d--------   C:\Documents and Settings\Owner\Application Data\LimeWire
2008-01-28 10:46 . 2008-01-28 10:46   <DIR>   d--hs----   C:\WINDOWS\ftpcache
2008-01-26 08:42 . 2008-01-26 08:42   <DIR>   d--------   C:\Program Files\Disney
2008-01-23 08:14 . 2008-01-23 08:20   <DIR>   d--------   C:\Program Files\Encore
.
(((((((((((   Find3M Report   )))))))))))))
.
2008-02-21 23:43   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 23:38   ---------   d-----w   C:\Program Files\SpyNoMore
2008-02-21 23:15   ---------   d-----w   C:\Program Files\eGames
2008-02-21 15:45   ---------   d-----w   C:\Program Files\Google
2008-02-21 13:03   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-02-14 00:03   ---------   d-----w   C:\Program Files\PCFriendly
2008-02-04 23:30   ---------   d-----w   C:\Program Files\Lexmark X1100 Series
2008-01-24 20:35   ---------   d-----w   C:\Program Files\Cheat Engine
2008-01-23 13:14   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-01-09 16:52   ---------   d-----w   C:\Program Files\Outspark
2008-01-09 16:51   ---------   d-----w   C:\Program Files\DarkSwords
2008-01-07 14:36   ---------   d-----w   C:\Documents and Settings\Owner\Application Data\Snapfish
2007-12-25 00:29   107,888   ----a-w   C:\WINDOWS\system32\CmdLineExt.dll
2007-12-25 00:29   ---------   d--h--r   C:\Documents and Settings\Owner\Application Data\SecuROM
2007-12-25 00:21   ---------   d-----w   C:\Program Files\EA SPORTS
2007-12-19 01:12   1,022   ----a-w   C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-07 00:44   666,112   ----a-w   C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38   550,912   ------w   C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-07-08 17:27   67,088   ----a-w   C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.
The rest is in the next post; too big for this one.
« Last Edit: February 22, 2008, 01:14:49 AM by saubunch »

saubunch (Guest)
« Reply #11 on: February 22, 2008, 01:15:03 AM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 19:03 1957888]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-21 10:45 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 11:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 11:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-15 15:47 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2008-02-19 02:00 1274320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-21 10:45:05 125624]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-28 12:09:10 54512]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Owner\My Documents\My Pictures\china rainbow.jpg
FriendlyName=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Express Calendar Checker SE.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Express Calendar Checker SE.lnk
backup=C:\WINDOWS\pss\Photo Express Calendar Checker SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 10:43 57344 C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PE2CKFNT SE]
--a------ 1998-07-03 12:51 25088 C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-15 15:47 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildGames\Game Console\GameConsoleService.exe" [2007-12-18 13:40]

*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 18:09:46 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe

**********************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 18:47:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************
Completion time: 2008-02-22 18:52:14
ComboFix-quarantined-files.txt  2008-02-22 23:52:11
.
2008-02-13 08:04:05   --- E O F ---
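What the report above says, in plain terms, and a script that pulls the same facts out of it. This is an added example by the editor, not part of ComboFix and not from anyone in the thread. The `qmgr0.dat` and `qmgr1.dat` files listed under "Other Deletions" are the job queue of BITS, the Windows background download service that Windows Update uses and that malware also uses to fetch its components quietly; the two hosts under "BITS: Possible infected sites" were the download sources queued in that file, which is one way a removed infection comes back. `D:\Autorun.inf` is an autorun file on drive D:, the mechanism worms use to spread via removable drives. Under "Files Created", `C:\WINDOWS\fsxloqf.exe` is an 80 KB executable with a random-looking name, created on 2008-02-19 (two days before the first post) directly in the Windows directory; ComboFix lists it but did not delete it, so it is the file to upload to VirusTotal as suggested earlier in the thread. The script parses those three sections; the sample input is a subset of the posted report, the random-name test (six or more letters, fewer than a quarter vowels) is the editor's heuristic, and the `windir` default is an assumption.

```python
"""Triage of a ComboFix report: added example for this thread (editor's code,
not part of ComboFix and not from the original posts).  It extracts the hosts
ComboFix found queued in BITS, what it deleted and why that matters, and
executables created in the scan window directly under the Windows directory.
SAMPLE_REPORT is a constructed subset of the report posted in the thread."""
import ntpath
import re
from urllib.parse import urlsplit

SAMPLE_REPORT = r"""
ComboFix 08-02-22 - Owner 2008-02-21 18:44:09.1 - NTFSx86

Other Deletions

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((   Files Created from 2008-01-22 to 2008-02-22  )))))))))
.
2008-02-21 16:40 . 2008-02-21 16:41   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2008-02-21 10:55 . 2007-12-10 14:53   81,288   --a------   C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 15:22 . 2008-02-19 11:48   81,920   --a------   C:\WINDOWS\fsxloqf.exe
.
(((((((((((   Find3M Report   )))))))))))))
.
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
"""

# 'created . modified   size|<DIR>   attributes   path'
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
PAREN_HEADER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")     # '((((  Files Created ...  ))))'
BINARY_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}

def sections(text):
    """Yield (section_name, line) for the non-blank lines of a report."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = PAREN_HEADER_RE.match(line)
        if m:
            current = m.group(1).lower()
        elif line == "Other Deletions":
            current = "other deletions"
        elif line.startswith("----- BITS:"):
            current = "bits"
        else:
            yield current, line

def looks_random(stem):
    """Editor's dropper-name heuristic: six or more letters, under a quarter vowels."""
    s = stem.lower()
    return len(s) >= 6 and s.isalpha() and sum(c in "aeiou" for c in s) / len(s) < 0.25

def classify_deletion(path):
    """Explain entries under 'Other Deletions'."""
    name = ntpath.basename(path).lower()
    if re.fullmatch(r"qmgr\d\.dat", name):
        return "BITS job queue; it held the download jobs for the hosts listed under BITS"
    if name == "autorun.inf":
        return "autorun file on drive %s; runs when the drive is opened, a worm spreading vector" % ntpath.splitdrive(path)[0]
    return "removed by ComboFix"

def triage(text, windir=r"C:\WINDOWS"):
    """Summarise a report as plain data (the windir default is an assumption)."""
    result = {"bits_hosts": [], "deletions": [], "new_binaries": []}
    for section, line in sections(text):
        if section == "bits":
            # ComboFix defangs URLs as hxxp://; undo that so urlsplit can read the host.
            result["bits_hosts"].append(urlsplit(line.replace("hxxp", "http", 1)).hostname)
        elif section == "other deletions":
            result["deletions"].append((line, classify_deletion(line)))
        elif section and section.startswith("files created"):
            m = CREATED_RE.match(line)
            if not m or m.group(2) == "<DIR>":
                continue
            created, size, _attrs, path = m.groups()
            dirname, base = ntpath.split(path)
            stem, ext = ntpath.splitext(base)
            # Installers drop binaries under system32 or Program Files; a fresh
            # executable in the Windows root itself is unusual enough to list.
            if dirname.lower() == windir.lower() and ext.lower() in BINARY_EXT:
                result["new_binaries"].append({"path": path, "created": created,
                                               "size": int(size.replace(",", "")),
                                               "random_name": looks_random(stem)})
    return result

if __name__ == "__main__":
    for key, items in triage(SAMPLE_REPORT).items():
        print(key, items)
```

Run it and `new_binaries` comes back with the one entry, `random_name: True`, while `bits_hosts` gives the two domains to look up or block at the router. The script deliberately ignores the `Find3M Report` section: it lists files touched in the last three months, most of them legitimate updates, whereas the "Files Created" window is where a recent dropper shows up.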