Help with Trojan Horse Dropper.Agent.GIT

edited February 2008 in Spyware & Virus Removal
I am new to this forum and am having problems with Trojan Horse Dropper.Agent.GIT.

On Windows startup, I get 2 error messages:
1) In reference to C:\Windows\system32\pmnnk.exe: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.
2) Could not load or run C:\Windows\system32\pmnnk.exe specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

I am running AVG Free Edition 7.5.516

I am posting the HijackThis Log file below. Any help someone can provide on eradicating this virus would be appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:46 PM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmnnk.exe
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5946 bytes
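The startup errors and the HijackThis log above line up: the only load point that names pmnnk.exe is the F3 win.ini `load=` entry, which Windows NT maps into the registry. The following triage script is an added example, not part of the original post or of HijackThis itself; it parses a subset of the log lines copied from this thread (embedded so it runs offline) and flags the entries a helper would look at first.

```python
import re

# HijackThis entries copied from the log posted in this thread (a subset, embedded
# here so the script runs offline). Each line has the form "<section> - <body>".
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.passport.net/uilogin.srf?id=2
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmnnk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe (file missing)
O18 - Filter hijack: text/html - {07851C6A-1C43-41d9-8319-BC89154A8C00} - C:\Program Files\RcvSystem\httpdchk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
MISSING = "(file missing)"

def parse_hjt(text):
    """Return (section, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def triage(entries):
    """Flag the load points a helper checks first: win.ini load= hooks (Windows NT
    maps win.ini into the registry, which is why the OP's error says 'specified in
    the registry'), MIME filter hijacks, and entries whose target file is gone."""
    findings = []
    for section, body in entries:
        if section == "F3" and "win.ini" in body and "load=" in body:
            findings.append(("win.ini load hook", body.split("load=", 1)[1].strip()))
        elif section == "O18" and body.startswith("Filter hijack"):
            findings.append(("MIME filter hijack", body.rsplit(" - ", 1)[1]))
        elif body.endswith(MISSING):
            target = body[: -len(MISSING)].rsplit(" - ", 1)[1].strip()
            findings.append(("dangling reference", target))
    return findings

def load_points_for(entries, exe_name):
    """Sections whose entry references the given file name (case-insensitive)."""
    needle = exe_name.lower()
    return [section for section, body in entries if needle in body.lower()]

if __name__ == "__main__":
    ents = parse_hjt(HJT_LOG)
    for kind, target in triage(ents):
        print(f"{kind:20} {target}")
    # Both startup errors about pmnnk.exe trace back to a single entry: the F3 line.
    print("pmnnk.exe referenced by:", load_points_for(ents, "pmnnk.exe"))
```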

Comments

  • VekaVeka Finland
    edited January 2008
    Hello clasyldynpa!

    I'll be handling your log to help you get cleaned up. Please give me some time to look it over.
  • VekaVeka Finland
    edited January 2008
    Step 1:

    Please download ComboFix from Here or Here to your Desktop.

    * In the event you already have Combofix, this is a new version that I need you to download.
    * It is important that it is saved directly to your desktop
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    Step 2:

    I need you to rename HijackThis.exe to clasyldynpa.exe
    • Navigate to C:\Program Files\HJT
    • Right click on HijackThis
    • Select 'Rename'
    • Type clasyldynpa
    • Press Enter
    Step 3:

    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  • edited January 2008
    Vekarppe:
    I followed your instructions as best I could but was unable to rename to Clasyldynpa. The following is the report:
    ComboFix 08-01-23.1 - Admin 2008-01-22 21:11:59.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.85 [GMT -5:00]
    Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\Program Files\QdrDrive
    C:\Program Files\QdrDrive\qdrloader.exe
    C:\Program Files\QdrModule
    C:\Program Files\QdrModule\dic.gz
    C:\Program Files\QdrModule\kwd.gz
    C:\WINDOWS\system32\000080.exe
    C:\WINDOWS\system32\knnmp.ini
    C:\WINDOWS\system32\knnmp.ini2
    C:\WINDOWS\system32\pmnnk.dll

    BITS: Possible infected sites

    hxxp://80.93.59.108
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    \LEGACY_DOMAINSERVICE
    \DomainService


    ((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
    .

    2008-01-22 21:12 . 2008-01-22 21:12 3,584 --a C:\WINDOWS\system32\pmnnk.exe
    2008-01-22 21:02 . 2000-08-31 08:00 51,200 --a C:\WINDOWS\Nircmd.exe
    2008-01-21 17:27 . 2008-01-21 17:27 15,360 --a C:\WINDOWS\system32\ctfmon .exe
    2008-01-21 17:22 . 2008-01-21 17:22 9,216 --a C:\WINDOWS\system32\avgwlntf.dll
    2008-01-21 16:13 . 2007-06-05 10:56 44,928 --a C:\WINDOWS\system32\drivers\SDTHOOK.SYS
    2008-01-21 16:12 . 2007-06-08 09:44 8,576 --a C:\WINDOWS\system32\drivers\srwmqnowawmd.sys
    2008-01-21 15:51 . 2008-01-21 16:12 <DIR> d C:\WINDOWS\system32\ActiveScan
    2008-01-21 15:51 . 2008-01-21 15:51 30,590 --a C:\WINDOWS\system32\pavas.ico
    2008-01-21 15:51 . 2008-01-21 15:51 2,550 --a C:\WINDOWS\system32\Uninstall.ico
    2008-01-21 15:51 . 2008-01-21 15:51 1,406 --a C:\WINDOWS\system32\Help.ico
    2008-01-21 15:38 . 2008-01-21 15:38 <DIR> d C:\Program Files\HJT
    2008-01-16 20:23 . 2008-01-22 20:42 <DIR> d C:\Program Files\RcvSystem
    2008-01-15 09:11 . 2008-01-19 20:19 54,156 --ah C:\WINDOWS\QTFont.qfn
    2008-01-15 09:11 . 2008-01-15 09:11 1,409 --a C:\WINDOWS\QTFont.for
    2008-01-15 09:00 . 2008-01-15 09:00 <DIR> d C:\Program Files\iPod
    2008-01-15 08:58 . 2008-01-19 21:53 <DIR> d C:\Program Files\iTunes
    2008-01-15 07:58 . 2008-01-19 23:01 <DIR> d C:\Program Files\QuickTime
    2007-12-25 12:00 . 2007-10-01 16:24 20,280 --a C:\WINDOWS\system32\drivers\SSFS0BB9.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-20 17:05 d w C:\Program Files\PopCap Games
    2008-01-20 17:04 d w C:\Program Files\eGames
    2008-01-20 16:57 d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-20 16:57 d w C:\Program Files\Belkin Bulldog Plus
    2008-01-20 04:01 d w C:\Program Files\PartyGaming
    2008-01-20 02:51 d w C:\Program Files\aim
    2008-01-20 02:41 d w C:\Program Files\Norton Security Scan
    2008-01-17 02:14 d w C:\Program Files\Google
    2007-12-13 02:30 d w C:\Program Files\Windows Live Toolbar
    .
    ----a-w           416,256 2008-01-21 22:26:45  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w           145,920 2008-01-21 22:33:06  C:\Program Files\Grisoft\AVG7\avgw .exe
    ----a-w            15,360 2008-01-21 22:27:00  C:\WINDOWS\system32\ctfmon .exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d26806cf-6a50-41ed-939c-e6ec44d0c3b8}]
    C:\WINDOWS\system32\swgealnc.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RegistryMechanic"="" []

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-21 17:35 219136]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    avgwlntf.dll 2008-01-21 17:22 9216 C:\WINDOWS\system32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqomn]
    rqrqomn.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZumaSetup.exe]
    C:\DOCUME~1\Admin\Desktop\ZUMASE~2.exe


    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-15 12:07:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-01-23 02:16:14 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
  • edited January 2008
    One more quick note: I know almost nothing about the inner workings of this computer, so please explain things in non-computer terminology. :)) Thanks so much.
  • VekaVeka Finland
    edited January 2008
    Rename HijackThis.exe to clasyldynpa.exe by doing the following:
    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\HJT
    • Right-click on the HijackThis.exe
    • Choose "Rename" from the pull-down menu
    • And now Rename HijackThis.exe to clasyldynpa.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.
  • VekaVeka Finland
    edited January 2008
    clasyldynpa, please let me know if you still need help.

    Otherwise this thread will be archived within a couple of days.
  • TroganTrogan London, UK
    edited February 2008
    This topic is now closed due to inactivity. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    If you are not the user who started this thread, you must start your own Thread instead (grin)