
yenooc

Members
Posts: 8

Everything posted by yenooc

  1. Hello Extremeboy, Just as an update, Malwarebytes Anti-Malware is still finding that same trojan.agent. Here is the Malwarebytes' log for the scan I just ran:

     Malwarebytes' Anti-Malware 1.36
     Database version: 2083
     Windows 5.1.2600 Service Pack 3

     5/6/2009 9:56:52 AM
     mbam-log-2009-05-06 (09-56-47).txt

     Scan type: Quick Scan
     Objects scanned: 84870
     Time elapsed: 2 minute(s), 48 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\A (Trojan.Agent) -> No action taken.

     Any further advice you can give me would be much appreciated. Best regards, yenooc
  2. Hello Extremeboy, Thank you for your patient response to my fears. I ran Combofix following your clear and detailed instructions, and as far as I can tell, it ran successfully (although my Internet Explorer settings were reset for some reason, and Internet Explorer no longer knew it was my default browser). Here is the Combofix log:

     ComboFix 09-05-02.4 - Us 05/02/2009 11:10.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1614 [GMT -7:00]
     Running from: c:\documents and settings\Us\Desktop\ComboFix.exe
     AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
     AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
     FW: BitDefender Firewall *disabled*
     FW: ZoneAlarm Security Suite Firewall *disabled*
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\aHkSstwa.ini
     c:\windows\system32\aHkSstwa.ini2
     c:\windows\system32\sX3i19
     .
     ((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
     .
     2009-04-30 02:53 . 2009-04-30 02:53 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
     2009-04-29 08:36 . 2009-04-29 08:36 -------- d-sh--w c:\documents and settings\Us\PrivacIE
     2009-04-29 08:32 . 2009-04-29 08:32 -------- d-sh--w c:\documents and settings\Us\IETldCache
     2009-04-29 08:30 . 2009-04-29 08:30 -------- dc-h--w c:\windows\ie8
     2009-04-28 03:53 . 2009-04-28 03:53 -------- d-----w c:\program files\Trend Micro
     2009-04-25 05:45 . 2009-04-25 05:45 -------- d-----w c:\program files\QuickTime
     2009-04-25 05:44 . 2009-04-25 05:44 -------- d-----w c:\program files\Apple Software Update
     2009-04-19 19:30 . 2009-04-19 19:30 -------- d-----w c:\program files\Common Files\xing shared
     2009-04-15 06:03 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
     2009-04-15 06:03 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
     2009-04-15 06:03 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
     2009-04-15 06:03 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
     2009-04-15 06:03 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
     2009-04-15 06:03 . 2009-02-06 10:10 227840 ----a-w c:\windows\system32\dllcache\wmiprvse.exe
     2009-04-15 06:03 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
     2009-04-15 06:03 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
     2009-04-15 06:03 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
     2009-04-15 06:03 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
     2009-04-15 06:02 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
     2009-04-15 06:02 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-05-02 18:13 . 2007-08-01 15:19 176393760 --sha-w c:\windows\system32\drivers\fidbox.dat
     2009-05-02 18:13 . 2004-08-10 18:08 6 ---ha-w c:\windows\Tasks\SA.DAT
     2009-05-02 18:12 . 2007-08-01 15:19 2362940 --sha-w c:\windows\system32\drivers\fidbox.idx
     2009-05-02 18:04 . 2007-08-01 15:19 4212 ---ha-w c:\windows\system32\zllictbl.dat
     2009-05-02 18:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At12.job
     2009-05-02 17:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At11.job
     2009-05-02 16:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At10.job
     2009-05-02 15:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At9.job
     2009-05-02 09:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At3.job
     2009-05-02 08:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At2.job
     2009-05-02 07:43 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At1.job
     2009-05-02 06:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At24.job
     2009-05-02 05:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At23.job
     2009-05-02 04:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At22.job
     2009-05-02 03:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At21.job
     2009-05-02 02:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At20.job
     2009-05-02 01:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At19.job
     2009-05-02 00:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At18.job
     2009-05-01 23:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At17.job
     2009-05-01 22:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At16.job
     2009-05-01 21:58 . 2009-04-25 05:44 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
     2009-05-01 21:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At15.job
     2009-05-01 20:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At14.job
     2009-05-01 19:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At13.job
     2009-04-30 13:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At7.job
     2009-04-30 12:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At6.job
     2009-04-30 11:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At5.job
     2009-04-29 17:51 . 2007-08-01 12:49 77968 ----a-w c:\documents and settings\Us\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-04-29 08:26 . 2007-07-27 13:31 -------- d-----w c:\program files\Microsoft Works
     2009-04-28 14:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At8.job
     2009-04-27 18:22 . 2009-04-27 19:41 2737152 ----a-w c:\windows\Internet Logs\xDBC.tmp
     2009-04-25 10:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At4.job
     2009-04-25 06:18 . 2007-08-05 20:39 -------- d-----w c:\program files\Windows Media Connect 2
     2009-04-25 06:18 . 2007-07-27 13:29 -------- d-----w c:\program files\NetWaiting
     2009-04-25 06:18 . 2007-07-27 13:29 -------- d-----w c:\program files\Modem Helper
     2009-04-25 06:18 . 2008-05-22 05:01 -------- d-----w c:\program files\AoA Audio Extractor
     2009-04-23 15:48 . 2009-04-23 15:52 1380352 ----a-w c:\windows\Internet Logs\xDBB.tmp
     2009-04-19 19:30 . 2007-08-08 14:31 -------- d-----w c:\program files\Common Files\Real
     2009-04-19 19:30 . 2003-03-19 03:14 499712 ----a-w c:\windows\system32\msvcp71.dll
     2009-04-19 19:30 . 2003-02-21 11:42 348160 ----a-w c:\windows\system32\msvcr71.dll
     2009-04-19 19:01 . 2008-11-30 08:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-04-19 14:49 . 2009-04-19 14:49 168978 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_19_02_24_58_small.dmp.zip
     2009-04-19 09:25 . 2009-04-19 14:44 2796544 ----a-w c:\windows\Internet Logs\xDBA.tmp
     2009-04-06 22:32 . 2008-11-30 08:30 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-06 22:32 . 2008-11-30 08:30 15504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-04-03 20:46 . 2009-04-03 20:46 189098 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_03_08_46_09_small.dmp.zip
     2009-04-03 15:46 . 2009-04-03 20:41 3581440 ----a-w c:\windows\Internet Logs\xDB9.tmp
     2009-04-03 15:46 . 2009-04-03 20:41 2640384 ----a-w c:\windows\Internet Logs\xDB8.tmp
     2009-04-02 07:37 . 2009-04-02 07:37 51448 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_55_small.dmp.zip
     2009-04-02 07:37 . 2009-04-02 07:37 48318 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_54_small.dmp.zip
     2009-04-02 07:37 . 2009-04-02 07:37 48586 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_49_small.dmp.zip
     2009-04-02 07:37 . 2009-04-02 07:37 51791 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_48_small.dmp.zip
     2009-04-02 07:37 . 2009-04-02 07:37 51350 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_45_small.dmp.zip
     2009-04-02 07:37 . 2009-04-02 07:37 51348 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_46_small.dmp.zip
     2009-04-02 07:37 . 2009-04-02 07:37 51746 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_43_small.dmp.zip
     2009-04-02 07:37 . 2009-04-02 07:37 14006486 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_39_full.dmp.zip
     2009-04-02 07:32 . 2007-08-25 00:28 32212480 ----a-w c:\windows\Internet Logs\tvDebug.zip
     2009-04-01 02:20 . 2007-08-01 15:19 72584 ----a-w c:\windows\zllsputility.exe
     2009-04-01 02:20 . 2008-11-26 06:22 1221512 ----a-w c:\windows\system32\zpeng25.dll
     2009-03-29 19:44 . 2009-03-29 21:48 1794048 ----a-w c:\windows\Internet Logs\xDB7.tmp
     2009-03-27 01:46 . 2009-03-27 03:58 2635776 ----a-w c:\windows\Internet Logs\xDB6.tmp
     2009-03-23 21:10 . 2009-03-23 21:12 2960896 ----a-w c:\windows\Internet Logs\xDB5.tmp
     2009-03-22 17:19 . 2009-03-22 17:19 -------- d-----w c:\program files\MSECache
     2009-03-08 11:34 . 2004-08-10 17:51 914944 ----a-w c:\windows\system32\wininet.dll
     2009-03-08 11:34 . 2004-08-10 17:51 43008 ----a-w c:\windows\system32\licmgr10.dll
     2009-03-08 11:33 . 2004-08-10 17:50 18944 ----a-w c:\windows\system32\corpol.dll
     2009-03-08 11:33 . 2004-08-10 17:51 420352 ----a-w c:\windows\system32\vbscript.dll
     2009-03-08 11:32 . 2004-08-10 17:50 72704 ----a-w c:\windows\system32\admparse.dll
     2009-03-08 11:32 . 2004-08-10 17:51 71680 ----a-w c:\windows\system32\iesetup.dll
     2009-03-08 11:31 . 2004-08-10 17:51 34816 ----a-w c:\windows\system32\imgutil.dll
     2009-03-08 11:31 . 2004-08-10 17:51 48128 ----a-w c:\windows\system32\mshtmler.dll
     2009-03-08 11:31 . 2004-08-10 17:51 45568 ----a-w c:\windows\system32\mshta.exe
     2009-03-08 11:22 . 2004-08-10 17:51 156160 ----a-w c:\windows\system32\msls31.dll
     2009-03-08 07:13 . 2008-11-28 20:40 -------- d-----w c:\program files\CCleaner
     2009-03-07 18:38 . 2009-03-07 18:38 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
     2009-03-07 18:37 . 2008-04-12 22:41 -------- d-----w c:\program files\Common Files\Intuit
     2009-03-07 18:33 . 2008-04-12 22:40 -------- d-----w c:\program files\TurboTax
     2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
     2009-02-23 16:21 . 2009-02-23 16:21 60228 ---ha-w c:\windows\system32\mlfcache.dat
     2009-02-22 18:33 . 2008-08-13 11:55 135 ----a-w C:\drmHeader.bin
     2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll
     2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll
     2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll
     2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll
     2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
     2009-02-06 11:11 . 2004-08-10 17:51 110592 ----a-w c:\windows\system32\services.exe
     2009-02-06 11:06 . 2004-08-10 17:51 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
     2009-02-06 10:39 . 2004-08-10 17:51 35328 ----a-w c:\windows\system32\sc.exe
     2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
     2009-02-03 19:59 . 2004-08-10 17:51 56832 ----a-w c:\windows\system32\secur32.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Steam"="c:\program files\valve\steam\steam.exe" [2008-10-08 1410296]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-02 8429568]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-01 271672]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
     "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
     "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
     "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
     "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
     "WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2007-08-01 339968]
     "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 282624]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
     Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-27 24576]

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
     "wave"= serwvdrv.dll

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
     "c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\A\\DL aids\\BitTorrent 6.0\\bittorrent.exe"=
     "c:\\A\\DL aids\\FlashGet \\FlashGet\\flashget.exe"=
     "c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\enemy territory quake wars demo\\etqw.exe"=
     "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

     R3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-29 39048]
     R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]
     S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-08-20 8944]
     S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]
     S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
     S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]

     [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
     "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
     .
     Contents of the 'Scheduled Tasks' folder

     2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
     .
     - - - - ORPHANS REMOVED - - - -

     HKLM-Run-%PROVIDERID% - bin\sprtcmd.exe
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://www.google.com/
     uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     IE: &Download All with FlashGet - c:\a\DL aids\FlashGet \FlashGet\jc_all.htm
     IE: &Download with FlashGet - c:\a\DL aids\FlashGet \FlashGet\jc_link.htm
     IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
     Trusted Zone: bankofamerica.com\www
     Trusted Zone: ticketmaster.com\www
     Trusted Zone: turbine.com\myaccount
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-05-02 11:13
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------

     [HKEY_USERS\S-1-5-21-2223708041-1235463289-972948221-1009\Software\Microsoft\SystemCertificates\AddressBook*]
     @Allowed: (Read) (RestrictedCode)
     @Allowed: (Read) (RestrictedCode)
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'explorer.exe'(2212)
     c:\windows\system32\ieframe.dll
     c:\windows\system32\OneX.DLL
     c:\windows\system32\eappprxy.dll
     c:\windows\system32\webcheck.dll
     c:\windows\system32\WPDShServiceObj.dll
     c:\windows\system32\PortableDeviceTypes.dll
     c:\windows\system32\PortableDeviceApi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\Lavasoft\Ad-Aware\aawservice.exe
     c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
     c:\windows\system32\nvsvc32.exe
     c:\program files\Dell Support Center\bin\sprtsvc.exe
     c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
     c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
     c:\windows\system32\wscntfy.exe
     c:\program files\iPod\bin\iPodService.exe
     .
     **************************************************************************
     .
     Completion time: 2009-05-02 11:17 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-05-02 18:17

     Pre-Run: 503,406,600,192 bytes free
     Post-Run: 503,557,533,696 bytes free

     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

     252 --- E O F --- 2009-04-29 08:15

     Thank you and best regards, yenooc
  3. I very much appreciate your help in this matter, Extremeboy, but before I run ComboFix, I have some concerns and questions. Running ComboFix is a big step for an intermediate user such as myself. Bleeping Computer posts this warning on their website: The Malwarebytes' forum also has a warning concerning ComboFix usage: I understand that you are a trained user who is instructing me on how to use ComboFix, but you are not actually at my house running it for me. If there is any chance that this Trojan.Agent is a false positive and I end up making my computer unusable running ComboFix, I will find that to be very ironic. So: why do I need to run ComboFix? Did the HJT log indicate in any way that I do, in fact, have a virus? Or are you recommending I run ComboFix because the HJT log does not give enough information? Please excuse my caution, but as an intermediate user, I am wary of running extremely powerful programs myself if they are at all risky. Thank you and best regards, yenooc
  4. Hello, and thank you for any help you can give me in this matter. I have the free version of Malwarebytes Anti-Malware, which has been extremely helpful in ridding my computer of viruses. Recently, Malwarebytes' Anti-Malware has been repeatedly finding a Trojan.Agent in a folder called A on our computer. It does not name a specific file in that folder that is infected. Here is the log of a HijackThis scan I just ran and the most recent Malwarebytes' Anti-Malware log file:

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 8:53:26 PM, on 4/27/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v7.00 (7.00.6000.16827)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\Dell Support Center\bin\sprtsvc.exe
     c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
     C:\WINDOWS\system32\WDBtnMgr.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\WINDOWS\stsystra.exe
     C:\Program Files\iTunes\iTunesHelper.exe
     C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
     C:\Program Files\Dell\Media Experience\DMXLauncher.exe
     C:\WINDOWS\System32\DLA\DLACTRLW.EXE
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Digital Line Detect\DLG.exe
     C:\Program Files\iPod\bin\iPodService.exe
     C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070727
     R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070727
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
     O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\A\DL aids\FlashGet \FlashGet\jccatch.dll
     O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
     O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\A\DL aids\FlashGet \FlashGet\getflash.dll
     O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
     O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
     O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
     O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
     O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
     O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
     O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     O4 - Global Startup: Digital Line Detect.lnk = ?
     O8 - Extra context menu item: &Download All with FlashGet - C:\A\DL aids\FlashGet \FlashGet\jc_all.htm
     O8 - Extra context menu item: &Download with FlashGet - C:\A\DL aids\FlashGet \FlashGet\jc_link.htm
     O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
     O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
     O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\A\DL aids\FlashGet \FlashGet\FlashGet.exe
     O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\A\DL aids\FlashGet \FlashGet\FlashGet.exe
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
     O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
     O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1227869322718
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227869383453
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O20 - AppInit_DLLs: kktunu.dll
     O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
     O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
     O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
     O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
     O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

     --
     End of file - 8067 bytes

     Malwarebytes' Anti-Malware 1.36
     Database version: 2036
     Windows 5.1.2600 Service Pack 3

     4/26/2009 12:53:32 PM
     mbam-log-2009-04-26 (12-53-32).txt

     Scan type: Quick Scan
     Objects scanned: 83214
     Time elapsed: 4 minute(s), 27 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\A (Trojan.Agent) -> Delete on reboot.
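The HijackThis log in the post above is a flat list of autostart and hook locations, and the question the thread keeps circling is which of those entries deserve attention. As an added example (not code from the original posts, from HijackThis or from Malwarebytes), the Python below parses lines in the HijackThis 2.0.2 format and flags the kinds of entries a responder checks first: an O20 AppInit_DLLs value that is not empty (a DLL listed there is loaded into every process that loads user32.dll), O4 Run entries whose image is given without an absolute path or with an unexpanded environment variable, and O23 services whose publisher is "Unknown owner". The sample log is a constructed excerpt of the lines quoted in the post; a finding means "verify this entry", not "this entry is malicious".

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt, in HijackThis 2.0.2 log format, of lines quoted
# in the post above. The real log has many more entries.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: kktunu.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")            # "O4 - <body>"
RUN_RE = re.compile(r"^(.+?): \[(.+?)\] (.*)$")           # "<hive>\..\Run: [name] command"
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # C:\... style absolute path
IMAGE_RE = re.compile(r"^(.+?\.(?:exe|dll|scr|com|cpl))(?=\s|,|$)", re.IGNORECASE)


@dataclass
class Entry:
    section: str   # "O4", "O20", "O23", ...
    body: str      # everything after "Oxx - "


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_hjt(text):
    """Split a HijackThis log into (section, body) entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def image_path(command):
    """Return the executable part of a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = IMAGE_RE.match(command)       # bare path may contain spaces, so cut at the extension
    return m.group(1) if m else command


def triage(entries):
    """Apply review rules; a finding means 'verify this', not 'this is malicious'."""
    findings = []
    for e in entries:
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            value = e.body.split(":", 1)[1].strip()
            if value:
                findings.append(Finding("O20", "AppInit_DLLs is set; the DLL is loaded into every "
                                        "process that loads user32.dll", value))
        elif e.section == "O4":
            m = RUN_RE.match(e.body)
            if not m:
                continue              # "Global Startup: x.lnk = ..." lines use another layout
            _hive, name, command = m.groups()
            path = image_path(command)
            if "%" in name or "%" in path:
                findings.append(Finding("O4", "unexpanded environment variable in autostart entry",
                                        f"[{name}] {command}"))
            elif not ABS_PATH_RE.match(path):
                findings.append(Finding("O4", "autostart image has no absolute path; it is resolved "
                                        "through the search path at logon", f"[{name}] {command}"))
        elif e.section == "O23" and "Unknown owner" in e.body:
            findings.append(Finding("O23", "service binary carries no publisher name", e.body))
    return findings


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.detail}")
```

Run against the excerpt it reports five entries to check: the two O4 images given as bare filenames, the O4 entry still carrying %PROVIDERID%, the AppInit_DLLs value, and the service with no publisher. Whether any of them is actually a problem is the job of the follow-up (hashes, signatures, file timestamps), which the rules deliberately do not pretend to do.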
  5. Thank you for your further thoughts on this issue, deathtospyware. I am not getting any access errors (thank goodness). There is a folder called "A" on the C drive; it is user-created. What is confusing me is that no file in that folder is named as being the source of the virus, and there are many many files in the A folder.
  6. Thank you for your detailed and thoughtful response. I am planning to try chkdsk at some point soon, that is a very good idea!
  7. Thank you for the suggestion. I want to try it, but am not sure how long it will take. My hard drive is 1.5 terabytes, and looking around on the Microsoft site, the best estimate I can find is "running CHKDSK can take anywhere from a few seconds to several days, depending on your specific situation". Microsoft also says "Warning: Microsoft does not recommend interrupting the chkdsk process when it is used with the /f switch. Microsoft does not guarantee the integrity of the disk if the chkdsk program is interrupted." So, I am a little nervous that I could start chkdsk, and it would run for days. I wish I had a better idea of how long it would take; it sounds like a great idea to run it.
  8. I have Malwarebytes' Anti-Malware 1.36. It has been repeatedly finding a Trojan.Agent in a folder called A on our computer. It does not name a specific file in that folder that is infected. Here is the text of the most recent log file:

     Malwarebytes' Anti-Malware 1.36
     Database version: 2036
     Windows 5.1.2600 Service Pack 3

     4/24/2009 2:02:44 PM
     mbam-log-2009-04-24 (14-02-44).txt

     Scan type: Quick Scan
     Objects scanned: 81846
     Time elapsed: 2 minute(s), 17 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\A (Trojan.Agent) -> Delete on reboot.

     I have run SuperAntiSpyware and Zone Alarm Anti-Virus and Anti-Spyware, and none of those programs find this Trojan. Malwarebytes Anti-Virus does not find this Trojan when run in Safe Mode, only in regular mode. I have cleared all system restore points, I have disabled Zone Alarm so it will not run on reboot and I have run Malwarebytes' Anti-Malware and rebooted into regular mode when Malwarebytes' Anti-Malware finds this Trojan, but it is still there. It confuses me that Malwarebytes' Anti-Malware does not name a specific file in the folder as being infected with this Trojan. Is this normal? Is this a false positive? Any help anyone can give would be much appreciated.
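Three of the posts above (posts 1, 4 and 8) paste Malwarebytes' Anti-Malware 1.36 logs whose only detection is "C:\A (Trojan.Agent)", and the poster's recurring question is why no file inside that folder is named. As an added example (not code from the original posts or from Malwarebytes), the Python below parses a log in that format into header fields, per-category counts and detection records, then runs the checks a practitioner would want before acting on it: that each summary count matches the number of entries listed under it, that every "Files Infected" entry actually names a file (a path with no extension, such as C:\A, is flagged for manual verification rather than assumed to be a directory or a false positive), and whether the detection was left in place. The sample log is a constructed copy of the one in post 1 with the empty detail sections abbreviated.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample in the Malwarebytes' Anti-Malware 1.36 log format, copied from
# post 1 above; the per-category detail sections are abbreviated to three.
SAMPLE_MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2083
Windows 5.1.2600 Service Pack 3

5/6/2009 9:56:52 AM
mbam-log-2009-05-06 (09-56-47).txt

Scan type: Quick Scan
Objects scanned: 84870
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\A (Trojan.Agent) -> No action taken.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned): (.+)$")
COUNT_RE = re.compile(r"^(.+?) Infected: (\d+)$")                # summary line with a count
SECTION_RE = re.compile(r"^(.+?) Infected:$")                     # start of a detail section
DETECTION_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")    # "<path> (<name>) -> <action>."


@dataclass
class Detection:
    category: str   # "Files", "Folders", "Registry Keys", ...
    path: str
    name: str
    action: str


@dataclass
class Report:
    header: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)
    sections: dict = field(default_factory=dict)   # category -> [Detection]

    @property
    def detections(self):
        return [d for items in self.sections.values() for d in items]


def parse_mbam_log(text):
    rep = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None            # a blank line ends a detail section
            continue
        if m := HEADER_RE.match(line):
            rep.header[m.group(1)] = m.group(2)
        elif m := COUNT_RE.match(line):
            rep.counts[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
            rep.sections.setdefault(section, [])
        elif section and (m := DETECTION_RE.match(line)):
            path, name, action = m.groups()
            rep.sections[section].append(Detection(section, path, name, action))
    return rep


def check_report(rep):
    """Consistency and plausibility checks; each string is a point to verify by hand."""
    issues = []
    for cat, items in rep.sections.items():
        expected = rep.counts.get(cat)
        if expected is not None and expected != len(items):
            issues.append(f"{cat}: summary count {expected} but {len(items)} entries listed")
    for d in rep.detections:
        if d.category == "Files" and not PureWindowsPath(d.path).suffix:
            issues.append(f"{d.path}: listed under Files Infected but has no file extension; "
                          "check whether it is a file or a directory")
        if d.action.lower().startswith("no action"):
            issues.append(f"{d.path}: {d.name} detected but left in place ({d.action})")
    return issues


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_MBAM_LOG)
    print(report.header, report.counts)
    for issue in check_report(report):
        print("CHECK:", issue)
```

On the sample it raises exactly the two points the thread argues about: the detection path names no file, and the scan left it in place. The count check is there because a summary that disagrees with its own detail section is the first sign of a truncated or hand-edited paste, which is worth knowing before anyone recommends running a more aggressive tool on the strength of it.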