Can't get rid of Trojan.Agent


Flycan

About 2 weeks ago my computer got infected by SpywareProtect2009 even with the MBAM Protection Module running. I ran MBAM and it killed a bunch of stuff and told me that Trojan.Agent would be deleted on reboot. I faithfully rebooted and it just keeps coming back ... grrrrrr.

As requested, here are the most recent MBAM and HijackThis logfiles ---- please help me get rid of this nasty bit of malware!!

Thanks,

Flycan

Malwarebytes' Anti-Malware 1.34

Database version: 1802

Windows 5.1.2600 Service Pack 3

2/25/2009 11:54:18 AM

mbam-log-2009-02-25 (11-54-13).txt

Scan type: Full Scan (C:\|)

Objects scanned: 203986

Time elapsed: 59 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmeguzuzese (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\tas\Local Settings\Application Data\ahilupav.dll (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:26:16 AM, on 2/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [Rmeguzuzese] rundll32.exe "C:\Documents and Settings\tas\Local Settings\Application Data\ahilupav.dll",e

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230816727671

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dynres.com

O17 - HKLM\Software\..\Telephony: DomainName = dynres.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dynres.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe

O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Thanks for the quick response!

Here is the ComboFix log and a new HijackThis log:

ComboFix 09-02-25.02 - Administrator 02/25/2009 14:08:00.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2654 [GMT -8:00]

Running from: c:\documents and settings\tas\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\windows\IE4 Error Log.txt

c:\windows\system32\dumphive.exe

c:\windows\system32\kedokyyo.ini

c:\windows\system32\lsprst7.dll

c:\windows\system32\nsprs.dll

c:\windows\system32\Process.exe

c:\windows\system32\prsgrc.dll

c:\windows\system32\ssprs.dll

c:\windows\system32\tmp.reg

c:\windows\system32\vsmnbokw.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))

.

No new files created in this timespan

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-25 22:04 --------- d-----w c:\program files\Symantec AntiVirus

2009-02-25 17:19 --------- d-----w c:\program files\Trend Micro

2009-02-25 16:28 --------- d-----w c:\program files\Password Safe

2009-02-25 14:42 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\DNA

2009-02-25 14:17 --------- d-----w c:\program files\DNA

2009-02-23 21:27 --------- d-----w c:\documents and settings\tas\Application Data\Skype

2009-02-23 20:56 --------- d-----w c:\documents and settings\tas\Application Data\skypePM

2009-02-20 07:06 15,688 ----a-w c:\windows\system32\lsdelete.exe

2009-02-20 07:02 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-20 07:02 --------- d-----w c:\program files\Lavasoft

2009-02-20 07:02 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-20 07:02 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2009-02-13 23:40 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-12 15:40 --------- d-----w c:\documents and settings\tas\Application Data\BitTorrent

2009-02-11 18:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 18:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-10 16:34 --------- d-sh--w c:\documents and settings\tas\Application Data\twain32

2009-02-02 17:29 --------- d-----w c:\program files\QuickTime

2009-01-10 15:57 --------- d-----w c:\program files\TechSmith

2009-01-10 15:57 --------- d-----w c:\documents and settings\All Users\Application Data\TechSmith

2009-01-09 15:48 --------- d-----w c:\program files\RealLegal E-Transcript Viewer

2009-01-09 04:15 --------- d-----w c:\program files\Common Files\HP

2009-01-09 04:10 --------- d-----w c:\program files\HP

2009-01-09 04:07 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-01-08 04:45 --------- d-----w c:\program files\Common Files\SPSS

2009-01-07 05:11 --------- d-----w c:\documents and settings\tas\Application Data\ImTOO Software Studio

2009-01-03 19:35 --------- d-----w c:\documents and settings\tas\Application Data\dvdcss

2009-01-03 01:51 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2009-01-02 23:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-02 17:05 --------- d-----w c:\documents and settings\tas\Application Data\Malwarebytes

2009-01-02 16:49 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-02 16:49 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\Malwarebytes

2009-01-02 02:47 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet

2009-01-01 21:17 --------- d-----w c:\documents and settings\tas\Application Data\Share-to-Web Upload Folder

2009-01-01 17:59 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\Hewlett-Packard

2009-01-01 17:58 --------- d-----w c:\program files\Hewlett-Packard

2009-01-01 17:57 82,380 ----a-w c:\windows\system32\drivers\AFS2K.SYS

2009-01-01 17:57 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\Share-to-Web Upload Folder

2009-01-01 17:55 --------- d-----w c:\program files\Common Files\Hewlett-Packard

2008-12-31 22:30 --------- d-----w c:\documents and settings\tas\Application Data\DivX

2008-12-31 22:30 --------- d-----w c:\documents and settings\tas\Application Data\CyberLink

2008-12-31 22:30 --------- d-----w c:\documents and settings\tas\Application Data\Blackberry Desktop

2008-12-31 22:30 --------- d-----w c:\documents and settings\tas\Application Data\ArcSoft

2008-12-31 16:46 --------- d-----w c:\documents and settings\tas\Application Data\Sonic

2008-12-30 23:45 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\BitTorrent

2008-12-30 23:22 --------- d-----w c:\program files\ImTOO

2008-12-30 22:38 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\ImTOO Software Studio

2008-12-30 22:34 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\Media Player Classic

2008-12-28 17:12 --------- d-----w c:\program files\SPSS Viewer

2008-12-28 17:02 --------- d-----w c:\documents and settings\All Users\Application Data\SafeNet Sentinel

2008-12-28 17:00 --------- d-----w c:\program files\SPSSInc

2008-12-28 17:00 --------- d-----w c:\documents and settings\All Users\Application Data\SPSS

2008-12-26 21:19 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\ArcSoft

2008-12-26 21:04 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-26 21:04 --------- d-----w c:\program files\Common Files\ArcSoft

2008-12-26 21:04 --------- d-----w c:\program files\ArcSoft

2008-12-26 21:03 --------- d-----w c:\program files\Philips

2008-12-26 20:58 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\InstallShield

2008-12-25 17:55 --------- d-----w c:\documents and settings\tas\Application Data\Media Player Classic

2008-12-25 17:42 --------- d-----w c:\program files\K-Lite Codec Pack

2008-12-25 17:30 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\Skype

2008-12-25 17:29 --------- d-----w c:\documents and settings\Administrator.TASMITH4\Application Data\skypePM

2008-12-25 17:26 --------- d-----w c:\program files\Skype

2008-12-25 17:26 --------- d-----w c:\program files\Common Files\Skype

2008-12-25 17:26 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2008-12-08 11:53 57,344 ----a-w c:\windows\system32\ff_vfw.dll

2008-12-07 18:08 795,648 ----a-w c:\windows\system32\xvidcore.dll

2008-12-07 18:08 130,048 ----a-w c:\windows\system32\xvidvfw.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [12/21/2008 08:03 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [12/09/2005 20:29 49152]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/14/2008 21:38 623992]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 15:52 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 85184]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/10/2007 10:22 405504]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [03/30/2007 20:00 138008]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [03/30/2007 20:00 162584]

"Persistence"="c:\windows\system32\igfxpers.exe" [03/30/2007 19:59 138008]

"Apoint"="c:\program files\Apoint\Apoint.exe" [10/07/2005 14:13 176128]

"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [08/20/2008 16:27 1368064]

"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [08/20/2008 16:09 1191936]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [08/16/2007 08:56 236016]

"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [08/14/2008 07:58 611712]

"Adobe_ID0ENQBO"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [08/15/2008 05:46 378224]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 10:42 69632]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [02/02/2009 09:29 413696]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [02/11/2009 10:19 399504]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [02/19/2009 23:05 509784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [03/22/2007 19:29 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0x00000000"

"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server

"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server

"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server

"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2005-10-18 61440]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-01-02 179856]

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]

R3 EraserUtilDrvI7;EraserUtilDrvI7;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [2009-02-25 99376]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-01-02 15504]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

2009-02-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [02/19/2009 23:05]

2009-02-25 c:\windows\Tasks\ujcpcjoh.job

- c:\docume~1\tas\LOCALS~1\Temp\khfFXQGw.dll []

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-25 14:10:58

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

c:\windows\system32\netprovcredman.dll

.

Completion time: 02/25/2009 14:12:22

ComboFix-quarantined-files.txt 2009-02-25 22:12:20

Pre-Run: 15,382,712,320 bytes free

Post-Run: 15,368,716,288 bytes free

216

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:14:15 PM, on 2/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [Rmeguzuzese] rundll32.exe "C:\Documents and Settings\tas\Local Settings\Application Data\ahilupav.dll",e

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1230816727671

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dynres.com

O17 - HKLM\Software\..\Telephony: DomainName = dynres.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dynres.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe

O23 - Service: Broadcom ASF IP Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel


  • Root Admin

STEP 01

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 02

Your Adobe may need to be updated

Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

STEP 03

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.

STEP 04

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

STEP 05

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double-click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Thanks for the help!

I ran CCleaner and it worked fine. Updated my Adobe Professional and then tried to run Dr.Web CureIt. Unfortunately after completing about 80% of the scan it crashed -- repeated this 3 times and watched it crash 3 times. Went on and ran MBAM and DDS and got the following log files.

Unfortunately it looks like Trojan.Agent is still there ...

Thanks in advance for your help.

Malwarebytes' Anti-Malware 1.34

Database version: 1808

Windows 5.1.2600 Service Pack 3

2/26/2009 9:42:38 PM

mbam-log-2009-02-26 (21-42-38).txt

Scan type: Quick Scan

Objects scanned: 61812

Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmeguzuzese (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\tas\Local Settings\Application Data\ahilupav.dll (Trojan.Agent) -> Delete on reboot.

DDS (Ver_09-02-01.01) - NTFSx86

Run by tas at 21:47:18.46 on Thu 02/26/2009

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2742 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Documents and Settings\tas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

uRun: [Rmeguzuzese] rundll32.exe "c:\documents and settings\tas\local settings\application data\ahilupav.dll",e

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [intelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray

mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)

mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)

mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230816727671

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]

R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-2 179856]

R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-2 15504]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090225.021\naveng.sys [2009-2-26 89104]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090225.021\navex15.sys [2009-2-26 876144]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]

=============== Created Last 30 ================

2009-02-26 13:16 <DIR> --d----- c:\documents and settings\tas\DoctorWeb

2009-02-26 10:40 <DIR> --d----- c:\program files\CCleaner

2009-02-25 14:07 <DIR> --d----- C:\ComboFix

2009-02-25 13:32 <DIR> a-dshr-- C:\cmdcons

2009-02-25 13:30 161,792 a------- c:\windows\SWREG.exe

2009-02-25 13:30 98,816 a------- c:\windows\sed.exe

2009-02-25 09:19 <DIR> --d----- c:\program files\Trend Micro

2009-02-23 19:14 <DIR> --d----- C:\Perl

2009-02-20 06:34 15,688 a------- c:\windows\system32\lsdelete.exe

2009-02-19 23:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-02-19 23:02 <DIR> --d----- c:\program files\Lavasoft

2009-02-18 21:35 552 a------- c:\windows\system32\d3d8caps.dat

2009-02-07 14:21 <DIR> --dsh--- c:\docume~1\tas\applic~1\twain32

2009-02-02 08:38 <DIR> --d-h--- c:\windows\PIF

==================== Find3M ====================

2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-08 20:19 179,858 a------- c:\windows\hpwins14.dat

2009-01-01 09:57 82,380 a------- c:\windows\system32\drivers\AFS2K.SYS

2008-12-18 15:13 21,640 a------- c:\windows\system32\emptyregdb.dat

2008-12-08 03:53 57,344 a------- c:\windows\system32\ff_vfw.dll

2008-12-07 10:08 795,648 a------- c:\windows\system32\xvidcore.dll

2008-12-07 10:08 130,048 a------- c:\windows\system32\xvidvfw.dll

============= FINISH: 21:47:28.15 ===============

Attach.zip

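The item that keeps coming back is visible in both logs above: the HKCU Run value that MBAM flags, and the `uRun: [Rmeguzuzese] rundll32.exe "...\ahilupav.dll",e` line in the DDS Pseudo HJT Report, which loads a DLL from the user's profile rather than from Program Files or System32. As an added example (not part of this thread, nor code from DDS or Malwarebytes), the Python below parses Run lines in DDS format, scores each with simple defender heuristics, and diffs two MBAM logs to show which detections survived the reboot; the sample lines are copied from the logs above, and the scoring rules and threshold are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: Run lines copied from the DDS "Pseudo HJT Report" above.
# DDS prefixes: uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT (per-hive Run keys).
SAMPLE_DDS = r"""
uRun: [Rmeguzuzese] rundll32.exe "c:\documents and settings\tas\local settings\application data\ahilupav.dll",e
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
"""

# Constructed samples: the detection lines from the two MBAM logs in the thread.
MBAM_LOG_FEB25 = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmeguzuzese (Trojan.Agent) -> No action taken.
C:\Documents and Settings\tas\Local Settings\Application Data\ahilupav.dll (Trojan.Agent) -> No action taken.
"""
MBAM_LOG_FEB26 = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmeguzuzese (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\tas\Local Settings\Application Data\ahilupav.dll (Trojan.Agent) -> Delete on reboot.
"""

RUN_LINE = re.compile(r"^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
IMAGE = re.compile(r'"([^"]+)"|(\S+?\.(?:exe|dll|scr|com)\b)', re.I)
MBAM_ITEM = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")
HIVES = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}

# Per-user, user-writable locations. Installers put binaries under Program
# Files or System32; code auto-started from here deserves a second look.
# (Heuristic chosen for this example, not a rule DDS or MBAM applies.)
USER_WRITABLE = ("documents and settings", "local settings", "application data",
                 "\\temp", "\\users\\")


def first_image(text):
    """Return (first quoted or .exe/.dll/.scr/.com token, remainder of text)."""
    m = IMAGE.search(text)
    if not m:
        return None, text
    return (m.group(1) or m.group(2)), text[m.end():]


def analyze_run_line(line):
    """Score one DDS Run line; returns None if the line is not a Run entry."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    image, rest = first_image(m["cmd"])
    score, reasons = 0, []
    if image and PureWindowsPath(image).name.lower() == "rundll32.exe":
        # rundll32.exe is a legitimate Windows host; the DLL it loads is the payload.
        dll, _ = first_image(rest)
        if dll:
            image = dll
            score += 2
            reasons.append("code hosted by rundll32.exe")
    if image and any(tok in image.lower() for tok in USER_WRITABLE):
        score += 2
        reasons.append("image lives in a user-writable profile directory")
    if image:
        stem = re.sub(r"[^a-z0-9]", "", PureWindowsPath(image).stem.lower())
        name = re.sub(r"[^a-z0-9]", "", m["name"].lower())
        if stem not in name and name not in stem:
            score += 1
            reasons.append("value name does not resemble the image name")
    return {"hive": HIVES[m["hive"]], "name": m["name"], "image": image,
            "score": score, "reasons": reasons, "suspicious": score >= 3}


def suspicious_run_entries(dds_text):
    """All Run entries in a DDS report that reach the suspicion threshold."""
    entries = (analyze_run_line(line) for line in dds_text.splitlines())
    return [e for e in entries if e and e["suspicious"]]


def mbam_detections(log_text):
    """Map each detected item (lower-cased) to (family, action) from an MBAM log."""
    found = {}
    for line in log_text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m:
            found[m["item"].lower()] = (m["family"], m["action"])
    return found


def recurring_detections(earlier, later):
    """Items detected in both logs, i.e. removals that did not survive a reboot."""
    a, b = mbam_detections(earlier), mbam_detections(later)
    return {item: (a[item][1], b[item][1]) for item in sorted(a.keys() & b.keys())}


if __name__ == "__main__":
    for e in suspicious_run_entries(SAMPLE_DDS):
        print(f"{e['hive']}\\...\\Run\\{e['name']} -> {e['image']}  [score {e['score']}]")
        for r in e["reasons"]:
            print("   -", r)
    for item, (old, new) in recurring_detections(MBAM_LOG_FEB25, MBAM_LOG_FEB26).items():
        print(f"still present: {item}  ({old} -> {new})")
```

The two functions are deliberately separate: the Run-line scorer points at where the persistence lives, while the log diff confirms that "Delete on reboot" did not actually remove it, which is the reason a boot-time or offline scanner is the next step.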

  • Root Admin

Please run an Online Anti-Virus scan with either the Java or ActiveX version of Kaspersky

Java Version

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

ActiveX version

Run Kaspersky Online AV Scanner

Using Internet Explorer Go to http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


For some reason my IE7 will allow me to install the ActiveX control but won't allow me to run the Kaspersky online scanner because it tells me that it doesn't recognize the publisher. I get a window that tells me that Windows has blocked this software because it can't verify the publisher. The window only contains an OK button -- I was hoping that I would see a button that said install anyway. Tried to change a bunch of the security settings but still couldn't get it to get past the security block.

This is a company computer and I'm pretty sure that my profile is set as a power user -- I've been trying to run the AV scans under this profile because Trojan.Agent doesn't get seen when I run windows as the administrator.

Any ideas?

Thanks!


  • Root Admin

Well you need to run with Administrative rights for most of these tools to work properly. Power User doesn't have enough rights in most cases.

Well let's try a different tool then. Please download and burn this CD and then boot up with it and run it.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

Ran the Avira Rescue System from the CD and it gave me the following results:

Records: 14

Suspect files: 0

Warnings: 4

The records were divided up as follows:

Appl/PSExec.E - 6 occurrences

SPR/ToolReboot.F - 3 occurrences

SPR/Tool.Hardoff.A - 4 occurrences

TR/Agent.5061067

Warnings were all the following: "Archive not completely scanned: part of a multi-volume archive"

Rebooted and updated MBAM and ran a quick scan -- those evil little Trojan.Agents were still there (i.e. same MBAM logfile message as when we started).

Thoughts? Thanks for the assistance!


  • Root Admin

Please run the following.

RootRepeal - Rootkit Detector

  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

Please create a BOOTLOG

  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation)
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

If you're already running inside Windows you can enable it the following way:

  • Click on START - RUN and type in MSCONFIG, go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.

Thanks for all of the help!

Here are the log files that you requested:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/03/05 06:50

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA7025000 Size: 45056 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl

Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\DeltekVision.exe.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\DeltekVision.exe.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.Misc.v6.1.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.Misc.v6.1.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinEditors.v6.1.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinEditors.v6.1.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Microsoft.Office.Interop.MSProject.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Microsoft.Office.Interop.MSProject.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\NineRays.FlyGrid.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\NineRays.FlyGrid.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\NineRays.FlyGrid.Columns.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\NineRays.FlyGrid.Columns.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\NineRays.FlyGrid.Styles.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\NineRays.FlyGrid.Styles.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinGrid.v6.1.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinExplorerBar.v6.1.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinExplorerBar.v6.1.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.v6.1.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.v6.1.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinTree.v6.1.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinTree.v6.1.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinDock.v6.1.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinDock.v6.1.manifest

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinSchedule.v6.1.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinGrid.v6.1.cdf-ms

Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinSchedule.v6.1.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Panopticon.Developer.Widgets.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Panopticon.Developer.Widgets.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Panopticon.Developer.Model.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Panopticon.Developer.Model.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Panopticon.Developer.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Panopticon.Developer.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Panopticon.Developer.Licensing.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Panopticon.Developer.Licensing.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Shared.v6.1.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Shared.v6.1.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinToolbars.v6.1.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinToolbars.v6.1.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinTabControl.v6.1.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinTabControl.v6.1.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinCalcManager.v6.1.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\tas\Local Settings\Apps\2.0\1GZ92N9V.8J5\RMY0GO0K.4Y1\manifests\Infragistics2.Win.UltraWinCalcManager.v6.1.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\mbam.sys" at address 0xa80d1fe0

Service Pack 3 3 5 2009 07:20:32.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver compbatt.sys
Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver pcmcia.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver cercsr6.sys
Loaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYS
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver WudfPf.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\wmiacpi.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\igxpmp32.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\NETw5x32.sys
Loaded driver \SystemRoot\system32\DRIVERS\b57xp32.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\Apfiltr.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\Drivers\AFS2K.SYS
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\Drivers\RootMdm.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\RimSerial.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\NWADIenum.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\sthda.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_DPV.sys
Loaded driver \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\system32\DRIVERS\easdrv.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\epfwtdir.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccid.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Loaded driver \SystemRoot\system32\DRIVERS\s24trans.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Did not load driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\Drivers\adfs.SYS
Loaded driver \SystemRoot\System32\drivers\aspi32.sys
Loaded driver \??\C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
Loaded driver \SystemRoot\system32\DRIVERS\eamon.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\mbam.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Loaded driver \SystemRoot\system32\DRIVERS\mdmxsdk.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

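The log above is the kind of output where a responder's first two questions are "who owns each SSDT hook?" and "which drivers were loaded from somewhere other than the standard system directories?". The Python script below is an added example written for this thread (not code from the poster, from Malwarebytes or from GMER) that answers both. Its sample input is assembled from lines of that log plus one constructed line for a driver under the user's Temp folder; the file name qwerty.sys is hypothetical. In the posted log the only SSDT hook belongs to mbam.sys, Malwarebytes' own driver, and the two \??\ load paths are the Broadcom ASF agent and, again, mbam.sys, so on the real log the worklist would contain nothing malicious. That is the point of running it: it separates the expected hooks and vendor drivers from anything that needs a second look.

```python
"""Triage helper for GMER/ntbtlog-style output like the log posted above.

Added example written for this thread, not code from the poster, from
Malwarebytes or from GMER.  It pulls out the two things a responder looks
at first when a Trojan keeps coming back after reboot:

  1. SSDT entries ("#: 050 Function Name: ... / Status: Hooked by "..." at
     address 0x..."), reporting which module owns each hook, and
  2. boot-log driver lines ("Loaded driver ..." / "Did not load driver ..."),
     flagging drivers loaded via an absolute "\\??\\C:\\..." path or from a
     user-profile / temp directory rather than the normal \\SystemRoot paths.

Both patterns are normal for security products (the one hook in the posted
log belongs to mbam.sys, Malwarebytes' own driver), so the output is a
worklist for the analyst, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: lines taken from the log above plus ONE constructed line
# (qwerty.sys under the user's Temp folder) to show what a real finding looks
# like.  That file name is hypothetical.
SAMPLE_LOG = r"""
SSDT
-------------------
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\mbam.sys" at address 0xa80d1fe0

Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver pci.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Loaded driver \??\C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\mbam.sys
Loaded driver \??\C:\Documents and Settings\tas\Local Settings\Temp\qwerty.sys
"""

SSDT_ENTRY_RE = re.compile(
    r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\w+)\s*'
    r'Status:\s*Hooked by\s*"(?P<module>[^"]+)"\s*at address\s*(?P<addr>0x[0-9A-Fa-f]+)'
)
DRIVER_LINE_RE = re.compile(
    r'^\s*(?P<status>Loaded driver|Did not load driver)\s+(?P<path>.+?)\s*$', re.MULTILINE
)


@dataclass
class SsdtHook:
    index: int
    function: str
    module: str
    address: int


@dataclass
class DriverEvent:
    loaded: bool
    path: str


def parse_ssdt(log: str) -> List[SsdtHook]:
    """Every hooked SSDT entry with the module GMER attributed it to."""
    return [SsdtHook(int(m["index"]), m["func"], m["module"], int(m["addr"], 16))
            for m in SSDT_ENTRY_RE.finditer(log)]


def parse_drivers(log: str) -> List[DriverEvent]:
    """Every 'Loaded driver' / 'Did not load driver' line, in boot order."""
    return [DriverEvent(m["status"] == "Loaded driver", m["path"])
            for m in DRIVER_LINE_RE.finditer(log)]


def classify_path(path: str) -> Optional[str]:
    """Reason a load path deserves a look, or None if it is a normal one."""
    p = path.lower()
    if "\\" not in p:
        return None  # boot-start drivers are logged by bare name (pci.sys, atapi.sys)
    if "\\documents and settings\\" in p or "\\users\\" in p or "\\temp\\" in p:
        return "driver loaded from a user-profile or temp directory"
    if p.startswith("\\??\\"):
        return "loaded via an absolute \\??\\ path registered by an installer"
    if p.startswith(("\\systemroot\\", "\\windows\\")):
        return None
    return "unrecognised load path"


def unusual_load_paths(events: List[DriverEvent]) -> List[Tuple[str, str]]:
    """(path, reason) for each *loaded* driver whose path is worth checking."""
    findings = []
    for ev in events:
        if not ev.loaded:
            continue  # a driver that failed to load is not running; note it, don't chase it
        reason = classify_path(ev.path)
        if reason:
            findings.append((ev.path, reason))
    return findings


def triage(log: str) -> dict:
    hooks = parse_ssdt(log)
    events = parse_drivers(log)
    return {"ssdt_hooks": hooks,
            "driver_findings": unusual_load_paths(events),
            "drivers_loaded": sum(1 for e in events if e.loaded)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for h in report["ssdt_hooks"]:
        print(f"SSDT #{h.index:03d} {h.function} hooked by {h.module} @ {h.address:#x}")
    for path, reason in report["driver_findings"]:
        print(f"CHECK {path}: {reason}")
    print(f"{report['drivers_loaded']} drivers loaded")
```

Point the script at a saved GMER or ntbtlog.txt file instead of SAMPLE_LOG and work the CHECK lines top down: a hook or an absolute-path driver that belongs to an installed security product is expected; one whose module sits in a profile or temp directory is where the reinfection-on-reboot usually lives.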

Our IT guy installed ESET NOD32 Antivirus and Antispyware onto my computer and today it detected a variant of Win32/Kryptik.JU Trojan and successfully deleted it on the reboot. I then updated MBAM and ran a quick scan and it still found 1 threat (our old friend the Trojan.Agent) and this time it successfully quarantined it and deleted it.

Just ran a quick scan and it appears that there are 0 infections on my machine!! Yippeee!!

Thanks for all of your help guys -- keep up the great work.

Flycan


  • Root Admin

Okay then, if the logs are clean and there are no other reports of malware, we'll call it done.

Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore - Windows XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-check Turn off System Restore.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here.

Find the tutorial on how to use Spyware Blaster here.

Install WinPatrol

Download it from here.

You can find information about how WinPatrol works here.

Install FireTrust SiteHound

You can find information and download it from here.

Install hpHosts

Download it from here.

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your PC.

Visit Microsoft often to get the latest updates for your computer.

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3. The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free.

A little outdated but good reading on how to prevent malware.

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions.

Also don't forget that we offer FREE assistance with general PC questions and repair here: PC Help.

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org
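As an added illustration of the hpHosts advice above (example code written for this thread, not from the thread's author, from hpHosts or from Malwarebytes): on Windows XP the hosts file lives at %SystemRoot%\system32\drivers\etc\hosts and is consulted before DNS, so a listed name is pinned to whatever address the list gives it. Two limits are worth knowing before relying on it. Only exact names are covered, because the hosts file has no wildcards, so an unlisted subdomain of a listed domain still resolves through DNS; and a program that connects by IP address never consults the file at all. hpHosts pins names to 127.0.0.1; 0.0.0.0 is the usual alternative because the browser then does not attempt a connection to a service that may be listening on the local machine. The script parses a small hosts file the way the resolver does and shows both limits; the sample file is constructed for the example.

```python
"""What a hosts-file blocklist such as hpHosts actually does.

Added example for the hpHosts advice in the post above; it is not code from
the thread, from hpHosts or from Malwarebytes.  On Windows XP the file lives
at %SystemRoot%\\system32\\drivers\\etc\\hosts and is consulted before DNS, so a
listed name is pinned to whatever address the list gives it.  The example
parses a small constructed hosts file the way the resolver does, then shows
the two limits a user should know: only exact names are covered (no
wildcards, so an unlisted subdomain of a listed domain still resolves via
DNS), and anything that connects by raw IP address bypasses the file entirely.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample, not an excerpt of the real hpHosts list.
SAMPLE_HOSTS = """\
# <address> <name> [<name> ...]   '#' starts a comment
127.0.0.1       localhost
127.0.0.1       ads.example.net   tracker.example.net   # two names, one line
0.0.0.0         malware-download.example.org            # 0.0.0.0 never opens a socket to a local service
# 127.0.0.1     commented-out.example.com               # commented out, so NOT blocked
"""

# Addresses a blocklist pins names to so the connection goes nowhere useful.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """hostname (lower-cased) -> address, following the file's own rules:
    '#' to end of line is a comment, fields are whitespace-separated, the
    first field is the address, every following field is a name.  The first
    entry for a name is kept so a duplicate does not silently change it."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), address)
    return table


def lookup(hostname: str, table: Dict[str, str]) -> Optional[str]:
    """Exact, case-insensitive, whole-name match: the only kind the hosts file does."""
    return table.get(hostname.strip().rstrip(".").lower())


def classify(hostname: str, table: Dict[str, str]) -> str:
    address = lookup(hostname, table)
    if address is None:
        return "not listed: resolved by DNS as usual"
    if hostname.strip().rstrip(".").lower() == "localhost":
        return "local host entry"
    if address in SINK_ADDRESSES:
        return f"blocked: pinned to {address}"
    return f"pinned to {address}"


def uncovered_subdomains(hostnames: List[str], table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Names that escape the list although a parent domain of theirs is listed."""
    escaped = []
    for host in hostnames:
        host = host.strip().rstrip(".").lower()
        if host in table:
            continue
        labels = host.split(".")
        # Try ads.example.net, then example.net; never the bare TLD.
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in table:
                escaped.append((host, parent))
                break
    return escaped


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ["ADS.example.net", "malware-download.example.org",
                 "commented-out.example.com", "cdn.ads.example.net"]:
        print(f"{name:32} {classify(name, table)}")
    for host, parent in uncovered_subdomains(["cdn.ads.example.net"], table):
        print(f"{host} is NOT covered although {parent} is listed: the hosts file has no wildcards")
```

Run it against the real file by reading %SystemRoot%\system32\drivers\etc\hosts into parse_hosts; the uncovered_subdomains check is also a quick way to see why a very large list still lets some ad and tracker hosts through.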
