Trojan.Agent will not delete


Hello, and thank you for any help you can give me in this matter. I have the free version of Malwarebytes Anti-Malware, which has been extremely helpful in ridding my computer of viruses.

Recently, Malwarebytes' Anti-Malware has been repeatedly finding a Trojan.Agent in a folder called A on our computer. It does not name a specific file in that folder that is infected. Here is the log of a HijackThis scan I just ran and the most recent Malwarebytes' Anti-Malware log file:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:53:26 PM, on 4/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070727

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070727

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\A\DL aids\FlashGet \FlashGet\jccatch.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\A\DL aids\FlashGet \FlashGet\getflash.dll

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Download All with FlashGet - C:\A\DL aids\FlashGet \FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\A\DL aids\FlashGet \FlashGet\jc_link.htm

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\A\DL aids\FlashGet \FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\A\DL aids\FlashGet \FlashGet\FlashGet.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9563.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1227869322718

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1227869383453

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: kktunu.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 8067 bytes

Malwarebytes' Anti-Malware 1.36

Database version: 2036

Windows 5.1.2600 Service Pack 3

4/26/2009 12:53:32 PM

mbam-log-2009-04-26 (12-53-32).txt

Scan type: Quick Scan

Objects scanned: 83214

Time elapsed: 4 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\A (Trojan.Agent) -> Delete on reboot.

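The HijackThis log above lists autostart points without any verdict on them. As an added example (the editor's code, not HijackThis's, Malwarebytes' or the poster's), here is a small Python triage script that parses entry lines in the HijackThis v2 log format and pulls out the kinds of entries an analyst would want to identify first: the O20 AppInit_DLLs value, an O23 service with no vendor string, O4 autorun commands given as bare or relative filenames, and an O2 browser helper object loaded from outside Program Files or WINDOWS. The sample lines are copied from the log above; the flagging heuristics are the editor's, and a flagged entry is something to look up, not a statement that it is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: entry lines copied from the HijackThis v2.0.2 log posted
# above. Header and "Running processes" lines are not needed for this triage.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\A\DL aids\FlashGet \FlashGet\jccatch.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [%PROVIDERID%] "bin\sprtcmd.exe" /P %PROVIDERID%
O20 - AppInit_DLLs: kktunu.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")          # an absolute path such as C:\...
VENDOR_DIR_RE = re.compile(r"\\(Program Files|WINDOWS)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    item: str      # the path, file name or command the finding is about
    reason: str    # why an analyst should identify it before deciding anything


def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line, skipping the rest."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage_hjt(text):
    """Return the entries worth looking up first. A finding is a question, not a verdict."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:   # HijackThis prints the line only when the value is set; check anyway
                findings.append(Finding(sec, value,
                    "AppInit_DLLs is loaded into every process that links user32.dll; "
                    "find the file on disk and identify its publisher"))
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(sec, body.rsplit(" - ", 1)[1],
                "service binary has no vendor string; check its signature"))
        elif sec == "O4":
            m = RUN_RE.match(body)   # "HKLM\..\Run: [Name] command"; Global Startup lines skip
            if m and not DRIVE_PATH_RE.search(m.group("cmd")):
                findings.append(Finding(sec, m.group("cmd"),
                    "autorun command is not an absolute path; which file actually runs "
                    "depends on the search path"))
        elif sec == "O2":
            path = body.rsplit(" - ", 1)[1]
            if not VENDOR_DIR_RE.search(path):
                findings.append(Finding(sec, path,
                    "browser helper object loaded from outside Program Files or WINDOWS"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<4} {f.item}\n     {f.reason}")
```

Run against the sample it reports five entries: the FlashGet BHO under C:\A, the two autorun commands without a drive path (WDBtnMgr.exe and the %PROVIDERID% sprtcmd.exe entry that ComboFix later lists as an orphan), the AppInit_DLLs value, and the DSBrokerService binary. Each is a file to locate and identify; the script deliberately says nothing about whether any of them is unwanted.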

Hello and welcome to Malwarebytes.

If you have any problems running Combofix, let me know.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1

Link 2

Link 3

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [screenshot: RcAuto1.gif]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [screenshot: whatnext.png]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Do not touch and run any other programs when Combofix is running as it may cause it to stall.

With Regards,

Extremeboy

I very much appreciate your help in this matter, Extremeboy, but before I run ComboFix, I have some concerns and questions.

Running ComboFix is a big step for an intermediate user such as myself. Bleeping Computer posts this warning on their website:

From http://www.bleepingcomputer.com/forums/forum103.html

When posting your problem, do not run and post ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

The Malwarebytes' forum also has a warning concerning ComboFix usage:

From http://www.malwarebytes.org/forums/index.php?showtopic=7191

Tools such as SDFix and Combofix are recommended by their developers to be used in a supervised environment, by a Malware Removal Expert trained in their use.

You use them yourself at your own risk.

I think it's far better for users unsure of what they may be doing to post a HijackThis log for expert help.

I understand that you are a trained user who is instructing me on how to use ComboFix, but you are not actually at my house running it for me. If there is any chance that this Trojan.Agent is a false positive and I end up making my computer unusable running ComboFix, I will find that to be very ironic.

So: why do I need to run ComboFix? Did the HJT log indicate in any way that I do, in fact, have a virus? Or are you recommending I run ComboFix because the HJT log does not give enough information?

Please excuse my caution, but as an intermediate user, I am wary of running extremely powerful programs myself if they are at all risky.

Thank you and best regards,

yenooc

Hello.

ComboFix is a safe tool to use; if it's not used properly, it can lead to many problems. Yes, it is a strong tool, but it's not a tool that will make your computer unusable; otherwise we would not use such a tool publicly, as it would be far too dangerous.

So to recap, ComboFix is a safe tool and you should proceed without any worries. There are certain areas where backups are made, and if anything happens we can repair it.

Please proceed with ComboFix and post the log once it's done. I apologize, but I cannot go into much detail as to how and why we run or use ComboFix, as it's not meant to be spoken about publicly. All I can say is that it's a great and powerful tool that is/can be used to diagnose as well as remove certain infections.

With Regards,

Extremeboy

Hello Extremeboy,

Thank you for your patient response to my fears. I ran Combofix following your clear and detailed instructions, and as far as I can tell, it ran successfully (although my Internet Explorer settings were reset for some reason, and Internet Explorer no longer knew it was my default browser).

Here is the Combofix log:

ComboFix 09-05-02.4 - Us 05/02/2009 11:10.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1614 [GMT -7:00]

Running from: c:\documents and settings\Us\Desktop\ComboFix.exe

AV: BitDefender Antivirus *On-access scanning disabled* (Updated)

AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)

FW: BitDefender Firewall *disabled*

FW: ZoneAlarm Security Suite Firewall *disabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\aHkSstwa.ini

c:\windows\system32\aHkSstwa.ini2

c:\windows\system32\sX3i19

.

((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))

.

2009-04-30 02:53 . 2009-04-30 02:53 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache

2009-04-29 08:36 . 2009-04-29 08:36 -------- d-sh--w c:\documents and settings\Us\PrivacIE

2009-04-29 08:32 . 2009-04-29 08:32 -------- d-sh--w c:\documents and settings\Us\IETldCache

2009-04-29 08:30 . 2009-04-29 08:30 -------- dc-h--w c:\windows\ie8

2009-04-28 03:53 . 2009-04-28 03:53 -------- d-----w c:\program files\Trend Micro

2009-04-25 05:45 . 2009-04-25 05:45 -------- d-----w c:\program files\QuickTime

2009-04-25 05:44 . 2009-04-25 05:44 -------- d-----w c:\program files\Apple Software Update

2009-04-19 19:30 . 2009-04-19 19:30 -------- d-----w c:\program files\Common Files\xing shared

2009-04-15 06:03 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-15 06:03 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-15 06:03 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-15 06:03 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-15 06:03 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-15 06:03 . 2009-02-06 10:10 227840 ----a-w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-15 06:03 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-15 06:03 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll

2009-04-15 06:03 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-15 06:03 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

2009-04-15 06:02 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-15 06:02 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-02 18:13 . 2007-08-01 15:19 176393760 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-05-02 18:13 . 2004-08-10 18:08 6 ---ha-w c:\windows\Tasks\SA.DAT

2009-05-02 18:12 . 2007-08-01 15:19 2362940 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-05-02 18:04 . 2007-08-01 15:19 4212 ---ha-w c:\windows\system32\zllictbl.dat

2009-05-02 18:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At12.job

2009-05-02 17:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At11.job

2009-05-02 16:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At10.job

2009-05-02 15:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At9.job

2009-05-02 09:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At3.job

2009-05-02 08:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At2.job

2009-05-02 07:43 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At1.job

2009-05-02 06:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At24.job

2009-05-02 05:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At23.job

2009-05-02 04:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At22.job

2009-05-02 03:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At21.job

2009-05-02 02:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At20.job

2009-05-02 01:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At19.job

2009-05-02 00:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At18.job

2009-05-01 23:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At17.job

2009-05-01 22:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At16.job

2009-05-01 21:58 . 2009-04-25 05:44 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job

2009-05-01 21:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At15.job

2009-05-01 20:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At14.job

2009-05-01 19:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At13.job

2009-04-30 13:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At7.job

2009-04-30 12:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At6.job

2009-04-30 11:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At5.job

2009-04-29 17:51 . 2007-08-01 12:49 77968 ----a-w c:\documents and settings\Us\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-04-29 08:26 . 2007-07-27 13:31 -------- d-----w c:\program files\Microsoft Works

2009-04-28 14:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At8.job

2009-04-27 18:22 . 2009-04-27 19:41 2737152 ----a-w c:\windows\Internet Logs\xDBC.tmp

2009-04-25 10:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At4.job

2009-04-25 06:18 . 2007-08-05 20:39 -------- d-----w c:\program files\Windows Media Connect 2

2009-04-25 06:18 . 2007-07-27 13:29 -------- d-----w c:\program files\NetWaiting

2009-04-25 06:18 . 2007-07-27 13:29 -------- d-----w c:\program files\Modem Helper

2009-04-25 06:18 . 2008-05-22 05:01 -------- d-----w c:\program files\AoA Audio Extractor

2009-04-23 15:48 . 2009-04-23 15:52 1380352 ----a-w c:\windows\Internet Logs\xDBB.tmp

2009-04-19 19:30 . 2007-08-08 14:31 -------- d-----w c:\program files\Common Files\Real

2009-04-19 19:30 . 2003-03-19 03:14 499712 ----a-w c:\windows\system32\msvcp71.dll

2009-04-19 19:30 . 2003-02-21 11:42 348160 ----a-w c:\windows\system32\msvcr71.dll

2009-04-19 19:01 . 2008-11-30 08:30 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-19 14:49 . 2009-04-19 14:49 168978 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_19_02_24_58_small.dmp.zip

2009-04-19 09:25 . 2009-04-19 14:44 2796544 ----a-w c:\windows\Internet Logs\xDBA.tmp

2009-04-06 22:32 . 2008-11-30 08:30 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 22:32 . 2008-11-30 08:30 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-03 20:46 . 2009-04-03 20:46 189098 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_03_08_46_09_small.dmp.zip

2009-04-03 15:46 . 2009-04-03 20:41 3581440 ----a-w c:\windows\Internet Logs\xDB9.tmp

2009-04-03 15:46 . 2009-04-03 20:41 2640384 ----a-w c:\windows\Internet Logs\xDB8.tmp

2009-04-02 07:37 . 2009-04-02 07:37 51448 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_55_small.dmp.zip

2009-04-02 07:37 . 2009-04-02 07:37 48318 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_54_small.dmp.zip

2009-04-02 07:37 . 2009-04-02 07:37 48586 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_49_small.dmp.zip

2009-04-02 07:37 . 2009-04-02 07:37 51791 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_48_small.dmp.zip

2009-04-02 07:37 . 2009-04-02 07:37 51350 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_45_small.dmp.zip

2009-04-02 07:37 . 2009-04-02 07:37 51348 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_46_small.dmp.zip

2009-04-02 07:37 . 2009-04-02 07:37 51746 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_43_small.dmp.zip

2009-04-02 07:37 . 2009-04-02 07:37 14006486 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_02_00_30_39_full.dmp.zip

2009-04-02 07:32 . 2007-08-25 00:28 32212480 ----a-w c:\windows\Internet Logs\tvDebug.zip

2009-04-01 02:20 . 2007-08-01 15:19 72584 ----a-w c:\windows\zllsputility.exe

2009-04-01 02:20 . 2008-11-26 06:22 1221512 ----a-w c:\windows\system32\zpeng25.dll

2009-03-29 19:44 . 2009-03-29 21:48 1794048 ----a-w c:\windows\Internet Logs\xDB7.tmp

2009-03-27 01:46 . 2009-03-27 03:58 2635776 ----a-w c:\windows\Internet Logs\xDB6.tmp

2009-03-23 21:10 . 2009-03-23 21:12 2960896 ----a-w c:\windows\Internet Logs\xDB5.tmp

2009-03-22 17:19 . 2009-03-22 17:19 -------- d-----w c:\program files\MSECache

2009-03-08 11:34 . 2004-08-10 17:51 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 11:34 . 2004-08-10 17:51 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 11:33 . 2004-08-10 17:50 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 11:33 . 2004-08-10 17:51 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 11:32 . 2004-08-10 17:50 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 11:32 . 2004-08-10 17:51 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 11:31 . 2004-08-10 17:51 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 11:31 . 2004-08-10 17:51 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 11:31 . 2004-08-10 17:51 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 11:22 . 2004-08-10 17:51 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-08 07:13 . 2008-11-28 20:40 -------- d-----w c:\program files\CCleaner

2009-03-07 18:38 . 2009-03-07 18:38 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

2009-03-07 18:37 . 2008-04-12 22:41 -------- d-----w c:\program files\Common Files\Intuit

2009-03-07 18:33 . 2008-04-12 22:40 -------- d-----w c:\program files\TurboTax

2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll

2009-02-23 16:21 . 2009-02-23 16:21 60228 ---ha-w c:\windows\system32\mlfcache.dat

2009-02-22 18:33 . 2008-08-13 11:55 135 ----a-w C:\drmHeader.bin

2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys

2009-02-06 11:11 . 2004-08-10 17:51 110592 ----a-w c:\windows\system32\services.exe

2009-02-06 11:06 . 2004-08-10 17:51 2145280 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-06 10:39 . 2004-08-10 17:51 35328 ----a-w c:\windows\system32\sc.exe

2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-03 19:59 . 2004-08-10 17:51 56832 ----a-w c:\windows\system32\secur32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files\valve\steam\steam.exe" [2008-10-08 1410296]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-02 8429568]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-08-01 271672]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]

"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2007-08-01 339968]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-27 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\A\\DL aids\\BitTorrent 6.0\\bittorrent.exe"=

"c:\\A\\DL aids\\FlashGet \\FlashGet\\flashget.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\enemy territory quake wars demo\\etqw.exe"=

"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2002-11-29 39048]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-20 7408]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-08-20 8944]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-20 55024]

S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-%PROVIDERID% - bin\sprtcmd.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Download All with FlashGet - c:\a\DL aids\FlashGet \FlashGet\jc_all.htm

IE: &Download with FlashGet - c:\a\DL aids\FlashGet \FlashGet\jc_link.htm

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: bankofamerica.com\www

Trusted Zone: ticketmaster.com\www

Trusted Zone: turbine.com\myaccount

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-02 11:13

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2223708041-1235463289-972948221-1009\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2212)

c:\windows\system32\ieframe.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Dell Support Center\bin\sprtsvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-05-02 11:17 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-02 18:17

Pre-Run: 503,406,600,192 bytes free

Post-Run: 503,557,533,696 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

252 --- E O F --- 2009-04-29 08:15

Thank you and best regards,

yenooc

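The Find3M section of the ComboFix log above lists 24 files At1.job through At24.job under c:\windows\Tasks, each 350 bytes and each carrying the same second timestamp, 2009-03-07 16:24, while their first timestamps step through the hours of the day. The following added example (the editor's code, not ComboFix's or the poster's) parses lines in that ComboFix file-list format and groups Task Scheduler .job files by that timestamp and size, so a set of jobs written in one go surfaces as one group to read rather than 24 scattered lines. It assumes the second timestamp is the file's creation time and the first its last-write time; the grouping works the same either way. The sample lines are a subset copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the Find3M lines from the ComboFix log posted
# above (four of the 24 At*.job entries, the Apple updater job, a directory and two
# other files), enough to show the grouping without repeating the whole log.
SAMPLE_FIND3M = r"""
2009-05-02 18:13 . 2007-08-01 15:19 176393760 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-02 18:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At12.job
2009-05-02 17:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At11.job
2009-05-02 07:43 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At1.job
2009-05-01 22:00 . 2009-03-07 16:24 350 ----a-w c:\windows\Tasks\At16.job
2009-05-01 21:58 . 2009-04-25 05:44 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
2009-04-29 08:26 . 2007-07-27 13:31 -------- d-----w c:\program files\Microsoft Works
2009-04-06 22:32 . 2008-11-30 08:30 15504 ----a-w c:\windows\system32\drivers\mbam.sys
"""

# One ComboFix file line: "<timestamp> . <timestamp> <size|--------> <attrs> <path>".
# Assumption (also stated in the lead-in): the first timestamp is last-modified and
# the second is creation. The grouping below does not depend on which is which.
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)


def parse_find3m(text):
    """Parse ComboFix file lines into dicts; banners, '.' separators and prose are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FIND3M_RE.match(raw.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append({
            "modified": m.group("modified"),
            "created": m.group("created"),
            "size": int(size) if size.isdigit() else None,   # directories print "--------"
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def job_groups(entries, min_members=2):
    """Group Task Scheduler .job files by (creation timestamp, size).

    Several .job files sharing one creation minute and one size were written by one
    action; that set is what to read (command line, trigger) before deciding anything.
    """
    groups = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if "\\tasks\\" in p and p.endswith(".job"):
            groups[(e["created"], e["size"])].append(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


def run_hours(entries, paths):
    """Distinct hours (HH) at which the given job files were last written, i.e. last ran."""
    wanted = set(paths)
    return sorted({e["modified"][11:13] for e in entries if e["path"] in wanted})


if __name__ == "__main__":
    entries = parse_find3m(SAMPLE_FIND3M)
    for (created, size), paths in job_groups(entries).items():
        print(f"{len(paths)} job files created {created}, {size} bytes each, "
              f"last written at hours {run_hours(entries, paths)}")
        for p in paths:
            print("   ", p)
```

On the sample this yields one group: the At*.job files, all created 2009-03-07 16:24 at 350 bytes, last written at a different hour each. The Apple updater job stands alone and is not grouped. What the jobs actually run is not in the ComboFix log; on the XP machine itself, typing `at` with no arguments in a command prompt lists the jobs created with the at command together with the command line each one runs, and that listing, not the size or timestamp, is what tells you whether a job belongs there.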

Hello Extremeboy,

Just as an update, Malwarebytes' Anti-Malware is still finding that same Trojan.Agent. Here is the Malwarebytes' log for the scan I just ran:

Malwarebytes' Anti-Malware 1.36

Database version: 2083

Windows 5.1.2600 Service Pack 3

5/6/2009 9:56:52 AM

mbam-log-2009-05-06 (09-56-47).txt

Scan type: Quick Scan

Objects scanned: 84870

Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\A (Trojan.Agent) -> No action taken.

Any further advice you can give me would be much appreciated.

Best regards,

yenooc
