
[Resolved] Infected with win32.agent.pz, smitfraud-c and other vi


This topic is locked
6 replies to this topic

#1 kammila (New Member, 3 posts)

Posted 28 October 2007 - 05:19 PM

I ran Spybot - Search & Destroy, Kaspersky - Anti Virus, and Ad-Aware.

Spybot finds the Smitfraud-C, Win32.Agent.pz and other entries in microsoft.windows.explorer, microsoft.windowssecuritycenter.registrytools, microsoft.windowssecuritycenter.taskmanager that it's unable to remove.

Kaspersky & Adaware find lots of viruses & remove them but they seem to return. I get a pop up message every few minutes - "Warning! Potential Spyware Operation! Your computer is making unauthorized copies of your systen and Internet files. Run full scan now to prevent unauthorised access to your files! Click YES to download spyware remover"

Here's my HijackThis log, please help -

Logfile of HijackThis v1.99.1
Scan saved at 7:02:05 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\ISM2\ISMPack5.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\IZArc\IZArc.exe
C:\DOCUME~1\Vijay\LOCALS~1\Temp\ARC1F\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O5 "LPT1:" /M "Stylus CX6400"
O4 - HKLM\..\Run: [EPSON Stylus CX6400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P28 "EPSON Stylus CX6400 (Copy 1)" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S1DA.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011
O4 - Startup: system.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E765747B-A0E4-4BD4-93E4-EA0E3500D57C} (PDM Plugin) - http://10.155.1.152:...n/PDMPlugin.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 28 October 2007 - 07:52 PM

Welcome to the forum.

Download to your Desktop FixPolicies.exe, a self-extracting ZIP archive from the link below:
http://cid-6aaab341c...FixPolicies.exe

(Please ignore the warning about downloading .exe files, this file is safe)

Double-click FixPolicies.exe

Click the "Install" button on the bottom toolbar of the box that will open.

The program will create a new Folder called FixPolicies.

Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.

A black box will briefly appear and then close.

--------------------------

Then..........

Please run ATF, ComboFix and SuperAntiSpyware (SAS) from the link below:

http://forums.maddok...?showtopic=9590

Then post the logs from ComboFix, SAS and a fresh HJT log back HERE.

Thanks, MrC
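The first HJT log carries four persistence patterns that the replies in this thread work through one by one: the Winlogon Shell and Userinit values with a second program appended (printer.exe, ntos.exe), an O7 policy that disables regedit (the restriction FixPolicies.exe reverses), the same Run value registered under both HKLM and HKCU (WinAVX), and bare executables sitting in Startup folders (system.exe, autorun.exe). The script below is an added example, not part of this thread and not HijackThis code: it applies those rules, plus an orphan check for "(file missing)" entries, to lines copied from the first HJT log. The Finding structure, the rule thresholds and the remediation wording are this example's own assumptions; the reg delete line is the standard reg.exe syntax for removing a single value.

```python
"""Triage a HijackThis log for the persistence patterns seen in this thread.

Added example; not part of the thread and not HijackThis code. The sample lines
are copied from the first HJT log above. Rule thresholds, the Finding structure
and the remediation wording are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: IEHlprObj Class - {ABCDECF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\vtr.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

# HJT's F2 lines are the registry-backed Winlogon Shell / Userinit values.
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<name>Shell|UserInit)=(?P<value>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<name>\w+)=(?P<value>\S+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.+)$")


@dataclass
class Finding:
    section: str            # HJT section tag: F2, O4, O7, ...
    reason: str
    remediation: str
    lines: list[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_winlogon(name: str, value: str) -> list[str]:
    """Return the programs that do not belong in the Winlogon Shell or Userinit value."""
    if name == "Shell":
        # Shell must be exactly Explorer.exe; malware appends its loader after a space
        # or comma. Splitting on whitespace means a legitimate path with spaces would
        # also be reported, which on XP is still worth a look.
        parts = [p for p in re.split(r"[,\s]+", value.strip()) if p]
        return [p for p in parts if _basename(p) != "explorer.exe"]
    # Userinit is a comma-separated list (the trailing comma is the default);
    # only userinit.exe belongs in it.
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if _basename(p) != "userinit.exe"]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    run_entries: dict = defaultdict(dict)   # (name, target) -> {hive: line}

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]

        if m := F2_RE.match(line):
            extras = check_winlogon(m["name"], m["value"])
            if extras:
                findings.append(Finding(section, f"Winlogon {m['name']} hijack, extra program(s): {', '.join(extras)}",
                                        f"fix the F2 entry, then delete the file(s) and re-check the {m['name']} value", [line]))
        elif m := O7_RE.match(line):
            findings.append(Finding(section, f"policy {m['name']}={m['value']} set under {m['key']}",
                                    f'reg delete "{m["key"]}" /v {m["name"]} /f', [line]))
        elif line.endswith("(file missing)"):
            findings.append(Finding(section, "entry points at a file that no longer exists (orphan)",
                                    "safe to fix in HJT; it loads nothing but clutters the log", [line]))
        elif m := STARTUP_RE.match(line):
            # HJT prints shortcuts as "name.lnk = target"; a bare .exe in a Startup folder is not one.
            item = m["item"]
            if " = " not in item and not item.lower().endswith(".lnk"):
                findings.append(Finding(section, f"bare executable {item} in a Startup folder",
                                        "fix in HJT and delete the file from every profile's Startup folder", [line]))
        elif m := RUN_RE.match(line):
            run_entries[(m["name"].lower(), m["target"].lower())][m["hive"]] = line

    # The same Run value under both HKLM and HKCU is a persistence habit, not an installer one.
    for (name, _target), hives in run_entries.items():
        if "HKLM" in hives and "HKCU" in hives:
            findings.append(Finding("O4", f"Run value [{name}] duplicated in HKLM and HKCU",
                                    "fix both entries in HJT and remove the target file", [hives["HKLM"], hives["HKCU"]]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     -> {f.remediation}")
```

On the sample this reports eight findings and leaves SoundMAXPnP, ctfmon.exe and the Adobe Reader shortcut alone. The O7 remediation is the manual equivalent of what FixPolicies does; the F2 hits are the ones to clear first, because a program listed in Shell or Userinit runs at every logon before anything in Run does, which is why the Kaspersky and Ad-Aware removals kept coming back.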


#3 kammila (New Member, 3 posts)

Posted 28 October 2007 - 09:57 PM

Here are the ComboFix, SAS & HJT logs. One more note - I get a Sonic update popup on reboot which tries to install something even when I click X. I hope it's not installing some viruses.

ComboFix 07-10-28.2 - Vijay 2007-10-28 22:32:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.668 [GMT -4:00]
Running from: C:\Documents and Settings\Vijay\Local Settings\Temporary Internet Files\Content.IE5\5EK9MOTY\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Anish\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\Suneetha\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\Vijay\Start Menu\Programs\Startup\system.exe
C:\Program Files\ISM2
C:\Program Files\ISM2\ISMPack5.exe
C:\Program Files\ISM2\targets.gz
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\del.bat
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\symavc32.sys
C:\WINDOWS\system32\drivers\Yorm51.sys
C:\WINDOWS\xlavra3.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
.

2007-10-28 22:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-28 22:27 <DIR> d-------- C:\FixPolicies
2007-10-24 19:12 16,384 --a------ C:\WINDOWS\xlavba6.exe
2007-10-23 15:00 16,384 --a------ C:\WINDOWS\xlavba3.exe
2007-10-19 12:57 120,024 --a------ C:\WINDOWS\drkara.exe
2007-10-19 11:33 99,032 --a------ C:\WINDOWS\system32\trust.dll
2007-10-16 08:56 94,384 --a------ C:\WINDOWS\system32\msxml9r.dll
2007-10-13 08:27 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 20:33 6 --a------ C:\Documents and Settings\Akhil\del.bat
2007-10-12 20:18 113,152 --a------ C:\WINDOWS\dravis.exe
2007-10-11 23:23 6 --a------ C:\Documents and Settings\Vijay\del.bat
2007-10-11 15:17 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-10-11 15:16 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-10 15:40 16,384 --a------ C:\WINDOWS\xlavra2.exe
2007-10-10 09:45 16,384 --a------ C:\WINDOWS\xlavra.exe
2007-10-09 15:03 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-06 11:52 <DIR> d-------- C:\Program Files\iTunes
2007-10-06 11:52 <DIR> d-------- C:\Program Files\iPod
2007-10-05 15:59 <DIR> d-------- C:\Downloads
2007-10-04 17:48 <DIR> d-------- C:\Program Files\BroadVision
2007-10-04 17:48 <DIR> d-------- C:\Documents and Settings\Vijay\WINDOWS
2007-10-04 17:47 <DIR> d-------- C:\DCC
2007-10-04 17:41 12,458,561 --a------ C:\DCC.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 02:37 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-29 02:35 369,572 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-29 02:35 27,647,008 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-29 02:35 267,188 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-29 02:35 2,860,832 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-11 19:50 --------- d-----w C:\Program Files\Picasa2
2007-09-25 20:40 --------- d-----w C:\Program Files\Lavasoft
2007-09-25 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-25 20:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-09-25 20:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-19 22:06 --------- d-----w C:\Documents and Settings\Suneetha\Application Data\Apple Computer
2007-09-19 20:54 --------- d-----w C:\Documents and Settings\Akhil\Application Data\Apple Computer
2007-09-19 00:48 --------- d-----w C:\Program Files\IrfanView
2007-09-17 18:51 --------- d-----w C:\Documents and Settings\Vijay\Application Data\Apple Computer
2007-09-17 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-17 14:50 --------- d-----w C:\Program Files\QuickTime
2007-09-17 14:48 --------- d-----w C:\Program Files\Apple Software Update
2007-09-17 14:47 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-17 14:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-09-06 17:28 30,336 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2007-09-02 19:45 --------- d-----w C:\Documents and Settings\Akhil\Application Data\Leadertech
2007-09-02 19:45 --------- d-----w C:\Documents and Settings\Akhil\Application Data\AdobeAUM
2006-07-11 12:35:36 1,071,381 --sh--w C:\WINDOWS\system32\hhkmp.bak1
2006-07-18 03:49:03 1,105,136 --sh--w C:\WINDOWS\system32\hhkmp.bak2
2006-07-18 04:15:03 1,106,964 --sh--w C:\WINDOWS\system32\hhkmp.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 20:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"DellHelp"="C:\Dell\DellHelp\DellHelp.exe" [2004-04-01 16:51]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-11-15 13:12]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" []
"EPSON Stylus CX6400 (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-08 19:00]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 14:55]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-26 15:49]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 15:53]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-04-10 22:09]

C:\Documents and Settings\Suneetha\Start Menu\Programs\Startup\
LifeDrive™ Manager.lnk - C:\Program Files\palmOne\LifeDriveMgrTray.exe [2005-04-21 17:05:06]

R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 14:41:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 22:36:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-28 22:38:37 - machine was rebooted
.
--- E O F ---

SAS Log -

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/28/2007 at 11:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3332
Trace Rules Database Version: 1333

Scan type : Complete Scan
Total Scan Time : 00:47:13

Memory items scanned : 392
Memory threats detected : 0
Registry items scanned : 5617
Registry threats detected : 37
File items scanned : 49483
File threats detected : 9

Adware.AdSponsor/ISM
HKLM\Software\Classes\CLSID\{9815DA81-2E0C-478c-90E4-06E474E704D0}
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}#AppID
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\InprocServer32
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\InprocServer32#ThreadingModel
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\ProgID
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\TypeLib
HKCR\CLSID\{9815DA81-2E0C-478C-90E4-06E474E704D0}\VersionIndependentProgID
C:\PROGRAM FILES\ISM\BNDDRIVE.DLL
HKCR\BndDrive.Band
HKCR\BndDrive.Band\CLSID
HKCR\BndDrive.Band\CurVer
HKCR\BndDrive.Band.1
HKCR\BndDrive.Band.1\CLSID
HKCR\BndDrive.BHO
HKCR\BndDrive.BHO\CLSID
HKCR\BndDrive.BHO\CurVer
HKCR\BndDrive.BHO.1
HKCR\BndDrive.BHO.1\CLSID
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}#AppID
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\Implemented Categories
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\InprocServer32
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\InprocServer32#ThreadingModel
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\ProgID
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\TypeLib
HKCR\CLSID\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}\VersionIndependentProgID
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0\win32
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0\FLAGS
HKCR\TypeLib\{DCD2F298-BFA3-410F-8C21-B422AF11F363}\1.0\HELPDIR
HKCR\AppId\{1F5E0EA2-ABEA-44c3-95EC-2D1E721FE95E}
HKU\S-1-5-21-1081798020-1046645115-3455261916-1009\Software\BndDrive
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{231F6FAB-ECED-4975-9EF2-C0C7BC81927B}
C:\Documents and Settings\Vijay\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Vijay\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Vijay\Start Menu\Programs\Internet Speed Monitor
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM2\ISMPACK5.EXE.VIR

Trojan.Downloader-AgentDQ
C:\WINDOWS\DRKARA.EXE
C:\WINDOWS\SYSTEM32\TRUST.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\HHKMP.BAK1
C:\WINDOWS\SYSTEM32\HHKMP.INI

HJT Log -

Logfile of HijackThis v1.99.1
Scan saved at 11:47:18 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\IZArc\IZArc.exe
C:\DOCUME~1\Vijay\LOCALS~1\Temp\ARC1A\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DellHelp] C:\Dell\DellHelp\DellHelp.exe /c
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O5 "LPT1:" /M "Stylus CX6400"
O4 - HKLM\..\Run: [EPSON Stylus CX6400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P28 "EPSON Stylus CX6400 (Copy 1)" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {E765747B-A0E4-4BD4-93E4-EA0E3500D57C} (PDM Plugin) - http://10.155.1.152:...n/PDMPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Unknown owner - C:\Program Files\Norton Internet Security\ISSVC.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
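ComboFix's "Files Created" and Find3M sections are a file-system timeline, and the entries that matter in the log above stand out by location, attributes and size rather than by name: xlavba3.exe, xlavba6.exe, xlavra.exe and xlavra2.exe are four 16,384-byte executables dropped straight into C:\WINDOWS over three weeks, trust.dll and msxml9r.dll landed directly in system32, del.bat sits in a user profile root, and hhkmp.bak1 carries hidden+system attributes. The parser below is an added example, not ComboFix output and not part of the thread; it scores lines copied from the ComboFix log with those rules and ignores anything stamped at or after the ComboFix run time, since NirCmd.exe, created in the same minute the run started, is the tool's own helper and not the infection's. The rule names, the OS-directory list and the cutoff handling are this example's own assumptions.

```python
"""Score ComboFix's file-creation listing by location, attributes and size clusters.

Added example; not ComboFix output and not part of the thread. The sample lines
are copied from the ComboFix log above. Rule names, the OS-directory list and the
run-time cutoff are this example's own assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SAMPLE = r"""2007-10-28 22:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 19:12 16,384 --a------ C:\WINDOWS\xlavba6.exe
2007-10-23 15:00 16,384 --a------ C:\WINDOWS\xlavba3.exe
2007-10-19 12:57 120,024 --a------ C:\WINDOWS\drkara.exe
2007-10-19 11:33 99,032 --a------ C:\WINDOWS\system32\trust.dll
2007-10-16 08:56 94,384 --a------ C:\WINDOWS\system32\msxml9r.dll
2007-10-13 08:27 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 20:33 6 --a------ C:\Documents and Settings\Akhil\del.bat
2007-10-11 15:17 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-10-10 15:40 16,384 --a------ C:\WINDOWS\xlavra2.exe
2007-10-10 09:45 16,384 --a------ C:\WINDOWS\xlavra.exe
2007-10-09 15:03 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-06 11:52 <DIR> d-------- C:\Program Files\iTunes
2006-07-11 12:35:36 1,071,381 --sh--w C:\WINDOWS\system32\hhkmp.bak1
2007-10-29 02:35 369,572 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
"""
# From the log header in the thread: "ComboFix 07-10-28.2 - Vijay 2007-10-28 22:32:49.1"
SAMPLE_RUN_TIME = datetime(2007, 10, 28, 22, 32, 49)

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-dsharw]+)\s+(?P<path>.+)$")
EXEC_EXT = {".exe", ".dll", ".sys", ".bat", ".cmd", ".scr", ".pif", ".com"}
OS_DIRS = {r"c:\windows", r"c:\windows\system32"}   # vendors install under Program Files, not here
PROFILE_ROOT = re.compile(r"^c:\\documents and settings\\[^\\]+$")


@dataclass
class Entry:
    created: datetime
    size: Optional[int]     # None for directories
    attrs: str
    path: str

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def ext(self) -> str:
        name = self.path.rsplit("\\", 1)[-1].lower()
        return name[name.rfind("."):] if "." in name else ""


def parse(text: str) -> list[Entry]:
    """Turn ComboFix listing lines into Entry records; lines that are not listings are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp = f"{m['date']} {m['time']}"
        fmt = "%Y-%m-%d %H:%M:%S" if stamp.count(":") == 2 else "%Y-%m-%d %H:%M"
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(datetime.strptime(stamp, fmt), size, m["attrs"], m["path"]))
    return entries


def triage(text: str, tool_run: datetime) -> dict[str, list[str]]:
    hits: dict[str, list[str]] = defaultdict(list)
    # The listing has minute resolution, so anything stamped in the run's own minute
    # or later is the tool's doing (NirCmd.exe here), not the infection's.
    cutoff = tool_run.replace(second=0, microsecond=0)
    by_size: dict[tuple[str, int], list[str]] = defaultdict(list)

    for e in parse(text):
        if e.size is None:
            continue
        if "s" in e.attrs and "h" in e.attrs:
            hits["hidden+system file"].append(e.path)
        if e.ext in EXEC_EXT and e.created < cutoff:
            if e.parent in OS_DIRS:
                hits["executable dropped directly in an OS directory"].append(e.path)
            elif PROFILE_ROOT.match(e.parent):
                hits["executable/script in a user profile root"].append(e.path)
            by_size[(e.ext, e.size)].append(e.path)

    # Several same-size binaries with throwaway names are one dropper re-run, not several products.
    for (ext, size), paths in by_size.items():
        if len(paths) >= 3:
            hits[f"{len(paths)} {ext} files of identical size {size:,} bytes"].extend(paths)
    return dict(hits)


def triage_sample() -> dict[str, list[str]]:
    return triage(SAMPLE, SAMPLE_RUN_TIME)


if __name__ == "__main__":
    for rule, paths in triage_sample().items():
        print(rule)
        for p in paths:
            print("   ", p)
```

Hits are leads, not verdicts: zpeng24.dll was created one minute after the ZoneLabs folder and belongs to that install, and the hidden+system fidbox.idx under drivers\ is written by the Kaspersky product visible in the HJT log, so both need a vendor check before anyone deletes them. The xlav*.exe cluster has no installer context at all, and it is the same family ComboFix (xlavra3.exe) and SAS (drkara.exe, trust.dll) quarantined pieces of. rpcrt4.dll is not reported because dllcache is a level below system32, which is exactly why the location rule compares the parent directory rather than matching a prefix.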

#4 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 29 October 2007 - 04:06 PM

One more note - I get a Sonic update popup on reboot which tries to install something even when I click X. I hope it's not installing some viruses.

Do you have Sonic Record Now or similar?

You should be able to open up the program and somewhere uncheck auto updates.

---------------------------

Please move HJT into its own permanent folder so backups can be made and found.
example: C:\MyHJT\HiJackThis.exe, C:\Program Files\MYHJT\HiJackThis.exe or C:\MyDocuments\MyHJT\HiJackThis.exe

---------------------

Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items if found:

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)

Click on Fix Checked and exit HijackThis.

Reboot and post a fresh HijackThis log and we'll take another look. MrC


#5 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 02 November 2007 - 06:04 PM

Do you still need help or shall I close this post, MrC

#6 kammila (New Member, 3 posts)

Posted 02 November 2007 - 09:30 PM

All the viruses are removed & this topic can be closed. I really appreciate your amazingly fast responses, MrCharlie. I will contribute so the forum can keep up with its good work. Kammila

#7 MrCharlie (SuperMember, Malware Team, 2,949 posts)

Posted 03 November 2007 - 06:36 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
