
Need Help! Braviax.exe? Trojan?

Discussion in 'Virus & Other Malware Removal' started by broigel, Mar 25, 2008.

Thread Status:
Not open for further replies.
  1. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    Hi, I have been hit with a serious virus - when it hit my whole system shut down. I had to reboot and now find a regular message telling me I'm infected plus a red circle with a white cross in the tray. On checking the System 32 file I see a number of new .exe files, e.g. braviax.exe (new, won't delete even in safe mode) and igfxpers.exe, igfxtray.exe, hkcmd.exe (all recently modified).
    This virus also seems to have zapped HijackThis - it will not run! I have deleted it and re-copied it from another machine - to no avail.
    I also cannot get Zone Alarm running properly nor install AVG properly! I get error messages instead. (I did have McAfee but it seems to have lapsed, my fault.)
    God knows what is happening every time I log on to the net because everything runs VERY slowly now.
    HELP! Can anyone sort this? Please?
     
  2. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    Help someone please - have a major problem: the above braviax.exe seems to be a trojan I have picked up which dials a shadow internet number when I log on! Not only that but...
    a) it prevents HijackThis from running!
    b) it prevents Zone Alarm from running! and
    c) it prevents AVG from installing!

    It will not be deleted even in Safe mode. Can someone please suggest what to do next?
     
  3. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,908
    First Name:
    Karen
    I've merged both threads together. Please do not start more than one for the same problem.

    Try renaming the HijackThis.exe to puppy.exe and then see if you can run HijackThis.
     
  4. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    Ok - well tried this many times and all failed....until finally I got a result! (Renamed as Tryon.) First thing I did was to check and fix braviax.exe so that seems to have gone. However I am still infected and most internet pages do not even open - I am posting this from an older machine. Although ZoneAlarm shows below, it sits in the tray with a big cross on the icon and is not working.

    I do hope someone might help me out this time. The HijackThis log looks like this:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:06:40, on 28/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system\smscg.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\Trend Micro\Tryon\tryon.exe

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O20 - AppInit_DLLs: cru629.dat
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 4929 bytes
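    The HijackThis log above is read entry by entry, and a few of its lines (the O20 AppInit_DLLs value, the O23 service with no publisher living in C:\WINDOWS\system, the O17 NameServer override, the unnamed R3 URLSearchHook) are the ones a malware helper looks at first. The following Python script is an added example, not part of this thread and not HijackThis's own logic: it parses the entry format and applies those generic triage rules to a constructed sample made of lines copied from the logs in this thread. The rule set and reason strings are the author's own choice.

```python
import re
from typing import List, Tuple

# Sample input: a handful of lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{A076CEF8-9046-4E4E-8646-B8FE0A3250AB}: NameServer = 80.189.255.13 80.189.255.14
O20 - AppInit_DLLs: cru629.dat
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry starts with a section code such as R3, O4, O20, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Legacy %WINDIR%\system (not system32) is an unusual home for a service binary.
LEGACY_SYSTEM_DIR = "c:\\windows\\system\\"


def parse_entry(line: str):
    """Split one log line into (section code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage_entry(line: str) -> List[str]:
    """Return the reasons (possibly none) a log reader would look twice at this entry."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    code, body = parsed
    reasons: List[str] = []
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is loaded into every process that links user32.dll; it is
        # normally empty on a home machine, so any value is worth inspecting.
        if body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs is non-empty")
    elif code == "O23":
        if "Unknown owner" in body:
            reasons.append("service has no publisher (Unknown owner)")
        binary = body.rsplit(" - ", 1)[-1].strip('"').lower()
        if binary.startswith(LEGACY_SYSTEM_DIR):
            reasons.append("service binary lives in %WINDIR%\\system rather than system32")
    elif code == "O17":
        # A NameServer override is legitimate when it is the ISP's resolver;
        # flag it so the addresses get checked rather than assumed.
        reasons.append("DNS NameServer override; confirm the addresses belong to the ISP")
    elif code == "R3" and "(no name)" in body:
        reasons.append("URLSearchHook registered without a name")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_entry over a whole log; returns (line, reasons) for flagged entries only."""
    findings = []
    for line in text.strip().splitlines():
        reasons = triage_entry(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

    Run on the sample it flags four of the eight lines and leaves the ordinary O4 Run entries and the two vendor-signed services alone; the O17 finding is a prompt to verify, not a verdict, which is why it is reported separately from the AppInit_DLLs and unknown-service findings.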
     
  5. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    OK - well braviax.exe did NOT get fixed and reappears on restart, even after deleting it from system 32 in Safe mode. Persistent.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,908
    First Name:
    Karen
    Please visit Combofix Guide & Instructions for instructions on downloading and running ComboFix:

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    Combofix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished.
     
  7. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    Combofix will not run! I followed all the instructions, got it downloaded but it will not run - not even in safe mode! Tried lots of times.

    I would be so grateful if you could suggest something else.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,908
    First Name:
    Karen
    Please download Malwarebytes Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply along with a new HijackThis log please.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
     
  9. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    This may have cracked it! A thousand thanks if so. The red circle with white cross and the constant message saying my computer is infected have gone, braviax.exe seems to have gone from system 32 and I may be sorted. Again all my thanks but first see the logs:

    Malwarebytes' Anti-Malware 1.10
    Database version: 586

    Scan type: Quick Scan
    Objects scanned: 28386
    Time elapsed: 3 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 6
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 11

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\users32.dat (Trojan.Agent) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center (Trojan.Zlob) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\cru629.dat (Trojan.Proxy) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\univrs32.dat (Adware.Agent) -> Delete on reboot.
    C:\WINDOWS\cru629.dat (Trojan.Proxy) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\users32.dat (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Delete on reboot.
    C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.

    and

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:59:14, on 03/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system\smscg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\Tryon\tryon.exe

    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A076CEF8-9046-4E4E-8646-B8FE0A3250AB}: NameServer = 80.189.255.13 80.189.255.14
    O20 - AppInit_DLLs: cru629.dat
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5067 bytes
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,908
    First Name:
    Karen
    Please remove the ComboFix you have and redownload a new one. When doing so, rename the ComboFix.exe when saving it to ComboFax.exe. Then run a scan and post the log please.
     
  11. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    Thanks again - have done this successfully. My firewall tells me that program 'smscg.exe' is trying to access the internet; I have denied access for now - should I allow access? ComboFix log is:

    ComboFix 08-04-03.3 - SMG 2008-04-04 9:29:21.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.633 [GMT 1:00]
    Running from: C:\Documents and Settings\SMG\Desktop\ComboFax.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\install.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
    .

    2008-04-03 14:23 . 2008-04-03 14:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-03 14:23 . 2008-04-03 14:23 <DIR> d-------- C:\Documents and Settings\SMG\Application Data\Malwarebytes
    2008-04-03 14:23 . 2008-04-03 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-03-28 14:39 . 2008-03-28 16:54 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-21 11:58 . 2008-03-21 11:58 100,352 -r-hs---- C:\WINDOWS\system\smscg.exe
    2008-03-21 11:57 . 2008-03-21 11:57 31,768,752 --a------ C:\Program Files\avg75free_519a1276.exe
    2008-03-21 11:36 . 2008-04-04 09:33 1,044,512 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-03-21 11:36 . 2008-04-04 09:32 13,268 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-03-21 11:33 . 2008-03-21 11:33 <DIR> d-------- C:\Program Files\ZoneAlarmSB
    2008-03-21 11:32 . 2008-03-21 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-03-21 11:32 . 2008-03-14 00:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-03-21 11:32 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-03-21 11:32 . 2008-03-25 12:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-03-21 03:25 . 2006-01-06 16:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-03-21 03:25 . 2006-01-06 16:09 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-03-21 03:25 . 2006-01-06 16:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
    2008-03-21 03:10 . 2008-03-21 03:10 <DIR> d-------- C:\Program Files\Zone Labs
    2008-03-21 03:09 . 2008-04-04 09:17 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-03-21 03:02 . 2008-03-21 03:02 210,416 --a------ C:\Program Files\zaSetup_en.exe
    2008-03-21 02:18 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys
    2008-03-18 12:49 . 2008-03-18 12:49 <DIR> d-------- C:\WINDOWS\PrimoPDF4
    2008-03-18 12:49 . 2008-03-18 12:49 <DIR> d-------- C:\Program Files\activePDF
    2008-03-18 12:49 . 2006-12-11 21:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
    2008-03-18 12:44 . 2008-03-18 12:44 <DIR> d-------- C:\Program Files\Softland
    2008-03-18 12:44 . 2008-02-20 16:37 22,168 --a------ C:\WINDOWS\system32\dopdfmn6.dll
    2008-03-18 12:44 . 2008-02-20 16:37 18,072 --a------ C:\WINDOWS\system32\dopdfmi6.dll
    2008-03-18 12:44 . 2008-02-11 17:14 7,477 --a------ C:\WINDOWS\system32\dopdf6.ctm
    2008-03-18 12:43 . 2008-03-18 12:43 1,426,752 --a------ C:\Program Files\dopdf.exe
    2008-03-18 12:33 . 2008-03-18 12:33 18,473,549 --a------ C:\Program Files\PDF_FreewarePrimo32Setup.exe
    2008-03-18 02:10 . 2008-03-18 02:13 27,597,937 --a------ C:\Program Files\tm_mpjk059.zip
    2008-03-17 17:03 . 2008-03-17 17:03 <DIR> d-------- C:\Documents and Settings\SMG\Application Data\deskPDF
    2008-03-17 17:00 . 2007-02-18 18:00 18,764 --a------ C:\WINDOWS\system32\ddmon.dll
    2008-03-17 16:59 . 2008-03-18 12:35 <DIR> d-------- C:\Program Files\Docudesk

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-04 08:28 --------- d-----w C:\Documents and Settings\SMG\Application Data\MailWasherPro
    2008-03-30 16:02 --------- d-----w C:\Program Files\CaseWare
    2008-03-28 14:12 --------- d-----w C:\Documents and Settings\SMG\Application Data\AdobeUM
    2008-03-25 11:40 --------- d-----w C:\Program Files\Voyager 105 ADSL Modem
    2008-03-21 11:03 --------- d-----w C:\Program Files\QuickTime
    2008-03-21 11:03 --------- d-----w C:\Program Files\FeedReader30
    2008-03-21 11:03 --------- d-----w C:\Program Files\Dell Support
    2008-03-21 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    2007-11-12 11:05 3,431,053 ----a-w C:\Program Files\MailWasher_Free_setup.exe
    2007-11-09 15:12 4,620,542 ----a-w C:\Program Files\FeedReader311Setup.exe
    2007-11-06 01:28 2,223,653 ----a-w C:\Program Files\mpc2kxp6490.zip
    2007-11-05 14:40 2,028,336 ----a-w C:\Program Files\mplayerc_20070918.zip
    2002-04-16 10:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
    .
    Files Infected - Win32.Agent.zb
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\FeedReader30\feedreader.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2008-03-21 11:50 306688]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "feedreader.exe"="C:\Program Files\FeedReader30\feedreader.exe" [2008-03-21 11:50 1201664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-03-21 11:50 1404928]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-21 11:50 94208]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-21 11:50 77824]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-25 11:58 114688]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2008-03-21 11:50 32881]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2008-03-21 11:50 86016]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-03-21 11:50 127035]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2008-03-21 11:50 106496]
    "DSLSTATEXE"="C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe" [2008-03-25 11:58 1659050]
    "DSLAGENTEXE"="C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe" [2008-03-21 11:50 16384]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" [2008-03-21 11:58]
    S1 ensqio;ensqio;C:\WINDOWS\system32\DRIVERS\ensqio.sys []
    S1 sbpcint4;SB AudioPCI 128;C:\WINDOWS\system32\DRIVERS\sbpcint4.sys []

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-04 09:33:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-04-04 9:35:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-04-04 08:35:48
    Pre-Run: 142,825,320,448 bytes free
    Post-Run: 142,748,549,120 bytes free
    .
    2008-03-13 09:32:39 --- E O F ---
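    The "Reg Loading Points" section of the ComboFix log above shows, besides the Run keys, a Security Center key with all four notification/override values set to 1, monitoring of the ZoneAlarm firewall disabled, and the Windows Firewall standard profile turned off: the settings that keep a user from being warned that protection is gone. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses that REGEDIT4-style text into a key/value tree and reports the protection-silencing settings. The sample is an excerpt constructed from the log above, and the key paths and value names checked are the ones that appear in it.

```python
import re
from typing import Dict, List, Optional

# Sample input: an excerpt of the "Reg Loading Points" section from the ComboFix log above.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FIREWALL_POLICY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"
NOTIFY_VALUES = ("AntiVirusDisableNotify", "UpdatesDisableNotify",
                 "AntiVirusOverride", "FirewallOverride")


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style text into {key (lower-case): {value name: raw data}}."""
    tree: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()   # registry key names are case-insensitive
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group("name")] = m.group("data").strip()
    return tree


def reg_int(data: str) -> Optional[int]:
    """Read ComboFix's two DWORD renderings: 'dword:00000001' and '0 (0x0)'."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None


def check_protection_tampering(tree: Dict[str, Dict[str, str]]) -> List[str]:
    """List the Security Center / firewall settings that silence or disable protection."""
    findings: List[str] = []
    centre = tree.get(SECURITY_CENTER, {})
    for name in NOTIFY_VALUES:
        if reg_int(centre.get(name, "dword:0")) == 1:
            findings.append(f"Security Center: {name}=1 (warnings suppressed)")
    monitoring_prefix = SECURITY_CENTER + "\\monitoring\\"
    for key, values in tree.items():
        if key.startswith(monitoring_prefix) and reg_int(values.get("DisableMonitoring", "dword:0")) == 1:
            product = key[len(monitoring_prefix):]
            findings.append(f"Security Center: monitoring of {product} disabled")
    firewall = tree.get(FIREWALL_POLICY, {})
    if reg_int(firewall.get("EnableFirewall", "1")) == 0:
        findings.append("Windows Firewall standard profile: EnableFirewall=0")
    return findings


if __name__ == "__main__":
    for finding in check_protection_tampering(parse_reg_points(SAMPLE_REG)):
        print(finding)
```

    On the sample this reports six findings. Each of them is a setting the user would not normally change, so after the infection is cleaned they are the values to put back (notifications on, overrides off, firewall profile enabled) rather than leave as the log shows them.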
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,908
    First Name:
    Karen
    Open Notepad and copy and paste the text in the code box below into it:

    Code:
    File::
    C:\WINDOWS\system\smscg.exe
    
    Driver::
    SMSCGISVC
     
    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]


    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     
  13. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    Right, have done that. Combofix did not do very much this time: after selecting run at the prompt, it sort of ran through something quickly and just flashed up the blue cmd screen, then nothing. It did not seem to produce another log - I searched for combofix.txt but just found the previous log. Anyway, here is the latest HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:49:01, on 08/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\system\smscg.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\Tryon\tryon.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe"
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A076CEF8-9046-4E4E-8646-B8FE0A3250AB}: NameServer = 80.189.92.2 80.189.94.2
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5274 bytes
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,908
    First Name:
    Karen
    Follow these steps to uninstall Combofix and tools used in the removal of malware
    • Click START then RUN
    • Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.


    Now please download a new copy of ComboFix from the same link as before and run the scan and post the new log.
     
  15. broigel

    broigel Thread Starter

    Joined:
    Oct 19, 2004
    Messages:
    79
    Thank you once again - much appreciated. Have done exactly this and new log is:-

    ComboFix 08-04-09.9 - SMG 2008-04-10 12:37:23.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.547 [GMT 1:00]
    Running from: C:\Documents and Settings\SMG\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-03-10 to 2008-04-10 )))))))))))))))))))))))))))))))
    .

    2008-04-04 12:20 . 2008-04-04 12:20 97 --a------ C:\WINDOWS\WirelessFTP.INI
    2008-04-03 14:23 . 2008-04-03 14:23 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-04-03 14:23 . 2008-04-03 14:23 <DIR> d-------- C:\Documents and Settings\SMG\Application Data\Malwarebytes
    2008-04-03 14:23 . 2008-04-03 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-03-28 14:39 . 2008-03-28 16:54 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-21 11:58 . 2008-03-21 11:58 100,352 -r-hs---- C:\WINDOWS\system\smscg.exe
    2008-03-21 11:57 . 2008-03-21 11:57 31,768,752 --a------ C:\Program Files\avg75free_519a1276.exe
    2008-03-21 11:36 . 2008-04-10 12:40 2,697,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-03-21 11:36 . 2008-04-06 01:10 16,388 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-03-21 11:33 . 2008-03-21 11:33 <DIR> d-------- C:\Program Files\ZoneAlarmSB
    2008-03-21 11:32 . 2008-03-21 11:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-03-21 11:32 . 2008-03-14 00:11 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-03-21 11:32 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-03-21 11:32 . 2008-03-25 12:39 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-03-21 03:25 . 2006-01-06 16:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
    2008-03-21 03:25 . 2006-01-06 16:09 <DIR> d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-03-21 03:25 . 2006-01-06 16:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Corel
    2008-03-21 03:10 . 2008-03-21 03:10 <DIR> d-------- C:\Program Files\Zone Labs
    2008-03-21 03:09 . 2008-04-10 12:31 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-03-21 03:02 . 2008-03-21 03:02 210,416 --a------ C:\Program Files\zaSetup_en.exe
    2008-03-21 02:18 . 2004-08-04 06:00 4,224 --a------ C:\WINDOWS\system32\dllcache\beep.sys
    2008-03-18 12:49 . 2008-03-18 12:49 <DIR> d-------- C:\WINDOWS\PrimoPDF4
    2008-03-18 12:49 . 2008-03-18 12:49 <DIR> d-------- C:\Program Files\activePDF
    2008-03-18 12:49 . 2006-12-11 21:12 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
    2008-03-18 12:44 . 2008-03-18 12:44 <DIR> d-------- C:\Program Files\Softland
    2008-03-18 12:44 . 2008-02-20 16:37 22,168 --a------ C:\WINDOWS\system32\dopdfmn6.dll
    2008-03-18 12:44 . 2008-02-20 16:37 18,072 --a------ C:\WINDOWS\system32\dopdfmi6.dll
    2008-03-18 12:44 . 2008-02-11 17:14 7,477 --a------ C:\WINDOWS\system32\dopdf6.ctm
    2008-03-18 12:43 . 2008-03-18 12:43 1,426,752 --a------ C:\Program Files\dopdf.exe
    2008-03-18 12:33 . 2008-03-18 12:33 18,473,549 --a------ C:\Program Files\PDF_FreewarePrimo32Setup.exe
    2008-03-18 02:10 . 2008-03-18 02:13 27,597,937 --a------ C:\Program Files\tm_mpjk059.zip
    2008-03-17 17:03 . 2008-03-17 17:03 <DIR> d-------- C:\Documents and Settings\SMG\Application Data\deskPDF
    2008-03-17 17:00 . 2007-02-18 18:00 18,764 --a------ C:\WINDOWS\system32\ddmon.dll
    2008-03-17 16:59 . 2008-03-18 12:35 <DIR> d-------- C:\Program Files\Docudesk

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-04-10 11:32 --------- d-----w C:\Documents and Settings\SMG\Application Data\MailWasherPro
    2008-04-09 16:34 --------- d-----w C:\Documents and Settings\SMG\Application Data\AdobeUM
    2008-04-08 13:28 --------- d-----w C:\Program Files\SageV12
    2008-03-30 16:02 --------- d-----w C:\Program Files\CaseWare
    2008-03-30 10:39 3,142 ----a-w C:\WINDOWS\system32\tmp.reg
    2008-03-25 11:40 --------- d-----w C:\Program Files\Voyager 105 ADSL Modem
    2008-03-25 10:58 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
    2008-03-21 11:08 26,364 ----a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2008_03_21_11_04_27_small.dmp.zip
    2008-03-21 11:03 --------- d-----w C:\Program Files\QuickTime
    2008-03-21 11:03 --------- d-----w C:\Program Files\FeedReader30
    2008-03-21 11:03 --------- d-----w C:\Program Files\Dell Support
    2008-03-21 10:50 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
    2008-03-21 10:50 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
    2008-03-21 01:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
    2008-03-19 01:26 5,852 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-03-13 23:11 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-11-12 11:05 3,431,053 ----a-w C:\Program Files\MailWasher_Free_setup.exe
    2007-11-09 15:12 4,620,542 ----a-w C:\Program Files\FeedReader311Setup.exe
    2007-11-06 01:28 2,223,653 ----a-w C:\Program Files\mpc2kxp6490.zip
    2007-11-05 14:40 2,028,336 ----a-w C:\Program Files\mplayerc_20070918.zip
    2002-04-16 10:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
    .
    Files Infected - Win32.Agent.zb
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\FeedReader30\feedreader.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2008-03-21 11:50 306688]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    "feedreader.exe"="C:\Program Files\FeedReader30\feedreader.exe" [2008-03-21 11:50 1201664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2008-03-21 11:50 1404928]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-03-21 11:50 94208]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-03-21 11:50 77824]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2008-03-25 11:58 114688]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2008-03-21 11:50 32881]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
    "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2008-03-21 11:50 86016]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-03-21 11:50 127035]
    "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2008-03-21 11:50 106496]
    "DSLSTATEXE"="C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe" [2008-03-25 11:58 1659050]
    "DSLAGENTEXE"="C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe" [2008-03-21 11:50 16384]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
    "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-14 00:11 919016]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-21 11:50 98304]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R2 SMSCGISVC;System Managment Controler;"C:\WINDOWS\system\smscg.exe" [2008-03-21 11:58]
    S1 ensqio;ensqio;C:\WINDOWS\system32\DRIVERS\ensqio.sys []
    S1 sbpcint4;SB AudioPCI 128;C:\WINDOWS\system32\DRIVERS\sbpcint4.sys []

    *Newly Created Service* - CATCHME
    .
    **************************************************************************

    catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-10 12:39:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-04-10 12:40:55
    ComboFix-quarantined-files.txt 2008-04-10 11:40:48
    ComboFix2.txt 2008-04-04 08:35:55
    Pre-Run: 145,168,293,888 bytes free
    Post-Run: 145,146,798,080 bytes free
    .
    2008-03-13 09:32:39 --- E O F ---
     
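    The logs pasted in this thread (HijackThis O23 service lines, the ComboFix "Files Created" list and its "Reg Loading Points" section) contain the indicators a helper looks at first: a service with "Unknown owner", an executable created with hidden+system attributes, Security Center "DisableNotify"/"Override" values set, and the Windows Firewall policy switched off. The Python script below is an added example written for this page; it is not a tool from the thread, from HijackThis or from ComboFix. The lines it scans are constructed samples modelled on the logs above, and the rules it applies are the ones those logs illustrate.

```python
"""Triage helper for HijackThis / ComboFix style log text.

Added example for this thread, not a tool from the original posts.
It reads log lines in the shapes seen above and reports the indicators an
analyst would examine first. Only the ComboFix "Files Created" line format
(nine-character attribute field) is parsed; the Find3M format is ignored.
"""
import re

# Constructed sample lines, modelled on the logs pasted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NetSvc.exe
O23 - Service: System Managment Controler (SMSCGISVC) - Unknown owner - C:\WINDOWS\system\smscg.exe
2008-03-21 11:58 . 2008-03-21 11:58 100,352 -r-hs---- C:\WINDOWS\system\smscg.exe
2008-03-21 11:57 . 2008-03-21 11:57 31,768,752 --a------ C:\Program Files\avg75free.exe
2008-03-21 11:33 . 2008-03-21 11:33 <DIR> d-------- C:\Program Files\ZoneAlarmSB
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# HijackThis O23 line: display name, (service name), owner, path.
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix "Files Created" line: two timestamps, size or <DIR>, attribute field, path.
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')

# Security Center values that, when non-zero, silence or override its alerts
# (the four names are the ones shown in the ComboFix log above).
SECURITY_CENTER_FLAGS = {"AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "AntiVirusOverride", "FirewallOverride"}


def triage(log_text):
    """Return a list of finding dicts for the indicators found in log_text."""
    findings = []
    current_key = ""          # registry key the following values belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            # "Unknown owner" means the binary carries no company name in its
            # version resource; legitimate vendors almost always set one.
            if m.group("owner").lower() == "unknown owner":
                findings.append({"kind": "unknown_owner_service",
                                 "name": m.group("name"), "path": m.group("path")})
            continue
        m = FILE_RE.match(line)
        if m:
            attrs = m.group("attrs")
            # A freshly created file that is both hidden and system is unusual
            # for user software and is how smscg.exe appears in the log above.
            if "h" in attrs and "s" in attrs and not attrs.startswith("d"):
                findings.append({"kind": "hidden_system_file",
                                 "path": m.group("path"), "attrs": attrs})
            continue
        m = DWORD_RE.match(line)
        if m and "security center" in current_key:
            if m.group("name") in SECURITY_CENTER_FLAGS and int(m.group("hex"), 16) != 0:
                findings.append({"kind": "security_center_override",
                                 "name": m.group("name")})
            continue
        m = FIREWALL_RE.match(line)
        if m and "firewallpolicy" in current_key and int(m.group("val")) == 0:
            findings.append({"kind": "windows_firewall_off", "key": current_key})
    return findings


def kinds(findings):
    """Sorted list of finding kinds, convenient for summaries and tests."""
    return sorted(f["kind"] for f in findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

    Feeding the script the real logs from this thread would flag the same four things: the SMSCGISVC service, the hidden+system smscg.exe, every Security Center value set to 1, and EnableFirewall at 0. None of these alone proves infection (a vendor can ship an executable without version info, and a third-party firewall legitimately sets DisableMonitoring), so the output is a worklist for the helper, not a verdict.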
Short URL to this thread: https://techguy.org/697032