TrojanDownloader.Agent


eovercash

Thread Starter
Joined
Jul 6, 2005
Messages
11
Please help with this problem that just won't go away. Last week, I deleted over 28,000 infected files on this computer using ewido, ccleaner, adaware, spybot and microsoft antispyware. It took forever to get rid of coolwwwsearch. Now this menace refuses to vacate. This computer was clean last week. Now I come back today and I find about 80 files infected with TrojanDownloader.Agent. I went ahead and deleted them and then got the Hijack This report. Maybe I should have gotten the report first? Anyway, here is the Hijack This report:

Logfile of HijackThis v1.99.1
Scan saved at 11:14:39 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\defptr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Default Printer.lnk = C:\WINDOWS\system32\defptr.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\Software\..\Telephony: DomainName = spartanburgcounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O21 - SSODL: systemie - {CE76D4A4-B32E-4FAC-9E70-B4A712734FC4} - systemie.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\EOVERC~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Advantage Plex Dispatch Service 510 (Ob510dp) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510DP.EXE (file missing)
O23 - Service: Advantage Plex Printing Service 510 (Ob510ps) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510PS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
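A way to do the first pass over a log like the one above mechanically, as an added example in Python that is not part of this thread or of HijackThis itself: the rules encode what an analyst checks first in such a log (components whose file is gone, unnamed BHOs, O21 ShellServiceObjectDelayLoad entries, services with no vendor name, services running from a Temp directory, a stray quote in a service command line). The rule set and the function names are my own choices; the sample lines are copied from the log above.

```python
import re

# Sample entries copied from the HijackThis log above (a subset), so the rules
# can be exercised offline; any lines in the same format can be fed in.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Default Printer.lnk = C:\WINDOWS\system32\defptr.exe
O21 - SSODL: systemie - {CE76D4A4-B32E-4FAC-9E70-B4A712734FC4} - systemie.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\EOVERC~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
"""

# A HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r'^(?P<section>R\d|O\d+) - (?P<body>.*)$')


def triage_hjt(log_text):
    """Return (section, reason, line) triples for entries that deserve a closer look.

    The rules are a first-pass filter, not a verdict: each flags something that
    is nearly always worth checking, and an entry can be flagged more than once.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.group('section'), m.group('body')
        reasons = []
        if '(file missing)' in body or '(no file)' in body:
            reasons.append('registered component whose file is gone: an orphan, or a remnant something may recreate')
        if section == 'O2' and '(no name)' in body:
            reasons.append('Browser Helper Object with no name')
        if section == 'O21':
            reasons.append('ShellServiceObjectDelayLoad entry: loaded by Explorer at logon, rarely legitimate')
        if section == 'O23':
            if 'Unknown owner' in body:
                reasons.append('service binary carries no company name')
            if re.search(r'\\temp\\', body, re.IGNORECASE):
                reasons.append('service runs from a temporary directory')
            if body.count('"') % 2 == 1:
                reasons.append('unbalanced quote in the service command line (malformed ImagePath)')
        if section == 'O4' and body.startswith('Global Startup:'):
            reasons.append('all-users Startup folder item: runs for every account')
        for reason in reasons:
            findings.append((section, reason, line))
    return findings


def reasons_for(log_text, needle):
    """Reasons attached to every entry whose text contains `needle`."""
    return [reason for _, reason, line in triage_hjt(log_text) if needle in line]


if __name__ == '__main__':
    for section, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f'{section:4} {reason}\n     {line}')
```

On the sample above the three entries the helper in this thread later asks to fix (the unnamed O2 BHO, the O21 SSODL entry and the scagent service) are exactly the ones that collect more than one reason; the CWShredder service is flagged only because it runs from Temp, which is what you would expect of a tool unpacked straight from a zip.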
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,166
Hi and welcome to TSG,

Do a couple of on-line virus scans at these links:

Housecall

Panda Active Scan. Be sure to save the log it creates.

Rescan with Ewido and post the log it creates along with the log from the Panda scan and a new Hijack This log please.
 

eovercash

Housecall turned up nothing. Here are the logs from Panda, Ewido, and Hijack This:


Incident Status Location

Adware:Adware/CWS No disinfected C:\WINDOWS\color.css
Adware:Adware/CWS No disinfected C:\WINDOWS\system.sam
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:08:29 PM, 7/13/2005
+ Report-Checksum: 473BDD85

+ Scan result:

:mozilla.15:C:\Documents and Settings\eovercash\Application Data\Mozilla\Firefox\Profiles\frzeu9gx.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.17:C:\Documents and Settings\eovercash\Application Data\Mozilla\Firefox\Profiles\frzeu9gx.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.26:C:\Documents and Settings\eovercash\Application Data\Mozilla\Firefox\Profiles\frzeu9gx.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\eovercash\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\eovercash\Cookies\[email protected][2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\_default.pif:rkcmq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:rkkjj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:rnanj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:rnsnsc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:rtnbf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:rxumd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:rzidq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:setsx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:sfqam -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:sfuvi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:sgbit -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:shuzc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:sidlr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:sitkbt -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:sklssd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:smmbg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:smpri -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:snflk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:snxqx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:spplz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:svpdb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:swtgk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:szilf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tcwpq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tdcwm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tdyxa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tedhu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tgelfi -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:tgrkt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:tkhgm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tlyvy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:todgr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:tplsj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:tqpys -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:tsbvb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:twuwr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:uaesj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:uamaa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uatqok -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:udbog -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ufvgg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:ughan -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:uhfzo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ujzex -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uklri -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ukygu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:unlqw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uouoc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ustni -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:uvcot -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:uvohf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uxlsc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uxvpb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uzipl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vccln -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vikqgl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:vkdqo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vkxhk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vrgav -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 12:09:54 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\System32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\alg.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\defptr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Default Printer.lnk = C:\WINDOWS\system32\defptr.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\Software\..\Telephony: DomainName = spartanburgcounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O21 - SSODL: systemie - {CE76D4A4-B32E-4FAC-9E70-B4A712734FC4} - systemie.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\EOVERC~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Advantage Plex Dispatch Service 510 (Ob510dp) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510DP.EXE (file missing)
O23 - Service: Advantage Plex Printing Service 510 (Ob510ps) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510PS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
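Every non-cookie hit in the ewido report above has the form `C:\WINDOWS\_default.pif:<name>`, which is the notation for an NTFS alternate data stream: dozens of streams hung off one host file that Explorer and a plain `dir` show as a single ordinary .pif. The following added example (my own code, not part of this thread or of ewido) parses such a report, tells stream detections apart from ordinary files and from the `:mozilla.N:` cookie records, and summarises what was found per host file. The handling of the `:mozilla.N:` prefix is an assumption about ewido's format based only on the lines above; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# Detection lines copied from the ewido report above (a subset) so the parser
# can run offline. The cookie line is kept to show the non-stream case.
SAMPLE_EWIDO_REPORT = r"""
:mozilla.15:C:\Documents and Settings\eovercash\Application Data\Mozilla\Firefox\Profiles\frzeu9gx.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\_default.pif:rkcmq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:rkkjj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:sitkbt -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:tcwpq -> TrojanDownloader.Agent.bc : Cleaned with backup
"""

# "<location> -> <detection name> : <action>"
DETECTION = re.compile(r'^(?P<location>.+?) -> (?P<name>\S+) : (?P<action>.+)$')
WIN_PATH = r'[A-Za-z]:\\[^:]+'
# NTFS alternate data stream: "<host file>:<stream name>"
ADS = re.compile(rf'^(?P<host>{WIN_PATH}):(?P<stream>[^\\:]+)$')
# Assumed ewido notation for a record inside a Mozilla cookies.txt: ":mozilla.N:<file>"
MOZ_COOKIE = re.compile(rf'^:mozilla\.\d+:(?P<file>{WIN_PATH})$')


def parse_ewido_report(text):
    """Parse detection lines into dicts with kind in {'ads', 'cookie', 'file'}."""
    records = []
    for raw in text.splitlines():
        m = DETECTION.match(raw.strip())
        if not m:
            continue
        location = m.group('location')
        record = {'name': m.group('name'), 'action': m.group('action')}
        cookie, ads = MOZ_COOKIE.match(location), ADS.match(location)
        if cookie:
            record.update(kind='cookie', path=cookie.group('file'), stream=None)
        elif ads:
            record.update(kind='ads', path=ads.group('host'), stream=ads.group('stream'))
        else:
            record.update(kind='file', path=location, stream=None)
        records.append(record)
    return records


def ads_summary(records):
    """Host file -> {detection name: count} for every stream detection."""
    hosts = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r['kind'] == 'ads':
            hosts[r['path']][r['name']] += 1
    return {host: dict(counts) for host, counts in hosts.items()}


def streams_on(records, host):
    """Names of the streams detected on one host file, in report order."""
    return [r['stream'] for r in records if r['kind'] == 'ads' and r['path'] == host]


if __name__ == '__main__':
    recs = parse_ewido_report(SAMPLE_EWIDO_REPORT)
    for host, counts in ads_summary(recs).items():
        print(f'{host}: {sum(counts.values())} streams, {counts}')
        print('  streams:', ', '.join(streams_on(recs, host)))
```

Two practical consequences follow from the summary. Listing and removing streams on Windows XP needs a tool such as the Sysinternals Streams utility (`streams.exe`); the `dir /r` switch that shows them only exists from Vista on, and deleting what Explorer shows does not tell you whether a stream survived. And when every hit is a stream on one host file with names that look random, the host file and whatever keeps writing to it are the things to chase, not the individual stream names.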
 

Cookiegal

Click Here and download Killbox and save it to your desktop but don’t run it yet.


Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - (no file)

O21 - SSODL: systemie - {CE76D4A4-B32E-4FAC-9E70-B4A712734FC4} - systemie.dll (file missing)

O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)




Then boot to safe mode:


How to restart to safe mode


Now configure your computer to show all hidden files and folders like so:

Go to Start - Search and under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders."

Next, click on My Computer, Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders." Click "Apply" and then "OK."


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.


C:\Windows\system32\scagent.exe
C:\WINDOWS\color.css
C:\WINDOWS\system.sam


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


Delete your temporary files:

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the recycle bin.


Reboot and post another Hijack This log please.
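The thread's own check on whether the procedure worked is to post a fresh log after the reboot and see whether the entries that were fixed are gone. The following added example (my own code, not part of this thread or of HijackThis) does that comparison: given the log from before, the list of entries that were to be fixed, and the log from after, it reports which entries were removed, which survived, which were never there, and which are new. The excerpts are taken from the logs above, with one O16 entry from the second log placed in the "after" set so the new-entry output has something to show.

```python
import re

# Excerpts from two of the HijackThis logs above: the one posted before the
# fixes and the one posted after the reboot. One O16 entry from the second
# log is included in AFTER so that the new-entry output has something to show.
BEFORE = r"""
O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: systemie - {CE76D4A4-B32E-4FAC-9E70-B4A712734FC4} - systemie.dll (file missing)
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
"""
# The three entries the instructions above asked HijackThis to fix.
TO_FIX = [
    r'O2 - BHO: (no name) - {4D32057E-3515-B39C-BB3C-2DA7E2D53A22} - (no file)',
    r'O21 - SSODL: systemie - {CE76D4A4-B32E-4FAC-9E70-B4A712734FC4} - systemie.dll (file missing)',
    r'O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)',
]

# Only the "Rn - ..." / "Onn - ..." entries count; the process list and header are ignored.
ENTRY = re.compile(r'^(R\d|O\d+) - ')


def entries(log_text):
    """The set of HijackThis entries in a log."""
    return {line.strip() for line in log_text.splitlines() if ENTRY.match(line.strip())}


def verify_fix(before, after, to_fix):
    """Compare two logs against the list of entries that were supposed to be fixed."""
    b, a = entries(before), entries(after)
    requested = {line.strip() for line in to_fix}
    return {
        'removed': sorted(requested & (b - a)),    # fixed and gone after the reboot
        'still_present': sorted(requested & a),    # the fix did not take, or it came back
        'not_in_before': sorted(requested - b),    # asked to fix an entry that was not there
        'new_entries': sorted(a - b),              # anything that appeared since
    }


if __name__ == '__main__':
    for key, lines in verify_fix(BEFORE, AFTER, TO_FIX).items():
        print(f'{key}:')
        for line in lines:
            print('   ', line)
```

Run on these excerpts, `still_present` holds exactly the scagent service entry, which is the one that survived the procedure in this thread. The comparison is on exact strings, so if two logs differ only in path case (`C:\Windows` against `C:\WINDOWS`) normalise the case before comparing.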
 

eovercash

I followed your instructions. Here is the Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:14 AM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Windows\System32\locator.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\defptr.exe
C:\Hijack This\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Default Printer.lnk = C:\WINDOWS\system32\defptr.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\Software\..\Telephony: DomainName = spartanburgcounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\EOVERC~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Advantage Plex Dispatch Service 510 (Ob510dp) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510DP.EXE (file missing)
O23 - Service: Advantage Plex Printing Service 510 (Ob510ps) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510PS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 

Cookiegal

The log looks good now. How's everything running?
 

eovercash

OK for now, but why is the following line still in the Hijack This log?

O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
 

Cookiegal

Sorry, I overlooked the fact that it was still there.

Click Start – Run - and type in:

services.msc

Click OK.

In the services window find: Security Agent

Right click and choose Properties. On the General tab under Service Status click the Stop button to stop the service. Beside Startup Type in the dropdown menu select Disabled. Click Apply then OK. Exit the Services utility.

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


Open Hijack This and click on the "Open Misc Tools section" button. Now click on the "Delete an NT service" button. Copy and paste this line in that box:

scagent

Click OK.


Rescan with Hijack This and have it fix this entry:

O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)


Run the Killbox on this file:

C:\Windows\system32\scagent.exe


Reboot and post another log to make sure it's gone please.
 

eovercash

After following your instructions, I still found about 6 infected files with ewido, but deleted them. They must have sneaked in during the process. This misbehaving computer seems to be alright for now, but I'll reserve final judgment for a few days. This plague has come back too many times for me to be satisfied it's gone yet. The latest Hijack This log is below. What do you think?

Logfile of HijackThis v1.99.1
Scan saved at 3:08:10 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\defptr.exe
C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Default Printer.lnk = C:\WINDOWS\system32\defptr.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\PTPNDFLS\PTPNDFLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\Software\..\Telephony: DomainName = spartanburgcounty.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = spartanburgcounty.local
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Spartanburg County\VPN Client\cvpnd.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\EOVERC~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\Windows\System32\NMSSvc.exe
O23 - Service: Advantage Plex Dispatch Service 510 (Ob510dp) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510DP.EXE (file missing)
O23 - Service: Advantage Plex Printing Service 510 (Ob510ps) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510PS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
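The O23 section of a HijackThis log is where the "scagent" service turned up, and the cues that made it stand out were mechanical: HijackThis prints "Unknown owner" when the binary has no company name in its version resource, "(file missing)" when the ImagePath does not resolve, and the raw ImagePath itself (here a stray quote and a trailing "start" argument). Below is an added triage script, written for this page and not a tool the helper used, that parses O23 lines and raises those flags plus one more a practitioner always wants: a service whose binary lives in a Temp directory. The sample lines are copied from the logs in this thread; note that the two Advantage Plex entries get flagged too even though they are just leftovers of legitimate software, so the flags are hints for a human, not verdicts.

```python
import re
from typing import Dict, List, Optional, Set

# Sample input: five O23 lines copied from the HijackThis logs in this thread
# (the scagent entry is the one the helper had removed earlier).
SAMPLE_O23 = r"""
O23 - Service: Security Agent (scagent) - Unknown owner - C:\Windows\system32\scagent.exe" start (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\DOCUME~1\EOVERC~1\LOCALS~1\Temp\Temporary Directory 1 for CWShredder.zip\CWShredder.exe
O23 - Service: Advantage Plex Dispatch Service 510 (Ob510dp) - Unknown owner - C:\Program Files\CA\Advantage Plex\AppServer\bin\ob510DP.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
"""

# HijackThis O23 line layout:
#   O23 - Service: <display name> [(<service name>)] - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Scratch directories a service binary should never be launched from.
TEMP_MARKERS = ("\\temp\\", "\\local settings\\temp", "\\appdata\\local\\temp")


def parse_o23(line: str) -> Optional[Dict]:
    """Return the fields of one O23 line, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        "short": m.group("short"),
        "name": m.group("short") or m.group("display"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "missing": m.group("missing") is not None,
    }


def flag_service(entry: Dict) -> Set[str]:
    """Triage flags for one parsed entry (hints for review, not a verdict)."""
    flags: Set[str] = set()
    if entry["owner"].lower() == "unknown owner":
        flags.add("unknown_owner")          # no company name in the version resource
    if entry["missing"]:
        flags.add("file_missing")           # ImagePath does not resolve to a file
    low = entry["path"].lower()
    if any(marker in low for marker in TEMP_MARKERS):
        flags.add("runs_from_temp")         # binary lives in user-writable scratch space
    if entry["path"].count('"') % 2 == 1:
        flags.add("unbalanced_quote")       # malformed ImagePath, e.g. 'scagent.exe" start'
    return flags


def triage_o23(report: str) -> List[Dict]:
    """Parse every O23 line in a HijackThis log and attach triage flags."""
    out = []
    for line in report.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        entry["flags"] = flag_service(entry)
        out.append(entry)
    return out


if __name__ == "__main__":
    for e in triage_o23(SAMPLE_O23):
        marker = "!!" if e["flags"] else "  "
        print(f"{marker} {e['name']:<22} {e['owner']:<22} {sorted(e['flags'])}")
```

Running it against the sample prints the scagent line with all three of unknown_owner, file_missing and unbalanced_quote, the CWShredder service with runs_from_temp (it was launched straight out of a zip extraction in the user's Temp folder), and the Symantec and HP services with no flags.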
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,166
It looks good now.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.


I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD for added protection.


Read here for info on how to tighten your security.



Delete your temporary files:

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the recycle bin.
 

eovercash

Thread Starter
Joined
Jul 6, 2005
Messages
11
I've followed your instructions and thought this computer might be clean now. I've left it on for several days, rebooted several times, surfed the web a little, and nothing has happened of note. I've run all the anti-spyware programs again and nothing has turned up until this morning. I decided to run ewido one more time and noticed something in the default settings I've been using. In default, ewido only scans files with certain designated extensions. I changed this setting to scan all files and it found 17 more files infected with TrojanDownloader.Agent. Here is the log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:48:30 AM, 7/20/2005
+ Report-Checksum: B4EFBC58

+ Scan result:

C:\WINDOWS\Coffee Bean.bmp:wupck -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\CPQ1600h.bmp:wiisk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\fkksr.dat:gjxtw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jautoexp.dat:zvrwt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\odrqm.dat:ptgoyw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\onfgi.dat:avrgu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\oouav.dat:cuklj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.isu:kqoft -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.isu:uvdyl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ougvi.dat:lwurq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:dmuof -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:smigh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Santa Fe Stucco.bmp:ryvso -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\uovbt.dat:hrhzk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt.bmp:ilkns -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WMSysPr9.prx:ivscq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WMSysPrx.prx:iwook -> TrojanDownloader.Agent.bc : Cleaned with backup


::Report End

I don't think these files have infected the rest of my computer yet, but time will tell. I'll reboot and post another Hijack This log shortly. Since ewido seems to be the only program that can detect these infections, I think it's important that everyone know to change this setting when doing a scan with ewido. PS: What do those letters mean after the colon on all these infected files?
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,166
Those letters are names put there by the trojan.

Please post your new HijackThis log.
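The colon in entries like C:\WINDOWS\Coffee Bean.bmp:wupck is NTFS alternate data stream (ADS) syntax: the part before it is the host file (here stock Windows wallpapers, jautoexp.dat, WMSysPr9.prx and similar legitimate files), the part after it is the name of a hidden stream the trojan attached to that file. A stream does not change the host's size shown in Explorer, is not listed by a normal dir, and a scanner that only opens files by extension walks straight past it, which is why the default ewido settings missed them. The following script is an added example written for this page, not part of the thread or an ewido tool. It parses the report format above, separates host and stream names, and groups the streams per host so you can see that orun32.isu and Prairie Wind.bmp each carried two; the 17 result lines are copied from the report, and the final line of the sample is a constructed plain-file entry with a made-up name so the non-stream branch is exercised too.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# The 17 result lines copied from the ewido report above, plus one constructed
# plain-file line (last) with a made-up name so the non-stream branch runs too.
SAMPLE_REPORT = r"""
C:\WINDOWS\Coffee Bean.bmp:wupck -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\CPQ1600h.bmp:wiisk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\fkksr.dat:gjxtw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jautoexp.dat:zvrwt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\odrqm.dat:ptgoyw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\onfgi.dat:avrgu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\oouav.dat:cuklj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.isu:kqoft -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\orun32.isu:uvdyl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ougvi.dat:lwurq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:dmuof -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:smigh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Santa Fe Stucco.bmp:ryvso -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\uovbt.dat:hrhzk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt.bmp:ilkns -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WMSysPr9.prx:ivscq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WMSysPrx.prx:iwook -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\Temp\constructed-example.exe -> Example.Constructed : Cleaned with backup
"""


class Finding(NamedTuple):
    host: str               # the on-disk file the scanner reported
    stream: Optional[str]   # alternate data stream name, None for the main data stream
    detection: str
    action: str


def split_stream(path: str) -> Tuple[str, Optional[str]]:
    """Split 'host:streamname' into (host, stream).

    The colon at index 1 belongs to the drive letter, so only a later colon whose
    remainder contains no path separator is treated as an ADS separator.
    """
    idx = path.rfind(":")
    if idx > 1 and "\\" not in path[idx + 1:]:
        return path[:idx], path[idx + 1:]
    return path, None


# ewido result line layout:  <path> -> <detection> : <action>
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>.+?) : (?P<action>.+)$")


def parse_ewido_report(text: str) -> List[Finding]:
    """Parse every result line of an ewido scan report into Finding tuples."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, separators, blank lines
        host, stream = split_stream(m.group("path"))
        findings.append(Finding(host, stream, m.group("detection"), m.group("action")))
    return findings


def streams_by_host(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each host file to the list of infected stream names found on it."""
    hosts: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.stream is not None:
            hosts[f.host].append(f.stream)
    return dict(hosts)


def detection_counts(findings: List[Finding]) -> Counter:
    return Counter(f.detection for f in findings)


if __name__ == "__main__":
    found = parse_ewido_report(SAMPLE_REPORT)
    for host, streams in sorted(streams_by_host(found).items()):
        print(f"{host}  ->  {len(streams)} stream(s): {', '.join(streams)}")
    print(dict(detection_counts(found)))
```

The grouping is the useful part for cleanup: a host with a dropped stream is a legitimate file that should be kept, with only the stream removed, and a host carrying several streams (orun32.isu, Prairie Wind.bmp) is a sign the dropper ran more than once. To enumerate streams yourself on a current Windows box, PowerShell 3 and later offer Get-Item 'C:\Windows\*' -Stream * and cmd offers dir /r from Vista onward; on an XP-era machine like this one the Sysinternals streams.exe tool did the same job.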
 