Computer Security & Viruses/Trojan.Agent.H

Advertisement

Expert: - 11/2/2010


Question
QUESTION: Hi Brian, I have an infection with Trojan.Agent.H. Malwarebytes identifies it and cleans it but it reappears. I tried to analyse for rootkits with a programme called GMER (obtained via BleepingComputer.com) but my computer crashes and reboots, sometimes with a blue screen of death whenever i run this. I also find INternet Explorer is running very slowly and frequently stops running, and my computer performance is slowing down a lot recently. I need to get rid of the infection, and probably do a lot of cleaning up to get it all back to good perfromance. Thanks for the help, here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 09:09:00, on 27/10/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\Maxtor\MANAGE~1\OneTouch.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\DoScan.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Users\user\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [DCPstrApp] C:\Program Files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe
O4 - HKLM\..\Run: [DellConnectionManager] "C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Users\user\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [gassffg] "c:\users\user\appdata\local\gassffg.exe" gassffg
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} (DellSystem.Scanner) - http://xserv.dell.com/DellDriverScanner/DellSystem.CAB
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45195A3C-461C-4374-9EC6-AF79348F0480}: NameServer = 10.7.40.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_2311653e\aestsrv.exe
O23 - Service: Ambient Light Sensor (alssvc) - Dell Inc. - C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Program Files\Fingerprint Sensor\AtService.exe
O23 - Service: Broadcom Management Agent (BrcmMgmtAgent) - Broadcom Corporation - C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel(R) Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files\Hotspot Shield\bin\hsswd.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: MaxSyncService (NTService1) -   - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel(R) Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Smith Micro Connection Manager Service (SMManager) - Smith Micro Software, Inc. - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_2311653e\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: NTRU TSS v1.2.1.27 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

--
End of file - 13890 bytes


Brian

ANSWER: Hi Brian

I'm very sorry for the delay in getting to your question.  It's been a very long week at work!  
I have gone over your log and do not see any malware present.  It is possible there is a rootkit involved, which is what GMER scans for.  Let's try a different scanner and hope it does not blue screen.  Download the Sophos Anti-rootkit scanner here:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
After running, let me know the results.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,

I ran Malwarebytes again and it reported trojan.agent.h was present, and cleaned it. I then ran Sophos to look for the rootkit as you suggested. 2 files were found - here is the information:

Area:   Local hard drives
Description:   Unknown hidden file
Location:   C:\Windows\winsxs\x86_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.0.6001.18000_none_b3dc8e9f30720cdd\pdh.dll
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available)

Area:   Local hard drives
Description:   Unknown hidden file
Location:   C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XHLEEE7\13060;58738;201;js;SpecificMedia;728x90FantasyLeagueplayersLadssitesandFootball[1]
Removable:   Yes (but clean up not recommended for this file)
Notes:   (no more detail available)

Thanks for the help.

ANSWER: Hi Brian

Please download ComboFix from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

*Important*-Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.  If asked to install the Windows Recovery Console, please allow the program to do so.  ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.  If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer.  Do not intervene.  Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.  It will then display the log file automatically for you.  Post me that log in your next follow-up.

Brian



---------- FOLLOW-UP ----------

QUESTION: Hi Brian, looking at the receipt email from AllExperts, I'm not sure if all of the combofix log was copied, so here it is again, just in case:

ComboFix 10-11-01.05 - user 02/11/2010   8:38.3.2 - x86
Microsoft® Windows Vista™ Business   6.0.6002.2.1252.1.1033.18.2002.820 [GMT 0:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\64dlls.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\intel64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\Kernel32.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\localsys64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\ntos.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\oembios.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra64.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\sdra73.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\swin32.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twex.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\twext.exe
c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\wsnpoema.exe

.
(((((((((((((((((((((((((   Files Created from 2010-10-02 to 2010-11-02  )))))))))))))))))))))))))))))))
.

2010-11-02 08:49 . 2010-11-02 08:49   --------   d-----w-   c:\users\user\AppData\Local\temp
2010-11-02 08:49 . 2010-11-02 08:49   --------   d-----w-   c:\users\Public\AppData\Local\temp
2010-11-02 08:49 . 2010-11-02 08:49   --------   d-----w-   c:\users\Guest\AppData\Local\temp
2010-11-02 08:49 . 2010-11-02 08:49   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-11-02 08:49 . 2010-11-02 08:49   --------   d-----w-   c:\users\Administrator\AppData\Local\temp
2010-11-02 07:32 . 2010-10-07 23:21   6146896   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{BE68F21C-8742-476C-A879-CC5B813C3C82}\mpengine.dll
2010-10-28 13:04 . 2010-10-28 13:04   --------   d-----w-   c:\program files\Sophos
2010-10-28 08:27 . 2010-10-28 08:29   --------   d-----w-   c:\users\Administrator.user-PC
2010-10-28 07:17 . 2010-08-26 16:34   1696256   ----a-w-   c:\windows\system32\gameux.dll
2010-10-28 07:17 . 2010-08-26 16:33   28672   ----a-w-   c:\windows\system32\Apphlpdm.dll
2010-10-28 07:17 . 2010-08-26 14:23   4240384   ----a-w-   c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-22 08:14 . 2010-10-22 08:14   159744   ----a-r-   c:\users\user\AppData\Roaming\Microsoft\Installer\{4B200398-CA2D-4F67-8D00-C618F04020A7}\oMetronome_WAV.exe
2010-10-22 08:14 . 2010-10-22 08:14   --------   d-----w-   c:\program files\Open Metronome
2010-10-22 08:02 . 2010-10-22 08:02   --------   d-----w-   c:\program files\NCH Swift Sound
2010-10-16 15:18 . 2010-10-16 15:19   --------   d-----w-   c:\users\user\AppData\Roaming\Dropbox
2010-10-13 08:11 . 2010-09-13 13:56   168960   ----a-w-   c:\program files\Windows Media Player\wmplayer.exe
2010-10-13 08:11 . 2010-09-13 13:56   8147456   ----a-w-   c:\windows\system32\wmploc.DLL
2010-10-13 08:10 . 2010-09-06 16:20   125952   ----a-w-   c:\windows\system32\srvsvc.dll
2010-10-13 08:10 . 2010-09-06 16:19   17920   ----a-w-   c:\windows\system32\netevent.dll
2010-10-13 08:10 . 2010-09-06 13:45   304128   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-10-13 08:10 . 2010-09-06 13:45   145408   ----a-w-   c:\windows\system32\drivers\srv2.sys
2010-10-13 08:10 . 2010-09-06 13:45   102400   ----a-w-   c:\windows\system32\drivers\srvnet.sys
2010-10-13 08:08 . 2010-08-31 13:27   2038272   ----a-w-   c:\windows\system32\win32k.sys
2010-10-13 08:08 . 2010-05-04 19:13   231424   ----a-w-   c:\windows\system32\msshsq.dll
2010-10-13 08:08 . 2010-08-20 16:05   867328   ----a-w-   c:\windows\system32\wmpmde.dll
2010-10-13 08:08 . 2010-08-31 15:44   531968   ----a-w-   c:\windows\system32\comctl32.dll
2010-10-05 16:54 . 2010-10-05 16:54   --------   d-----w-   c:\users\Guest\AppData\Roaming\HPAppData
2010-10-03 22:43 . 2010-10-03 22:43   59240   ----a-w-   c:\windows\system32\drivers\RapportKELL.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 10:41 . 2009-10-02 21:19   222080   ------w-   c:\windows\system32\MpSigStub.exe
2010-09-17 07:52 . 2010-09-17 07:52   405504   ----a-r-   c:\users\user\AppData\Roaming\Microsoft\Installer\{0003C1E0-E0E7-49BB-A0F6-4AE6D2B09202}\ARPPRODUCTICON.exe
2010-09-16 13:05 . 2010-09-16 13:09   29472   ----a-w-   c:\windows\system32\drivers\btwl2cap.sys
2010-09-16 13:05 . 2010-09-16 13:09   108072   ----a-w-   c:\windows\system32\drivers\btwavdt.sys
2010-09-16 13:05 . 2010-09-16 13:09   86056   ----a-w-   c:\windows\system32\drivers\btwaudio.sys
2010-09-16 13:05 . 2010-09-16 13:09   18344   ----a-w-   c:\windows\system32\drivers\btwrchid.sys
2010-09-11 07:54 . 2010-09-11 07:54   388096   ----a-r-   c:\users\user\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-10 22:32 . 2009-12-15 13:58   167936   ----a-w-   c:\windows\system32\drivers\wpshelper.sys
2010-09-10 12:18 . 2009-02-03 08:05   0   ----a-w-   c:\users\user\AppData\Local\WavXMapDrive.bat
2010-08-26 16:33 . 2010-10-28 07:17   173056   ----a-w-   c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-28 07:17   2159616   ----a-w-   c:\windows\apppatch\AcGenral.dll
2010-08-26 16:33 . 2010-10-28 07:17   458752   ----a-w-   c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-28 07:17   542720   ----a-w-   c:\windows\apppatch\AcLayers.dll
2010-08-17 14:11 . 2010-09-15 15:43   128000   ----a-w-   c:\windows\system32\spoolsv.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19   94208   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19   94208   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19   94208   ----a-w-   c:\users\user\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2009-11-08 09:55   297808   ----a-w-   c:\windows\System32\mscoree.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2009-11-08 09:55   297808   ----a-w-   c:\windows\System32\mscoree.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-01 39408]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"Google Update"="c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-11-02 135664]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-09-02 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-02-17 278528]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-13 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-13 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-13 145944]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-12-22 1845248]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-07-17 442467]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-08 115560]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-29 202256]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-8-11 795936]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-8-1 1180952]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ      msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-09-23 133104]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-09-16 29472]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-07-14 23888]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\911C.tmp [x]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-07 3662848]
R3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2010-10-03 59240]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-28 390528]
S1 RapportCerberus_19917;RapportCerberus_19917;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [2010-10-03 34792]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-10-03 169320]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_2311653e\aestsrv.exe [2008-07-17 77824]
S2 alssvc;Ambient Light Sensor;c:\program files\Dell\Ambient Light Sensor\AlsSvc.exe [2008-06-03 382232]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2010-05-10 1803584]
S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2009-10-23 110592]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-08-06 277792]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2008-08-01 455960]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-06-16 322608]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-10-03 767208]
S2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [2009-12-22 77312]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2010-05-10 540288]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2009-10-27 274984]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-31 102448]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-08-13 112128]
S3 NETwNv32;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETwNv32.sys [2010-07-14 6680064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork   REG_MULTI_SZ      PLA DPS BFE mpssvc
bthsvcs   REG_MULTI_SZ      BthServ
WindowsMobile   REG_MULTI_SZ      wcescomm rapimgr
LocalServiceRestricted   REG_MULTI_SZ      WcesComm RapiMgr
LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
HPService   REG_MULTI_SZ      HPSLPSVC
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-11-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-05 04:56]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-23 05:00]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-23 05:00]

2010-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-674015678-3032219402-3789288886-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-15 02:18]

2010-11-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-674015678-3032219402-3789288886-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-15 02:18]

2010-11-02 c:\windows\Tasks\User_Feed_Synchronization-{EA8E3124-3145-41B0-9F93-CA4433C44235}.job
- c:\windows\system32\msfeedssync.exe [2010-10-13 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {45195A3C-461C-4374-9EC6-AF79348F0480} = 10.7.40.1
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-02 08:49
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  


c:\windows\TEMP\TMP0000005212BDF37C4F8658DC 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\911C.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2010-11-02  08:52:38
ComboFix-quarantined-files.txt  2010-11-02 08:52
ComboFix2.txt  2010-10-26 08:00
ComboFix3.txt  2010-09-12 08:23

Pre-Run: 104,967,827,456 bytes free
Post-Run: 105,016,217,600 bytes free

- - End Of File - - 9C5B09095FFD57E1BFF1D6C2912F82A6


Answer
Hi Brian

The log came through fine.  You should now clean out the junk files.  Download CCleaner from here:

http://www.piriform.com/ccleaner/download/slim

Install and run the program.  Click on the Analyze button and you'll get a summary of what can be cleaned.  Then click Run Cleaner to delete those files safely.  After cleaning, let me know how things are running.

Brian

Computer Security & Viruses

All Answers

Answers by Expert:

Ask Experts

Volunteer

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.