Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

spyware f4f.exe trojan horse agent ALGJ

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

spyware f4f.exe trojan horse agent ALGJ

Unread postby spiraldaddy » November 12th, 2008, 9:36 pm

Greetings - I have somehow contracted a trojan horse that I can't get rid of from multiple scans using AVG. I would be most grateful for some advice as to how to remove it :alien: Here is my logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:56 PM, on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\WINDOWS\system32\iesvcmon.exe
C:\WINDOWS\f4f.exe
C:\Program Files\Vuze\Azureus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: globaladsolution - {b3a4a095-e53b-fdbf-e6d4-8b1d8ffa57f3} - C:\WINDOWS\system32\nsq38D.dll
O2 - BHO: (no name) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - (no file)
O3 - Toolbar: (no name) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iesvcmon] "C:\WINDOWS\system32\iesvcmon.exe"
O4 - HKLM\..\Run: [G4G] C:\WINDOWS\f4f.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1188961546
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7444 bytes
spiraldaddy
Active Member
 
Posts: 12
Joined: November 12th, 2008, 9:28 pm
Advertisement
Register to Remove

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby Shaba » November 14th, 2008, 5:24 am

Hi spiraldaddy

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby spiraldaddy » November 14th, 2008, 9:35 pm

Thank you for your response. Here is the list you requested.

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
AVG Free 8.0
Bonjour
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
Brother HL-2140
Contextual Tool Globaladsolution
DPS
Free RAR Extract Frog 1.00
Google Gmail Notifier
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IE Privacy Keeper
Internet Speed Monitor
iTunes
Java(TM) 6 Update 7
Media Player Codec Pack 3.2.0
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.4)
N.I Pro-53 v3.0-OxYGeN
Netflix Movie Viewer
PPC Booster
QuickTime
RegScrubXP 5.1
RocketDock 1.3.5
RON Tool Globaladsolution
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sony ACID Pro 6.0
Sony Media Manager 2.2
Sony Noise Reduction Plug-In 2.0h
Sony Sound Forge 9.0
SoundMAX
Tweak UI
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Vuze
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WOT for Internet Explorer
spiraldaddy
Active Member
 
Posts: 12
Joined: November 12th, 2008, 9:28 pm

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby Shaba » November 15th, 2008, 5:57 am

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent DNA
Vuze


I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Uninstall also these:

Internet Speed Monitor
PPC Booster

Please run a new uninstall list scan when finished and post the log back here.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby spiraldaddy » November 17th, 2008, 11:14 am

Thanks Shaba,

I did as you instructed and here is the new uninstall list:

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
AVG Free 8.0
Bonjour
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
Brother HL-2140
Contextual Tool Globaladsolution
DPS
Free RAR Extract Frog 1.00
Google Gmail Notifier
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IE Privacy Keeper
iTunes
Java(TM) 6 Update 7
Media Player Codec Pack 3.2.0
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.4)
N.I Pro-53 v3.0-OxYGeN
Netflix Movie Viewer
QuickTime
RegScrubXP 5.1
RocketDock 1.3.5
RON Tool Globaladsolution
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sony ACID Pro 6.0
Sony Media Manager 2.2
Sony Noise Reduction Plug-In 2.0h
Sony Sound Forge 9.0
SoundMAX
Tweak UI
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WOT for Internet Explorer
spiraldaddy
Active Member
 
Posts: 12
Joined: November 12th, 2008, 9:28 pm

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby Shaba » November 17th, 2008, 11:17 am

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Post:

- mbam log
- rsit logs (taken after mbam run)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby spiraldaddy » November 17th, 2008, 11:38 pm

I followed your instructions and here are the following log files. Thanx Again :alien:

Malware Bytes Antimalware:

Malwarebytes' Anti-Malware 1.30
Database version: 1406
Windows 5.1.2600 Service Pack 3

11/17/2008 7:20:12 PM
mbam-log-2008-11-17 (19-20-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 113359
Time elapsed: 39 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\nsglobaladsolution.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cont_globaladsolution (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b3a4a095-e53b-fdbf-e6d4-8b1d8ffa57f3} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b3a4a095-e53b-fdbf-e6d4-8b1d8ffa57f3} (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\admin\Desktop\Sony ACID Pro 6.0 Incl. Keygen\keygen\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cont_globaladsolution-remove.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\nsglobaladsolution.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nsq38D.dll (Adware.BHO) -> Quarantined and deleted successfully.


Logfile of random's system information tool1.04 (written by random/random)
Run by admin at 2008-11-17 19:27:09
Microsoft Windows XP Professional Service Pack 3
System drive C: has 40 GB (52%) free of 76 GB
Total RAM: 2014 MB (76% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:20 PM, on 11/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\admin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - (no file)
O3 - Toolbar: (no name) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iesvcmon] "C:\WINDOWS\system32\iesvcmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1188961546
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6817 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-10-26 308832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-10-10 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{71576546-354D-41c9-AAE8-31F2EC22BF0D}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-05-01 843776]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-10-10 1234712]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"M-Audio Taskbar Icon"=C:\WINDOWS\System32\MAFWTray.exe [2008-03-03 252424]
"MAFWTaskbarApp"=C:\WINDOWS\system32\MAFWTray.exe [2008-03-03 252424]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"BrStsWnd"=C:\Program Files\Brownie\BrstsWnd.exe [2008-01-08 864256]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=C:\Program Files\Google\Gmail Notifier\gnotify.exe [2005-07-15 479232]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-10-26 185872]
"iesvcmon"=C:\WINDOWS\system32\iesvcmon.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"RocketDock"=C:\Program Files\RocketDock\RocketDock.exe [2007-09-02 495616]
"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2008-11-11 342336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-07-27 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\Vuze\Azureus.exe"="C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-11-17 19:27:09 ----D---- C:\rsit
2008-11-17 18:15:56 ----D---- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-11-17 18:15:47 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-17 18:15:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-14 16:45:42 ----A---- C:\Pro-53fx.dll
2008-11-14 16:45:41 ----A---- C:\Pro-53.dll
2008-11-13 17:06:55 ----D---- C:\Program Files\Pro-53
2008-11-12 23:18:39 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 23:18:33 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 23:18:24 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-12 17:10:46 ----D---- C:\Program Files\Trend Micro
2008-11-11 20:36:59 ----D---- C:\ACID_Loops
2008-11-11 19:44:08 ----D---- C:\Documents and Settings\All Users\Application Data\Azureus
2008-11-11 19:44:06 ----D---- C:\Documents and Settings\admin\Application Data\Azureus
2008-11-10 22:25:48 ----A---- C:\WINDOWS\lik02.exe
2008-11-10 22:25:48 ----A---- C:\WINDOWS\j414.exe
2008-11-10 22:25:47 ----A---- C:\WINDOWS\tj85.exe
2008-11-10 22:25:47 ----A---- C:\WINDOWS\cor704836.exe
2008-11-10 22:25:46 ----A---- C:\WINDOWS\eo4.exe
2008-11-10 22:25:46 ----A---- C:\WINDOWS\ee3362.exe
2008-11-10 22:25:45 ----D---- C:\Program Files\SpeedTest
2008-11-10 22:25:41 ----HD---- C:\$AVG8.VAULT$
2008-11-10 22:25:33 ----A---- C:\WINDOWS\tjyvb346054.exe
2008-11-10 22:25:29 ----A---- C:\WINDOWS\system32\dqodorstdzcymxoo.exe
2008-11-10 21:05:20 ----D---- C:\Documents and Settings\admin\Application Data\DivX
2008-11-07 17:15:11 ----D---- C:\WINDOWS\Sun
2008-11-02 13:25:21 ----D---- C:\Program Files\MSBuild
2008-11-02 13:25:11 ----D---- C:\WINDOWS\system32\XPSViewer
2008-11-02 13:24:57 ----D---- C:\Program Files\Reference Assemblies
2008-11-02 13:24:08 ----N---- C:\WINDOWS\system32\spmsg2.dll
2008-11-02 13:20:19 ----D---- C:\Program Files\RegScrubXP
2008-11-01 21:22:31 ----D---- C:\WINDOWS\system32\custom matrices
2008-11-01 21:22:24 ----D---- C:\WINDOWS\system32\QuickTime
2008-11-01 21:22:24 ----D---- C:\WINDOWS\system32\C2MP
2008-11-01 16:03:53 ----D---- C:\Documents and Settings\admin\Application Data\Move Networks
2008-10-26 20:26:42 ----A---- C:\WINDOWS\cdplayer.ini
2008-10-26 20:25:36 ----D---- C:\Program Files\Common Files\xing shared
2008-10-26 20:25:29 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2008-10-26 20:25:22 ----A---- C:\WINDOWS\system32\pndx5032.dll
2008-10-26 20:25:22 ----A---- C:\WINDOWS\system32\pndx5016.dll
2008-10-26 20:25:21 ----D---- C:\Program Files\Real
2008-10-26 20:25:21 ----A---- C:\WINDOWS\system32\pncrt.dll
2008-10-26 20:25:17 ----D---- C:\Program Files\Common Files\Real
2008-10-26 20:25:11 ----D---- C:\Documents and Settings\admin\Application Data\Real
2008-10-24 06:19:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-20 16:56:46 ----D---- C:\Program Files\Netflix

======List of files/folders modified in the last 1 months======

2008-11-17 19:26:27 ----D---- C:\downloads
2008-11-17 19:25:22 ----D---- C:\Program Files\Mozilla Firefox
2008-11-17 19:23:34 ----D---- C:\WINDOWS\Temp
2008-11-17 19:22:20 ----A---- C:\WINDOWS\Brownie.ini
2008-11-17 19:22:19 ----D---- C:\Program Files\DNA
2008-11-17 19:22:19 ----D---- C:\Documents and Settings\admin\Application Data\DNA
2008-11-17 19:21:48 ----D---- C:\WINDOWS\system32\drivers
2008-11-17 19:21:48 ----D---- C:\WINDOWS
2008-11-17 19:21:28 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-17 19:21:14 ----D---- C:\WINDOWS\Prefetch
2008-11-17 19:20:11 ----RD---- C:\Program Files
2008-11-17 19:20:11 ----D---- C:\WINDOWS\system32
2008-11-13 23:40:09 ----D---- C:\Program Files\Vstplugins
2008-11-13 22:20:53 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-13 22:20:46 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-13 21:02:04 ----HD---- C:\WINDOWS\inf
2008-11-13 21:02:04 ----D---- C:\WINDOWS\Help
2008-11-13 19:52:45 ----SHD---- C:\WINDOWS\Installer
2008-11-13 16:59:52 ----D---- C:\Program Files\Sony
2008-11-13 16:47:43 ----D---- C:\Documents and Settings\admin\Application Data\Sony
2008-11-13 16:46:23 ----D---- C:\Program Files\Sony Setup
2008-11-12 23:18:39 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 23:18:36 ----A---- C:\WINDOWS\imsins.BAK
2008-11-10 22:29:46 ----D---- C:\Documents and Settings\admin\Application Data\LimeWire
2008-11-04 16:47:44 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-03 16:10:25 ----A---- C:\WINDOWS\system32\MRT.exe
2008-11-02 23:09:05 ----RSD---- C:\WINDOWS\assembly
2008-11-02 23:09:05 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-02 22:50:45 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-02 13:27:24 ----D---- C:\WINDOWS\WinSxS
2008-11-02 13:25:18 ----RSD---- C:\WINDOWS\Fonts
2008-11-02 13:25:16 ----D---- C:\WINDOWS\system32\en-US
2008-11-02 13:24:19 ----D---- C:\WINDOWS\system32\spool
2008-10-26 20:25:36 ----D---- C:\Program Files\Common Files
2008-10-26 20:25:21 ----A---- C:\WINDOWS\system32\msvcr71.dll
2008-10-26 20:25:21 ----A---- C:\WINDOWS\system32\msvcp71.dll
2008-10-26 14:14:06 ----SD---- C:\Documents and Settings\admin\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-10-10 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-10-10 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2003-05-28 17005]
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-08-22 44384]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-05-22 230400]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-07-27 2371584]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 MAFW;%FW.SvcDesc%; C:\WINDOWS\system32\DRIVERS\mafw.sys [2008-10-15 186368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-08-29 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2007-07-27 483328]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-10 231704]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-07-27 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe [2002-12-17 7520337]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

From info

info.txt logfile of random's system information tool 1.04 2008-11-17 19:27:22

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Broadcom 440x 10/100 Integrated Controller-->MsiExec.exe /X{612B9183-67A9-4B44-9877-2F059E35B86A}
Broadcom Management Programs-->MsiExec.exe /I{C99C0593-3B48-41D9-B42F-6E035B320449}
Brother HL-2140-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8C1F1115-BC5B-44BC-B692-A36717A5EB4C}\SETUP.exe" -l0x9 -removeonly /uninst
DPS-->"C:\WINDOWS\system32\iesvcmon.exe" -u
Free RAR Extract Frog 1.00-->C:\Program Files\Free RAR Extract Frog\uninstall.exe
Google Gmail Notifier-->"C:\Program Files\Google\Gmail Notifier\UninstallGmail.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
IE Privacy Keeper-->C:\Program Files\UnH Solutions\IE Privacy Keeper\unins000.exe
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Media Player Codec Pack 3.2.0-->C:\WINDOWS\system32\C2MP\Uninst.exe
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
N.I Pro-53 v3.0-OxYGeN-->C:\PROGRA~1\Pro-53\UNWISE.EXE C:\PROGRA~1\Pro-53\INSTALL.LOG
Netflix Movie Viewer-->MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RegScrubXP 5.1-->"C:\Program Files\RegScrubXP\unins000.exe"
RocketDock 1.3.5-->"C:\Program Files\RocketDock\unins000.exe"
RON Tool Globaladsolution-->C:\WINDOWS\system32\dqodorstdzcymxoo.exe
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sony ACID Pro 6.0-->MsiExec.exe /X{2956585F-DB2F-45C2-9363-F8CB0BB4F2A7}
Sony Media Manager 2.2-->MsiExec.exe /X{2B5A75F0-FD85-4094-AB00-94902398D192}
Sony Noise Reduction Plug-In 2.0h-->MsiExec.exe /X{06A1BE8A-4CA4-4A39-B9E4-E815AA8FE05C}
Sony Sound Forge 9.0-->MsiExec.exe /X{4AEA9A23-D627-4699-8A0F-FC474308C2E6}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WOT for Internet Explorer-->MsiExec.exe /X{5AC2D321-11E2-47E7-A1CA-61A34C2057AB}

======Security center information======

AV: AVG Anti-Virus Free

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------
spiraldaddy
Active Member
 
Posts: 12
Joined: November 12th, 2008, 9:28 pm

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby Shaba » November 18th, 2008, 9:22 am

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code: Select all
    :processes
    btdna.exe
    
    :files
    C:\Program Files\LimeWire
    C:\Program Files\DNA
    C:\Program Files\Vuze
    C:\Program Files\BitTorrent
    C:\Documents and Settings\All Users\Application Data\Azureus
    c:\Documents and Settings\admin\Application Data\Azureus
    c:\WINDOWS\lik02.exe
    C:\WINDOWS\j414.exe
    C:\WINDOWS\tj85.exe
    C:\WINDOWS\cor704836.exe
    C:\WINDOWS\eo4.exe
    C:\WINDOWS\ee3362.exe
    C:\WINDOWS\tjyvb346054.exe
    C:\WINDOWS\system32\dqodorstdzcymxoo.exe
    C:\Documents and Settings\admin\Application Data\DNA
    
    :reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "iesvcmon"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"=-
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\Program Files\DNA\btdna.exe"=-
    "C:\Program Files\BitTorrent\bittorrent.exe"=-
    "C:\Program Files\LimeWire\LimeWire.exe"=-
    "C:\Program Files\Vuze\Azureus.exe"=-
    

  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run rsit.

Post:

- a fresh rsit log (only log.txt will appear)
- otmoveit3 log
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby spiraldaddy » November 18th, 2008, 10:39 pm

Followed instructions and here are the posts:

========== PROCESSES ==========
Process btdna.exe killed successfully.
========== FILES ==========
File/Folder C:\Program Files\LimeWire not found.
C:\Program Files\DNA\plugins moved successfully.
C:\Program Files\DNA moved successfully.
File/Folder C:\Program Files\Vuze not found.
File/Folder C:\Program Files\BitTorrent not found.
C:\Documents and Settings\All Users\Application

Data\Azureus moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\torrents moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\tmp moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\subs moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\shares moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\plugins moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\net moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\logs\save moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\logs moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\dht moved successfully.
c:\Documents and Settings\admin\Application

Data\Azureus\active moved successfully.
c:\Documents and Settings\admin\Application Data\Azureus

moved successfully.
c:\WINDOWS\lik02.exe moved successfully.
C:\WINDOWS\j414.exe moved successfully.
C:\WINDOWS\tj85.exe moved successfully.
C:\WINDOWS\cor704836.exe moved successfully.
C:\WINDOWS\eo4.exe moved successfully.
C:\WINDOWS\ee3362.exe moved successfully.
C:\WINDOWS\tjyvb346054.exe moved successfully.
C:\WINDOWS\system32\dqodorstdzcymxoo.exe moved

successfully.
C:\Documents and Settings\admin\Application Data\DNA moved

successfully.
========== REGISTRY ==========
Registry value

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersio

n\Run\\iesvcmon deleted successfully.
Registry value

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

\Run\\BitTorrent DNA deleted successfully.
Registry value

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\shared

access\parameters\firewallpolicy\standardprofile\authorized

applications\list\\C:\Program Files\DNA\btdna.exe deleted

successfully.
Registry value

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\shared

access\parameters\firewallpolicy\standardprofile\authorized

applications\list\\C:\Program

Files\BitTorrent\bittorrent.exe deleted successfully.
Registry value

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\shared

access\parameters\firewallpolicy\standardprofile\authorized

applications\list\\C:\Program Files\LimeWire\LimeWire.exe

deleted successfully.
Registry value

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\shared

access\parameters\firewallpolicy\standardprofile\authorized

applications\list\\C:\Program Files\Vuze\Azureus.exe

deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on

11182008_183514

RSIT

Logfile of random's system information tool 1.04 (written

by random/random)
Run by admin at 2008-11-18 18:37:35
Microsoft Windows XP Professional Service Pack 3
System drive C: has 40 GB (52%) free of 76 GB
Total RAM: 2014 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:45 PM, on 11/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\downloads\OTMoveIt3.exe
C:\WINDOWS\system32\notepad.exe
C:\downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\admin.exe

R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub -

{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program

Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for

Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA}

- C:\Program

Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter -

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program

Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) -

{C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - (no file)
O3 - Toolbar: (no name) -

{71576546-354D-41c9-AAE8-31F2EC22BF0D} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog

Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY]

C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon]

C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp]

C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck]

%systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BrStsWnd] C:\Program

Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]

C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program

Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program

Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://www.update.microsoft.com/windows ... V5Controls

/en/x86/client/wuweb_site.cab?1191188961546
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java

Runtime Environment 1.6.0) -

http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... install-6u

7-windows-i586-jc.cab?e=1223737652490&h=0d9d6dff8297b924d0f

dcf49c27d6550/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}

(Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/s ... abs/flash/

swflash.cab
O18 - Protocol: linkscanner -

{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program

Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot -

{C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. -

C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -

C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG

Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -

Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program

Files\iPod\bin\iPodService.exe

--
End of file - 6623 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi

on\Explorer\Browser Helper

Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

[2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi

on\Explorer\Browser Helper

Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer

- C:\Program

Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-10-26

308832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi

on\Explorer\Browser Helper

Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll

[2008-10-10 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi

on\Explorer\Browser Helper

Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program

Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi

on\Explorer\Browser Helper

Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet

Explorer\Toolbar]
{71576546-354D-41c9-AAE8-31F2EC22BF0D}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi

on\Run]
"SoundMAXPnP"=C:\Program Files\Analog

Devices\Core\smax4pnp.exe [2006-05-01 843776]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-10-10

1234712]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe

[2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe

[2008-10-01 289576]
"SunJavaUpdateSched"=C:\Program

Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader

9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"M-Audio Taskbar Icon"=C:\WINDOWS\System32\MAFWTray.exe

[2008-03-03 252424]
"MAFWTaskbarApp"=C:\WINDOWS\system32\MAFWTray.exe

[2008-03-03 252424]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"BrStsWnd"=C:\Program Files\Brownie\BrstsWnd.exe

[2008-01-08 864256]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=C:\Program

Files\Google\Gmail Notifier\gnotify.exe [2005-07-15 479232]
"TkBellExe"=C:\Program Files\Common

Files\Real\Update_OB\realsched.exe [2008-10-26 185872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio

n\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13

15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13

1695232]
"RocketDock"=C:\Program Files\RocketDock\RocketDock.exe

[2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-07-27 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi

on\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBo

ot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersi

on\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersio

n\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\share

daccess\parameters\firewallpolicy\standardprofile\authorize

dapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.

exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network

Diagnostic\xpnetdiag.exe"="%windir%\Network

Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program

Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program

Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program

Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program

Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program

Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program

Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program

Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe"="C:\WIND

OWS\PCHealth\HelpCtr\Binaries\helpctr.exe:*:Enabled:Remote

Assistance - Windows Messenger and Voice"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\share

daccess\parameters\firewallpolicy\domainprofile\authorizeda

pplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.

exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network

Diagnostic\xpnetdiag.exe"="%windir%\Network

Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1

months======

2008-11-18 18:35:14 ----D---- C:\_OTMoveIt
2008-11-17 19:27:09 ----D---- C:\rsit
2008-11-17 18:15:56 ----D---- C:\Documents and

Settings\admin\Application Data\Malwarebytes
2008-11-17 18:15:47 ----D---- C:\Documents and Settings\All

Users\Application Data\Malwarebytes
2008-11-17 18:15:46 ----D---- C:\Program

Files\Malwarebytes' Anti-Malware
2008-11-14 16:45:42 ----A---- C:\Pro-53fx.dll
2008-11-14 16:45:41 ----A---- C:\Pro-53.dll
2008-11-13 17:06:55 ----D---- C:\Program Files\Pro-53
2008-11-12 23:18:39 ----HDC----

C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 23:18:33 ----HDC----

C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 23:18:24 ----HDC----

C:\WINDOWS\$NtUninstallKB955069$
2008-11-12 17:10:46 ----D---- C:\Program Files\Trend Micro
2008-11-11 20:36:59 ----D---- C:\ACID_Loops
2008-11-10 22:25:45 ----D---- C:\Program Files\SpeedTest
2008-11-10 22:25:41 ----HD---- C:\$AVG8.VAULT$
2008-11-10 21:05:20 ----D---- C:\Documents and

Settings\admin\Application Data\DivX
2008-11-07 17:15:11 ----D---- C:\WINDOWS\Sun
2008-11-02 13:25:21 ----D---- C:\Program Files\MSBuild
2008-11-02 13:25:11 ----D---- C:\WINDOWS\system32\XPSViewer
2008-11-02 13:24:57 ----D---- C:\Program Files\Reference

Assemblies
2008-11-02 13:24:08 ----N----

C:\WINDOWS\system32\spmsg2.dll
2008-11-02 13:20:19 ----D---- C:\Program Files\RegScrubXP
2008-11-01 21:22:31 ----D---- C:\WINDOWS\system32\custom

matrices
2008-11-01 21:22:24 ----D---- C:\WINDOWS\system32\QuickTime
2008-11-01 21:22:24 ----D---- C:\WINDOWS\system32\C2MP
2008-11-01 16:03:53 ----D---- C:\Documents and

Settings\admin\Application Data\Move Networks
2008-10-26 20:26:42 ----A---- C:\WINDOWS\cdplayer.ini
2008-10-26 20:25:36 ----D---- C:\Program Files\Common

Files\xing shared
2008-10-26 20:25:29 ----A----

C:\WINDOWS\system32\rmoc3260.dll
2008-10-26 20:25:22 ----A----

C:\WINDOWS\system32\pndx5032.dll
2008-10-26 20:25:22 ----A----

C:\WINDOWS\system32\pndx5016.dll
2008-10-26 20:25:21 ----D---- C:\Program Files\Real
2008-10-26 20:25:21 ----A---- C:\WINDOWS\system32\pncrt.dll
2008-10-26 20:25:17 ----D---- C:\Program Files\Common

Files\Real
2008-10-26 20:25:11 ----D---- C:\Documents and

Settings\admin\Application Data\Real
2008-10-24 06:19:13 ----HDC----

C:\WINDOWS\$NtUninstallKB958644$
2008-10-20 16:56:46 ----D---- C:\Program Files\Netflix

======List of files/folders modified in the last 1

months======

2008-11-18 18:37:45 ----D---- C:\WINDOWS\Temp
2008-11-18 18:35:17 ----D---- C:\WINDOWS\system32
2008-11-18 18:35:16 ----D---- C:\WINDOWS
2008-11-18 18:35:14 ----RD---- C:\Program Files
2008-11-18 18:34:13 ----D---- C:\WINDOWS\Prefetch
2008-11-18 18:33:00 ----D---- C:\downloads
2008-11-18 18:31:17 ----D---- C:\Program Files\Mozilla

Firefox
2008-11-17 21:05:35 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-17 19:22:20 ----A---- C:\WINDOWS\Brownie.ini
2008-11-17 19:21:48 ----D---- C:\WINDOWS\system32\drivers
2008-11-17 19:21:28 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-13 23:40:09 ----D---- C:\Program Files\Vstplugins
2008-11-13 22:20:53 ----RSHDC----

C:\WINDOWS\system32\dllcache
2008-11-13 21:02:04 ----HD---- C:\WINDOWS\inf
2008-11-13 21:02:04 ----D---- C:\WINDOWS\Help
2008-11-13 19:52:45 ----SHD---- C:\WINDOWS\Installer
2008-11-13 16:59:52 ----D---- C:\Program Files\Sony
2008-11-13 16:47:43 ----D---- C:\Documents and

Settings\admin\Application Data\Sony
2008-11-13 16:46:23 ----D---- C:\Program Files\Sony Setup
2008-11-12 23:18:39 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 23:18:36 ----A---- C:\WINDOWS\imsins.BAK
2008-11-10 22:29:46 ----D---- C:\Documents and

Settings\admin\Application Data\LimeWire
2008-11-04 16:47:44 ----HD---- C:\Program

Files\InstallShield Installation Information
2008-11-03 16:10:25 ----A---- C:\WINDOWS\system32\MRT.exe
2008-11-02 23:09:05 ----RSD---- C:\WINDOWS\assembly
2008-11-02 23:09:05 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-02 22:50:45 ----A----

C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-02 13:27:24 ----D---- C:\WINDOWS\WinSxS
2008-11-02 13:25:18 ----RSD---- C:\WINDOWS\Fonts
2008-11-02 13:25:16 ----D---- C:\WINDOWS\system32\en-US
2008-11-02 13:24:19 ----D---- C:\WINDOWS\system32\spool
2008-10-26 20:25:36 ----D---- C:\Program Files\Common Files
2008-10-26 20:25:21 ----A----

C:\WINDOWS\system32\msvcr71.dll
2008-10-26 20:25:21 ----A----

C:\WINDOWS\system32\msvcp71.dll
2008-10-26 14:14:06 ----SD---- C:\Documents and

Settings\admin\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot,

1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86;

C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-10-10 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver

x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-10-10

26824]
R1 intelppm;Intel Processor Driver;

C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver;

C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys

[2003-05-28 17005]
R2 tifsfilter;Acronis True Image FS Filter;

C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-08-22 44384]
R3 ADIHdAudAddService;ADI UAA Function Driver for High

Definition Audio Service;

C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-05-22

230400]
R3 Arp1394;1394 ARP Client Protocol;

C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag;

C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-07-27

2371584]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP

Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys

[2006-11-21 45568]
R3 GEARAspiWDM;GEAR ASPI Filter Driver;

C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17

15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition

Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2008-04-13

144384]
R3 hidusb;Microsoft HID Class Driver;

C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 MAFW;%FW.SvcDesc%; C:\WINDOWS\system32\DRIVERS\mafw.sys

[2008-10-15 186368]
R3 mouhid;Mouse HID Driver;

C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-08-29 12160]
R3 NIC1394;1394 Net Driver;

C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 SenFiltService;SenFilt Service;

C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller

Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys

[2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver;

C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport

Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13

17152]
R3 usbprint;Microsoft USB PRINTER Class;

C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbccgp;Microsoft USB Generic Parent Driver;

C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver;

C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver

Framework Platform Driver;

C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver

Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys

[2006-09-28 82944]
S4 IntelIde;IntelIde;

C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot,

1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program

Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe [2008-10-01

116040]
R2 Ati HotKey Poller;Ati HotKey Poller;

C:\WINDOWS\System32\Ati2evxx.exe [2007-07-27 483328]
R2 avg8wd;AVG Free8 WatchDog;

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-10 231704]
R2 Bonjour Service;Bonjour Service; C:\Program

Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 MDM;Machine Debug Manager; C:\Program Files\Common

Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R3 iPod Service;iPod Service; C:\Program

Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe

[2007-07-27 593920]
S3 aspnet_state;ASP.NET State Service;

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.

exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization

Service v2.0.50727_X86;

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

[2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font

Cache 3.0.0.0;

C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFon

tCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program

Files\Common Files\InstallShield\Driver\1050\Intel

32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace;

C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows

Communication Foundation\infocard.exe [2007-10-11 864256]
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR; C:\Program

Files\Sony\Shared Plug-Ins\Media

Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe [2002-12-17

7520337]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program

Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe

[2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common

Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28

89136]
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;

C:\Program Files\Sony\Shared Plug-Ins\Media

Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE [2002-12-17

311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing

Service; C:\Program Files\Windows Media Player\WMPNetwk.exe

[2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver

Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13

14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;

C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows

Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------
spiraldaddy
Active Member
 
Posts: 12
Joined: November 12th, 2008, 9:28 pm

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby Shaba » November 19th, 2008, 5:43 am

The formatting of your post is messed up. This is caused by having Word Wrap checked.
1. Click Start > All Programs > Accessories > Notepad
2. On the menu bar in Notepad select Format and click on WordWrap so it appears unchecked.

After that, please re-run rsit and post back its log :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby spiraldaddy » November 19th, 2008, 9:43 pm

All right here it is without the word wrap:

Logfile of random's system information tool 1.04 (written by random/random)
Run by admin at 2008-11-19 17:41:40
Microsoft Windows XP Professional Service Pack 3
System drive C: has 40 GB (52%) free of 76 GB
Total RAM: 2014 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:49 PM, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\admin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - (no file)
O3 - Toolbar: (no name) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1188961546
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3A41FFC-C63C-40A4-A406-67722FCD1532}: Domain = aesgeo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3A41FFC-C63C-40A4-A406-67722FCD1532}: NameServer = 10.0.0.13 10.0.0.33 10.0.0.33 10.0.0.13
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6702 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-10-26 308832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-10-10 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{71576546-354D-41c9-AAE8-31F2EC22BF0D}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-05-01 843776]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-10-10 1234712]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"M-Audio Taskbar Icon"=C:\WINDOWS\System32\MAFWTray.exe [2008-03-03 252424]
"MAFWTaskbarApp"=C:\WINDOWS\system32\MAFWTray.exe [2008-03-03 252424]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"BrStsWnd"=C:\Program Files\Brownie\BrstsWnd.exe [2008-01-08 864256]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"=C:\Program Files\Google\Gmail Notifier\gnotify.exe [2005-07-15 479232]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-10-26 185872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"RocketDock"=C:\Program Files\RocketDock\RocketDock.exe [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-07-27 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-11-18 18:35:14 ----D---- C:\_OTMoveIt
2008-11-17 19:27:09 ----D---- C:\rsit
2008-11-17 18:15:56 ----D---- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-11-17 18:15:47 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-17 18:15:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-14 16:45:42 ----A---- C:\Pro-53fx.dll
2008-11-14 16:45:41 ----A---- C:\Pro-53.dll
2008-11-13 17:06:55 ----D---- C:\Program Files\Pro-53
2008-11-12 23:18:39 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 23:18:33 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 23:18:24 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-12 17:10:46 ----D---- C:\Program Files\Trend Micro
2008-11-11 20:36:59 ----D---- C:\ACID_Loops
2008-11-10 22:25:45 ----D---- C:\Program Files\SpeedTest
2008-11-10 22:25:41 ----HD---- C:\$AVG8.VAULT$
2008-11-10 21:05:20 ----D---- C:\Documents and Settings\admin\Application Data\DivX
2008-11-07 17:15:11 ----D---- C:\WINDOWS\Sun
2008-11-02 13:25:21 ----D---- C:\Program Files\MSBuild
2008-11-02 13:25:11 ----D---- C:\WINDOWS\system32\XPSViewer
2008-11-02 13:24:57 ----D---- C:\Program Files\Reference Assemblies
2008-11-02 13:24:08 ----N---- C:\WINDOWS\system32\spmsg2.dll
2008-11-02 13:20:19 ----D---- C:\Program Files\RegScrubXP
2008-11-01 21:22:31 ----D---- C:\WINDOWS\system32\custom matrices
2008-11-01 21:22:24 ----D---- C:\WINDOWS\system32\QuickTime
2008-11-01 21:22:24 ----D---- C:\WINDOWS\system32\C2MP
2008-11-01 16:03:53 ----D---- C:\Documents and Settings\admin\Application Data\Move Networks
2008-10-26 20:26:42 ----A---- C:\WINDOWS\cdplayer.ini
2008-10-26 20:25:36 ----D---- C:\Program Files\Common Files\xing shared
2008-10-26 20:25:29 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2008-10-26 20:25:22 ----A---- C:\WINDOWS\system32\pndx5032.dll
2008-10-26 20:25:22 ----A---- C:\WINDOWS\system32\pndx5016.dll
2008-10-26 20:25:21 ----D---- C:\Program Files\Real
2008-10-26 20:25:21 ----A---- C:\WINDOWS\system32\pncrt.dll
2008-10-26 20:25:17 ----D---- C:\Program Files\Common Files\Real
2008-10-26 20:25:11 ----D---- C:\Documents and Settings\admin\Application Data\Real
2008-10-24 06:19:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-20 16:56:46 ----D---- C:\Program Files\Netflix

======List of files/folders modified in the last 1 months======

2008-11-19 17:41:49 ----D---- C:\WINDOWS\Temp
2008-11-19 17:37:14 ----D---- C:\Program Files\Mozilla Firefox
2008-11-18 19:10:34 ----D---- C:\WINDOWS\Prefetch
2008-11-18 18:35:17 ----D---- C:\WINDOWS\system32
2008-11-18 18:35:16 ----D---- C:\WINDOWS
2008-11-18 18:35:14 ----RD---- C:\Program Files
2008-11-18 18:33:00 ----D---- C:\downloads
2008-11-17 21:05:35 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-17 19:22:20 ----A---- C:\WINDOWS\Brownie.ini
2008-11-17 19:21:48 ----D---- C:\WINDOWS\system32\drivers
2008-11-17 19:21:28 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-13 23:40:09 ----D---- C:\Program Files\Vstplugins
2008-11-13 22:20:53 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-13 21:02:04 ----HD---- C:\WINDOWS\inf
2008-11-13 21:02:04 ----D---- C:\WINDOWS\Help
2008-11-13 19:52:45 ----SHD---- C:\WINDOWS\Installer
2008-11-13 16:59:52 ----D---- C:\Program Files\Sony
2008-11-13 16:47:43 ----D---- C:\Documents and Settings\admin\Application Data\Sony
2008-11-13 16:46:23 ----D---- C:\Program Files\Sony Setup
2008-11-12 23:18:39 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 23:18:36 ----A---- C:\WINDOWS\imsins.BAK
2008-11-10 22:29:46 ----D---- C:\Documents and Settings\admin\Application Data\LimeWire
2008-11-04 16:47:44 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-03 16:10:25 ----A---- C:\WINDOWS\system32\MRT.exe
2008-11-02 23:09:05 ----RSD---- C:\WINDOWS\assembly
2008-11-02 23:09:05 ----D---- C:\WINDOWS\Microsoft.NET
2008-11-02 22:50:45 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-11-02 13:27:24 ----D---- C:\WINDOWS\WinSxS
2008-11-02 13:25:18 ----RSD---- C:\WINDOWS\Fonts
2008-11-02 13:25:16 ----D---- C:\WINDOWS\system32\en-US
2008-11-02 13:24:19 ----D---- C:\WINDOWS\system32\spool
2008-10-26 20:25:36 ----D---- C:\Program Files\Common Files
2008-10-26 20:25:21 ----A---- C:\WINDOWS\system32\msvcr71.dll
2008-10-26 20:25:21 ----A---- C:\WINDOWS\system32\msvcp71.dll
2008-10-26 14:14:06 ----SD---- C:\Documents and Settings\admin\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-10-10 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-10-10 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2003-05-28 17005]
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-08-22 44384]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-05-22 230400]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2007-07-27 2371584]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\System32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 MAFW;%FW.SvcDesc%; C:\WINDOWS\system32\DRIVERS\mafw.sys [2008-10-15 186368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-08-29 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2007-07-27 483328]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-10 231704]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-06-19 322120]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-07-27 593920]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe [2002-12-17 7520337]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2002-12-17 66112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR; C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE [2002-12-17 311872]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------
spiraldaddy
Active Member
 
Posts: 12
Joined: November 12th, 2008, 9:28 pm

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby Shaba » November 20th, 2008, 4:58 am

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby spiraldaddy » November 21st, 2008, 11:26 am

Here you go:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, November 20, 2008 23:13:22
Records in database: 1398088
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 69642
Threat name: 2
Infected objects: 12
Suspicious objects: 0
Duration of the scan: 01:18:56


File name / Threat name / Threats count
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\4VUU1JH6\tb7[1].exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\JKTKBEC9\tb1[1].exe Infected: Trojan-Downloader.Win32.Agent.aopb 1
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\JKTKBEC9\tb6[1].exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\L4EPJP67\tb9[1].exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\OJWROHUN\tb10[1].exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\_OTMoveIt\MovedFiles\11182008_183514\WINDOWS\cor704836.exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\_OTMoveIt\MovedFiles\11182008_183514\WINDOWS\ee3362.exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\_OTMoveIt\MovedFiles\11182008_183514\WINDOWS\eo4.exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\_OTMoveIt\MovedFiles\11182008_183514\WINDOWS\j414.exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\_OTMoveIt\MovedFiles\11182008_183514\WINDOWS\lik02.exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\_OTMoveIt\MovedFiles\11182008_183514\WINDOWS\tj85.exe Infected: Trojan-Downloader.Win32.VB.iqv 1
C:\_OTMoveIt\MovedFiles\11182008_183514\WINDOWS\tjyvb346054.exe Infected: Trojan-Downloader.Win32.Agent.aopb 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:26:16 AM, on 11/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\MAFWTray.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - (no file)
O3 - Toolbar: (no name) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\MAFWTray.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1188961546
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6643 bytes
spiraldaddy
Active Member
 
Posts: 12
Joined: November 12th, 2008, 9:28 pm

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby Shaba » November 21st, 2008, 12:50 pm

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Empty this folder:

C:\_OTMoveIt\MovedFiles\

Empty Recycke Bin.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: spyware f4f.exe trojan horse agent ALGJ

Unread postby spiraldaddy » November 21st, 2008, 10:52 pm

Well I suppose I am winding towards the end of this process because Kaspersky had nothing to report in the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 21, 2008 19:46:33
Records in database: 1400036
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 53205
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:03:21

No malware has been detected. The scan area is clean.

The selected area was scanned.


And here is the hijackthis:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, November 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 21, 2008 19:46:33
Records in database: 1400036
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 53205
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:03:21

No malware has been detected. The scan area is clean.

The selected area was scanned.


Do you have any recommendations for anti-virus and anti-malware to run ongoing on my system? I am using AVG but perhaps Kaspersky is better. Thanks again for all of your expertise and help! :alien:
spiraldaddy
Active Member
 
Posts: 12
Joined: November 12th, 2008, 9:28 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 325 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware