BleepingComputer.com: Watchdog / Trojan.Agent-124177 infection

On the scan log of ClamWin Antivirus, it shows "C:\WINDOWS\SoftwareDistribution\Download\394c2fb5f22abce811de0a1e7c286919\wextract.exe: Trojan.Agent-124177 FOUND". On a-squared, it shows "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run --> WatchDog detected: Trace.Registry.WatchDog v8.5!A2". I cannot quarantine WatchDog or delete it.

Also, my computer sometimes restarts by itself after I shut it down. There are no error messages. I am not sure whether this has to do with the reported infection(s).

Thank you for taking the time to help!


DDS (Ver_09-10-13.01) - NTFSx86
Run by HP at 22:25:23.79 on 2009/10/18 星期日
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.950.886.1028.18.2039.1238 [GMT 8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\360\360Safe\safemon\360tray.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PPStream\ppsap.exe
C:\Program Files\Mindjet\MindManager 7\PDF-XChange\pdfSaver\pdfSaver3.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\a-squared Free\a2free.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\Documents and Settings\HP\桌面\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=zh_tw&c=91&bd=all&pf=cmnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=zh_tw&c=91&bd=all&pf=cmnb
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=zh_tw&c=91&bd=all&pf=cmnb
BHO: CmjBrowserHelperObject Object: {07a11d74-9d25-4fea-a833-8b0d76a5577a} - c:\program files\mindjet\mindmanager 7\Mm7InternetExplorer.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SafeMon Class: {b69f34dd-f0f9-42dc-9edd-957187da688d} - c:\program files\360\360safe\safemon\safemon.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PPS Accelerator] c:\program files\ppstream\ppsap.exe
uRun: [pdfSaver3] "c:\program files\mindjet\mindmanager 7\pdf-xchange\pdfsaver\pdfSaver3.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [zCpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [HPCam_Menu] "c:\program files\hewlett-packard\hp webcam\muitransfer\muistartmenu.exe" "c:\program files\hewlett-packard\hp webcam" updatewithcreateonce "software\cyberlink\hp webcam\1.0"
mRun: [CJIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\changjie\CINTLCFG.EXE /CJIMETIPSync
mRun: [PHIMETIPSYNC] c:\program files\common files\microsoft shared\ime\imtc65\phonetic\TINTLCFG.EXE /PHIMETIPSync
mRun: [360Safetray] "c:\program files\360\360safe\safemon\360tray.exe" /start
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [MMReminderService] c:\program files\mindjet\mindmanager 7\MMReminderService.exe
mRun: [pdfSaver3]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\「開始~1\程式集\啟動\snsicon.lnk - c:\program files\second nature\Snsicon.exe
IE: &使用 FlashGet 下載 - c:\program files\flashget\jc_link.htm
IE: &全部使用 FlashGet 下載 - c:\program files\flashget\jc_all.htm
IE: 傳送到 &Bluetooth 裝置... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: 傳送到 Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - c:\program files\mindjet\mindmanager 7\Mm7InternetExplorer.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: PostBootReminder - - - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp\applic~1\mozilla\firefox\profiles\nc3s5221.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - plugin: c:\documents and settings\hp\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 HookPort;HookPort;c:\windows\system32\drivers\hookport.sys [2009-8-10 51328]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2008-3-28 24064]
R1 360SelfProtection;360SelfProtection;c:\windows\system32\drivers\360SelfProtection.sys [2009-8-10 87040]
R1 BFSDRV;BFSDRV;c:\windows\system32\drivers\bfsdrv.sys [2009-8-10 16904]
R1 BREGDRV;BREGDRV;c:\windows\system32\drivers\bregdrv.sys [2009-8-10 22272]
R1 EfiMon;EfiSystemMon;c:\windows\system32\drivers\EfiMon.sys [2009-8-6 19072]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-4-9 777240]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-9 222512]
S2 0119081250596050mcinstcleanup;McAfee Application Installer Cleanup (0119081250596050);c:\docume~1\hp\locals~1\temp\011908~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\hp\locals~1\temp\011908~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]

=============== Created Last 30 ================

2009-10-18 09:28 4,576 a------- c:\windows\system32\PerfStringBackup.TMP
2009-10-17 20:15 <DIR> --d----- c:\windows\pss
2009-10-13 20:10 <DIR> --d----- c:\program files\a-squared Free
2009-10-13 19:27 <DIR> --d----- c:\program files\Cobian Backup 9

==================== Find3M ====================

2009-10-18 12:39 407,350 a------- c:\windows\system32\prfh0404.dat
2009-10-18 12:39 208,634 a------- c:\windows\system32\prfc0404.dat
2009-09-11 22:07 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 22:07 136,192 a------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-08 15:05 87,040 a------- c:\windows\system32\drivers\360SelfProtection.sys
2009-09-05 04:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-05 04:45 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 18:27 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 18:27 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 13:18 634,648 -------- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 13:18 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 16:14 246,814 a------- c:\windows\system32\strmdll.dll
2009-08-26 16:14 246,814 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-25 13:22 78,883 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-20 21:12 51,328 a------- c:\windows\system32\drivers\hookport.sys
2009-08-13 23:16 512,000 a------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 17:05 201,728 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 17:05 201,728 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 01:14 2,062,848 a------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-08-05 01:14 2,185,856 a------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-05 01:14 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2009-08-05 01:14 2,142,720 a------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-05 01:14 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-05 01:14 2,020,864 a------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-07-31 15:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-29 12:51 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 12:51 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-07-29 12:51 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-29 12:51 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll

============= FINISH: 22:26:03.43 ===============

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.scr
    
  • DDS.pif
  
  
• Double click on the DDS icon, allow it to run.
  
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  
• Notepad will open with the results.
  
• Follow the instructions that pop up for posting the results.
  
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.