
Trojan.Agent, Trojan-downloader.agent, Hacktool.spammer, nasty stuff


  • This topic is locked
3 replies to this topic

#1 Alexander Cholakov

Alexander Cholakov

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 26 April 2009 - 08:11 AM

Hi all,
For 2 days I have had a nasty thing on my laptop with XP and it has really got on my nerves. Usually I can handle the most simple stuff "with a little help from my friends" (forums), but now it looks like I need real-time help exactly for me.

The symptoms are:
- disabled registry;
- disabled task manager;
- disabled safe-mode;
- Runtime error 6002 on Media player classic and DC++ which requires replacing the *.exe files; also, Spybot doesn't run;
- random-named *.exe files created in \local settings\temp\
- the problematic line in HiJackThis keeps reoccurring:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1.

So the other day I learnt how to re-enable the TaskMan, RegEdit and SafeMode when I need to use them.
Spyware Doctor detects the things from the topic name: "Trojan.Agent, Trojan-downloader.agent, Hacktool.spammer".
The thing stays. I'd be very grateful for a little help.


#2 Alexander Cholakov

Alexander Cholakov
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 26 April 2009 - 08:12 AM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Alexander at 16:00:39.71 on неделя 26/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.1791.1190 [GMT 3:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\RAMpage\RAMpage.exe
C:\Program Files\Datecs\FlexType 2K\FType2K.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Skype\Phone\Skype.exe
C:\DOCUME~1\ALEXAN~1\LOCALS~1\Temp\wintmlls.exe
C:\DOCUME~1\ALEXAN~1\LOCALS~1\Temp\winxjcakb.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Alexander\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.msn.com
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [RAMpage] "c:\program files\rampage\rampage.exe" u=1 m=40 t=50 a g=1 p="c:\program files\rampage\RAMpageConfig.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flexty~1.lnk - c:\program files\datecs\flextype 2k\FType2K.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
Trusted Zone: freedrweb.com\www
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
TCP: {8884912A-C198-46F0-8DFD-FD6A88D6BB3B} = 78.90.58.1,213.240.241.252
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alexan~1\applic~1\mozilla\firefox\profiles\kbe8l2zb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.bg/

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-26 64160]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-23 425080]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\lkjdng.sys --> c:\windows\system32\drivers\lkjdng.sys [?]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2009-1-9 41376]
R4 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-4-25 186128]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-19 1026896]
S3 CRFILTER;USB Mass Storage Filter;c:\windows\system32\drivers\CRFILTER.sys [2009-1-9 6656]
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;c:\windows\system32\drivers\WebSTAR.sys [2009-1-19 15417]

=============== Created Last 30 ================

2009-04-26 15:09 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-26 15:07 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-26 15:06 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-04-26 15:06 <DIR> --d----- c:\program files\Lavasoft
2009-04-25 21:06 <DIR> --d----- C:\Rooter$
2009-04-25 19:35 <DIR> --d----- c:\program files\Puresoto Group
2009-04-25 15:31 <DIR> --d----- c:\docume~1\alexan~1\applic~1\Puresoto Group, INC
2009-04-25 15:03 2,526 a------- C:\rollback.ini
2009-04-25 14:57 161,792 a------- c:\windows\SWREG.exe
2009-04-25 14:57 98,816 a------- c:\windows\sed.exe
2009-04-25 14:26 948,000 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-25 14:26 93,728 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-25 14:26 15,824 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-25 14:26 11,888 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-25 14:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic Anti-Virus PLUS
2009-04-25 14:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-25 14:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-04-25 13:56 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-04-25 10:07 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-04-25 10:06 <DIR> --d----- c:\windows\Internet Logs
2009-04-25 10:04 <DIR> --d----- c:\program files\common files\PC Tools
2009-04-25 10:04 <DIR> --d----- c:\program files\Spyware Doctor
2009-04-24 20:16 <DIR> --d----- C:\TEMP
2009-04-24 18:34 <DIR> --d-h--- c:\windows\PIF
2009-04-24 18:13 <DIR> --d----- c:\program files\Unlocker
2009-04-24 18:07 335 a------- c:\windows\mozregistry.dat
2009-04-24 15:52 <DIR> --dsh--- C:\INCINERATE
2009-04-24 15:46 <DIR> --d----- c:\program files\XoftSpy
2009-04-24 15:26 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-24 15:13 <DIR> --d----- c:\program files\System Mechanic 4 Professional
2009-04-24 11:06 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-19 22:01 <DIR> --d----- c:\windows\Downloaded Installations
2009-04-17 15:37 135,168 a------- c:\windows\UNDPX1K.exe
2009-04-17 15:37 53,725 a------- c:\windows\UNDPX1K.sys
2009-04-17 15:37 15,429 a------- c:\windows\system32\drivers\Sacm1K.sys
2009-04-17 15:23 <DIR> --d----- c:\program files\nLite
2009-04-16 22:45 <DIR> --ds---- c:\documents and settings\alexander\UserData
2009-04-13 21:21 13,490 a------- c:\windows\UNDPX.EXE
2009-04-11 16:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Atheros
2009-04-09 00:07 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-09 00:07 1,409 a------- c:\windows\QTFont.for
2009-04-04 16:39 25,280 a------- c:\windows\system32\drivers\hamachi.sys
2009-04-04 16:39 <DIR> --d----- c:\program files\Hamachi

==================== Find3M ====================

2009-04-24 18:51 15,360 a------- c:\windows\taskman.exe
2009-03-23 18:33 271,360 a------- c:\windows\system32\drivers\atksgt.sys
2009-03-23 18:33 18,048 a------- c:\windows\system32\drivers\lirsgt.sys
2009-03-22 18:46 12,400 a------- c:\windows\system32\drivers\secdrv.sys
2009-03-16 18:42 524,288 a------- c:\windows\opuc.dll
2009-03-08 19:59 223,128 a------- c:\windows\system32\drivers\vaxscsi.sys

============= FINISH: 16:01:26.70 ===============

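As an added triage example (not part of the thread, and not a BleepingComputer or DDS tool), the following Python parses the three DDS sections that matter in the log above and flags what the helper later acted on: executables running from a Temp folder, lockdown policies that disable Task Manager and Registry Editor, and a driver service whose file DDS marks as unverifiable with [?]. The log excerpt is constructed from lines of the posted log.

```python
"""Triage helper for a DDS log (added example; the excerpt below is constructed
from the thread's log, it is not a complete DDS report)."""
import re

SAMPLE_LOG = """\
============== Running Processes ===============
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\DOCUME~1\\ALEXAN~1\\LOCALS~1\\Temp\\wintmlls.exe
C:\\DOCUME~1\\ALEXAN~1\\LOCALS~1\\Temp\\winxjcakb.exe
============== Pseudo HJT Report ===============
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
============= SERVICES / DRIVERS ===============
R2 a2free;a-squared Free Service;c:\\program files\\a-squared free\\a2service.exe [2009-1-23 425080]
R3 abp470n5;abp470n5;\\??\\c:\\windows\\system32\\drivers\\lkjdng.sys --> c:\\windows\\system32\\drivers\\lkjdng.sys [?]
"""

# Policy values a user rarely sets by hand; malware sets them to block cleanup tools.
LOCKDOWN_POLICIES = {"DisableTaskMgr": "1", "DisableRegistryTools": "1", "EnableLUA": "0"}


def triage(log: str) -> list:
    """Return a list of (category, detail) findings from DDS log text."""
    findings = []
    section = None
    for line in log.splitlines():
        header = re.match(r"=+\s*(.*?)\s*=+$", line)
        if header:
            section = header.group(1)  # e.g. "Running Processes"
            continue
        if section == "Running Processes":
            # Anything executing out of a user's Temp directory is worth a look.
            if re.search(r"\\temp\\[^\\]+\.exe$", line, re.I):
                findings.append(("temp-exe", line))
        elif section == "Pseudo HJT Report":
            pol = re.match(r"[umd]Policies-\w+:\s*(\w+)\s*=\s*(\d+)", line)
            if pol and LOCKDOWN_POLICIES.get(pol.group(1)) == pol.group(2):
                findings.append(("lockdown-policy", pol.group(1)))
        elif section == "SERVICES / DRIVERS":
            # DDS appends "[?]" when it cannot verify the service's image file.
            fields = line.split(";")
            if len(fields) >= 3 and fields[2].rstrip().endswith("[?]"):
                findings.append(("unverified-driver", fields[0].split()[-1]))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```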

#3 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 28 April 2009 - 03:17 AM

Download avz4.zip from HERE and unzip it to your Desktop
  • Double click on AVZ.exe to run it.
  • Click File >> Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program

    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    BC_DisableSvc('abp470n5');
    BC_DeleteSvc('abp470n5');
    BC_DeleteFile('c:\windows\system32\drivers\lkjdng.sys');
    BC_Activate;
    RebootWindows(true);
    end.

  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically, and post back with a new virusinfo_syscheck.htm.


NEXT


Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (Open it as Notepad)


NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



NEXT

  • After that, please restart AVZ again,
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply


Post these logs in your next reply..

1. Dr.Web CureIt
2. ComboFix
3. Attach virusinfo_syscheck.htm

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 03 May 2009 - 05:47 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
