Infected with Win32/Agent.Pax trojan


  • This topic is locked
3 replies to this topic

#1 Help21

Help21

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:44 PM

Posted 06 July 2009 - 08:43 PM

For some reason this virus keeps coming back and with friends. I may have more than one of these viruses. Thank you ahead of time for your help.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 20:37:12.11 on Mon 07/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.435 [GMT -5:00]

AV: ESET Smart Security 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hometab.bellsouth.net/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
Trusted Zone: com.tw\www.msi
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240384655546
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1243481173437
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\vbxbtj6p.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2009-4-22 17920]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R2 DLPORTIO;DLPORTIO;c:\windows\DLPORTIO.sys [2009-5-28 3584]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-4-9 731840]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-16 12672]
S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2009-4-22 659456]
S3 VCenterDriver;VCenterDriver;c:\program files\msi\vcenter\NTGLM7X.sys [2009-5-14 26112]
S3 Vsp;Vsp;c:\windows\system32\drivers\vsp.sys [2009-4-22 3351]

=============== Created Last 30 ================

2009-07-06 20:27 <DIR> --d----- c:\program files\Trend Micro
2009-06-30 00:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-30 00:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-29 19:32 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-06-29 15:09 <DIR> --d----- c:\program files\Odds Maker
2009-06-28 21:18 <DIR> --d----- c:\program files\FlashGet
2009-06-27 05:37 69 a------- c:\windows\NeroDigital.ini
2009-06-26 17:21 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-06-26 17:08 <DIR> --d----- c:\program files\Microsoft Games
2009-06-24 06:07 2,146,304 -------- c:\windows\UNNMP.exe
2009-06-24 06:07 52,521 -------- c:\windows\UNNMP.cfg
2009-06-24 06:05 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-06-24 06:04 110,791 -------- c:\windows\UNNeroVision.cfg
2009-06-24 06:04 2,023,424 -------- c:\windows\UNNeroVision.exe
2009-06-24 06:04 24,064 -------- c:\windows\system32\msxml3a.dll
2009-06-24 06:04 1,568,768 -------- c:\windows\system32\ImagX7.dll
2009-06-24 06:04 476,320 -------- c:\windows\system32\ImagXpr7.dll
2009-06-24 06:04 471,040 -------- c:\windows\system32\ImagXRA7.dll
2009-06-24 06:04 364,544 -------- c:\windows\system32\TwnLib4.dll
2009-06-24 06:04 262,144 -------- c:\windows\system32\ImagXR7.dll
2009-06-24 06:04 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-06-24 06:04 38,912 -------- c:\windows\system32\picn20.dll
2009-06-23 16:13 <DIR> --d----- c:\program files\Bin Checker
2009-06-22 13:57 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-20 15:57 130,048 a------- C:\agutoq.exe
2009-06-20 15:57 2 a------- C:\604517882
2009-06-20 15:57 8,704 a------- C:\pdejohst.exe
2009-06-20 07:55 <DIR> --d----- c:\docume~1\admini~1\applic~1\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-06-20 07:55 <DIR> --d----- c:\program files\TweetDeck
2009-06-14 08:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Virtual Mechanics
2009-06-14 08:52 <DIR> --d----- c:\docume~1\admini~1\applic~1\Virtual Mechanics
2009-06-14 08:51 <DIR> --d----- c:\program files\Virtual Mechanics
2009-06-13 16:56 <DIR> --d----- c:\program files\Vista Tecnologie
2009-06-11 05:57 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitTorrent
2009-06-11 05:57 <DIR> --d----- c:\program files\DNA
2009-06-11 05:57 <DIR> --d----- c:\program files\BitTorrent
2009-06-11 05:57 <DIR> --d----- c:\docume~1\admini~1\applic~1\DNA
2009-06-11 04:49 <DIR> --d----- c:\program files\IrfanView
2009-06-10 19:40 5,248 a------- c:\windows\system32\giveio.sys

==================== Find3M ====================

2009-06-29 19:32 360,320 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-06-21 11:15 503 a------- C:\Stats.dat
2009-06-21 11:11 2,078 a------- C:\quick.dat
2009-06-21 06:38 136 a------- C:\cert.dat
2009-06-09 04:47 34 a------- c:\documents and settings\administrator\jagex_runescape_preferences.dat
2009-06-06 12:00 85,504 a------- c:\windows\system32\ff_vfw.dll
2009-06-06 12:00 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-05-28 03:12 34,816 a------- c:\windows\system32\Dlportio.dll
2009-05-28 03:12 27,460 a------- c:\windows\system32\loaddrv.exe
2009-05-03 06:59 0 a------- C:\skiplist.dat
2009-05-03 06:59 0 a------- C:\favorite.dat
2009-04-28 06:58 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-23 13:37 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-22 03:11 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 20:37:45.99 ===============

#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:44 AM

Posted 13 July 2009 - 05:05 PM

Hello, Help21.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:07:44 AM

Posted 16 July 2009 - 04:29 AM

Hello Help21
Are you still with us?

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:11:44 PM

Posted 18 July 2009 - 02:23 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM, as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

