
Taskdir.exe And Downloaderzq Keep Popping Up In Mcafee


4 replies to this topic

#1 FISHMAN

FISHMAN

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 25 January 2007 - 08:35 PM

New to this but am getting interested quickly. Have looked with Autoruns and read a lot; just need a bit of help, I hope.
Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 4:02:45 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxWare\3DxSrv.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\SolidWorks (2)\SLDWORKS.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\DOCUME~1\Admin\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgttry.exe
C:\Documents and Settings\Admin\My Documents\spyware remover\HIJACK THIS\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Startup: Shortcut to Map Werks6Drives.lnk = C:\Map Werks6Drives.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxWare\3DxSrv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://www.phdinc.com
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partcommunity.com/PARTcommunity...3D/cnsweb3d.cab
O16 - DPF: {3CAB827F-CB32-48AF-B68E-C68EC471F38D} (ActiveFormSDSE Control) - http://www.phdinc.com/apps/sizing/cab_files/PHDSizeSDSE.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/So...in/myCioAgt.cab
O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} (sldimdownloadiface Class) - http://www.solidworks.com/pages/services/s...dimdownload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C596422-4ED2-4FFF-A144-0F2D94DB8609}: NameServer = 72.35.32.161,64.85.164.161
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.0.0.358.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Total Protection Agent Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SonicWALL Agent Service (SWAGENT) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe

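An added example, not part of this thread or of HijackThis itself: a small Python parser for the O4, O15 and O20 lines in a HijackThis v1.99 log like the one posted above. It flags Run-key autoruns that launch from system32 under a name not on a short allow-list, trusted-zone entries (which the user should confirm they added), and Winlogon Notify entries whose DLL is missing. The allow-list and the flagging rules are assumptions made for illustration; the sample lines are copied from the posted log.

```python
"""Flag HijackThis log lines that a helper would normally ask about."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines copied from the log posted in this thread (trimmed to the sections parsed here).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O15 - Trusted Zone: http://www.phdinc.com
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
"""

# O4 - HKCU\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Illustrative allow-list (an assumption for this example, not a vetted reference):
# Windows components that legitimately start from a Run key out of system32.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section, e.g. "O4"
    reason: str   # why the line deserves a look
    line: str     # the original log line


def _exe_from_command(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect the lines worth asking the poster about."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe = _exe_from_command(m.group("cmd")).lower()
            base = exe.rsplit("\\", 1)[-1]
            # A generic name launched from system32 via HKCU/HKLM Run is the classic
            # pattern behind "keeps popping up" reports; known Windows pieces are skipped.
            if "\\system32\\" in exe and base not in KNOWN_SYSTEM32_AUTORUNS:
                findings.append(Finding("O4", "unrecognised autorun in system32", line))
            continue
        if line.startswith("O15 - Trusted Zone:"):
            findings.append(Finding("O15", "trusted-zone entry: confirm the user added it", line))
        elif line.startswith("O20 - ") and line.endswith("(file missing)"):
            findings.append(Finding("O20", "Winlogon Notify entry points at a missing DLL", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the taskdir autorun, the phdinc.com trusted-zone entry and the orphaned WRNotifier entry, which are the same three items the helper's later replies turn to; everything in Program Files is left alone.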

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:29 AM

Posted 26 January 2007 - 03:59 AM

Hello,

Perform the next steps in the right order...

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

* Reboot into Safe Mode (without networking support!):
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    I need that log later.
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found: [image]
  • If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:
    [image]
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Files that are in use may only be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply, together with a new HijackThis log and the log from SDFix.

Edited by miekiemoes, 26 January 2007 - 04:00 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 FISHMAN

FISHMAN
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:29 AM

Posted 26 January 2007 - 04:38 PM

OK, here are the logs. One thing I noticed is that Dr.Web had me move a file named myagtsvc.exe and now my virus protection is disabled.
Anyway, here are the logs.
Thanks, and things seem much better now.
Logfile of HijackThis v1.99.1
Scan saved at 12:27:27 PM, on 1/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxWare\3DxSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\SolidWorks (2)\SLDWORKS.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\DOCUME~1\Admin\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\SolidWorksLicTemp.0001
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Admin\My Documents\spyware remover\HIJACK THIS\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
O4 - Startup: Shortcut to Map Werks6Drives.lnk = C:\Map Werks6Drives.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxWare\3DxSrv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://www.phdinc.com
O16 - DPF: {12545791-AC9A-44B2-8964-0DA216C4A4E5} (Cnsweb3d Control) - http://www.partcommunity.com/PARTcommunity...3D/cnsweb3d.cab
O16 - DPF: {3CAB827F-CB32-48AF-B68E-C68EC471F38D} (ActiveFormSDSE Control) - http://www.phdinc.com/apps/sizing/cab_files/PHDSizeSDSE.cab
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/So...in/myCioAgt.cab
O16 - DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} (sldimdownloadiface Class) - http://www.solidworks.com/pages/services/s...dimdownload.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C596422-4ED2-4FFF-A144-0F2D94DB8609}: NameServer = 72.35.32.161,64.85.164.161
O18 - Protocol: myrm - {4D034FC3-013F-4B95-B544-44D49ABE3E76} - C:\Program Files\McAfee\Managed VirusScan\Agent\MyRmProt4.0.0.358.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: McShield - McAfee, Inc. - C:\PROGRA~1\McAfee\MANAGE~1\VScan\McShield.exe
O23 - Service: McAfee Total Protection Agent Service (myAgtSvc) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SonicWALL Agent Service (SWAGENT) - McAfee, Inc. - C:\Program Files\McAfee\Managed VirusScan\Agent\swAgent.exe


and

myagtsvc.exe;c:\program files\mcafee\managed virusscan\agent;Probably BACKDOOR.Trojan;Will be moved after reboot.;
uewqeodr.cdo;c:\windows\system32;Trojan.Click.1242;Deleted.;
game0[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01234567;Trojan.Spambot;Deleted.;
game0[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF;Trojan.Spambot;Deleted.;
game0[2].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF;Trojan.Spambot;Deleted.;
game0[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN;Trojan.DownLoader.17823;Deleted.;
game[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GHIJKLMN;Trojan.Spambot;Deleted.;
game5[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV;Trojan.Spambot;Deleted.;
game[1].exe;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV;Trojan.Spambot;Deleted.;
CIO0.MCQ;C:\Program Files\McAfee\Managed VirusScan\VScan\Quarantine;Trojan.DownLoader.9572;Deleted.;
CIO1.MCQ;C:\Program Files\McAfee\Managed VirusScan\VScan\Quarantine;Trojan.DownLoader.9572;Deleted.;
CIO14.MCQ;C:\Program Files\McAfee\Managed VirusScan\VScan\Quarantine;Trojan.Spambot;Deleted.;
CIO15.MCQ;C:\Program Files\McAfee\Managed VirusScan\VScan\Quarantine;Trojan.Spambot;Deleted.;
CIO2.MCQ;C:\Program Files\McAfee\Managed VirusScan\VScan\Quarantine;Trojan.DownLoader.9572;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0000909.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP14;Trojan.Spambot;Deleted.;
A0000920.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;BackDoor.Groan;Deleted.;
A0000936.sys;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;BackDoor.Groan;Deleted.;
A0000949.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;Trojan.Spambot;Deleted.;
A0000981.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;Trojan.Spambot;Deleted.;
A0002009.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;Trojan.Spambot;Deleted.;
A0002023.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;Trojan.Spambot;Deleted.;
A0002063.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;Trojan.Spambot;Deleted.;
A0003090.sys;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;BackDoor.Groan;Deleted.;
A0003104.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;Trojan.Spambot;Deleted.;
A0004080.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;Trojan.Spambot;Deleted.;
A0004081.sys;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;BackDoor.Groan;Deleted.;
A0004087.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;Trojan.Spambot;Deleted.;
A0004108.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;Trojan.Spambot;Deleted.;
A0005156.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;Trojan.Spambot;Deleted.;
A0005200.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;Trojan.Spambot;Deleted.;
A0005201.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;Trojan.Spambot;Deleted.;
A0005202.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;Trojan.Spambot;Deleted.;
A0005204.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;Trojan.Spambot;Deleted.;
A0005205.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;Trojan.DownLoader.17823;Deleted.;
A0005206.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;Trojan.Spambot;Deleted.;
A0005209.sys;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP16;BackDoor.Groan;Deleted.;
A0000375.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP6;Tool.Prockill;;
ajquvzba.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
argbxhbn.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
sidlmkin.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;




SDFix: Version 1.62

Fri 01/26/2007 - 6:05:57.21

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
wincom32

Path:
\??\C:\WINDOWS\system32\wincom32.sys

wincom32 Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINDOWS\system32\game0.exe.exe - Deleted
C:\WINDOWS\system32\game5p.exe.exe - Deleted
C:\WINDOWS\system32\google.png.exe - Deleted
C:\WINDOWS\system32\DAP.exe - Deleted
C:\WINDOWS\system32\game.exe - Deleted
C:\WINDOWS\system32\game0.exe - Deleted
C:\WINDOWS\system32\game5.exe - Deleted
C:\WINDOWS\system32\peers.ini - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted



Alternate Streams Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe"="C:\\Program Files\\McAfee\\Managed VirusScan\\Agent\\myAgtSvc.exe:*:Enabled:McAfee Managed Services Agent"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\SolidWorks Downloads\SolidWorks2007SP1_0\CheckFile_sw2007-0.0-1.0-i.exe.txt
C:\SolidWorks Downloads\SolidWorks2007SP1_0\CheckFile_swexplorer.exe.txt
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp

Finished
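An added example, not part of this thread or of Dr.Web CureIt or SDFix: Python that parses the two reports posted above, the semicolon-separated DrWeb.csv (name;directory;detection;action;) and the firewall AuthorizedApplications export at the end of the SDFix log, and pulls out what a helper checks first: a heuristic ("Probably ...") verdict on a file inside a security product's own folder (the myagtsvc.exe case that disabled the poster's protection), records with no action taken, hits inside System Restore points, and every program granted a firewall exception per profile. The directory list used to recognise security products is an assumption for illustration; the sample records are copied from the posted reports.

```python
"""Triage a Dr.Web CureIt DrWeb.csv report and an SDFix firewall allow-list export."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Records copied from the DrWeb.csv posted above: name;directory;detection;action;
SAMPLE_DRWEB = r"""
myagtsvc.exe;c:\program files\mcafee\managed virusscan\agent;Probably BACKDOOR.Trojan;Will be moved after reboot.;
uewqeodr.cdo;c:\windows\system32;Trojan.Click.1242;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0000920.exe;C:\System Volume Information\_restore{B53B4B73-563F-48E8-BDB7-196801580DE5}\RP15;BackDoor.Groan;Deleted.;
ajquvzba.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
"""

# Lines copied from the SDFix "Authorized Application Key Export" above.
# Values keep the .reg escaping (doubled backslashes) exactly as SDFix prints them.
SAMPLE_FIREWALL_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
'''

# Folders belonging to security products already installed (assumption for this example).
SECURITY_PRODUCT_DIRS = ("\\mcafee\\",)


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    verdict: str
    action: str


def parse_drweb_csv(text: str) -> list[Detection]:
    """One Detection per non-empty line; the trailing ';' yields an empty last field."""
    out: list[Detection] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        name, directory, verdict, action = (fields + [""] * 4)[:4]
        out.append(Detection(name, directory, verdict, action))
    return out


def triage_drweb(dets: list[Detection]) -> dict:
    """Group the findings the way a helper reads the report."""
    return {
        "by_verdict": Counter(d.verdict for d in dets),
        # Heuristic verdict on a file in a security product's folder: likely false positive.
        "heuristic_on_security_product": [
            d for d in dets
            if d.verdict.lower().startswith("probably")
            and any(k in d.directory.lower() for k in SECURITY_PRODUCT_DIRS)
        ],
        # Empty action field: the scanner left the file in place.
        "not_actioned": [d for d in dets if not d.action],
        # Hits in _restore\RPnn are old copies; they explain why helpers flush System Restore.
        "in_system_restore": [
            d for d in dets if "\\system volume information\\" in d.directory.lower()
        ],
    }


@dataclass(frozen=True)
class FirewallException:
    profile: str   # StandardProfile or DomainProfile
    path: str
    scope: str     # '*' means any remote address
    enabled: bool
    label: str


# "key"="path:scope:Enabled:label"
FIREWALL_VALUE_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]*)"$')


def parse_firewall_export(text: str) -> list[FirewallException]:
    """Parse the .reg-style export; the [HKEY...] header names the profile for the lines below."""
    profile = "?"
    out: list[FirewallException] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            m = re.search(r"FirewallPolicy\\(\w+)\\", line)
            profile = m.group(1) if m else "?"
            continue
        m = FIREWALL_VALUE_RE.match(line)
        if not m:
            continue
        # The path contains a drive-letter colon, so split from the right.
        parts = m.group("value").rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, label = parts
        out.append(FirewallException(profile, path.replace("\\\\", "\\"),
                                     scope, state.lower() == "enabled", label))
    return out


if __name__ == "__main__":
    report = triage_drweb(parse_drweb_csv(SAMPLE_DRWEB))
    for key, value in report.items():
        print(key, value)
    for fw in parse_firewall_export(SAMPLE_FIREWALL_EXPORT):
        print(fw)
```

On the sample the only heuristic verdict on a security product is myagtsvc.exe, Process.exe (the SDFix helper tool classed as Tool.Prockill) is the only record without an action, and the firewall list yields two StandardProfile exceptions, which is the list a helper compares against the programs the poster recognises.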

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:29 AM

Posted 26 January 2007 - 05:00 PM

Hi,

You can move the file myagtsvc.exe from your C:\Documents and settings\Admin\DoctorWeb\quarantine folder back to the C:\Program Files\McAfee\Managed VirusScan\Agent folder.

Strange that DrWeb saw it as suspicious.

Did you add this to your trusted zone?

O15 - Trusted Zone: http://www.phdinc.com

If not, check and fix it in Hijackthis.

Delete next folder:

C:\SDFix <== folder, because this folder contains the backup of the bad files.

There's still something I would like to check though, so perform the next steps:

Download and save Blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found, if any, so don't worry if it tells you that no files were found.
In case hidden files were found, don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.

Edited by miekiemoes, 26 January 2007 - 05:01 PM.


#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:08:29 AM

Posted 05 February 2007 - 06:46 PM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.