Author Topic: Another agent 4e infection, help needed...  (Read 965 times)


va-va (Newbie, Posts: 3)
Another agent 4e infection, help needed...
« on: November 17, 2008, 03:21:20 PM »
Dear everybody,

The agent 4e has infected my computer, just like it did yours. Please give me instructions on how to remove it;
these are my logs:

log:
Logfile of random's system information tool 1.04 (written by random/random)
Run by Eigenaar at 2008-11-17 17:15:39
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 13 GB (67%) free of 20 GB
Total RAM: 703 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:56, on 17-11-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eigenaar\Bureaublad\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Eigenaar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: afisicx  Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: mabidwe  Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Music Media Services (msuswesd) - Unknown owner - C:\WINDOWS\system32\msuswe.exe
O23 - Service: noytcyr  Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: roytctm  Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe (file missing)
O23 - Service: solewxte  Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe (file missing)
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: soxpeca  Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: tdydowkc  Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe (file missing)
O23 - Service: wsldoekd  Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe (file missing)

--
End of file - 5031 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2008-11-12 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Aanmelden - Help - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2004-09-01 53248]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2004-09-16 69632]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2008-11-12 1234712]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\WINDOWS\system32\winver.exe"="C:\WINDOWS\system32\winver.exe:*:Enabled:winver"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 3 months======

2008-11-17 17:15:39 ----D---- C:\rsit
2008-11-12 23:24:01 ----D---- C:\Program Files\Trend Micro
2008-11-12 16:09:47 ----HD---- C:\$AVG8.VAULT$
2008-11-12 16:07:36 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2008-11-12 16:07:08 ----D---- C:\Program Files\AVG
2008-11-12 16:07:07 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2008-10-22 09:01:29 ----A---- C:\WINDOWS\system32\winver.bat
2008-10-20 13:32:16 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-10-20 13:31:18 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2008-10-20 13:31:01 ----D---- C:\Program Files\Common Files\Adobe
2008-10-20 13:31:01 ----D---- C:\Program Files\Adobe
2008-10-17 23:15:26 ----D---- C:\ConvertTemp
2008-10-17 23:14:34 ----D---- C:\Documents and Settings\Eigenaar\Application Data\Samsung
2008-10-17 23:09:41 ----A---- C:\WINDOWS\system32\framedyn.dll
2008-10-17 22:59:07 ----D---- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-10-17 22:59:03 ----D---- C:\Program Files\Samsung

======List of files/folders modified in the last 3 months======

2008-11-17 17:15:27 ----D---- C:\WINDOWS\system32
2008-11-17 15:06:24 ----D---- C:\WINDOWS\Temp
2008-11-16 17:23:00 ----D---- C:\WINDOWS\Prefetch
2008-11-14 18:05:53 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-13 21:28:40 ----D---- C:\Documents and Settings\Eigenaar\Application Data\uTorrent
2008-11-13 14:51:24 ----D---- C:\WINDOWS
2008-11-12 23:24:01 ----RD---- C:\Program Files
2008-11-12 23:20:22 ----D---- C:\WINDOWS\system32\Restore
2008-11-12 16:07:35 ----D---- C:\WINDOWS\system32\drivers
2008-11-12 16:07:01 ----SHD---- C:\WINDOWS\Installer
2008-11-12 16:07:00 ----D---- C:\WINDOWS\WinSxS
2008-11-12 16:07:00 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-11-12 16:06:44 ----SD---- C:\Documents and Settings\Eigenaar\Application Data\Microsoft
2008-10-26 12:28:31 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-22 13:06:02 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-10-20 13:55:56 ----D---- C:\Documents and Settings\Eigenaar\Application Data\Winamp
2008-10-20 13:33:06 ----D---- C:\Documents and Settings\Eigenaar\Application Data\Adobe
2008-10-20 13:32:16 ----D---- C:\Program Files\Common Files
2008-10-17 23:07:26 ----HD---- C:\WINDOWS\inf
2008-10-17 23:07:26 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-17 22:59:29 ----D---- C:\WINDOWS\system32\CatRoot2

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-11-12 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-11-12 26824]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R2 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-11-12 76040]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-09-21 2278784]
R3 CmBatt;Stuurprogramma voor Microsoft AC-adapter; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2004-04-15 42496]
R3 RT2500;Sitecom Wireless Network PC Card 54G WL-112 Driver; C:\WINDOWS\System32\DRIVERS\RT2500.sys [2004-12-15 218368]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2004-09-01 171392]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet-adapter - NT-stuurprogramma; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]
S3 usbscan;Stuurprogramma voor USB-scanner; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;Stuurprogramma voor USB-massaopslag; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;Stuurprogramma voor systeemherstelfilter; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-03 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-11-12 875288]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-11-12 231704]
R2 noytcyr;noytcyr  Service; C:\WINDOWS\system32\noytcyr.exe [2001-09-07 45056]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 38912]
R3 usnjsvc;Messenger USN Journal Reader service voor Gedeelde mappen; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S2 afisicx;afisicx  Service; C:\WINDOWS\system32\afisicx.exe []
S2 mabidwe;mabidwe  Service; C:\WINDOWS\system32\mabidwe.exe []
S2 msuswesd;Music Media Services; C:\WINDOWS\system32\msuswe.exe [2004-08-04 65536]
S2 roytctm;roytctm  Service; C:\WINDOWS\system32\roytctm.exe []
S2 solewxte;solewxte  Service; C:\WINDOWS\system32\solewxte.exe []
S2 soxpeca;soxpeca  Service; C:\WINDOWS\system32\soxpeca.exe []
S2 tdydowkc;tdydowkc  Service; C:\WINDOWS\system32\tdydowkc.exe []
S2 wsldoekd;wsldoekd  Service; C:\WINDOWS\system32\wsldoekd.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2006-12-14 45056]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2006-12-14 57344]
S3 SonicStage Back-End Service;SonicStage Back-End Service; C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe [2007-02-05 112184]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2006-12-14 69632]
S3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2007-02-05 75320]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

-----------------EOF-----------------

info:
info.txt logfile of random's system information tool 1.04 2008-11-17 17:15:58

======Uninstall list======

-->Dummy
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
-->VTUninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Timer'
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player ActiveX-->C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
BearShare-->C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
dBpoweramp FLAC Codec-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
K-Lite Codec Pack 3.8.0 Basic-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Professional Editie 2003-->MsiExec.exe /I{90110413-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
OpenMG Limited Patch 4.7-07-14-05-01-->C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.7-07-14-05-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.7.00-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{CCD663AE-610D-4BDF-AAB0-E914B044527D} UNINSTALL
Pack Vista Inspirat 2 1.0-->C:\WINDOWS\BricoPacks\Vista Inspirat 2\Remove.exe
S3 S3Display-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Display'
S3 S3Gamma2-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Gamma2'
S3 S3Info2-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Info2'
S3 S3Overlay-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3Overlay'
S3 S3TrayPlus-->vtuninst.exe -reg 5 'HKLM\Software\S3\VT\S3Uninst\S3TrayPlus'
SAMSUNG Mobile Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung Mobile phone USB driver Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 USB Driver Installer-->"C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -runfromtemp -l0x0013 -removeonly
Samsung PC Studio 3-->"C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0013 -removeonly
SonicStage 4.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Live aanmeldhulp-->MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live installer-->MsiExec.exe /X{A258173E-F308-475A-951B-F1BF76A4451B}
Windows Live Messenger-->MsiExec.exe /X{A0C978B8-B82B-4FAD-8C31-EBEE8E57468A}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR-->C:\Program Files\WinRAR\uninstall.exe

=====HijackThis Backups=====

O23 - Service: roytctm  Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe (file missing)
O23 - Service: mabidwe  Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe (file missing)
O23 - Service: wsldoekd  Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe (file missing)
O23 - Service: solewxte  Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: noytcyr  Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: tdydowkc  Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe (file missing)
O23 - Service: soxpeca  Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe (file missing)
O23 - Service: Music Media Services (msuswesd) - Unknown owner - C:\WINDOWS\system32\msuswe.exe
O23 - Service: solewxte  Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe (file missing)
O23 - Service: roytctm  Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe (file missing)
O23 - Service: mabidwe  Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe (file missing)
O23 - Service: soxpeca  Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe (file missing)
O23 - Service: wsldoekd  Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe (file missing)
O23 - Service: afisicx  Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)
O23 - Service: noytcyr  Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: tdydowkc  Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe (file missing)
O23 - Service: noytcyr  Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: soxpeca  Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe (file missing)
O23 - Service: solewxte  Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe (file missing)
O23 - Service: mabidwe  Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe (file missing)
O23 - Service: tdydowkc  Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe (file missing)
O23 - Service: roytctm  Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe (file missing)
O23 - Service: wsldoekd  Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe (file missing)
O23 - Service: afisicx  Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)

======Security center information======

AV: AVG Anti-Virus Free

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Samsung\Samsung PC Studio 3\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 28 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=1c00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------


thanks in advance!

Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 11530)
"Stronger than the past, united in our goal."
Security Garden
Re: Another agent 4e infection, help needed...
« Reply #1 on: November 17, 2008, 04:04:12 PM »
Hi, va-va.  Welcome to LandzDown Forum.

As you can see in your log, the attempts to remove the services with HijackThis were not successful.  The first order of business is to install a software firewall.  The following firewalls are free for personal use:

Agnitum Outpost Firewall
Kerio Personal Firewall
Online Armor Free

Next, please follow these instructions carefully.

Download ComboFix from one of the following locations:

Link 1
Link 2
Link 3

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
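
An added triage script (not code from the thread, nor from HijackThis, RSIT or ComboFix) that parses the O23 lines pasted above and checks Corrine's point mechanically: a service that appears both in the "HijackThis Backups" section and in the current scan is one whose fix did not stick. It also flags the pattern the bogus entries share (unknown owner, binary dropped straight into system32, a display name that is just the service name plus "Service", or a file already missing); that flagging rule is a heuristic chosen for this example, not a HijackThis feature, and the sample lines are copied from the first post's log.

```python
"""Triage helper for HijackThis O23 (service) entries, written against the
logs in this thread. Added example; not HijackThis, RSIT or ComboFix code."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Layout of a HijackThis O23 line, as seen in the log above:
#   O23 - Service: <display name> (<service name>) - <owner> - <path> [(file missing)]
# The "(<service name>)" part is absent for some entries (e.g. MSCSPTISRV).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass(frozen=True)
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool


def parse_o23(lines: Iterable[str]) -> List[ServiceEntry]:
    """Parse the O23 lines of a HijackThis log; every other line is ignored."""
    entries = []
    for line in lines:
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name = m["name"] or m["display"]  # no "(name)" part: fall back to display name
        entries.append(ServiceEntry(m["display"], name, m["owner"], m["path"],
                                    m["missing"] is not None))
    return entries


def is_suspicious(e: ServiceEntry) -> bool:
    """Heuristic drawn from this thread's log: no publisher, binary directly in
    system32, and either a throw-away display name ("<name>  Service") or a
    registration whose binary is already gone. A hint for review, not proof."""
    unknown_owner = e.owner.lower() == "unknown owner"
    in_system32 = e.path.lower().startswith("c:\\windows\\system32\\")
    display = " ".join(e.display.split()).lower()  # collapse the doubled space
    throwaway_name = display == f"{e.name.lower()} service"
    return unknown_owner and in_system32 and (throwaway_name or e.file_missing)


def suspicious_services(lines: Iterable[str]) -> List[str]:
    return sorted(e.name for e in parse_o23(lines) if is_suspicious(e))


def failed_removals(scan_lines: Iterable[str], backup_lines: Iterable[str]) -> List[str]:
    """Service names HijackThis already 'fixed' (they sit in its backups) that are
    still registered in the current scan, i.e. the removal did not stick."""
    current = {e.name for e in parse_o23(scan_lines)}
    backed_up = {e.name for e in parse_o23(backup_lines)}
    return sorted(current & backed_up)


# Sample input copied from the O23 and "HijackThis Backups" sections of the first post.
SCAN_LINES = [
    r"O23 - Service: afisicx  Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)",
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
    r"O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe",
    r"O23 - Service: Music Media Services (msuswesd) - Unknown owner - C:\WINDOWS\system32\msuswe.exe",
    r"O23 - Service: noytcyr  Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe",
    r"O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe",
    r"O23 - Service: roytctm  Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe (file missing)",
]
BACKUP_LINES = [
    r"O23 - Service: roytctm  Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe (file missing)",
    r"O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)",
    r"O23 - Service: noytcyr  Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe",
    r"O23 - Service: Music Media Services (msuswesd) - Unknown owner - C:\WINDOWS\system32\msuswe.exe",
    r"O23 - Service: afisicx  Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe (file missing)",
]

if __name__ == "__main__":
    print("suspicious:", suspicious_services(SCAN_LINES))
    print("still present after HijackThis fix:", failed_removals(SCAN_LINES, BACKUP_LINES))
```

The heuristic is deliberately conservative: Music Media Services (msuswesd) passes it because its display name looks ordinary, even though it shares the unknown owner and system32 location and ComboFix's later log still lists it, so the cross-check against the backups section is the more reliable of the two signals.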

va-va (Newbie, Posts: 3)
Re: Another agent 4e infection, help needed...
« Reply #2 on: November 17, 2008, 04:50:10 PM »
Thanks,

this is the ComboFix log:
ComboFix 08-11-16.05 - Eigenaar 2008-11-17 18:36:38.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1043.18.444 [GMT 1:00]
Gestart vanuit: c:\documents and settings\Eigenaar\Bureaublad\ComboFix.exe
 * Nieuw herstelpunt werd aangemaakt
.

((((((((((((((((((((((((((((((((((   Andere Verwijderingen   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\comsa32.sys
c:\windows\system32\noytcyr.exe
c:\windows\system32\tmp0_16177425935.bk
c:\windows\system32\tmp0_212730662958.bk
c:\windows\system32\tmp0_32062320895.bk
c:\windows\system32\tmp0_322632683033.bk
c:\windows\system32\tmp0_325249390910.bk
c:\windows\system32\tmp0_38819324454.bk
c:\windows\system32\tmp0_432190631887.bk
c:\windows\system32\tmp0_536088731243.bk
c:\windows\system32\tmp0_553606254099.bk
c:\windows\system32\tmp0_594732688495.bk
c:\windows\system32\tmp0_617569747687.bk
c:\windows\system32\tmp0_642773833045.bk
c:\windows\system32\tmp0_652276292569.bk
c:\windows\system32\tmp0_678448637953.bk
c:\windows\system32\tmp0_749360136007.bk
c:\windows\system32\tmp1_360439215686.bk

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_soxpeca
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((   Bestanden Gemaakt van 2008-10-17 to 2008-11-17  ))))))))))))))))))))))))))))))
.

2008-11-17 17:15 . 2008-11-17 17:15   <DIR>   d--------   C:\rsit
2008-11-13 14:51 . 2008-11-13 14:51   7,680   --ahs----   c:\windows\Thumbs.db
2008-11-12 23:24 . 2008-11-12 23:24   <DIR>   d--------   c:\program files\Trend Micro
2008-11-12 16:09 . 2008-11-16 15:32   <DIR>   d--h-----   C:\$AVG8.VAULT$
2008-11-12 16:07 . 2008-11-17 15:10   <DIR>   d--------   c:\windows\system32\drivers\Avg
2008-11-12 16:07 . 2008-11-12 16:07   <DIR>   d--------   c:\program files\AVG
2008-11-12 16:07 . 2008-11-12 16:07   <DIR>   d--------   c:\documents and settings\All Users\Application Data\avg8
2008-11-12 16:07 . 2008-11-12 16:07   97,928   --a------   c:\windows\system32\drivers\avgldx86.sys
2008-11-12 16:07 . 2008-11-12 16:07   76,040   --a------   c:\windows\system32\drivers\avgtdix.sys
2008-11-12 16:07 . 2008-11-12 16:07   10,520   --a------   c:\windows\system32\avgrsstx.dll
2008-11-10 14:06 . 2008-11-10 14:06   244   --ah-----   C:\sqmnoopt04.sqm
2008-11-10 14:06 . 2008-11-10 14:06   232   --ah-----   C:\sqmdata04.sqm
2008-11-08 20:26 . 2008-11-08 20:26   244   --ah-----   C:\sqmnoopt03.sqm
2008-11-08 20:26 . 2008-11-08 20:26   232   --ah-----   C:\sqmdata03.sqm
2008-10-22 09:01 . 2008-10-22 09:01   145   --a------   c:\windows\system32\winver.bat
2008-10-20 13:32 . 2008-10-20 13:32   <DIR>   d--------   c:\program files\Common Files\Adobe AIR
2008-10-20 13:31 . 2008-10-20 13:31   <DIR>   d--------   c:\program files\Common Files\Adobe
2008-10-20 11:28 . 2008-10-20 11:28   244   --ah-----   C:\sqmnoopt02.sqm
2008-10-20 11:28 . 2008-10-20 11:28   232   --ah-----   C:\sqmdata02.sqm
2008-10-17 23:15 . 2008-10-17 23:15   <DIR>   d--------   C:\ConvertTemp
2008-10-17 23:14 . 2008-10-17 23:14   <DIR>   d--------   c:\documents and settings\Eigenaar\Application Data\Samsung
2008-10-17 23:09 . 2006-05-03 21:53   174,592   --a------   c:\windows\system32\framedyn.dll
2008-10-17 23:07 . 2006-07-24 15:05   5,632   --a------   c:\windows\system32\drivers\StarOpen.sys
2008-10-17 22:59 . 2008-10-17 22:59   <DIR>   d--------   c:\windows\system32\Samsung_USB_Drivers
2008-10-17 22:59 . 2008-10-17 23:07   <DIR>   d--------   c:\program files\Samsung
2008-10-17 22:59 . 2007-07-03 15:58   106,792   --a------   c:\windows\system32\drivers\sscdmdm.sys
2008-10-17 22:59 . 2007-07-03 15:54   80,552   --a------   c:\windows\system32\drivers\sscdbus.sys
2008-10-17 22:59 . 2007-07-03 15:57   11,944   --a------   c:\windows\system32\drivers\sscdmdfl.sys
2008-10-17 22:59 . 2007-07-03 16:00   9,256   --a------   c:\windows\system32\drivers\sscdwhnt.sys
2008-10-17 22:59 . 2007-07-03 16:00   9,256   --a------   c:\windows\system32\drivers\sscdwh.sys
2008-10-17 22:59 . 2007-07-03 15:56   9,256   --a------   c:\windows\system32\drivers\sscdcmnt.sys
2008-10-17 22:59 . 2007-07-03 15:56   9,256   --a------   c:\windows\system32\drivers\sscdcm.sys
2008-10-17 22:59 . 2005-08-28 19:51   766   --a------   c:\windows\system32\Uninstall.ico

.
(((((((((((((((((((((((((((((((((((((((   Find3M Rapport   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 20:28   ---------   d-----w   c:\documents and settings\Eigenaar\Application Data\uTorrent
2008-10-20 12:55   ---------   d-----w   c:\documents and settings\Eigenaar\Application Data\Winamp
2008-10-17 22:07   ---------   d--h--w   c:\program files\InstallShield Installation Information
.

(((((((((((((((((((((((((((((((((((((   Reg Opstartpunten   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-12 1234712]
"VTTimer"="VTTimer.exe" [2004-09-01 c:\windows\system32\VTTimer.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\system32\\winver.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-12 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-12 76040]
S2 msuswesd;Music Media Services;c:\windows\system32\msuswe.exe [2001-09-07 65536]
S2 solewxte;solewxte  Service;c:\windows\system32\solewxte.exe []
S4 hpt3xx;hpt3xx; []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 18:40:14
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Voltooingstijd: 2008-11-17 18:43:35 - machine werd herstart
ComboFix-quarantined-files.txt  2008-11-17 17:43:22

Pre-Run: 14.007.017.472 bytes beschikbaar
Post-Run: 14,040,657,920 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

151


and this is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:20, on 17-11-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Music Media Services (msuswesd) - Unknown owner - C:\WINDOWS\system32\msuswe.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: solewxte  Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe (file missing)
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 4473 bytes

Offline va-va
Re: Another agent 4e infection, help needed...
« Reply #3 on: November 17, 2008, 04:59:29 PM »
After this, I could also delete O23 - Service: solewxte  Service (solewxte) - Unknown owner - C:\WINDOWS\system32\solewxte.exe (file missing) with a self-made batch file.

Thanks for your help, everything is clean now :):):)