Win32.trojandownloader.agent.am Help!


17 replies to this topic

#1 jakob

    Newbie

  • Members
  • 8 posts

Posted 05 June 2007 - 10:02 AM

I did an Ad-Aware scan and it came up with this:
Ad-Aware SE Build 1.06r1
Logfile Created on:den 5 juni 2007 11:11:39
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R131 09-11-2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):7 total references
Win32.TrojanDownloader.Agent.am(TAC index:10):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2007-06-05 11:11:39 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\Dator\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\Dator\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-2217162126-2458292975-824216447-1006\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-2217162126-2458292975-824216447-1006\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 584
ThreadCreationTime : 2007-06-05 09:07:19
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 804
ThreadCreationTime : 2007-06-05 09:07:23
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 836
ThreadCreationTime : 2007-06-05 09:07:25
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 880
ThreadCreationTime : 2007-06-05 09:07:26
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Tjenester og controllerprogrammer
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 892
ThreadCreationTime : 2007-06-05 09:07:26
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1088
ThreadCreationTime : 2007-06-05 09:07:26
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1104
ThreadCreationTime : 2007-06-05 09:07:26
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1156
ThreadCreationTime : 2007-06-05 09:07:27
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1300
ThreadCreationTime : 2007-06-05 09:07:27
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1440
ThreadCreationTime : 2007-06-05 09:07:27
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1500
ThreadCreationTime : 2007-06-05 09:07:27
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1764
ThreadCreationTime : 2007-06-05 09:07:27
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [aluschedulersvc.exe]
FilePath : C:\Programmer\Symantec\LiveUpdate\
ProcessID : 1888
ThreadCreationTime : 2007-06-05 09:07:28
BasePriority : Normal
FileVersion : 3.0.0.171
ProductVersion : 3.0.0.171
ProductName : LiveUpdate
CompanyName : Symantec Corporation
FileDescription : Automatic LiveUpdate Scheduler Service
InternalName : Automatic LiveUpdate Scheduler Service
LegalCopyright : Copyright © 1996-2005 Symantec Corporation
OriginalFilename : ALUSchedulerSvc.exe

#:14 [ccproxy.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 172
ThreadCreationTime : 2007-06-05 09:07:28
BasePriority : Normal
FileVersion : 104.0.13.2
ProductVersion : 104.0.13.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 196
ThreadCreationTime : 2007-06-05 09:07:28
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Windows Stifinder
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : EXPLORER.EXE

#:16 [ccsetmgr.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 212
ThreadCreationTime : 2007-06-05 09:07:28
BasePriority : Normal
FileVersion : 104.0.14.2
ProductVersion : 104.0.14.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:17 [iaantmon.exe]
FilePath : C:\Programmer\Intel\Intel Application Accelerator\
ProcessID : 260
ThreadCreationTime : 2007-06-05 09:07:28
BasePriority : Normal
FileVersion : 4.5.0.6515
ProductVersion : 4.5.0.6515
ProductName : Intel IAANTmon
CompanyName : Intel Corporation
FileDescription : Intel Application Accelerator RAID Monitor
InternalName : IAANTmon
LegalCopyright : Copyright© Intel Corporation 2003-04
OriginalFilename : IAANTmon.exe

#:18 [mdm.exe]
FilePath : C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\
ProcessID : 304
ThreadCreationTime : 2007-06-05 09:07:29
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:19 [navapsvc.exe]
FilePath : C:\Programmer\Norton Internet Security\Norton AntiVirus\
ProcessID : 408
ThreadCreationTime : 2007-06-05 09:07:29
BasePriority : Normal
FileVersion : 12.7.0.2
ProductVersion : 12.7.0
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2006 for Windows 2000/XP Copyright © 2005 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:20 [sndsrvc.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 616
ThreadCreationTime : 2007-06-05 09:07:29
BasePriority : Normal
FileVersion : 6.0.6.604
ProductVersion : 6.0
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002 - 2007 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:21 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 780
ThreadCreationTime : 2007-06-05 09:07:29
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:22 [symlcsvc.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\
ProcessID : 1116
ThreadCreationTime : 2007-06-05 09:07:30
BasePriority : Normal
FileVersion : 1.9.1.762
ProductVersion : 1.9.1.762
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:23 [ccevtmgr.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 528
ThreadCreationTime : 2007-06-05 09:07:32
BasePriority : Normal
FileVersion : 104.0.14.2
ProductVersion : 104.0.14.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:24 [jusched.exe]
FilePath : C:\Programmer\Java\jre1.6.0_01\bin\
ProcessID : 1368
ThreadCreationTime : 2007-06-05 09:07:32
BasePriority : Normal


#:25 [smax4pnp.exe]
FilePath : C:\Programmer\Analog Devices\SoundMAX\
ProcessID : 1400
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 5, 0, 2, 0
ProductVersion : 5, 0, 2, 0
ProductName : SMax4PNP Application
CompanyName : Analog Devices, Inc.
FileDescription : SMax4PNP MFC Application
InternalName : SMax4PNP
LegalCopyright : Copyright © 2002-2004 Analog Devices
OriginalFilename : SMax4PNP.EXE

#:26 [iaanotif.exe]
FilePath : C:\Programmer\Intel\Intel Application Accelerator\
ProcessID : 1408
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 4.5.0.6515
ProductVersion : 4.5.0.6515
ProductName : IAA RAID Event Monitor
CompanyName : Intel Corporation
FileDescription : IAA Event Monitor User Notification Tool
InternalName : IAAnotif
LegalCopyright : Copyright© Intel Corporation 2003-04
OriginalFilename : IAAnotif.exe

#:27 [pcmservice.exe]
FilePath : C:\Programmer\Dell\Media Experience\
ProcessID : 1420
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 1.0.1611
ProductVersion : 1.0.1611
ProductName : PCM2Launcher Application
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
LegalCopyright : Copyright c 2003 CyberLink Corp.
OriginalFilename : PCM2Launcher.EXE

#:28 [dvdlauncher.exe]
FilePath : C:\Programmer\r\CyberLink\PowerDVD\
ProcessID : 1596
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 3.00.0000
ProductVersion : 3.00.0000
ProductName : Cyberlink PowerCinema 3.0
CompanyName : CyberLink Corp.
FileDescription : CyberLink PowerCinema Resident Program
InternalName : CyberLink PowerCinema Resident Program
LegalCopyright : Copyright © 2003 CyberLink Corp.
OriginalFilename : DVDLauncher.EXE

#:29 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ProcessID : 1740
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 1.04.08a
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
LegalCopyright : Copyright © 2004 Sonic Solutions

#:30 [sgtray.exe]
FilePath : C:\Programmer\Fælles filer\Sonic\Update Manager\
ProcessID : 1820
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 1.01.33b
CompanyName : Sonic Solutions
FileDescription : Sonic Update Manager
LegalCopyright : Copyright © 2002 Sonic Solutions

#:31 [dlbtbmgr.exe]
FilePath : C:\Programmer\Dell Photo AIO Printer 922\
ProcessID : 1832
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 1.0.5.0
ProductVersion : 1.0.5.0
ProductName : Button Manager Executable
FileDescription : Dell Dell 922 Button Manager
InternalName : dlbtbmgr.exe
OriginalFilename : dlbtbmgr.exe

#:32 [ssaad.exe]
FilePath : C:\PROGRA~1\Sony\SONICS~1\
ProcessID : 1972
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 3.0.00.13241
FileDescription : SonicStage Atrac Hard Disk Monitor
InternalName : SonicStage Atrac Hard Disk Monitor
LegalCopyright : Copyright 2005 Sony Corporation

#:33 [dlbtbmon.exe]
FilePath : C:\Programmer\Dell Photo AIO Printer 922\
ProcessID : 2012
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 1.0.5.0
ProductVersion : 1.0.5.0
ProductName : Button Monitor Executable
FileDescription : Dell Dell 922 Button Monitor
InternalName : dlbtbmon.exe
OriginalFilename : dlbtbmon.exe

#:34 [ccapp.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 2028
ThreadCreationTime : 2007-06-05 09:07:33
BasePriority : Normal
FileVersion : 104.0.14.2
ProductVersion : 104.0.14.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:35 [panel.exe]
FilePath : C:\Programmer\Trust\GM-4200 Gamer Mouse Optical\
ProcessID : 2052
ThreadCreationTime : 2007-06-05 09:07:34
BasePriority : Normal


#:36 [ituneshelper.exe]
FilePath : C:\Programmer\iTunes\
ProcessID : 2116
ThreadCreationTime : 2007-06-05 09:07:34
BasePriority : Normal
FileVersion : 7.1.0.59
ProductVersion : 7.1.0.59
ProductName : iTunes
CompanyName : Apple Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2007 Apple Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:37 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2136
ThreadCreationTime : 2007-06-05 09:07:34
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:38 [msnmsgr.exe]
FilePath : C:\Programmer\MSN Messenger\
ProcessID : 2200
ThreadCreationTime : 2007-06-05 09:07:34
BasePriority : Normal
FileVersion : 8.1.0178.00
ProductVersion : 8.1.0178
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe

#:39 [googletoolbarnotifier.exe]
FilePath : C:\Programmer\Google\GoogleToolbarNotifier\1.2.1128.5462\
ProcessID : 2228
ThreadCreationTime : 2007-06-05 09:07:34
BasePriority : Normal
FileVersion : 1, 2, 1128, 5462
ProductVersion : 1, 2, 1128, 5462
ProductName : GoogleToolbarNotifier
CompanyName : Google Inc.
FileDescription : GoogleToolbarNotifier
LegalCopyright : Copyright © 2005-2006
OriginalFilename : GoogleToolbarNotifier.exe

#:40 [dna.exe]
FilePath : C:\Programmer\BitTorrent_DNA\
ProcessID : 2272
ThreadCreationTime : 2007-06-05 09:07:34
BasePriority : Normal


#:41 [wlan111t.exe]
FilePath : C:\Programmer\NETGEAR\WG111T Configuration Utility\
ProcessID : 2556
ThreadCreationTime : 2007-06-05 09:07:35
BasePriority : Normal


#:42 [ssscsisv.exe]
FilePath : C:\Programmer\Fælles filer\Sony Shared\AVLib\
ProcessID : 2044
ThreadCreationTime : 2007-06-05 09:07:45
BasePriority : Normal
FileVersion : 3.0.00.13241
ProductVersion : 3.0.00
ProductName : SonicStage
CompanyName : Sony Corporation
FileDescription : SonicStage Scsi I/F Server
InternalName : SSScsiSV
LegalCopyright : Copyright 2005 Sony Corporation
OriginalFilename : SSScsiSV.EXE

#:43 [ipodservice.exe]
FilePath : C:\Programmer\iPod\bin\
ProcessID : 2672
ThreadCreationTime : 2007-06-05 09:07:53
BasePriority : Normal
FileVersion : 7.1.0.59
ProductVersion : 7.1.0.59
ProductName : iTunes
CompanyName : Apple Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2007 Apple Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:44 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2948
ThreadCreationTime : 2007-06-05 09:07:53
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:45 [usnsvc.exe]
FilePath : C:\Programmer\MSN Messenger\
ProcessID : 3512
ThreadCreationTime : 2007-06-05 09:08:10
BasePriority : Normal
FileVersion : 8.1.0178.00
ProductVersion : 8.1.0178
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger Sharing USN Journal Reader Service
InternalName : usnsvc.exe
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : usnsvc.exe

#:46 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 384
ThreadCreationTime : 2007-06-05 09:08:16
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Automatiske opdateringer
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : wuauclt.exe

#:47 [nscsrvce.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\Security Console\
ProcessID : 2968
ThreadCreationTime : 2007-06-05 09:08:22
BasePriority : Normal
FileVersion : 2006.1.8.2
ProductVersion : 2006.1.8
ProductName : Norton Security Console
CompanyName : Symantec Corporation
FileDescription : Norton Security Console Norton Protection Center Service
InternalName : NSCService
LegalCopyright : Norton Security Console 2006 for Windows 2000/XP Copyright © 2005 Symantec Corporation. All rights reserved.
OriginalFilename : NSCSrvce.exe

#:48 [iexplore.exe]
FilePath : C:\Programmer\Internet Explorer\
ProcessID : 248
ThreadCreationTime : 2007-06-05 09:09:29
BasePriority : Normal
FileVersion : 7.00.6000.16441 (vista_gdr.070219-1500)
ProductVersion : 7.00.6000.16441
ProductName : Windows® Internet Explorer
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:49 [ad-aware.exe]
FilePath : C:\Programmer\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2648
ThreadCreationTime : 2007-06-05 09:11:31
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 7


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.TrojanDownloader.Agent.am Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\active setup\installed components\{9b71d88c-c598-4935-c5d1-43aa4db90836}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 8


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
<STOP>
11:11:59 Scan stopped by user

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:00:19.657
Objects scanned:69613
Objects identified:1
Objects ignored:0
New critical objects:1

I barely know anything about getting rid of viruses :rolleyes: but when I used Ad-Aware the virus did not go away :S.
I've done several scans but none of them seem to be helping. The virus is located in regedit and I do not wish to go in there deleting all sorts of files... Here is what HijackThis v1.99.1 came up with...
Logfile of HijackThis v1.99.1
Scan saved at 11:36:34, on 2007-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Intel\Intel Application Accelerator\iaantmon.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe
C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programmer\Intel\Intel Application Accelerator\iaanotif.exe
C:\Programmer\Dell\Media Experience\PCMService.exe
C:\Programmer\r\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmer\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Programmer\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\Programmer\Trust\GM-4200 Gamer Mouse Optical\Panel.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Programmer\BitTorrent_DNA\dna.exe
C:\Programmer\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Programmer\Fælles filer\Sony Shared\AVLib\SSScsiSV.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\DOCUME~1\Dator\LOKALE~1\Temp\Rar$EX00.735\HijackThis.exe
C:\Programmer\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programmer\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmer\Fælles filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programmer\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar5.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmer\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmer\Fælles filer\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programmer\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar5.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Programmer\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programmer\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Programmer\r\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Programmer\Fælles filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Programmer\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [BearShare] "C:\Programmer\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmer\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Trust Gaming mouse] "C:\Programmer\Trust\GM-4200 Gamer Mouse Optical\Panel.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Programmer\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [swg] C:\Programmer\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Programmer\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [DNA] "C:\Programmer\BitTorrent_DNA\dna.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: Personal.lnk = C:\Programmer\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload464a.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.dans...B/e-Safekey.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Programmer\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Symantec Corporation - C:\Programmer\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Programmer\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programmer\Norton Internet Security\comHost.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmer\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Programmer\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Programmer\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programmer\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\Security Center\SymWSC.exe

PLZ PLZ PLZ HELP ME! :) I'm in dire need of help.

#2 Oldfrog
Advanced Member, Volunteer Security Advisor, 121 posts
Posted 06 June 2007 - 01:29 AM

Hi, jakob. Open Notepad and copy/paste the code in the box below into the open file. Save the file to your desktop as regcs.bat. Double click on the regcs.bat icon. A notepad window will open with the results. Copy/paste the contents of that window into a reply.
regedit /e regcs.txt "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9b71d88c-c598-4935-c5d1-43aa4db90836}"
start notepad.exe regcs.txt
exit

MS MVP Windows Security 2006-2008

#3 jakob
Newbie, Members, 8 posts
Posted 08 June 2007 - 03:08 PM

I did what you asked for and here is what came up...

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9b71d88c-c598-4935-c5d1-43aa4db90836}]
"stubpath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,\
5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,75,00,70,00,64,\
00,6d,00,67,00,72,00,2e,00,65,00,78,00,65,00,20,00,73,00,00,00

#4 Oldfrog
Advanced Member, Volunteer Security Advisor, 121 posts
Posted 08 June 2007 - 04:02 PM

Nicely done. Now, please check to see if the following file is on your system: C:\WINDOWS\system32\updmgr.exe

If so, navigate to it, right click on it, and select Properties. Under the file properties select the Version tab and report the data shown for File version, Description, and Copyright.

I had expected to see additional data under that key. The fact that it is missing makes me wonder if this is a leftover from a prior removal. I don't like the fact that the stub path was obfuscated, however, so I want to proceed cautiously before advising any further removal.
MS MVP Windows Security 2006-2008

#5 jakob
Newbie, Members, 8 posts
Posted 08 June 2007 - 04:20 PM

I can't seem to find the right folder, sorry if I'm no good at this :unsure:. I attached a print screen so you can see the different folders...
[attached image: screenshot.gif]

Edited by LS CalamityJane, 19 June 2007 - 05:43 PM.
resized screenshot as a gif rather than a bmp


#6 Oldfrog
Advanced Member, Volunteer Security Advisor, 121 posts
Posted 08 June 2007 - 04:47 PM

Sorry, I should have told you to unhide the hidden files and folders first.

From your Desktop, right click on My Computer and select Explore.

In the command section at the very top click on Tools | Folder Options.

In the Folder Options dialog box select the View tab. Under Advanced settings scroll down to Hidden files and folders and select the radio button for Show hidden files and folders. Then click OK to close the box.

You should now be able to see both the Windows folder and the System32 folder within it.

The file that I asked you about may or may not exist. If it doesn't, just report that.
MS MVP Windows Security 2006-2008

#7 jakob
Newbie, Members, 8 posts
Posted 09 June 2007 - 11:19 AM

File version: 5.4.2600.0 (XPClient.010817-1148)
Copyright: © Microsoft Corporation. All rights reserved (Alle rettigheder forbeholdes)
Description: Windows Update management for NT (Styring af Windows Update til NT)
I'm sorry that it's in Danish; if you need help translating, just tell me... ^^

#8 Oldfrog
Advanced Member, Volunteer Security Advisor, 121 posts
Posted 09 June 2007 - 03:03 PM

Good job, jakob. I want to show this to someone else and will be back after I have talked with them.
MS MVP Windows Security 2006-2008

#9 Oldfrog
Advanced Member, Volunteer Security Advisor, 121 posts
Posted 09 June 2007 - 04:17 PM

The file properties indicate that updmgr.exe is a Microsoft file, but I am not convinced. There are a couple of places where we can submit individual files for online analysis. I would like for you to submit it to either or both of the following:
  • Jotti
  • VirusTotal
Please post back with the results of the scan(s).

Also, use regedit to see if the following registry subkeys exist. Don't delete them, just see if they are there.
  • HKEY_CURRENT_USER\Software\Wget
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wget
I would also like to see if that file is executing from any other registry key when you start your system. Open Notepad and copy/paste the code in the box below into the open file. Save the file to your desktop as regcs1.bat. Double click on the regcs1.bat icon. A notepad window will open with the results. Copy/paste the contents of that window into your reply.
regedit /e regcs1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
start notepad.exe regcs1.txt
exit
So, in your reply please include the results of the file scan, whether or not the two registry keys exist, and the registry key export from the code above.
MS MVP Windows Security 2006-2008

#10 jakob
Newbie, Members, 8 posts
Posted 10 June 2007 - 01:51 PM

When I try to attach the file to an email, a message comes up saying: "The file that you want to attach contains a virus that cannot be cleaned. The file cannot be attached to your message."

Neither of the two files exists.

And this is what came up in WordPad...

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Programmer\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"SoundMAXPnP"="C:\\Programmer\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"IAAnotif"="C:\\Programmer\\Intel\\Intel Application Accelerator\\iaanotif.exe"
"PCMService"="\"C:\\Programmer\\Dell\\Media Experience\\PCMService.exe\""
"ATIPTA"="C:\\Programmer\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"DVDLauncher"="\"C:\\Programmer\\r\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Programmer\\Fælles filer\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Dell Photo AIO Printer 922"="\"C:\\Programmer\\Dell Photo AIO Printer 922\\dlbtbmgr.exe\""
"DAEMON Tools-1033"="\"C:\\Programmer\\D-Tools\\daemon.exe\" -lang 1033"
"BearShare"="\"C:\\Programmer\\BearShare\\BearShare.exe\" /pause"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"ccApp"="\"C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe\""
"URLLSTCK.exe"="C:\\Programmer\\Norton Internet Security\\UrlLstCk.exe"
"Trust Gaming mouse"="\"C:\\Programmer\\Trust\\GM-4200 Gamer Mouse Optical\\Panel.exe\""
"QuickTime Task"="\"C:\\Programmer\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Programmer\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

#11 Oldfrog
Advanced Member, Volunteer Security Advisor, 121 posts
Posted 10 June 2007 - 03:19 PM

Thanks very much for your patience, jakob. We are getting close to being done.

Please go to http://upload.lavaso...submit_file.php and follow the instructions for submitting the updmgr.exe file to Lavasoft research. In the explanation box please copy the text from the code below.
Requested by Oldfrog for Calamity Jane:
From http://www.lavasoftsupport.com/index.php?showtopic=9411
I noticed that you had stopped the Ad-Aware scan that you copied into your first post here. After you have submitted the file to Lavasoft Research please run a full Ad-Aware scan and paste the log file into your next reply.
MS MVP Windows Security 2006-2008

#12 jakob
Newbie, Members, 8 posts
Posted 11 June 2007 - 11:55 AM

Ad-Aware SE Build 1.06r1
Logfile Created on:den 11 juni 2007 12:36:35
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R131 09-11-2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Win32.TrojanDownloader.Agent.am(TAC index:10):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2007-06-11 12:36:35 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 592
ThreadCreationTime : 2007-06-11 08:24:21
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 812
ThreadCreationTime : 2007-06-11 08:24:25
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 844
ThreadCreationTime : 2007-06-11 08:24:27
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 888
ThreadCreationTime : 2007-06-11 08:24:27
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Tjenester og controllerprogrammer
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 900
ThreadCreationTime : 2007-06-11 08:24:27
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1096
ThreadCreationTime : 2007-06-11 08:24:28
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1112
ThreadCreationTime : 2007-06-11 08:24:28
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1164
ThreadCreationTime : 2007-06-11 08:24:28
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1308
ThreadCreationTime : 2007-06-11 08:24:28
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1440
ThreadCreationTime : 2007-06-11 08:24:28
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1508
ThreadCreationTime : 2007-06-11 08:24:28
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1764
ThreadCreationTime : 2007-06-11 08:24:29
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:13 [aluschedulersvc.exe]
FilePath : C:\Programmer\Symantec\LiveUpdate\
ProcessID : 1900
ThreadCreationTime : 2007-06-11 08:24:29
BasePriority : Normal
FileVersion : 3.0.0.171
ProductVersion : 3.0.0.171
ProductName : LiveUpdate
CompanyName : Symantec Corporation
FileDescription : Automatic LiveUpdate Scheduler Service
InternalName : Automatic LiveUpdate Scheduler Service
LegalCopyright : Copyright © 1996-2005 Symantec Corporation
OriginalFilename : ALUSchedulerSvc.exe

#:14 [ccproxy.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 176
ThreadCreationTime : 2007-06-11 08:24:30
BasePriority : Normal
FileVersion : 104.0.13.2
ProductVersion : 104.0.13.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Network Proxy Service
InternalName : ccProxy
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccProxy.exe

#:15 [ccsetmgr.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 212
ThreadCreationTime : 2007-06-11 08:24:30
BasePriority : Normal
FileVersion : 104.0.14.2
ProductVersion : 104.0.14.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Settings Manager Service
InternalName : ccSetMgr
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccSetMgr.exe

#:16 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 228
ThreadCreationTime : 2007-06-11 08:24:30
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operativsystem
CompanyName : Microsoft Corporation
FileDescription : Windows Stifinder
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle rettigheder forbeholdes.
OriginalFilename : EXPLORER.EXE

#:17 [iaantmon.exe]
FilePath : C:\Programmer\Intel\Intel Application Accelerator\
ProcessID : 324
ThreadCreationTime : 2007-06-11 08:24:30
BasePriority : Normal
FileVersion : 4.5.0.6515
ProductVersion : 4.5.0.6515
ProductName : Intel IAANTmon
CompanyName : Intel Corporation
FileDescription : Intel Application Accelerator RAID Monitor
InternalName : IAANTmon
LegalCopyright : Copyright© Intel Corporation 2003-04
OriginalFilename : IAANTmon.exe

#:18 [mdm.exe]
FilePath : C:\Programmer\Fælles filer\Microsoft Shared\VS7Debug\
ProcessID : 340
ThreadCreationTime : 2007-06-11 08:24:30
BasePriority : Normal
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
ProductName : Microsoft Development Environment
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
LegalCopyright : Copyright © Microsoft Corp. 1997-2000
OriginalFilename : mdm.exe

#:19 [navapsvc.exe]
FilePath : C:\Programmer\Norton Internet Security\Norton AntiVirus\
ProcessID : 416
ThreadCreationTime : 2007-06-11 08:24:30
BasePriority : Normal
FileVersion : 12.7.0.2
ProductVersion : 12.7.0
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Norton AntiVirus 2006 for Windows 2000/XP Copyright © 2005 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE

#:20 [sndsrvc.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 576
ThreadCreationTime : 2007-06-11 08:24:30
BasePriority : Normal
FileVersion : 6.0.6.604
ProductVersion : 6.0
ProductName : Symantec Security Drivers
CompanyName : Symantec Corporation
FileDescription : Network Driver Service
InternalName : SndSrvc
LegalCopyright : Copyright 2002 - 2007 Symantec Corporation
OriginalFilename : SndSrvc.exe

#:21 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 736
ThreadCreationTime : 2007-06-11 08:24:31
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:22 [symlcsvc.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\
ProcessID : 776
ThreadCreationTime : 2007-06-11 08:24:31
BasePriority : Normal
FileVersion : 1.9.1.762
ProductVersion : 1.9.1.762
ProductName : Symantec Core Component
CompanyName : Symantec Corporation
FileDescription : Symantec Core Component
InternalName : symlcsvc
LegalCopyright : Copyright © 2003
OriginalFilename : symlcsvc.exe

#:23 [jusched.exe]
FilePath : C:\Programmer\Java\jre1.6.0_01\bin\
ProcessID : 1552
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal


#:24 [smax4pnp.exe]
FilePath : C:\Programmer\Analog Devices\SoundMAX\
ProcessID : 1572
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal
FileVersion : 5, 0, 2, 0
ProductVersion : 5, 0, 2, 0
ProductName : SMax4PNP Application
CompanyName : Analog Devices, Inc.
FileDescription : SMax4PNP MFC Application
InternalName : SMax4PNP
LegalCopyright : Copyright © 2002-2004 Analog Devices
OriginalFilename : SMax4PNP.EXE

#:25 [iaanotif.exe]
FilePath : C:\Programmer\Intel\Intel Application Accelerator\
ProcessID : 1596
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal
FileVersion : 4.5.0.6515
ProductVersion : 4.5.0.6515
ProductName : IAA RAID Event Monitor
CompanyName : Intel Corporation
FileDescription : IAA Event Monitor User Notification Tool
InternalName : IAAnotif
LegalCopyright : Copyright© Intel Corporation 2003-04
OriginalFilename : IAAnotif.exe

#:26 [pcmservice.exe]
FilePath : C:\Programmer\Dell\Media Experience\
ProcessID : 1784
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal
FileVersion : 1.0.1611
ProductVersion : 1.0.1611
ProductName : PCM2Launcher Application
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
LegalCopyright : Copyright c 2003 CyberLink Corp.
OriginalFilename : PCM2Launcher.EXE

#:27 [dvdlauncher.exe]
FilePath : C:\Programmer\r\CyberLink\PowerDVD\
ProcessID : 788
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal
FileVersion : 3.00.0000
ProductVersion : 3.00.0000
ProductName : Cyberlink PowerCinema 3.0
CompanyName : CyberLink Corp.
FileDescription : CyberLink PowerCinema Resident Program
InternalName : CyberLink PowerCinema Resident Program
LegalCopyright : Copyright © 2003 CyberLink Corp.
OriginalFilename : DVDLauncher.EXE

#:28 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ProcessID : 1016
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal
FileVersion : 1.04.08a
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
LegalCopyright : Copyright © 2004 Sonic Solutions

#:29 [dlbtbmgr.exe]
FilePath : C:\Programmer\Dell Photo AIO Printer 922\
ProcessID : 2028
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal
FileVersion : 1.0.5.0
ProductVersion : 1.0.5.0
ProductName : Button Manager Executable
FileDescription : Dell Dell 922 Button Manager
InternalName : dlbtbmgr.exe
OriginalFilename : dlbtbmgr.exe

#:30 [ssaad.exe]
FilePath : C:\PROGRA~1\Sony\SONICS~1\
ProcessID : 2068
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal
FileVersion : 3.0.00.13241
FileDescription : SonicStage Atrac Hard Disk Monitor
InternalName : SonicStage Atrac Hard Disk Monitor
LegalCopyright : Copyright 2005 Sony Corporation

#:31 [ccapp.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 2076
ThreadCreationTime : 2007-06-11 08:24:34
BasePriority : Normal
FileVersion : 104.0.14.2
ProductVersion : 104.0.14.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec User Session
InternalName : ccApp
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccApp.exe

#:32 [dlbtbmon.exe]
FilePath : C:\Programmer\Dell Photo AIO Printer 922\
ProcessID : 2088
ThreadCreationTime : 2007-06-11 08:24:35
BasePriority : Normal
FileVersion : 1.0.5.0
ProductVersion : 1.0.5.0
ProductName : Button Monitor Executable
FileDescription : Dell Dell 922 Button Monitor
InternalName : dlbtbmon.exe
OriginalFilename : dlbtbmon.exe

#:33 [panel.exe]
FilePath : C:\Programmer\Trust\GM-4200 Gamer Mouse Optical\
ProcessID : 2112
ThreadCreationTime : 2007-06-11 08:24:35
BasePriority : Normal


#:34 [ituneshelper.exe]
FilePath : C:\Programmer\iTunes\
ProcessID : 2148
ThreadCreationTime : 2007-06-11 08:24:35
BasePriority : Normal
FileVersion : 7.1.0.59
ProductVersion : 7.1.0.59
ProductName : iTunes
CompanyName : Apple Inc.
FileDescription : iTunesHelper Module
InternalName : iTunesHelper
LegalCopyright : © 2003-2007 Apple Inc. All Rights Reserved.
OriginalFilename : iTunesHelper.exe

#:35 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2188
ThreadCreationTime : 2007-06-11 08:24:35
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:36 [msnmsgr.exe]
FilePath : C:\Programmer\MSN Messenger\
ProcessID : 2236
ThreadCreationTime : 2007-06-11 08:24:35
BasePriority : Normal
FileVersion : 8.1.0178.00
ProductVersion : 8.1.0178
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe

#:37 [googletoolbarnotifier.exe]
FilePath : C:\Programmer\Google\GoogleToolbarNotifier\1.2.1128.5462\
ProcessID : 2348
ThreadCreationTime : 2007-06-11 08:24:35
BasePriority : Normal
FileVersion : 1, 2, 1128, 5462
ProductVersion : 1, 2, 1128, 5462
ProductName : GoogleToolbarNotifier
CompanyName : Google Inc.
FileDescription : GoogleToolbarNotifier
LegalCopyright : Copyright © 2005-2006
OriginalFilename : GoogleToolbarNotifier.exe

#:38 [dna.exe]
FilePath : C:\Programmer\BitTorrent_DNA\
ProcessID : 2356
ThreadCreationTime : 2007-06-11 08:24:35
BasePriority : Normal


#:39 [wlan111t.exe]
FilePath : C:\Programmer\NETGEAR\WG111T Configuration Utility\
ProcessID : 2532
ThreadCreationTime : 2007-06-11 08:24:36
BasePriority : Normal


#:40 [ccevtmgr.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\
ProcessID : 3404
ThreadCreationTime : 2007-06-11 08:24:43
BasePriority : Normal
FileVersion : 104.0.14.2
ProductVersion : 104.0.14.2
ProductName : Client and Host Security Platform
CompanyName : Symantec Corporation
FileDescription : Symantec Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright © 2000-2005 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe

#:41 [ssscsisv.exe]
FilePath : C:\Programmer\Fælles filer\Sony Shared\AVLib\
ProcessID : 3736
ThreadCreationTime : 2007-06-11 08:24:45
BasePriority : Normal
FileVersion : 3.0.00.13241
ProductVersion : 3.0.00
ProductName : SonicStage
CompanyName : Sony Corporation
FileDescription : SonicStage Scsi I/F Server
InternalName : SSScsiSV
LegalCopyright : Copyright 2005 Sony Corporation
OriginalFilename : SSScsiSV.EXE

#:42 [ipodservice.exe]
FilePath : C:\Programmer\iPod\bin\
ProcessID : 3904
ThreadCreationTime : 2007-06-11 08:24:45
BasePriority : Normal
FileVersion : 7.1.0.59
ProductVersion : 7.1.0.59
ProductName : iTunes
CompanyName : Apple Inc.
FileDescription : iPodService Module
InternalName : iPodService
LegalCopyright : © 2003-2007 Apple Inc. All Rights Reserved.
OriginalFilename : iPodService.exe

#:43 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2604
ThreadCreationTime : 2007-06-11 08:24:52
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:44 [nscsrvce.exe]
FilePath : C:\Programmer\Fælles filer\Symantec Shared\Security Console\
ProcessID : 2404
ThreadCreationTime : 2007-06-11 08:25:31
BasePriority : Normal
FileVersion : 2006.1.8.2
ProductVersion : 2006.1.8
ProductName : Norton Security Console
CompanyName : Symantec Corporation
FileDescription : Norton Security Console Norton Protection Center Service
InternalName : NSCService
LegalCopyright : Norton Security Console 2006 for Windows 2000/XP Copyright © 2005 Symantec Corporation. All rights reserved.
OriginalFilename : NSCSrvce.exe

#:45 [usnsvc.exe]
FilePath : C:\Programmer\MSN Messenger\
ProcessID : 3616
ThreadCreationTime : 2007-06-11 08:25:40
BasePriority : Normal
FileVersion : 8.1.0178.00
ProductVersion : 8.1.0178
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger Sharing USN Journal Reader Service
InternalName : usnsvc.exe
LegalCopyright : Copyright © Microsoft Corporation. All rights reserved.
OriginalFilename : usnsvc.exe

#:46 [iexplore.exe]
FilePath : C:\Programmer\Internet Explorer\
ProcessID : 468
ThreadCreationTime : 2007-06-11 10:21:08
BasePriority : Normal
FileVersion : 7.00.6000.16441 (vista_gdr.070219-1500)
ProductVersion : 7.00.6000.16441
ProductName : Windows® Internet Explorer
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:47 [ad-aware.exe]
FilePath : C:\Programmer\Lavasoft\Ad-Aware SE Personal\
ProcessID : 748
ThreadCreationTime : 2007-06-11 10:25:16
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:48 [msmsgs.exe]
FilePath : C:\Programmer\Messenger\
ProcessID : 3592
ThreadCreationTime : 2007-06-11 10:34:57
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.TrojanDownloader.Agent.am Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\active setup\installed components\{9b71d88c-c598-4935-c5d1-43aa4db90836}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 1




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

12:56:37 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:20:01.907
Objects scanned:261657
Objects identified:1
Objects ignored:0
New critical objects:1
:D
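The log above follows a regular shape: each hit is an "… Object Recognized!" header followed by "Key : Value" lines, and the run ends with a "Summary Of This Scan" block. As an added example (not code from this thread or from Lavasoft), here is a Python parser that pulls those findings and the summary out of an Ad-Aware SE log, reconstructs the full registry path of any Regkey hit, and checks that the declared "New critical objects" count agrees with what was parsed. The sample log is a trimmed copy of jakob's posted lines; treating "carries a TAC Rating" as "counted as critical" is an assumption taken from how this log counts (the MRU-list hits have no rating and are not counted).

```python
"""Parse an Ad-Aware SE Personal scan log into structured findings (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RECOGNIZED = " Object Recognized!"
SUMMARY_HEADER = "Summary Of This Scan"

# Constructed sample: a trimmed copy of the log shape posted in the thread
# (raw string because the values contain Windows backslashes).
SAMPLE_LOG = r"""
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.TrojanDownloader.Agent.am Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\active setup\installed components\{9b71d88c-c598-4935-c5d1-43aa4db90836}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1

MRU List Object Recognized!
Location: : C:\Documents and Settings\Dator\recent
Description : list of recently opened documents

12:56:37 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:20:01.907
Objects scanned:261657
Objects identified:1
Objects ignored:0
New critical objects:1
"""


@dataclass
class Finding:
    name: str                                   # e.g. "Win32.TrojanDownloader.Agent.am" or "MRU List"
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def tac_rating(self) -> Optional[int]:
        value = self.fields.get("tac rating")
        return int(value) if value and value.isdigit() else None

    @property
    def registry_key(self) -> Optional[str]:
        """Full path of a Regkey hit, rebuilt from the Rootkey and Object lines."""
        if self.fields.get("type", "").lower() != "regkey":
            return None
        return f"{self.fields.get('rootkey', '')}\\{self.fields.get('object', '')}"


def _split_field(line: str) -> Optional[Tuple[str, str]]:
    """Split 'Key : Value'; handles 'Location: : C:\\...' and empty 'Data :' lines."""
    if " : " in line:
        key, value = line.split(" : ", 1)
    elif line.endswith(" :"):
        key, value = line[:-2], ""
    else:
        return None
    return key.rstrip(":").strip().lower(), value.strip()


def parse_log(text: str) -> Tuple[List[Finding], Dict[str, str]]:
    findings: List[Finding] = []
    summary: Dict[str, str] = {}
    current: Optional[Finding] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # a blank line closes the current finding block
            continue
        if line == SUMMARY_HEADER:
            in_summary, current = True, None
            continue
        if in_summary:                          # summary lines have no space around the colon
            m = re.match(r"^([A-Za-z ]+?)\s*:\s*(.+)$", line)
            if m:
                summary[m.group(1).strip().lower()] = m.group(2).strip()
            continue
        if line.endswith(RECOGNIZED):
            current = Finding(name=line[: -len(RECOGNIZED)])
            findings.append(current)
            continue
        if current is not None:
            kv = _split_field(line)
            if kv:
                current.fields[kv[0]] = kv[1]
    return findings, summary


def critical_findings(findings: List[Finding]) -> List[Finding]:
    """Assumption: only objects Ad-Aware counts as critical carry a TAC Rating line."""
    return [f for f in findings if f.tac_rating is not None]


def registry_keys(findings: List[Finding]) -> List[str]:
    return [f.registry_key for f in findings if f.registry_key]


def summary_consistent(findings: List[Finding], summary: Dict[str, str]) -> bool:
    """True when the log's declared 'New critical objects' matches what we parsed."""
    declared = summary.get("new critical objects", "")
    return declared.isdigit() and int(declared) == len(critical_findings(findings))


if __name__ == "__main__":
    found, summ = parse_log(SAMPLE_LOG)
    for f in critical_findings(found):
        print(f"{f.name} (TAC {f.tac_rating}): {f.registry_key or f.fields}")
    print("summary consistent:", summary_consistent(found, summ))
```

The consistency check is the useful part when triaging a log someone else pasted: if the declared count and the parsed TAC-rated hits disagree, the paste is truncated or edited and should not be trusted as-is.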

#13 Oldfrog (Advanced Member, Volunteer Security Advisor, 121 posts)

Posted 11 June 2007 - 03:32 PM

Thanks, jakob. I wanted to see if Ad-Aware would detect the file in addition to the registry key. It did not, so it is good that you submitted it to the research group.

I would like to get a copy myself, so please do the following:
  • Go to http://www.castlecop...e...wtopic&f=81
  • For Username use jakob
  • For Subject use updmgr.exe
  • In the message box put Requested by Oldfrog
  • Scroll down to Add an Attachment and click on Choose to browse to updmgr.exe
  • Leave the comment field blank and click on Add Attachment
  • Fill in the Image verification box and click Submit
We are now ready to remove this threat. We will let Ad-Aware deal with the registry key but will have to deal with the file ourselves.

Make the file safe:
  • Find updmgr.exe
  • Right click on the file and click on Rename
  • Rename the file as updmgr.bak. This changes it so that it will not execute.
Remove the Registry Key: The safest way to do this is to run an Ad-Aware scan and quarantine the threat. This effectively removes the key but saves it in the quarantine area in case it needs to be restored.

We also need to ensure that this registry key will not return if you restore your computer to an earlier time. To do this in Windows XP perform the following:
  • Right click My Computer.
  • Click Properties.
  • On the System Restore tab, check Turn off System Restore.
  • Click Apply
  • Click Yes in the pop up warning. (This removes all prior restore points)
  • Uncheck Turn off System Restore
  • Click Apply (This turns system restore back on and creates a restore point)
  • Click OK to close the System Properties dialog box
After all of this, restart your computer and run another Ad-Aware scan. This scan should be clean.

Let me know if you have any problems with any of this.
MS MVP Windows Security 2006-2008

#14 jakob (Newbie, Members, 8 posts)

Posted 11 June 2007 - 05:37 PM

THANK YOU!!!
I just want to thank you for fixing my problem. The virus is gone and it's all because of you :unsure:

#15 Oldfrog (Advanced Member, Volunteer Security Advisor, 121 posts)

Posted 11 June 2007 - 05:46 PM

I am happy that I was able to help you, jakob. Thanks are also due to Lavasoft for making these forums available and for creating the application that found the problem to begin with.

#16 jakob (Newbie, Members, 8 posts)

Posted 12 June 2007 - 12:04 PM

Yes, of course, give my thanks to the Lavasoft corp. :lol:

#17 LS CalamityJane (Former Lavasoft Staff, Members, 8814 posts)

Posted 19 June 2007 - 06:36 PM

Many thanks for helping this user, oldfrog :) .

The sample file was received and will be added to our detection database.

This is still not widely detected yet by many AVs so I will probably submit this to all AV vendors by email submission as well to get it more coverage.

@jakob,

You still have some signs of remaining adware/malware showing in your Hijackthis log that appear to be unrelated but they need to be fixed. We can use Hijackthis to fix those remnants, however, first please do the following:

You are running Hijackthis straight out of the zip file and that's not good. It needs to be extracted to its own folder to make the proper backups.

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help:
http://russelltexas....tehjtfolder.htm
This is to ensure it makes the necessary backups for recovery if needed.

Unzip the file to the new folder you made and double-click on HijackThis.exe to open the program. On the new users quickstart page, choose *System scan only*.

Close ALL browsers and any other open windows so that only Hijackthis is open.

Now, place a checkmark in the boxes next to each of the following entries:

O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
(Adware.MWSearch)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab

O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload464a.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab


Then press the "Fix Checked" button.

Close Hijackthis and reboot/restart your computer.

Scan once more with Hijackthis and post a fresh scan log so I can see if anything else remains, please :o

.....................................................


I feel it necessary to also give you the following information, because the malware found initially was a backdoor trojan with remote access by an attacker possible. Your system may therefore have been compromised, and you should be aware of the risks of Remote Access Trojans (RATs).

A RAT is a program that allows a remote user to connect to the computer and issue commands.

Unless you can be sure that a remote user did not connect to the machine and run commands on it (which is almost always impossible to ascertain), you cannot know what damage the bad guy has done above and beyond installing the additional malware or making system changes.

That unknown is what accounts for the recommendation to rebuild the machine, depending on the uses and information stored on your computer.


What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/sec.....;/virusrat.mspx

Basically, your system has been compromised. Anyone may have had access to anything on your system or done whatever they want to it and hidden it from you.

Some helpful info if you choose that is the route you want to take to be safe:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

And this because there were some trojans that steal data off of the compromised PC - you should change all accounts, passwords, etc. See this FAQ:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
Please do NOT send Private Messages to Staff or helpers to request assistance! We do not give personal support via PM. The way to request help is to post a NEW TOPIC in the appropriate forum.

Look for the *New Topic* Button near the top right when viewing the forums.

Here in the forums, replies are posted to topics only. Thank you for your understanding and cooperation!
Plus and Pro Ad-Aware users (only) may use the Support Center for personal assistance:
Support Center


Microsoft MVP/Windows - Security 2003-2009
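The five HijackThis lines CalamityJane lists have two shapes: O2 entries (Browser Helper Objects registered under a CLSID, with the DLL path and an optional "(file missing)" note) and O16 entries (Downloaded Program Files, i.e. ActiveX controls keyed by CLSID with the URL they were fetched from). As an added example, not HijackThis code, here is a small Python triage script that parses those two line shapes and attaches the flags a reviewer looks for before ticking "Fix checked": a BHO whose DLL is missing is an orphaned registration, and a DPF entry that pulls from a host outside an allowlist, or that fetches a bare .exe rather than a .cab package, deserves a second look. The approved-host set is an assumption; the sample lines are copied from the post above, with the URLs truncated exactly as the thread shows them.

```python
"""Triage O2 (BHO) and O16 (DPF) lines from a HijackThis log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?: \((?P<note>file missing)\))?$"
)
# O16 - DPF: {CLSID}[ (<name>)] - <download url>
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)

# Assumption: hosts an administrator has approved as ActiveX download sources.
APPROVED_DPF_HOSTS = {"download.microsoft.com", "update.microsoft.com"}


@dataclass
class Entry:
    section: str
    clsid: str
    name: str
    target: str                         # DLL path for O2, download URL for O16
    flags: List[str] = field(default_factory=list)

    @property
    def fix_candidate(self) -> bool:
        return bool(self.flags)


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        flags = []
        if m.group("note"):
            flags.append("BHO DLL missing: orphaned registration")
        return Entry("O2", m.group("clsid").lower(), m.group("name"), m.group("path"), flags)
    m = O16_RE.match(line)
    if m:
        url = m.group("url")
        host = (urlparse(url).hostname or "").lower()
        flags = []
        if host not in APPROVED_DPF_HOSTS:
            flags.append(f"DPF download host not approved: {host}")
        if url.lower().endswith(".exe"):
            flags.append("DPF fetches a bare .exe instead of a .cab package")
        return Entry("O16", m.group("clsid").lower(), m.group("name") or "", url, flags)
    return None                         # other sections and annotation lines are ignored here


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


# Constructed sample: the five lines from the post above, copied as posted (the URLs are
# truncated in the thread and are kept that way here), plus its annotation line.
SAMPLE_HJT = r"""
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
(Adware.MWSearch)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload464a.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.co...l/azesearch.cab
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_HJT):
        mark = "FIX" if e.fix_candidate else "   "
        print(f"{mark} {e.section} {e.clsid} {e.name!r} -> {e.target}")
        for f in e.flags:
            print(f"      - {f}")
```

The CLSIDs are normalised to lower case so they can be matched against a known-bad list or against the Windows registry (HKCR\CLSID\{…}) without case surprises; that is also where the DLL behind an O2 entry is located if you want to quarantine the file and not just the registration.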

#18 LS CalamityJane (Former Lavasoft Staff, Members, 8814 posts)

Posted 19 June 2007 - 06:39 PM

I also need to add that you are using a very old update reference file from 2006:
From your Ad-Aware scan log posted:

Using definitions file:SE1R131 09-11-2006


You need to update your Ad-Aware program with the latest reference file and do another full system scan, as additional malware or system changes may be found.

The latest reference file update for Ad-Aware SE is:
SE1R176 19.06.2007



