Jul 9 2008, 08:00 AM
Post #1
Newbie. Group: Members, Posts: 3, Joined: 9-July 08, Member No.: 59,853
So today Windows Defender and Ad-Aware picked up Backdoor:Win32/Agent from an AutoIT file that was created last year...and I scan twice weekly. Also today, after some random minor Windows update, I was unable to browse the internet (but had an active connection) until I opened up ZoneAlarm and changed the Internet Zone security level from high to medium. I deleted the *\windows\browser.exe file and scanned again (clean), but I'm still a little concerned. Here's my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:49 AM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
E:\WINDOWS\System32\svchost.exe
E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Tablet.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\Logitech\G-series Software\LGDCore.exe
E:\Program Files\Logitech\G-series Software\LCDMon.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\Program Files\Razer\Copperhead\razerhid.exe
E:\Program Files\BroadJump\Client Foundation\CFD.exe
E:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
E:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Windows Media Player\WMPNSCFG.exe
E:\Program Files\SEC\MagicTune3.6_Client_pivot\GammaTray.exe
E:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
E:\WINDOWS\system32\WTablet\TabUserW.exe
E:\Program Files\OpenOffice.org 2.3\program\soffice.exe
E:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
E:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
E:\Program Files\Razer\Copperhead\razertra.exe
E:\Program Files\Razer\Copperhead\razerofa.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "E:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "E:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [razer] E:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] E:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE /FU "E:\WINDOWS\TEMP\E_S90.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] E:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.3.lnk = E:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = E:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune3.6.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = E:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193554825327
O17 - HKLM\System\CCS\Services\Tcpip\..\{C094D013-7F2B-4DAE-BE0A-5D2213BF79FB}: NameServer = 206.13.28.12,206.13.31.13
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = att.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = att.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = att.net
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - E:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - E:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10945 bytes

Thanks in advance.
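As an added triage helper (not code from the poster, from HijackThis or from this forum), the Python below parses O4 Run, O4 Startup and O23 Service lines in the HijackThis format shown above and lists entries whose target sits outside the usual program directories, or shortcuts whose target could not be resolved, so an analyst knows which lines to look at first. The sample lines are constructed; the [browser] entry stands in for the deleted E:\WINDOWS\browser.exe and is not in the posted log, and the system root E:\WINDOWS and the list of expected directories are assumptions.

```python
import re

# Constructed sample in HijackThis v2 line format, modelled on the log in the post above.
# The [browser] entry is made up to stand in for the E:\WINDOWS\browser.exe file the
# poster deleted; it does not appear in the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [browser] E:\WINDOWS\browser.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MagicTune3.6.lnk = ?
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")

# Assumption: directories an autorun target is expected to live in on this machine;
# anything else is surfaced for review. Tune per machine.
EXPECTED_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\system32\\")
SYSTEMROOT = r"E:\WINDOWS"  # assumption: matches the system root shown in the log

def target_path(cmd: str) -> str:
    """Extract the executable (or the DLL handed to RUNDLL32) from an autorun command line."""
    cmd = cmd.strip().replace("%systemroot%", SYSTEMROOT)
    if cmd.startswith('"'):                       # quoted path: up to the closing quote
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if tokens[0].upper() == "RUNDLL32.EXE" and len(tokens) > 1:
        return tokens[1].split(",")[0]            # DLL path before ",EntryPoint"
    path = tokens[0]                              # unquoted path with spaces: grow it
    for tok in tokens[1:]:                        # until an .exe/.dll extension appears
        if path.lower().endswith((".exe", ".dll")):
            return path
        path += " " + tok
    return path if path.lower().endswith((".exe", ".dll")) else tokens[0]

def triage(log: str) -> list[tuple[str, str, str]]:
    """Return (entry name, target, reason) for entries that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        m = RUN_RE.match(line) or SERVICE_RE.match(line)
        if m:
            path = target_path(m["cmd"])
            if not any(d in path.lower() for d in EXPECTED_DIRS):
                findings.append((m["name"], path, "target outside expected directories"))
        elif (m := STARTUP_RE.match(line)) and m["target"] == "?":
            findings.append((m["name"], "?", "shortcut target could not be resolved"))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the two constructed entries flagged; feeding the full log from the post gives the same kind of short list to work through by hand.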
Jul 11 2008, 09:52 PM
Post #2
Newbie. Group: Members, Posts: 3, Joined: 9-July 08, Member No.: 59,853
bump
Jul 12 2008, 02:34 AM
Post #3
Newbie. Group: Members, Posts: 3, Joined: 9-July 08, Member No.: 59,853
Problem solved. ZoneAlarm put out a fix to resolve the issue.