
Subject: worm agent.sps

Original Message
Name: spark
Date: September 30, 2007 at 23:30:38 Pacific
Subject: worm agent.sps
OS: XP
CPU/Ram: core 2 duo 2.13ghz
Model/Manufacturer: enspire
Comment:
My trend micro anti-virus found the following worm.

http://www.trendmicro.com/vinfo/vir...

It deleted the files and I followed the solution procedures.

I think I got the worm from my USB key which I use at uni. The USB key is still playing up, files don't copy properly, and the same problems are now happening on a second USB key.

I haven't used either of them with another computer, to avoid the risk of spreading the worm, but this means I don't know if the worm is localised to my computer or if it has spread to the USB keys.

No scanning program has found any more problems (Trend, AVG).

I'm a bit stumped as to what is causing the problems.

Will any scan logs help? HijackThis etc.

Cheers.




Response Number 1
Name: jabuck
Date: October 1, 2007 at 03:35:02 Pacific
Subject: worm agent.sps
Reply:
Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



Response Number 2
Name: spark
Date: October 1, 2007 at 19:03:59 Pacific
Subject: worm agent.sps
Reply:
ComboFix Log

ComboFix 07-10-02.2 - Neil 2007-10-02 11:53:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1282 [GMT 10:00]
Running from: C:\Documents and Settings\Neil\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-02 11:49 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 15:08 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 15:06 <DIR> d-------- C:\Documents and Settings\Neil\.housecall6.6
2007-09-29 18:49 <DIR> d-------- C:\Program Files\iTunes
2007-09-29 18:48 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-29 18:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-29 15:43 <DIR> d-------- C:\Program Files\ImageJ
2007-09-29 15:09 <DIR> dr------- C:\Program Files\Centricity
2007-09-26 14:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-09-26 13:21 72,672 --a------ C:\WINDOWS\system32\drivers\LxrSII1d.sys
2007-09-26 13:21 49,152 --a------ C:\WINDOWS\system32\LxrSII1s.exe
2007-09-26 13:21 28,672 --a------ C:\WINDOWS\system32\LxrUnplug.exe
2007-09-26 13:21 139,264 --a------ C:\WINDOWS\system32\LxrSII1.dll
2007-09-25 19:26 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\Ceedo
2007-09-21 21:34 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\teamspeak2
2007-09-05 21:35 42,672 --a------ C:\WINDOWS\system32\wbsys.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 1rogram Files\Trend Micro
2007-10-01 1ocuments and Settings\All Users\Application Data\Microsoft Help
2007-09-29 1rogram Files\iPod
2007-09-20 1rogram Files\InstallShield Installation Information
2007-09-14 2rogram Files\Common Files\Wise Installation Wizard
2007-09-14 1rogram Files\MSN Messenger
2007-08-27 1rogram Files\AGEIA Technologies
2007-08-27 11:24 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-13 1ocuments and Settings\Neil\Application Data\Soldat
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 09:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 09:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 09:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 09:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 09:06 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-27 09:06 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 09:06 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-27 09:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 09:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 09:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 09:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 09:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 09:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 09:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 09:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 09:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 09:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 09:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 09:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 09:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 09:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-06 21:33 1 --a------ C:\Documents and Settings\Neil\SI.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-03 11:17]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-23 06:22]
"nwiz"="nwiz.exe" [2006-10-23 06:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-23 06:22]
"NWEReboot"="" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Version Cue CS2"="E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 17:58]
"Acrobat Assistant 8.0"="E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"AS01_Netgear"="C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" [2006-12-08 09:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-01 14:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"PowerBar"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
AllChars.lnk - E:\Program Files\AllChars\AllChars.exe [2007-07-25 21:28:46]
Smart Wizard Wireless Settings.lnk - E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-03-21 22:20:21]

C:\Documents and Settings\Neil\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-01-30 18:20:46]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-12-06 16:19:55]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
AllChars.lnk - E:\Program Files\AllChars\AllChars.exe [2007-07-25 21:28:46]
Smart Wizard Wireless Settings.lnk - E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-03-21 22:20:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-05 17:36 140976 E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
"C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"

R2 LxrSII1d;Secure II Driver;\??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
R3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\system32\Drivers\Icam5USB.sys
R3 NETGEAR_WG311_SERVICE;NETGEAR WG311 Wireless PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\wg311nd5.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\Neil\LOCALS~1\Temp\sony_ssm.sys
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 11:57:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-02 11:59:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 11:59
.
--- E O F ---

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51, on 2007-10-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Program Files\AllChars\AllChars.exe
E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\sed.cfexe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - E:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - E:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AllChars.lnk = E:\Program Files\AllChars\AllChars.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FreshDownload - {0C6A3455-C7AA-4837-9D4D-ACF9A9E78281} - E:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - E:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 10909 bytes


AVG picked up another one, trojan.hider.i

This file is present on all external hard drives (USB keys); each folder on the key becomes a .exe. It even found it on my iPod, heh.

Cheers for your help, jabuck. Greatly appreciated.



Response Number 3
Name: jabuck
Date: October 1, 2007 at 19:26:47 Pacific
Subject: worm agent.sps
Reply:
Are the external drives "jump" or "flash" drives that plug into a usb port?

If so do the following.

Please download Flash_Disinfector.exe by sUBs and save to your desktop.

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.



Response Number 4
Name: spark
Date: October 2, 2007 at 00:44:35 Pacific
Subject: worm agent.sps
Reply:
Yeah, sorry, I call them USB keys; they are flash drives indeed.

I ran Flash_Disinfector on both drives, one with infected files quarantined, one without. No problems on the clean drive.

It appeared not to do much with the infected one, however. The infected files are still there. I took screenshots to try and explain it a bit better (I don't think I did a very good job).

http://img250.imageshack.us/img250/...
http://img250.imageshack.us/img250/...

The malicious code seems to replace the folders with an odd-looking folder icon, and they are now .exe (I know not to open them now).

Once the files/folders are quarantined, the flash drive shows it's still full, but there are no folders visible. Can I salvage what's on the flash drive? (There are some files I need from it.)

I seem to have rid my computer of the trojan, however.


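The symptoms in the post above (folders turned into same-named .exe files with a folder icon, a drive that is "full" with nothing visible) are the usual footprint of a folder-impersonating USB worm; the second ComboFix log further down also shows an autorun.inf with hidden+system attributes. The following triage script is an added example for this thread, not code from Flash_Disinfector, ComboFix or Trend Micro: it reads a drive listing in the ComboFix attribute layout, flags autorun.inf, hidden+system folders and the .exe files named after them, and produces the attrib commands that make the real folders visible again. The folder names and the F: drive letter in the sample listing are constructed.

```python
"""Triage a flash-drive listing for a folder-impersonating USB worm.

Added example, not code from Flash_Disinfector, ComboFix or Trend Micro.
The attribute column follows the ComboFix layout seen in the posted log
("drahs----": d=directory, r=read-only, a=archive, h=hidden, s=system;
the trailing positions are left uninterpreted here).
"""
import os
import stat
import sys
from dataclasses import dataclass

ATTR_POSITIONS = {"dir": 0, "readonly": 1, "archive": 2, "hidden": 3, "system": 4}


@dataclass(frozen=True)
class Entry:
    name: str   # file or folder name without path
    attrs: str  # ComboFix-style attribute string, e.g. "drahs----"


def parse_attrs(attrs: str) -> dict:
    """Map the first five columns of a ComboFix attribute string to booleans."""
    if len(attrs) < 5:
        raise ValueError(f"attribute string too short: {attrs!r}")
    return {flag: attrs[pos] != "-" for flag, pos in ATTR_POSITIONS.items()}


def list_drive(root: str) -> list:
    """Build Entry objects for one directory (the root of a flash drive).
    On Windows the real bits come from st_file_attributes; on other systems
    only the directory flag is known, so hidden/system stay clear."""
    entries = []
    for de in os.scandir(root):
        bits = getattr(de.stat(follow_symlinks=False), "st_file_attributes", 0)
        flags = (
            de.is_dir(follow_symlinks=False),
            bool(bits & stat.FILE_ATTRIBUTE_READONLY),
            bool(bits & stat.FILE_ATTRIBUTE_ARCHIVE),
            bool(bits & stat.FILE_ATTRIBUTE_HIDDEN),
            bool(bits & stat.FILE_ATTRIBUTE_SYSTEM),
        )
        attrs = "".join(ch if on else "-" for ch, on in zip("drahs", flags)) + "----"
        entries.append(Entry(de.name, attrs))
    return entries


def triage(entries: list) -> dict:
    """Flag the worm's footprint. A .exe counts as a folder impersonator only
    when a directory with the same stem sits beside it; an ordinary setup.exe
    with no matching folder is left alone."""
    flags = {e.name: parse_attrs(e.attrs) for e in entries}
    dir_names = {name.lower() for name, f in flags.items() if f["dir"]}
    hidden_dirs = sorted(name for name, f in flags.items()
                         if f["dir"] and f["hidden"] and f["system"])
    impersonators = sorted(name for name, f in flags.items()
                           if not f["dir"] and name.lower().endswith(".exe")
                           and name[:-4].lower() in dir_names)
    autorun = any(name.lower() == "autorun.inf" for name in flags)
    return {"autorun_inf": autorun, "hidden_dirs": hidden_dirs,
            "impersonators": impersonators}


def recovery_plan(report: dict, drive: str) -> list:
    """cmd.exe lines that make the real folders visible again. The user's data
    is still on the drive, just flagged hidden+system, which is why the drive
    reports as full with nothing to see. Quarantining the impersonator .exe
    files and autorun.inf is left to the antivirus; this only restores view."""
    return [f'attrib -h -s -r "{drive}\\{name}"' for name in report["hidden_dirs"]]


# Constructed listing modelled on the symptoms in the thread (not a real drive).
SAMPLE_LISTING = [
    Entry("autorun.inf", "-rahs----"),
    Entry("Uni Notes", "drahs----"),
    Entry("Uni Notes.exe", "--a------"),
    Entry("Photos", "drahs----"),
    Entry("Photos.exe", "--a------"),
    Entry("essay.doc", "--a------"),
    Entry("setup.exe", "--a------"),  # ordinary exe: no folder of that name
]

if __name__ == "__main__":
    # Pass a drive root (e.g. F:\) to scan a real device; otherwise use the sample.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    listing = list_drive(root) if root else SAMPLE_LISTING
    report = triage(listing)
    for key, value in report.items():
        print(f"{key}: {value}")
    for line in recovery_plan(report, root.rstrip("\\/") if root else "F:"):
        print(line)
```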

Response Number 5
Name: jabuck
Date: October 2, 2007 at 16:09:11 Pacific
Subject: worm agent.sps
Reply:
Plug the infected jump drive into the computer, run ComboFix, and post the log.

Remove the jump drive once you have a log.



Response Number 6
Name: spark
Date: October 2, 2007 at 19:59:08 Pacific
Subject: worm agent.sps
Reply:
ComboFix 07-10-02.2 - Neil 2007-10-03 12:50:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1179 [GMT 10:00]
Running from: C:\Documents and Settings\Neil\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.

2007-10-02 17:28 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-10-02 17:15 <DIR> drahs---- C:\autorun.inf
2007-10-01 15:08 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 15:06 <DIR> d-------- C:\Documents and Settings\Neil\.housecall6.6
2007-09-29 18:49 <DIR> d-------- C:\Program Files\iTunes
2007-09-29 18:48 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-29 18:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-29 15:43 <DIR> d-------- C:\Program Files\ImageJ
2007-09-29 15:09 <DIR> dr------- C:\Program Files\Centricity
2007-09-26 14:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-09-26 13:21 72,672 --a------ C:\WINDOWS\system32\drivers\LxrSII1d.sys
2007-09-26 13:21 49,152 --a------ C:\WINDOWS\system32\LxrSII1s.exe
2007-09-26 13:21 28,672 --a------ C:\WINDOWS\system32\LxrUnplug.exe
2007-09-26 13:21 139,264 --a------ C:\WINDOWS\system32\LxrSII1.dll
2007-09-25 19:26 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\Ceedo
2007-09-21 21:34 <DIR> d-------- C:\Documents and Settings\Neil\Application Data\teamspeak2
2007-09-05 21:35 42,672 --a------ C:\WINDOWS\system32\wbsys.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 1rogram Files\Trend Micro
2007-10-01 1ocuments and Settings\All Users\Application Data\Microsoft Help
2007-09-29 1rogram Files\iPod
2007-09-20 1rogram Files\InstallShield Installation Information
2007-09-14 2rogram Files\Common Files\Wise Installation Wizard
2007-09-14 1rogram Files\MSN Messenger
2007-08-27 1rogram Files\AGEIA Technologies
2007-08-27 11:24 107888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-08-13 1ocuments and Settings\Neil\Application Data\Soldat
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 09:06 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-27 09:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-27 09:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-27 09:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-27 09:06 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-27 09:06 120056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-07-27 09:06 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-07-27 09:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-27 09:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-27 09:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-27 09:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-27 09:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-27 09:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-27 09:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-27 09:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-27 09:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-27 09:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-27 09:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-27 09:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-27 09:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-27 09:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-12-06 21:33 1 --a------ C:\Documents and Settings\Neil\SI.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" []
"IntelAudioStudio"="C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" [2006-08-03 11:17]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-23 06:22]
"nwiz"="nwiz.exe" [2006-10-23 06:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-23 06:22]
"NWEReboot"="" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Adobe Version Cue CS2"="E:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 17:58]
"Acrobat Assistant 8.0"="E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47]
"AS01_Netgear"="C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe" [2006-12-08 09:45]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-04-01 14:41]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 19:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 22:00]
"PowerBar"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
AllChars.lnk - E:\Program Files\AllChars\AllChars.exe [2007-07-25 21:28:46]
Smart Wizard Wireless Settings.lnk - E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-03-21 22:20:21]

C:\Documents and Settings\Neil\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-01-30 18:20:46]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2006-12-06 16:19:55]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
AllChars.lnk - E:\Program Files\AllChars\AllChars.exe [2007-07-25 21:28:46]
Smart Wizard Wireless Settings.lnk - E:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2007-03-21 22:20:21]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2007-03-05 17:36 140976 E:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
"C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{1290A33C-85F5-4164-A1BE-7DD299D4986A}]
"C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"

R2 LxrSII1d;Secure II Driver;\??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
R3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
R3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\system32\Drivers\Icam5USB.sys
R3 NETGEAR_WG311_SERVICE;NETGEAR WG311 Wireless PCI Adapter Service;C:\WINDOWS\system32\DRIVERS\wg311nd5.sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\Neil\LOCALS~1\Temp\sony_ssm.sys
S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 12:52:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-03 12:53:00
C:\ComboFix-quarantined-files.txt ... 2007-10-03 12:52
C:\ComboFix2.txt ... 2007-10-02 11:59
.
--- E O F ---


EDIT:

When running the Flash_Disinfector again (don't know why) I got the following error message:

Processing Message c0000012 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c

It came up about 100 times before it said it was finished scanning...


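A way to read an autostart and service listing like the ComboFix output above mechanically, added here as an example and not part of the original thread or of ComboFix itself: it parses the Run-key values (`"Name"="image" [timestamp]`) and the service lines (`State;Name;Description;ImagePath`) into records and flags the two things a reviewer looks at first, an entry with an empty image path and an image that is loaded from a temp directory (installed drivers normally live under `system32`). The sample lines are constructed to match the layout of the log above; the flag rules, the `\??\` prefix handling and the function names are my own assumptions, and a flag means "look at this", not "this is malicious".

```python
import re

# Constructed sample in the layout of the ComboFix log above:
# registry Run values and service lines, a handful of each.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-23 06:22]
"NWEReboot"="" []
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe" [2006-03-08 13:30]

R2 LxrSII1d;Secure II Driver;\??\C:\WINDOWS\system32\Drivers\LxrSII1d.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\Neil\LOCALS~1\Temp\sony_ssm.sys
"""

# "Name"="image" [timestamp]   (the bracket may also carry a resolved path)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# R2/S3 etc.;ServiceName;Description;ImagePath
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+)$')
# a path component named Temp or Tmp, whatever the case (assumed heuristic)
TEMP_DIR_RE = re.compile(r'[\\/](temp|tmp)[\\/]', re.IGNORECASE)


def normalize(image):
    """Strip the NT object-manager prefix that driver image paths carry."""
    image = image.strip()
    if image.startswith("\\??\\"):
        image = image[4:]
    return image


def parse_autostarts(text):
    """Turn Run-key and service lines into dicts; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "run", "name": m["name"],
                            "image": normalize(m["image"])})
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"kind": "service", "name": m["name"],
                            "state": m["state"], "image": normalize(m["image"])})
    return entries


def flag_entries(entries):
    """Return (kind, name, reasons) for entries a reviewer should look at."""
    flagged = []
    for e in entries:
        reasons = []
        if e["image"] == "":
            reasons.append("empty image path")
        elif TEMP_DIR_RE.search(e["image"]):
            reasons.append("image lives in a temp directory")
        if reasons:
            flagged.append((e["kind"], e["name"], reasons))
    return flagged


if __name__ == "__main__":
    for kind, name, reasons in flag_entries(parse_autostarts(SAMPLE_LOG)):
        print(f"{kind:8} {name:20} {', '.join(reasons)}")
```

Running it on the whole pasted log instead of `SAMPLE_LOG` gives the same kind of short list; everything it does not flag still deserves the usual file-by-file check, the script only orders the work.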

Response Number 7
Name: jabuck
Date: October 3, 2007 at 19:57:26 Pacific
Subject: worm agent.sps
Reply:

Run the Flash_Disinfector from the link below, but this time plug all the infected jump drives in at one time.
Please download http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe and save to your desktop.

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Wait until the program has finished scanning, then please exit the program.

Please download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/ We will need it later in Safe Mode.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from Safe Mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

With the jump drive connected run the following scan.

Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under "Scan using the following antivirus database:", select "extended".
Make sure the "Scan Archives" and "Scan Mail Bases" options are selected as well. Click OK.
Click My Computer and wait for the scan to finish
Click "Save Report As". Under "Save as type:", select "Text file". Save this log to your Desktop and post a copy of it here.



Response Number 8
Name: spark
Date: October 4, 2007 at 06:34:26 Pacific
Subject: worm agent.sps
Reply:
---------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, October 04, 2007 11:29:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 4/10/2007
Kaspersky Anti-Virus database records: 427021
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
W:\
X:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 153697
Number of viruses found: 2
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 02:36:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Neil\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Working\database_5EC4_95C7_C495_A1B7\dfsr.db Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Working\database_5EC4_95C7_C495_A1B7\fsr.log Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Working\database_5EC4_95C7_C495_A1B7\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Messenger\minidaws@hotmail.com\SharingMetadata\Working\database_5EC4_95C7_C495_A1B7\tmp.edb Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Windows Live Contacts\minidaws@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Application Data\Microsoft\Windows Live Contacts\minidaws@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\History\History.IE5\MSHist012007100420071005\index.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DF5B63.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DFCA8B.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DFCA96.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DFE6FA.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temp\~DFE705.tmp Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Neil\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Neil\ntuser.dat Object is locked skipped
C:\Documents and Settings\Neil\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CB0807AE-C5D5-4CB7-A60B-BB60583F7704}\RP11\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe WiseSFX: infected - 4 skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe WiseSFX Dropper: infected - 4 skipped
E:\Ben's Stuff\My Music\iTunes\iTunes Library.itl Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{CB0807AE-C5D5-4CB7-A60B-BB60583F7704}\RP11\change.log Object is locked skipped

Scan process completed.

OK, I think the trojan has finally gone. Flash drives seem OK. New drives aren't being infected by the looks of things. However, I think something has happened to change AutoPlay.

Some CDs/DVDs I put in the computer will not read and nothing autoplays. The CD works fine on another computer.


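The Kaspersky report above has two kinds of lines that are easy to confuse: "Object is locked skipped" entries, which are files the scanner could not open (registry hives, event logs, index.dat files) and are not detections, and the "Infected:" / "infected - N" entries. Its statistics also count archive members, so "6 infected objects" here collapse to one file on disk, `BSINSTALL.exe`, which is the one file named in the reply that follows. The parser below, added as an example and not part of the original thread or of Kaspersky's tooling, separates the two kinds, reduces each detection path to the file that actually exists on disk (Kaspersky writes archive members after a `/`, which never occurs in a Windows path) and lists the files still left to deal with. The sample lines are constructed in the report's format; the regexes and function names are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the Kaspersky Online Scanner report above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
E:\Ben's Stuff\Downloads\BSINSTALL.exe WiseSFX Dropper: infected - 4 skipped

Scan process completed.
"""

# Paths contain spaces, so each pattern anchors on the fixed status text at the end.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
CONTAINER_RE = re.compile(
    r"^(?P<path>.+?) (?P<packer>[\w ]+): infected - (?P<count>\d+) (?P<action>\w+)$")


def parse_report(text):
    """Split the report body into locked objects, detections and other lines."""
    locked, detections, other = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m["path"])
            continue
        m = INFECTED_RE.match(line)
        if m:
            detections.append({"path": m["path"], "name": m["name"],
                               "action": m["action"]})
            continue
        m = CONTAINER_RE.match(line)
        if m:
            detections.append({"path": m["path"],
                               "name": f"{m['packer']} container ({m['count']} members)",
                               "action": m["action"]})
            continue
        other.append(line)
    return locked, detections, other


def on_disk_file(path):
    """Archive members are written as file/member/...; the prefix before the
    first '/' is the file that exists on disk."""
    return path.split("/", 1)[0]


def triage(text):
    """Summarise the report: what is noise, what was found, what is still there."""
    locked, detections, _ = parse_report(text)
    names = Counter(d["name"] for d in detections)
    # "skipped" means the scanner took no action, so the file still needs handling
    still_present = sorted({on_disk_file(d["path"])
                            for d in detections if d["action"] == "skipped"})
    return {
        "locked_objects": len(locked),
        "detections": len(detections),
        "detection_names": dict(names),
        "files_to_review": still_present,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Feeding it the full report above produces one entry in `files_to_review`, which is what makes a long scan log actionable: the dozens of locked objects drop out and the cleanup list is the files, not the archive members.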

Response Number 9
Name: jabuck
Date: October 4, 2007 at 17:55:53 Pacific
Subject: worm agent.sps
Reply:
Navigate to and delete this file if found:

E:\Ben's Stuff\Downloads\BSINSTALL.exe

Go to the following link and run the repair wizard:

Microsoft Autoplay Repair Wizard

Let me know how it works.



Response Number 10
Name: spark
Date: October 5, 2007 at 02:06:42 Pacific
Subject: worm agent.sps
Reply:
Thanks so much for your advice jabuck. All problems now seem to be fixed :)

That autofix did wonders.

Cheers mate



Response Number 11
Name: jabuck
Date: October 5, 2007 at 03:41:20 Pacific
Subject: worm agent.sps
Reply:
Glad we could help.


All content ©1996-2007 Computing.Net, LLC