cannot remove win32.agent.pz



threadkiller
2007-09-14, 18:51
I'm running Win XP SP2. I've had win32.agent.pz appearing on Spybot for a while now, but it will not go away.
I'll start with the results of my Kaspersky scan, followed by the results of the HijackThis report.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 14, 2007 5:48:16 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 14/09/2007
Kaspersky Anti-Virus database records: 418412
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 57796
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:26:37

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-02262007-181949.log Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\cert8.db Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\formhistory.dat Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\history.dat Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\key3.db Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\parent.lock Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\search.sqlite Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\urlclassifier2.sqlite Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Application Data\Microsoft\Windows Defender\FileTracker\{A1796F62-FF55-480C-A77D-C528A026CCE3} Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\Cache\_CACHE_001_ Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\Cache\_CACHE_002_ Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\Cache\_CACHE_003_ Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Application Data\Mozilla\Firefox\Profiles\x1g0mcsk.default\Cache\_CACHE_MAP_ Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Emma Nicoll\Lokala inställningar\Tidigare\History.IE5\MSHist012007091420070915\index.dat Object is locked skipped
D:\Documents and Settings\Emma Nicoll\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Emma Nicoll\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\dbupdate.log Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\Qrt.log Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\cache.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\chandir.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\chandir.idx Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\chn.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\chn.idx Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\D0000000.FCS Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\fsbwupst.log Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\inuse.txt Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\L0000047.FCS Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\main.log Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs.idx Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs_die.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs_die.idx Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs_dnd.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs_dnd.idx Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs_ext.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs_ext.idx Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs_rcv.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\prs_rcv.idx Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\storydb.dat Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Users\Default\Data\storydb.idx Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\Common\admin.pub Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\Common\policy.bpf Object is locked skipped
D:\Program\Telia\Telias sakerhetstjanster\Common\policy.ipf Object is locked skipped
D:\Program\XP Smoker\superfast.exe/file1 Infected: not-a-virus:RiskTool.Win32.Shutdown.c skipped
D:\Program\XP Smoker\superfast.exe Inno: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{4A54D4EF-59DC-4A15-B788-7805F16B8723}\RP318\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\EventCache\{27B71AF6-7599-413D-9749-BD356CC215C8}.bin Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
D:\WINDOWS\system32\config\OSession.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
D:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
D:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\ntos.exe Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\system32\wsnpoem\audio.dll Object is locked skipped
D:\WINDOWS\system32\wsnpoem\video.dll Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Program\BitComet\Downloads\BitComet 0.70 + BitComet Acceleration Patch + Bitcomet Download Speeder 11\speeder.exe/msnmsgr.exe Infected: Backdoor.Win32.Bifrose.xx skipped
E:\Program\BitComet\Downloads\BitComet 0.70 + BitComet Acceleration Patch + Bitcomet Download Speeder 11\speeder.exe CreateInstall: infected - 1 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{4A54D4EF-59DC-4A15-B788-7805F16B8723}\RP318\change.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:58:21, on 2007-09-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program\Telia\TELIAS~1\backweb\7836882\Program\SERVIC~1.EXE
D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fsgk32st.exe
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\program\fsbwsys.exe
D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\FSGK32.EXE
D:\Program\Telia\Telias sakerhetstjanster\Common\FSMA32.EXE
D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fssm32.exe
D:\Program\Photodex\ProShowGold\ScsiAccess.exe
D:\Program\Telia\Telias sakerhetstjanster\Common\FSMB32.EXE
D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Program\fspex.exe
D:\WINDOWS\system32\svchost.exe
D:\Program\Telia\Telias sakerhetstjanster\Common\FCH32.EXE
D:\Program\Telia\Telias sakerhetstjanster\Common\FAMEH32.EXE
D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fsqh.exe
D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fsrw.exe
D:\WINDOWS\System32\alg.exe
D:\Program\Telia\Telias sakerhetstjanster\FWES\Program\fsdfwd.exe
D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fsav32.exe
D:\Program\Telia\Telias sakerhetstjanster\Common\FSM32.EXE
D:\Program\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program\Windows Defender\MSASCui.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\system32\igfxpers.exe
D:\Program\ScanSoft\PaperPort\pptd40nt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program\Telia\TELIAS~1\ANTI-S~1\fsaw.exe
D:\Program\Telia\Telias sakerhetstjanster\FSGUI\fsguidll.exe
D:\Program\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Emma Nicoll\Skrivbord\HijackThis.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\ntos.exe,
O2 - BHO: Länkhjälp till Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [F-Secure Manager] "D:\Program\Telia\Telias sakerhetstjanster\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "D:\Program\Telia\Telias sakerhetstjanster\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "D:\Program\Telia\Telias sakerhetstjanster\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [igfxhkcmd] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] D:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DRam prosessor] plscd.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program\Delade filer\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] D:\Program\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] D:\Program\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] D:\Program\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] D:\Program\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [userinit] D:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: FBBackup.exe
O4 - Global Startup: Telias säkerhetstjänster.lnk = D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\Program\fspex.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Blockera detta popup-fönster - D:\Program\Telia\Telias sakerhetstjanster\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: IE-sköld - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program\Telia\Telias sakerhetstjanster\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE-sköld... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - D:\Program\Telia\Telias sakerhetstjanster\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5CF549B1-E178-4D8C-ADEF-73F226644F12} (Room328 Designer Setup) - http://www.se.room328.com/app/WebVDSetup.cab
O16 - DPF: {A0F3DE0D-9308-4650-82A0-53F0C17D7D65} (Web2D Control) - http://www.se.room328.com/app/WebVD.vcb
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Telias säkerhetstjänster (BackWeb Plug-in - 7836882) - BackWeb Technologies Inc. - D:\Program\Telia\TELIAS~1\backweb\7836882\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - D:\Program\Telia\Telias sakerhetstjanster\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - D:\Program\Telia\Telias sakerhetstjanster\backweb\7836882\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - D:\Program\Telia\Telias sakerhetstjanster\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - D:\Program\Telia\Telias sakerhetstjanster\Common\FSMA32.EXE
O23 - Service: ScsiAccess - Unknown owner - D:\Program\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7770 bytes
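The HijackThis log above shows Winlogon's Userinit value chaining a second executable (ntos.exe) after userinit.exe and an HKCU Run entry that launches that same file, while the Kaspersky report lists that file as "Object is locked skipped". As an added example that is not from the thread or from either tool, this Python script parses the relevant lines of both logs (copied here into constructed samples) and reports those cross-references; the finding labels and function names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples: a handful of lines copied from the two logs posted in the thread.
HJT_SAMPLE = r"""F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [userinit] D:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""
KAV_SAMPLE = r"""D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\ntos.exe Object is locked skipped
D:\WINDOWS\system32\wsnpoem\audio.dll Object is locked skipped
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def first_executable(cmd):
    """Return the program part of a Run command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path):
    return PureWindowsPath(path).name.lower()


def locked_objects(kav_text):
    """Basenames of files the Kaspersky scan reported as 'Object is locked skipped'."""
    locked = set()
    for line in kav_text.splitlines():
        m = LOCKED_RE.match(line)
        if m:
            locked.add(basename(m.group("path")))
    return locked


def analyse(hjt_text, kav_text=""):
    """Flag Userinit chains, Run entries re-launching the same file, and scanner gaps."""
    findings = []
    chained = set()  # executables Winlogon launches besides the standard userinit.exe
    runs = []
    for line in hjt_text.splitlines():
        m = USERINIT_RE.match(line)
        if m:
            for part in filter(None, (p.strip() for p in m.group("value").split(","))):
                if basename(part) != "userinit.exe":
                    chained.add(basename(part))
                    findings.append(("userinit_chain", part))
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m.group("hive"), m.group("name"), first_executable(m.group("cmd"))))
    for hive, name, exe in runs:
        if basename(exe) in chained:
            findings.append(("run_repeats_userinit_chain", f"{hive} [{name}] {exe}"))
        elif name.lower() == "userinit":
            findings.append(("run_named_userinit", f"{hive} [{name}] {exe}"))
    # A chained executable the on-demand scanner could not open is exactly the file to examine.
    for exe in sorted(chained & locked_objects(kav_text)):
        findings.append(("scanner_skipped_chained_exe", exe))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(HJT_SAMPLE, KAV_SAMPLE):
        print(f"{kind:30} {detail}")
```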

Mr_JAk3
2007-09-15, 20:54
Hi and welcome to the Forums :)

I must warn that one or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post :bigthumb:

threadkiller
2007-09-16, 13:38
Many thanks for the reply and the offer of assistance. I'm going to format and reinstall my OS.
Thanks again for the help. :)

Mr_JAk3
2007-09-16, 14:47
Hi :)

I'll respect your decision to do a clean install.
Please make sure that you know what to do before beginning the operation.

Here are a few links that may help.

Reformatting Windows XP by wng_z3r0 (http://spyware-free.us/tutorials/reformat/mainnopics.html)
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Windows XP Clean install (http://windowsxp.mvps.org/XPClean.htm)

Then there are a couple of things you should do immediately after installing Windows and before surfing the net... Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

These are good (free) firewalls:
- Kerio (http://www.sunbelt-software.com/Kerio.cfm)
- Sygate (http://www.majorgeeks.com/download.php?det=3356)
- Outpost (http://www.majorgeeks.com/download.php?det=1056)

These are good (free) antiviruses:
- Antivir (http://www.free-av.com)
- Avast (http://www.avast.com)
- AVG (http://free.grisoft.com)

Get all Windows updates installed!
Please ask me if you have any questions :)

Then here are a few things that you can do in order to make your fresh computer more secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use Ewido (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?