
Win32.Agent.Deot



drDubbelklick
2010-12-23, 21:46
Hello. Spybot detected Win32.Agent.Deot on my machine, and I have followed the steps given by you. I attach the log files you wanted. This trojan keeps on reinstalling itself, so it must be some kind of rootkit. Help is appreciated.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 19:15:25,94 on 2010-12-23
Internet Explorer: 8.0.6001.18999
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3069.1589 [GMT 1:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\LG Software\LG OSD\HotKey.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CA\SharedComponents\CA_LIC\lic98Service.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\cryptainersrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Eraser\Eraser.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe
C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\Program Files\SpyDig\spydig.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Users\Thomas J Ekman\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Personal\bin\Personal.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Users\Thomas J Ekman\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\Explorer.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Thomas J Ekman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V2NDCMPL\dds[1].com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.se/ig?hl=en
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.lge.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Trellian BHO Impl: {24180b00-2eb6-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Trellian &Toolbar: {71aaabe5-1f0f-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\thomas j ekman\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SansaDispatch] c:\users\thomas j ekman\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
uRun: [mRouterConfig] "c:\program files\intuwave\shared\mrouterruntime\mRouterConfig.exe"
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition premium\avgnt.exe" /min
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [KeybdUtility] c:\program files\lg software\lg osd\HotKey.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [BatteryMiser 5] c:\program files\lg software\batterymiser\BatteryMiser5.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
mRun: [PC Suite for Smartphones] "c:\program files\sony ericsson\mobile4\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [spydig.exe] c:\program files\spydig\spydig.exe
StartupFolder: c:\users\thomas~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\notepa~1.lnk - c:\program files\notepad++\notepad++.exe
StartupFolder: c:\users\thomas~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\passwo~1.lnk - c:\program files\password safe\pwsafe.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bankid~1.lnk - c:\program files\personal\bin\Personal.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: avsda.dll
Trusted Zone: canon-europe.com\self-service
Trusted Zone: logivia.se
Trusted Zone: sourceforge.net
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
SEH: BatteryMiser PSAP Class: {26f5978f-6493-4ee3-b114-c0c3accf9d4d} - c:\windows\system32\bmpsap.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition premium\avgio.sys [2008-6-4 11608]
R2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;c:\program files\avira\antivir personaledition premium\avmailc.exe [2008-6-4 164097]
R2 AntiVirScheduler;AntiVir PersonalEdition Premium Scheduler;c:\program files\avira\antivir personaledition premium\sched.exe [2008-6-4 68865]
R2 AntiVirService;AntiVir PersonalEdition Premium Guard;c:\program files\avira\antivir personaledition premium\avguard.exe [2008-6-4 151297]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;c:\program files\avira\antivir personaledition premium\avwebgrd.exe [2008-6-4 258305]
R2 AVEService;AntiVir PersonalEdition Premium MailGuard helper service;c:\program files\avira\antivir personaledition premium\avesvc.exe [2008-6-4 41217]
R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2008-5-20 75016]
R2 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [2008-6-23 24192]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-26 1153368]
R2 ssoftnt4;ssoftnt4;c:\windows\system32\drivers\ssoftnt4.sys [2008-6-6 100728]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition premium\avgntflt.sys [2008-6-4 52056]
R3 EUCR;USB Mass Storage;c:\windows\system32\drivers\EUCR6SK.sys [2007-3-19 40064]
R3 R5BaseSmc;USB Token Holder Service;c:\windows\system32\drivers\smccard.sys [2007-4-3 14592]
R3 RkHit;RkHit;c:\windows\system32\drivers\RKHit.sys [2010-12-23 29312]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe [2010-5-19 68096]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-27 27488]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-4 21504]
S3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr28.sys [2009-1-19 517120]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 msvsmon90;Visual Studio 2008 Remote Debugger;c:\program files\microsoft visual studio 9.0\common7\ide\remote debugger\x86\msvsmon.exe [2007-11-7 3004416]

=============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2010-12-23 18:09:22 -------- d-----w- C:\ERDNT
2010-12-23 18:06:41 791393 ----a-w- c:\temp\erunt-setup.exe
2010-12-23 13:47:08 29312 ----a-w- c:\windows\system32\drivers\RKHit.sys
2010-12-23 13:47:07 -------- d-----w- c:\program files\SpyDig
2010-12-21 17:10:14 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{59b0b429-f67f-4578-aebb-88c0efba858d}\mpengine.dll
2010-12-15 02:56:03 81920 ----a-w- c:\windows\system32\consent.exe
2010-12-15 02:56:01 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-15 02:56:01 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-15 02:56:01 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-15 02:55:59 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-12-15 02:54:07 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-12 15:28:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-12-12 15:28:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-12-12 15:28:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-12-12 15:28:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-12-12 15:28:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-12-12 15:28:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-12-12 15:28:43 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-12-11 14:49:09 -------- d-----w- c:\program files\common files\CA
2010-12-11 14:49:06 -------- d-----w- c:\users\thomas~1\appdata\roaming\CA
2010-12-11 14:48:26 -------- d-----w- c:\progra~2\CA
2010-12-11 14:47:24 -------- d-----w- c:\program files\common files\Crystal Decisions
2010-12-11 14:46:57 -------- d-----w- c:\program files\CA
2010-11-29 16:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 16:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-25 01:54:20 -------- d-----w- c:\windows\Internet Logs
2010-11-24 17:57:25 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

==================== Find3M ====================

2010-12-23 14:07:14 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 09:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002

CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 nt!IofCallDriver[0x8284714B] -> \Device\Harddisk0\DR0[0x863ADAC8]
3 CLASSPNP[0x8B2B28B3] -> nt!IofCallDriver[0x8284714B] -> [0x84E80900]
5 acpi[0x8AA446BC] -> nt!IofCallDriver[0x8284714B] -> \Device\Ide\IAAStorageDevice-0[0x84E84028]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user != kernel MBR !!!

============= FINISH: 19:18:23,93 ===============

--- Search result list ---
Win32.Agent.deot: [SBI $124634AE] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lac97inf


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-01-26 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-10-05 Includes\Adware.sbi (*)
2010-11-30 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2010-12-14 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2010-11-30 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2010-12-14 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-12-14 Includes\Malware.sbi (*)
2010-12-22 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-12-14 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-12-14 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-12-14 Includes\Spyware.sbi (*)
2010-12-14 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-11-02 Includes\Trojans.sbi (*)
2010-12-17 Includes\TrojansC-02.sbi (*)
2010-12-16 Includes\TrojansC-03.sbi (*)
2010-12-16 Includes\TrojansC-04.sbi (*)
2010-12-21 Includes\TrojansC-05.sbi (*)
2010-12-16 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
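
Added example (not from the thread, and not code from DDS, Spybot or any other tool named here): a small Python triage script for DDS-style autostart lines like the ones in the log above. It parses the `uRun`/`mRun` entries and the `SERVICES / DRIVERS` entries, pulls out the image each one loads (including the DLL behind a `RUNDLL32.EXE` entry), and flags what a helper looks at first: an image in a temporary directory (the `lac97inf.sys` case that comes up later in this thread), a kernel driver outside the usual driver directories, and an entry with no directory at all, which Windows resolves through the search path. The sample lines are copied from the log above except the `lac97inf` driver line, which is constructed (its date and size are placeholders); the rules in `assess` are my own heuristics, not Spybot's or DDS's logic.

```python
from __future__ import annotations

import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample input in DDS "Pseudo HJT Report" / "SERVICES / DRIVERS" style.
# All lines but the last are copied from the log in this thread; the lac97inf
# driver line is constructed (the path is the one quoted later in the thread,
# the bracketed date and size are placeholders).
SAMPLE_LOG = r"""uRun: [Google Update] "c:\users\thomas j ekman\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RtHDVCpl] RtHDVCpl.exe
R1 avgio;avgio;c:\program files\avira\antivir personaledition premium\avgio.sys [2008-6-4 11608]
R3 RkHit;RkHit;c:\windows\system32\drivers\RKHit.sys [2010-12-23 29312]
R1 lac97inf;lac97inf;c:\users\THOMAS~1\AppData\Local\Temp\lac97inf.sys [date-placeholder size-placeholder]
"""


class AutostartEntry(NamedTuple):
    kind: str    # "run" (Run key entry), "service" or "driver"
    name: str
    image: str   # image path as written in the log


RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?)(?: \[[^\]]*\])?$")
# first token ending in an executable extension, quoted or not
IMAGE_RE = re.compile(r'^"?(?P<img>.+?\.(?:exe|dll|sys|cpl))(?:"|,|\s|$)', re.IGNORECASE)
# drive letter, expanded environment variable, or UNC path
QUALIFIED_RE = re.compile(r"^(?:[a-z]:\\|%[^%]+%\\|\\\\)", re.IGNORECASE)


def image_from_command(cmd: str) -> Optional[str]:
    """Extract the image a Run/service command line actually loads."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if not m:
        return None
    img = m.group("img")
    # rundll32 is only a host: the DLL named after it is the interesting image
    if img.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        return image_from_command(cmd[m.end():])
    return img


def parse_entries(log_text: str) -> List[AutostartEntry]:
    entries: List[AutostartEntry] = []
    for line in log_text.splitlines():
        rm = RUN_RE.match(line)
        if rm:
            img = image_from_command(rm.group("cmd"))
            if img:
                entries.append(AutostartEntry("run", rm.group("name"), img))
            continue
        sm = SVC_RE.match(line)
        if sm:
            img = image_from_command(sm.group("path")) or sm.group("path")
            kind = "driver" if img.lower().endswith(".sys") else "service"
            entries.append(AutostartEntry(kind, sm.group("name"), img))
    return entries


def assess(entry: AutostartEntry) -> Optional[str]:
    """Heuristic reason to look closer, or None (my own rules, not a tool's)."""
    p = entry.image.lower()
    if "\\temp\\" in p or "\\appdata\\local\\temp" in p:
        return "image lives in a temporary directory"
    if entry.kind == "driver" and not (
        "\\windows\\system32\\drivers\\" in p or "\\program files\\" in p
    ):
        return "kernel driver outside the usual driver directories"
    if not QUALIFIED_RE.match(p):
        return "no directory given; Windows resolves it through the search path"
    return None


def triage(log_text: str) -> List[Tuple[AutostartEntry, str]]:
    """Return (entry, reason) pairs for every entry worth a second look."""
    findings = []
    for entry in parse_entries(log_text):
        reason = assess(entry)
        if reason:
            findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"[{entry.kind}] {entry.name}: {entry.image}\n    -> {reason}")
```

On the sample above this reports the two unqualified Run entries and the driver in `Local\Temp`, and stays quiet about the Avira and RkHit drivers and the `%ProgramFiles%` Defender entry; a flag is a reason to check the file, not a verdict.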

tashi
2010-12-29, 20:59
Reminder, to avoid topic being archived. :) The Waiting Room: Post here if waiting for help four days (http://forums.spybot.info/forumdisplay.php?f=37)

Blade81
2011-01-04, 08:03
Hi,

Please post fresh dds logs.

drDubbelklick
2011-01-04, 21:57
Fresh DDS.txt and Attach.zip have been attached to this thread.

BR
Thomas
Sweden

Blade81
2011-01-05, 07:44
Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

drDubbelklick
2011-01-05, 18:08
ComboFix reports that CA Antivirus is installed on this machine and cannot continue. I have no CA Antivirus, only CA ErWin, a database modelling tool. I uninstalled it, but there is still a folder called "C:\Program Files\CA\SharedComponents\CA_LIC" which I cannot remove, most likely due to a service locking one of the files there.
I then went into the registry to look for candidate services for removal, to no avail. How can I completely be rid of the service? It is not listed in "Administrative Tools/Services" either.

Blade81
2011-01-05, 19:16
Hi,

Could you try to run ComboFix in safe mode?

drDubbelklick
2011-01-05, 19:22
I managed to remove the hidden service by means of a discreet utility program that was located in the CA_LOC folder.
This can be useful information: ComboFix erroneously detects any CA program as being a virus scanner. In my case it was a database design tool.

I enclose the requested dds.txt and c:\ComboFix.txt

BR
Thomas
Sweden

Blade81
2011-01-05, 19:45
Hi Thomas,

Thanks for letting me know about issue with CA ErWin. I've informed ComboFix author about it.


Open notepad and copy/paste the text in the quotebox below into it:



Driver::
lac97inf
File::
c:\users\THOMAS~1\AppData\Local\Temp\lac97inf.sys



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 23 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows on platform combobox and check the box that says: Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked.
Click Scan
Wait for the scan to finish.



Post back ESET report, a fresh dds.txt log and the above-mentioned ComboFix resultant log. Any issues left?

drDubbelklick
2011-01-06, 10:08
Here come the logs you requested. As you can see, the machine was infected with cracking utilities to programs which I can remove plus other stuff.

BR
Thomas
Sweden

Blade81
2011-01-06, 16:16
Hi,

Delete those ESET findings. Could you do us a favour and reinstall ERwin? Then download a fresh copy of ComboFix and see if you're able to run it without the notification you had earlier.

drDubbelklick
2011-01-06, 20:02
I also have a folder in the root called ComboFix. The contents of that folder are the entire Desktop, which in turn contains a C: Drive with Combofix as its folder, i.e. it goes on recursively.

Blade81
2011-01-06, 21:02
Hi,

Yes, that's normal. Don't worry about it for now :)

Blade81
2011-01-08, 11:12
Hi,

Did you reinstall ERWin and then run new ComboFix version?

drDubbelklick
2011-01-08, 12:49
Hi,

Delete those ESET findings. Could you do us a favour and reinstall ERwin? Then download a fresh copy of ComboFix and see if you're able to run it without the notification you had earlier.

Hi. I no longer have access to ErWin. I did a complete uninstall of licensing service and program (I never needed it) - can't help you there, sorry.

Blade81
2011-01-08, 19:33
That's ok. Please post fresh dds log and let me know if there're any issues left :)

drDubbelklick
2011-01-09, 11:10
The files you requested are attached.

Remaining issues:

* ComboFix being a directory that links to the Desktop. This goes on recursively.
* The icon for Windows Defender has vanished from the SysTray, so I don't know if it's running or not.

drDubbelklick
2011-01-09, 11:14
What is Trellian Toolbar? Do I need it? If not, how do I get rid of it?

Blade81
2011-01-09, 15:43
Hi,

You won't need that toolbar. Let's try to remove it.

Uninstall ToolbarBrowser. Uninstall also all Javas except Java 6 Update 23.

Open notepad and copy/paste the text in the quotebox below into it:



DDS::
BHO: Trellian BHO Impl: {24180b00-2eb6-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
TB: Trellian &Toolbar: {71aaabe5-1f0f-11d7-bd6f-004854603dce} - c:\program files\trellian\toolbar\toolbar.dll
Folder::
c:\program files\trellian



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

drDubbelklick
2011-01-09, 20:05
Hi. I didn't find any ToolbarBrowser to uninstall, but now Java has been uninstalled, except for the latest release. Trellian is gone. All that remains now are:

* ComboFix being a link to c:\
* Why the icon for Windows Defender has disappeared from the systray. I have checked that it is set to be on.

Here is the log file anyhow.

/Thomas

Blade81
2011-01-09, 20:21
Hi,

Now let's uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK

drDubbelklick
2011-01-09, 20:59
Hi,

I executed the command you gave me, combobox disappeared from the desktop. I then rebooted the machine, since it was still present in the file explorer, but combobox is still present in the file explorer, but with a standard icon, see enclosed image. Something obviously went wrong...

/Thomas

Blade81
2011-01-10, 09:00
Hi,

Please download & run this (http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE) after disabling protection first.

drDubbelklick
2011-01-10, 09:36
After running the program you supplied, ComboFix is now gone from the left hand side of the file explorer.
The last remaining issue is why the Windows Defender icon does not show in the SysTray anymore. I tried toggling between 1) if it should only be shown if a threat has been detected and 2) always, and then it displayed. It was set to always display and is set to be on (active).

Blade81
2011-01-10, 09:40
Something may have reset the setting related to visibility. Did it work when you set it to "always" setting again?

drDubbelklick
2011-01-10, 10:12
Yes it did, but when I rebooted the computer, the Windows Defender icon is still missing...

Blade81
2011-01-10, 17:37
Hi,

Click start-> and type cmd.exe into search textbox. Right click command prompt icon on the list that appears and select run as administrator.

Please type the following command in the black command prompt window that opened up:
regedit /e "%userprofile%\desktop\runExport.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

After that you should have runExport.txt file on your desktop. Attach it to your post.

drDubbelklick
2011-01-10, 19:28
runExport.txt is enclosed.

Blade81
2011-01-10, 20:37
Hi,


Download ERUNT (http://www.softpedia.com/get/Tweak/Registry-Tweak/Erunt-g.shtml)
Save it to your desktop. Run and install this program.

In the box that opens ONLY choose System registry.

Then click OK.

Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="\"c:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"



It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

Let's see how it goes with that icon after that.
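
Before merging a .reg file someone hands you, it is worth knowing exactly what it will write. As an added example (not from this thread and not a Microsoft tool), here is a small Python parser for the Registry Editor 5.00 format used above: it checks the header, decodes the `\\` and `\"` escapes in string values (so the value above comes back as the same command line DDS shows for the `Windows Defender` Run entry), and `review` warns if the file touches any key other than the ones you expected or deletes anything. `SAMPLE_REG` is the fix.reg from this post; the allow-list passed to `review` is my own parameter, and hex(...) blobs are kept raw rather than decoded.

```python
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# The fix.reg from this post, embedded as constructed sample input.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="\"c:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
'''

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<raw>.*)$')
STRING_RE = re.compile(r'^"(?P<body>(?:[^"\\]|\\.)*)"$')


def unescape_reg_string(body: str) -> str:
    """Undo the .reg escapes: \\\\ -> \\ and \\" -> " (backslash quotes the next char)."""
    out = []
    i = 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def escape_reg_string(s: str) -> str:
    """Produce a quoted REG_SZ literal the way regedit expects it."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_reg(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Map key path -> {value name: (type, decoded value)}; '-key' marks a key deletion."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a Registry Editor 5.00 file; refuse to merge")
    result: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for ln in lines[1:]:
        ln = ln.strip()
        if not ln or ln.startswith(";"):
            continue
        km = KEY_RE.match(ln)
        if km:
            current = ("-" if km.group("delete") else "") + km.group("key")
            result.setdefault(current, {})
            continue
        vm = VALUE_RE.match(ln)
        if not vm or current is None:
            raise ValueError(f"unparsable line: {ln}")
        name = "@" if vm.group("default") else unescape_reg_string(vm.group("name"))
        raw = vm.group("raw")
        sm = STRING_RE.match(raw)
        if sm:
            result[current][name] = ("REG_SZ", unescape_reg_string(sm.group("body")))
        elif raw == "-":
            result[current][name] = ("DELETE", "")
        elif raw.lower().startswith("dword:"):
            result[current][name] = ("REG_DWORD", str(int(raw[6:], 16)))
        else:
            result[current][name] = ("OTHER", raw)  # hex(...) blobs etc., left as-is
    return result


def review(text: str, allowed_keys: List[str]) -> List[str]:
    """Warnings a person should read before merging: unexpected keys, deletions."""
    warnings = []
    allowed = {k.lower() for k in allowed_keys}
    for key, values in parse_reg(text).items():
        if key.startswith("-"):
            warnings.append(f"deletes whole key {key[1:]}")
            continue
        if key.lower() not in allowed:
            warnings.append(f"writes to unexpected key {key}")
        for name, (typ, _) in values.items():
            if typ == "DELETE":
                warnings.append(f"deletes value {name!r} under {key}")
    return warnings


if __name__ == "__main__":
    run_key = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    for key, values in parse_reg(SAMPLE_REG).items():
        for name, (typ, val) in values.items():
            print(f"{key}\n  {name} ({typ}) = {val}")
    print("warnings:", review(SAMPLE_REG, [run_key]) or "none")
```

Running it on the fix above lists one REG_SZ write under the HKLM Run key and no warnings; pointing `review` at a different allow-list makes the same file show up as writing to an unexpected key, which is the check you want before merging a .reg from a forum thread.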

drDubbelklick
2011-01-10, 23:58
The icon is now back in the SysTray!

drDubbelklick
2011-01-11, 01:51
When I put the computer back on after a few hours rest, the icon did NOT appear in the SysTray.

I checked the Run section under HKLM\...\Run, and the command is indeed there, but is not displayed in the SysTray. I also tried executing the command, but it won't display.

Blade81
2011-01-11, 07:52
Hi,

I read that icon may disappear sometimes even if it was set to show always. No 100% working solution was provided to any of those cases. If protection is running properly and there're no issues with the system I'd suggest to let the thing be. The icon should appear if some action is needed (WD needs updating, detects something etc).

drDubbelklick
2011-01-11, 08:52
Yes, I'd have to agree with you. The protection is still there (assuming you have configured it so). Where did you read about the icon sometimes disappearing?

I think that this was the last issue on the list.

Thank you very much for Excellent support. :present:

drDubbelklick
2011-01-11, 10:08
(I only checked without taking any action):

1) I can no longer create shortcuts on the desktop

2) I ran SpyBot, and it still detected Win32.Agent.Deot:
Win32.Agent.deot: [SBI $124634AE] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lac97inf

Right Media: Tracking cookie (Internet Explorer: Thomas J Ekman) (Cookie, nothing done)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


Statcounter: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


AdBrite: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


AdBrite: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


AdBrite: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


AdBrite: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


AdBrite: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


AdBrite: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


AdBrite: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


AdBrite: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)


WebTrends live: Tracking cookie (Chrome: Chrome) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-01-26 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-10-05 Includes\Adware.sbi (*)
2010-11-30 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2010-12-14 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2010-11-30 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2010-12-14 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-12-14 Includes\Malware.sbi (*)
2011-01-04 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-12-14 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-12-14 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-12-28 Includes\Spyware.sbi (*)
2010-12-28 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2010-12-17 Includes\TrojansC-02.sbi (*)
2010-12-16 Includes\TrojansC-03.sbi (*)
2010-12-16 Includes\TrojansC-04.sbi (*)
2011-01-04 Includes\TrojansC-05.sbi (*)
2010-12-28 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Blade81
2011-01-11, 10:11
Hi,

That 2) service appears to be Logitech related. So looks like it can be ignored. Could you describe a bit more that shortcut issue?

drDubbelklick
2011-01-11, 11:26
When I drag/drop a URL from Internet Explorer, a shortcut is created, but when I right-click on the Desktop and choose New->Shortcut, nothing happens. I can create a new Folder on the Desktop, so all "New" choices are not corrupt. Can Combofix be the culprit here? I suspect my user profile is corrupt.

drDubbelklick
2011-01-11, 12:46
...and as a more serious issue, the lac97inf.sys problem is back!

Blade81
2011-01-11, 13:18
Hi,

Let's see that shortcut issue. Download this (http://www.winhelponline.com/fileasso/lnkfix_vista.zip) and extract its contents to your desktop. Double-click the extracted file and allow merging.


..and as a more serious issue, the lac97inf.sys problem is back!
As told above, it's related to Logitech and should be ignored.

drDubbelklick
2011-01-11, 16:50
Hi. Links now work! :thanks:

Regarding the other issue, the one that you say belongs to Logitech, there is a service locking the file in my temporary folder, just as the trojan with the same name and place did. I also did a scan (but did not remove anything) with SpyBot, and it detected it as Win32.Agent.Deot by examining the registry. I then right-clicked the file and selected "Scan Using Spybot Search&Destroy", but that did not find anything. I am not convinced that the file is benign and comes from Logitech - why should they place a service file in the temporary area when they have their "Program Files" to play with? :confused:

Blade81
2011-01-11, 19:25
Hi,

You can read about it here (http://forum.avast.com/index.php?topic=34712.0). I don't know why Logitech is using temporary location for the file.

drDubbelklick
2011-01-11, 19:52
OK. I think we are done then. Then SpyBot needs to be updated to take care of that false positive.

I thank you for your time you've spent helping me solve this case.

Best Regards
Thomas
SWEDEN

Blade81
2011-01-11, 20:24
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.