need help removing Win32.Agent.adb virus



Fluence
2013-04-12, 23:16
I got the virus after my scan and it keeps coming back, but as I've seen from other posts, this needs to be taken care of differently on everyone's PC.

Here's the log:


--- Search result list ---
Win32.Agent.adb: [SBI $AAEB5E52] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-596342541-1993101699-2882779601-1001\Software\DC3_FEXEC


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2012-09-03 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2012-04-04 Includes\Adware.sbi (*)
2012-08-28 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-11-29 Includes\DialerC.sbi (*)
2012-01-31 Includes\HeavyDuty.sbi (*)
2012-06-19 Includes\Hijackers.sbi (*)
2012-07-31 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2012-03-13 Includes\Keyloggers.sbi (*)
2012-03-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2012-08-28 Includes\Malware.sbi (*)
2012-08-28 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2012-08-21 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2012-06-19 Includes\Security.sbi (*)
2011-12-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2012-07-23 Includes\Spyware.sbi (*)
2012-07-31 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2012-08-29 Includes\TrojansC-02.sbi (*)
2012-08-29 Includes\TrojansC-03.sbi (*)
2012-08-28 Includes\TrojansC-04.sbi (*)
2012-08-07 Includes\TrojansC-05.sbi (*)
2012-08-27 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Unknown Windows version 6.1 (Build: 7601) Service Pack 1 (6.1.7601)


--- Startup entries list ---
Located: HK_LM:RunOnce, Malwarebytes Anti-Malware
command: C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
file: C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
size: 532040
MD5: D1D5DAB39DCB4BE0359943738D87409B

Located: HK_CU:Run, Sidebar
where: S-1-5-19...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
size: 1174016
MD5: DCCA4B04AF87E52EF9EAA2190E06CBAC

Located: HK_CU:RunOnce, mctadmin
where: S-1-5-19...
command: C:\Windows\System32\mctadmin.exe
file: C:\Windows\System32\mctadmin.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Sidebar
where: S-1-5-20...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
size: 1174016
MD5: DCCA4B04AF87E52EF9EAA2190E06CBAC

Located: HK_CU:RunOnce, mctadmin
where: S-1-5-20...
command: C:\Windows\System32\mctadmin.exe
file: C:\Windows\System32\mctadmin.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (common), AsusVibeLauncher.lnk
where: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe
file: C:\Program Files (x86)\ASUS\AsusVibe\AsusVibeLauncher.exe
size: 549040
MD5: C0017E791FFA01A7BD09683BA7A0F4D0

Located: Startup (user), Dropbox.lnk
where: C:\Users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Users\Brad\AppData\Roaming\Dropbox\bin\Dropbox.exe
file: C:\Users\Brad\AppData\Roaming\Dropbox\bin\Dropbox.exe
size: 26043088
MD5: D5502D803CBA0CBD2F86F7D19DD4EA3E

Located: Startup (user), Stardock ObjectDock.lnk
where: C:\Users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup...
command: C:\Program Files (x86)\Stardock\ObjectDockFree\ObjectDock.exe
file: C:\Program Files (x86)\Stardock\ObjectDockFree\ObjectDock.exe
size: 3768176
MD5: EDE7D1C7EBCF214A5EF0BD99EC780C05



--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 7/27/2012 4:51:32 PM
Date (last access): 9/16/2012 11:47:04 PM
Date (last write): 7/27/2012 4:51:32 PM
Filesize: 63944
Attributes: archive
MD5: BA0ED7AA3C36A8DA27DED1D6B3508158
CRC32: BFE061AC
Version: 10.1.4.38

{6D53EC84-6AAE-4787-AEEE-F4628F01010C} (Norton Vulnerability Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Norton Vulnerability Protection
CLSID name: Norton Vulnerability Protection
Path: C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\IPS\
Long name: ipsbho.dll
Short name:
Date (created): 2/5/2013 6:42:14 PM
Date (last access): 2/5/2013 6:42:14 PM
Date (last write): 6/20/2012 9:26:04 PM
Filesize: 210400
Attributes: readonly archive
MD5: FF3E0C3DCCE988EB391823F62F9397D0
CRC32: B74833D0
Version: 10.2.0.5

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (Java(tm) Plug-In SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In SSV Helper
Path: C:\Program Files (x86)\Java\jre7\bin\
Long name: ssv.dll
Short name:
Date (created): 3/6/2013 6:51:12 PM
Date (last access): 3/6/2013 6:51:12 PM
Date (last write): 3/6/2013 6:51:12 PM
Filesize: 461216
Attributes: archive
MD5: 0E0D229CC5AD08ADB848878FD167E0C5
CRC32: ADCA4A3F
Version: 10.17.2.2

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live ID Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live ID Sign-in Helper
Path: C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 3/28/2011 11:35:06 PM
Date (last access): 10/18/2011 1:28:40 PM
Date (last write): 3/28/2011 11:35:06 PM
Filesize: 441216
Attributes: archive
MD5: CF39A105CD553EED31E2255AFF4C6742
CRC32: 3D1149C5
Version: 7.250.4232.0

{B4F3A835-0E21-4959-BA22-42B3008E02FF} (URLRedirectionBHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: URLRedirectionBHO
CLSID name: Office Document Cache Handler
Path: C:\PROGRA~2\MICROS~1\Office14\
Long name: URLREDIR.DLL
Short name:
Date (created): 12/21/2010 1:05:22 AM
Date (last access): 7/28/2012 3:55:10 AM
Date (last write): 12/21/2010 1:05:22 AM
Filesize: 561552
Attributes: archive
MD5: A5D08B86E8A437AA6DEAF7A187BF6CA5
CRC32: CEA4973B
Version: 14.0.6015.1000

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files (x86)\Java\jre7\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 3/6/2013 6:51:12 PM
Date (last access): 3/6/2013 6:51:12 PM
Date (last write): 3/6/2013 6:51:12 PM
Filesize: 170912
Attributes: archive
MD5: 27861540F6A834218C9ED6E2FE75E32B
CRC32: F1C125FC
Version: 10.17.2.2



--- ActiveX list ---


--- Process list ---
PID: 0 ( 0) [System]
PID: 3512 (1800) C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\ccSvcHst.exe
size: 138272
MD5: F2840DBFE9322F35557219AE82CC4597
PID: 3708 (3520) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
size: 5732992
MD5: 5BB1F77C8AF725A15EC9366498D275BB
PID: 3728 (3520) C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
size: 305792
MD5: BC3DA234CDA880578526DAB028F40268
PID: 3752 (3520) C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe
size: 503728
MD5: 266D0F89166BCAFF16BBD661FE0C64F2
PID: 3760 (3520) C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
size: 82944
MD5: 7D2C5F5A9DF7AE26B4E62E2D7032B96B
PID: 3776 (3520) C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe
size: 26600
MD5: DF2B67EBB5DB11B6AC7C5775F2582DD2
PID: 3804 (3552) C:\Users\Brad\AppData\Local\Temp\264197\svhost.exe
size: 1851296
MD5: BE520BA2C7F2A14EA115CFC5EA5CC19C
PID: 3320 (3812) C:\Users\Brad\AppData\Roaming\Dropbox\bin\Dropbox.exe
size: 26043088
MD5: D5502D803CBA0CBD2F86F7D19DD4EA3E
PID: 3420 (3812) C:\Program Files (x86)\Stardock\ObjectDockFree\ObjectDock.exe
size: 3768176
MD5: EDE7D1C7EBCF214A5EF0BD99EC780C05
PID: 4960 ( 816) C:\Windows\SysWOW64\ACEngSvr.exe
size: 155648
MD5: A391896CD406E6377F5CEF31FDC12019
PID: 4192 (3804) C:\Users\Brad\AppData\Local\Temp\264197\svhost.exe
size: 1851296
MD5: BE520BA2C7F2A14EA115CFC5EA5CC19C
PID: 4284 (3812) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
size: 1312720
MD5: 4E9592BB2C100E571F82640E59E9ECD5
PID: 3484 (4284) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
size: 1312720
MD5: 4E9592BB2C100E571F82640E59E9ECD5
PID: 3472 (4284) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
size: 1312720
MD5: 4E9592BB2C100E571F82640E59E9ECD5
PID: 4536 (4284) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
size: 1312720
MD5: 4E9592BB2C100E571F82640E59E9ECD5
PID: 5968 (4284) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
size: 1312720
MD5: 4E9592BB2C100E571F82640E59E9ECD5
PID: 7156 (4284) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
size: 1312720
MD5: 4E9592BB2C100E571F82640E59E9ECD5
PID: 3152 (4284) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
size: 1312720
MD5: 4E9592BB2C100E571F82640E59E9ECD5
PID: 6196 (4284) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
size: 1312720
MD5: 4E9592BB2C100E571F82640E59E9ECD5
PID: 6484 (3420) C:\Program Files (x86)\iTunes\iTunes.exe
size: 9777040
MD5: E3E6D5B9644BED23492F2A8C1608AA69
PID: 2408 (6484) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
size: 55184
MD5: 00E4CE45FD1C5DE4122221D44289F4AC
PID: 1280 (2408) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
size: 13712
MD5: E794AE1D04FC098011CA5700F18D4840

tashi
2013-04-13, 08:26
Hello Fluence,

The latest version of Spybot is 2.0 (http://www.safer-networking.org/); however, the main issue appears to be that your detections haven't been updated since 2012.

Please update Spybot, run another scan and then let us know if any items are flagged. :)

Detection updates (http://www.safer-networking.org/updates/files/spybotsd_includes.exe) for Spybot – Search & Destroy® 1.6.2 as a separate download

Best regards.
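As an added example, not code from this thread or from Spybot itself: a small Python triage script for the 1.6 log format posted above. It pulls each detection and the registry key or file on the line after it, compares the newest Includes\*.sbi date against the scan date (the stale-definitions point raised in the reply), and flags processes that run from a temp directory, carry a near-miss of a core Windows binary name outside %SystemRoot%, or were spawned by a copy of themselves. The sample log is a constructed excerpt of the posted one; the 30-day threshold, the core-binary list and the temp-directory patterns are my assumptions, and a flag is a lead to inspect by hand, not a verdict that the file is malicious.

```python
"""Triage helpers for a Spybot - Search & Destroy 1.6 text log (added example).
Flags are leads for a human to check, not verdicts."""
import re
from datetime import date

# Constructed sample: an excerpt of the log posted in the thread (size lines omitted).
SAMPLE_LOG = r"""
--- Search result list ---
Win32.Agent.adb: [SBI $AAEB5E52] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-596342541-1993101699-2882779601-1001\Software\DC3_FEXEC

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2012-08-28 Includes\Malware.sbi (*)
2012-08-29 Includes\TrojansC-02.sbi (*)
2011-09-28 Includes\Trojans.sbi (*)

--- Process list ---
PID: 3512 (1800) C:\Program Files (x86)\Norton AntiVirus\Engine\19.9.1.14\ccSvcHst.exe
MD5: F2840DBFE9322F35557219AE82CC4597
PID: 3804 (3552) C:\Users\Brad\AppData\Local\Temp\264197\svhost.exe
MD5: BE520BA2C7F2A14EA115CFC5EA5CC19C
PID: 4192 (3804) C:\Users\Brad\AppData\Local\Temp\264197\svhost.exe
MD5: BE520BA2C7F2A14EA115CFC5EA5CC19C
PID: 4960 ( 816) C:\Windows\SysWOW64\ACEngSvr.exe
MD5: A391896CD406E6377F5CEF31FDC12019
"""

DETECTION_RE = re.compile(r"^(\S+): \[SBI \$[0-9A-F]+\] (.+)$")
PROCESS_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s+(.+)$")
SBI_DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) Includes\\\S+\.sbi", re.M)
# Assumed patterns: user-writable drop locations, and the Windows directory.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Downloads)\\", re.I)
SYSTEM_ROOT_RE = re.compile(r"^[A-Z]:\\Windows\\", re.I)
# Assumed list of core Windows binaries that only run from %SystemRoot%; a
# near-identical name anywhere else is the classic masquerading pattern.
CORE_BINARIES = ("svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                 "winlogon.exe", "wininit.exe", "services.exe", "explorer.exe")


def parse_detections(log):
    """Return [(name, kind_and_action, target)] from the 'Search result list'.
    The target (registry key or file) is on the line after the detection."""
    lines, found = log.splitlines(), []
    for i, line in enumerate(lines):
        m = DETECTION_RE.match(line)
        if m:
            target = lines[i + 1].strip() if i + 1 < len(lines) else ""
            found.append((m.group(1), m.group(2), target))
    return found


def newest_definition_date(log):
    """Newest date stamped on an Includes\\*.sbi definition file, or None."""
    stamps = SBI_DATE_RE.findall(log)
    return max(date.fromisoformat(s) for s in stamps) if stamps else None


def definitions_stale(log, scan_date, max_age_days=30):
    """True if the newest definition file was older than max_age_days at scan time."""
    if isinstance(scan_date, str):
        scan_date = date.fromisoformat(scan_date)
    newest = newest_definition_date(log)
    return newest is None or (scan_date - newest).days > max_age_days


def parse_processes(log):
    """Return [{'pid', 'ppid', 'path', 'md5'}] from the 'Process list' section."""
    lines, procs = log.splitlines(), []
    for i, line in enumerate(lines):
        m = PROCESS_RE.match(line)
        if m:
            md5 = next((l.split(":", 1)[1].strip() for l in lines[i + 1:i + 3]
                        if l.startswith("MD5:")), "")
            procs.append({"pid": int(m.group(1)), "ppid": int(m.group(2)),
                          "path": m.group(3).strip(), "md5": md5})
    return procs


def within_one_edit(a, b):
    """True if a and b are equal or differ by one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
        else:
            edits += 1
            i += len(a) >= len(b)  # advance the longer string, or both on a substitution
            j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1


def flag_processes(procs):
    """Map pid -> reasons a process deserves a closer look (leads, not verdicts)."""
    by_pid = {p["pid"]: p for p in procs}
    flags = {}
    for p in procs:
        name = p["path"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if TEMP_DIR_RE.search(p["path"]):
            reasons.append("runs from a temp or download directory")
        if not SYSTEM_ROOT_RE.match(p["path"]):
            lookalike = next((c for c in CORE_BINARIES if within_one_edit(name, c)), None)
            if lookalike:
                reasons.append(f"name resembles {lookalike} but runs outside %SystemRoot%")
        parent = by_pid.get(p["ppid"])
        if parent and parent["path"].lower() == p["path"].lower():
            reasons.append(f"spawned by a copy of itself (pid {parent['pid']})")
        if reasons:
            flags[p["pid"]] = reasons
    return flags


if __name__ == "__main__":
    for name, detail, target in parse_detections(SAMPLE_LOG):
        print(f"detected {name}: {detail} -> {target}")
    print("definitions stale at scan time:", definitions_stale(SAMPLE_LOG, "2013-04-12"))
    for pid, reasons in flag_processes(parse_processes(SAMPLE_LOG)).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

Run against the excerpt, the script reports the Win32.Agent.adb key, says the definitions were stale on the 2013-04-12 scan date (the newest .sbi file is dated 2012-08-29), and flags the two svhost.exe processes on all three counts while leaving ccSvcHst.exe and ACEngSvr.exe alone. Whether a flagged file is actually malicious still has to be settled by hashing it against a reputation source or pulling it apart, which the log alone cannot do.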