Thread: Agent Koober/Frauder

  1. #1
    Junior Member
    Join Date
    Dec 2010
    Posts
    2

    Agent Koober/Frauder

    Hello,

    I keep receiving notifications from AVG Antivirus Free that my system has Agent Frauder or Koober. After "healing" the infection I am asked to restart the PC but it then reports that the Agent is back.

    I also ran Super AntiSpyware which attempted to remove the problem. I have run this twice. I checked the computer with a full AVG scan, full Spybot scan, full Adaware scan and these programs did not return any results.

    The account I usually run from is a Limited User account.

    A log file provided by DDS is below:

    DDS (Ver_10-12-05.01) - NTFSx86
    Run by David at 14:12:36.81 on 09/12/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3067.289 [GMT 0:00]

    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

    ============== Running Processes ===============

    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\OEM13Mon.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files\DigitalPersona\Bin\dpagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Executor\Executor.exe
    C:\Program Files\Codebox\BitMeter\BitMeter2.exe
    C:\Documents and Settings\David\Application Data\Dropbox\bin\Dropbox.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\SysInternals\Desktops.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\FileHippo.com\UpdateChecker.exe
    C:\ZendServer\ZendServer\bin\zendcontroller.exe
    C:\ZendEclipse\eclipse.exe
    C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\mstsc.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\David\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe"
    mSearchAssistant = hxxp://www.google.com/ie
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Download Guard for Internet Explorer: {20c1a7f0-528e-444f-bac5-5804a61cca7f} - c:\program files\lavasoft\download guard for internet explorer\DownloadGuardBHO.dll
    BHO: DigitalPersona Fingerprint Software Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [Executor] "c:\program files\executor\Executor.exe" -s
    mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [Orb]
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
    mRun: [OEM13Mon.exe] c:\windows\OEM13Mon.exe
    mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher GUI.exe"
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [IAStorIcon] c:\program files\intel\intel(r) rapid storage technology\IAStorIcon.exe
    mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\david\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\david\application data\dropbox\bin\Dropbox.exe
    StartupFolder: c:\documents and settings\david\start menu\programs\startup\hidden.ahk
    StartupFolder: c:\documents and settings\david\start menu\programs\startup\Programming.ahk
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
    IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
    DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1270290015828
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.euro.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15111/CTPID.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: DPWLN - c:\program files\digitalpersona\bin\DPWLEvHd.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli DPPWDFLT
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\
    FF - prefs.js: browser.startup.homepage - hxxp://localhost/bascoupload/|http://www.egenes.co.uk/bascoupload/
    FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\uye0y23n.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
    FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\uye0y23n.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
    FF - component: c:\documents and settings\david\application data\mozilla\firefox\profiles\uye0y23n.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\digitalpersona\bin\firefoxext\components\dpffcli.dll
    FF - plugin: c:\documents and settings\david\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\david\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\david\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1970.7372\npCIDetect14.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npRLCT4Player.dll
    FF - plugin: c:\program files\opera\program\plugins\npFoxitReaderPlugin.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Extension: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
    FF - Extension: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\digitalpersona\bin\FirefoxExt
    FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Extension: Page Speed Closure Compiler Extension: {70a9aa80-d283-4eae-8a87-ee7b769edf53} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{70a9aa80-d283-4eae-8a87-ee7b769edf53}
    FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Extension: LastPass: support@lastpass.com - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\support@lastpass.com
    FF - Extension: Tamper Data: {9c51bd27-6ed8-4000-a2bf-36cb95c0c947} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
    FF - Extension: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
    FF - Extension: ProfileSwitcher: {fa8476cf-a98c-4e08-99b4-65a69cb4b7d4} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{fa8476cf-a98c-4e08-99b4-65a69cb4b7d4}
    FF - Extension: CLEO: CLEO@guid.customsoftwareconsult.com - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\CLEO@guid.customsoftwareconsult.com
    FF - Extension: Firebug: firebug@software.joehewitt.com - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\firebug@software.joehewitt.com
    FF - Extension: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Extension: Page Speed: {e3f6c2cc-d8db-498c-af6c-499fb211db97} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
    FF - Extension: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
    FF - Extension: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Extension: YSlow: yslow@yahoo-inc.com - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\yslow@yahoo-inc.com
    FF - Extension: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
    FF - Extension: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
    FF - Extension: HTTPS-Everywhere: https-everywhere@eff.org - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\https-everywhere@eff.org
    FF - Extension: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    FF - Extension: CsFire: csfire@cs.kuleuven.be - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\csfire@cs.kuleuven.be
    FF - Extension: FirePHP: FirePHPExtension-Build@firephp.org - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\FirePHPExtension-Build@firephp.org
    FF - Extension: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
    FF - Extension: VTzilla: vtzilla@virustotal.com - c:\docume~1\david\applic~1\mozilla\firefox\profiles\uye0y23n.default\extensions\vtzilla@virustotal.com
    FF - Extension: DigitalPersona Extension: otis@digitalpersona.com - c:\program files\digitalpersona\bin\firefoxext

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 cumon;cumon;c:\windows\system32\drivers\cumon.sys [2010-8-29 235248]
    R0 Evdd;evdd;c:\windows\system32\drivers\evdd.sys [2010-8-29 18920]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-3 64288]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\dbadmin\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\dbadmin\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
    R1 SASKUTIL;SASKUTIL;\??\c:\docume~1\dbadmin\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\dbadmin\locals~1\temp\sas_selfextract\SASKUTIL.SYS [?]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-14 14336]
    R2 Apache2.2-Zend;Apache2.2-Zend;c:\zendserver\apache2\bin\httpd.exe [2010-9-7 27240]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 CPMService;COMODO Programs Manager Service;c:\program files\comodo\comodo programs manager\CPMservice.exe [2010-7-22 79304]
    R2 CruiseControl;CruiseControl Service;c:\program files\cruisecontrol\wrapper.exe [2010-1-25 126976]
    R2 dgdersvc;Device Error Recovery Service;c:\windows\system32\dgdersvc.exe [2010-9-15 95568]
    R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-10-17 217088]
    R2 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-4-11 30192]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\intel\intel(r) rapid storage technology\IAStorDataMgrSvc.exe [2010-11-30 13336]
    R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
    R2 VisualSVNServer;VisualSVN Server;c:\program files\visualsvn server\bin\VisualSVNServer.exe [2010-7-13 23840]
    R2 ZendJavaBridge;Zend Java Bridge;c:\zendserver\zendserver\bin\JavaServer.exe [2010-9-7 23544]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-4-2 112512]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2010-9-15 18120]
    R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-10-17 36640]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-11 15264]
    R3 O2MDGRDR;O2MDGRDR;c:\windows\system32\drivers\o2mdg.sys [2010-4-2 51616]
    R3 O2SDGRDR;O2SDGRDR;c:\windows\system32\drivers\o2sdg.sys [2010-4-2 41760]
    R3 OEM13Vfx;Creative Camera OEM013 Video VFX Driver;c:\windows\system32\drivers\OEM13Vfx.sys [2010-4-3 7424]
    R3 OEM13Vid;Creative Camera OEM013 Driver;c:\windows\system32\drivers\OEM13Vid.sys [2010-4-3 235840]
    R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-10-17 124648]
    R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-4-10 27632]
    R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2010-6-9 26112]
    S0 cerc6;cerc6; [x]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-29 136176]
    S2 MySQL_ZendServer51;MySQL_ZendServer51;"c:\zendserver\mysql51\bin\mysqld" --defaults-file="c:\zendserver\mysql51\my.ini" mysql_zendserver51 --> c:\zendserver\mysql51\bin\mysqld [?]
    S2 OpenVPNAccessClient;OpenVPN Access Client;c:\program files\openvpn technologies\openvpn client\core\capiws.exe [2010-6-25 24064]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-15 517448]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-7-27 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-7-27 8456]
    S3 OEM13Afx;Provides a software interface to control audio effects of OEM013 camera.;c:\windows\system32\drivers\OEM13Afx.sys [2010-4-3 141376]
    S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [2010-4-10 90408]
    S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [2010-4-10 15016]
    S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [2010-4-10 122024]
    S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [2010-4-10 115368]
    S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [2010-4-10 25768]
    S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [2010-4-10 111784]
    S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [2010-4-10 117544]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2010-10-17 96488]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2010-10-17 12776]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2010-10-17 121576]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2010-11-30 11232]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-8-15 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]

    =============== Created Last 30 ================

    2010-12-09 13:58:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-09 13:58:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-09 13:57:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-09 13:57:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-09 13:52:04 17920 ----a-w- c:\windows\system32\rpcnetp_AVG_RESTORED.exe
    2010-12-09 13:52:00 17920 ----a-w- c:\windows\system32\rpcnetp.dll
    2010-12-09 13:50:30 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2010-12-09 08:08:40 1893 ----a-w- c:\windows\bcmwltrytmp.reg
    2010-12-09 00:58:59 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
    2010-12-09 00:14:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-12-06 16:02:12 -------- d-----w- c:\docume~1\david\applic~1\Trillian
    2010-11-30 21:41:16 -------- d-----w- c:\docume~1\david\applic~1\BitMeter2
    2010-11-30 21:20:59 -------- d-----w- c:\windows\DPDrv
    2010-11-30 21:14:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Bitmeter2
    2010-11-30 21:14:05 -------- d-----w- c:\program files\Codebox
    2010-11-30 20:46:35 -------- d-----w- c:\docume~1\david\applic~1\Macrovision
    2010-11-30 20:45:32 -------- d-----w- c:\docume~1\david\locals~1\applic~1\DigitalPersona
    2010-11-30 20:45:32 -------- d-----w- c:\docume~1\david\applic~1\DigitalPersona
    2010-11-30 20:34:30 -------- d-----w- c:\program files\DigitalPersona
    2010-11-30 11:47:06 -------- d-----w- c:\docume~1\david\applic~1\Intel Corporation
    2010-11-30 10:45:54 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
    2010-11-30 10:28:09 -------- d-----w- c:\windows\system32\dumps
    2010-11-30 10:26:30 -------- d-----w- c:\program files\Athena
    2010-11-30 10:24:15 175616 ----a-w- c:\windows\system32\st326277.dll
    2010-11-30 10:24:12 -------- d-----w- c:\program files\IDT
    2010-11-30 10:07:07 91304 ----a-w- c:\windows\system32\drivers\btserial.sys
    2010-11-30 10:07:07 91176 ----a-w- c:\windows\system32\drivers\btwsecfl.sys
    2010-11-30 09:56:35 11232 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2010-11-30 09:56:17 -------- d-----w- c:\program files\SlimDrivers
    2010-11-30 09:55:46 -------- d-----w- c:\program files\Downloaded Installers
    2010-11-30 09:54:52 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
    2010-11-30 09:54:52 -------- d-----w- c:\program files\Belarc
    2010-11-30 09:13:08 -------- d-----w- c:\docume~1\david\applic~1\Executor
    2010-11-29 22:22:59 -------- d-----w- c:\program files\Executor
    2010-11-29 07:14:51 57752 ----a-w- c:\windows\system32\rpcnet.dll
    2010-11-29 07:14:51 57752 ------w- c:\windows\system32\rpcnet.exe
    2010-11-28 23:20:50 -------- d-----w- C:\ZendEclipse
    2010-11-24 00:00:41 72536 ----a-w- c:\windows\system32\perf-MSSQLSERVER-sqlctr10.2.4000.0.dll
    2010-11-23 22:53:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\PCDr
    2010-11-18 19:54:01 -------- d---a-w- c:\windows\SACDesktop
    2010-11-18 19:16:52 -------- d-----w- c:\windows\system32\msmq
    2010-11-12 18:46:58 4280320 ----a-w- c:\windows\system32\GPhotos.scr
    2010-11-10 20:02:14 -------- d-----w- c:\windows\system32\System32

    ==================== Find3M ====================

    2010-12-03 09:05:33 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-11-29 22:34:23 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    2010-10-14 19:53:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-14 19:53:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-17 10:16:58 89944 ----a-w- c:\windows\system32\SQSRVRES.DLL
    2010-09-17 10:16:56 2565976 ----a-w- c:\windows\system32\sqlncli10.dll
    2010-09-15 08:37:40 95568 ----a-w- c:\windows\system32\dgdersvc.exe
    2010-09-15 08:37:40 763216 ----a-w- c:\windows\system32\dgderapi.dll
    2010-09-15 08:37:40 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
    2010-09-15 08:33:32 36640 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
    2010-09-15 08:33:32 217088 ----a-w- c:\windows\system32\FsUsbExService.Exe
    2010-09-15 08:33:32 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
    2010-06-12 13:39:16 7839944 ----a-w- c:\program files\common files\lpuninstall.exe

    ============= FINISH: 14:13:57.54 ===============
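As an added triage example (my code, not anything posted in this thread), a small Python parser over a short excerpt of the DDS log above: it splits the log into its `=== Name ===` sections, lists the scanners DDS reports as running with on-access scanning enabled, and flags processes or services whose image sits under a user-writable path (temp, Downloads, Application Data) or that DDS marked `[x]`/`[?]`. The excerpt is constructed from lines of the log in post #1; the section names and the `[x]`/`[?]` meanings are as DDS prints them.

```python
"""Triage helper for a DDS log (added example; not part of the thread)."""
import re

# Constructed sample input: a short excerpt of the DDS log posted in #1.
SAMPLE_LOG = r"""
DDS (Ver_10-12-05.01) - NTFSx86
AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Documents and Settings\David\Application Data\Dropbox\bin\Dropbox.exe
C:\Documents and Settings\David\My Documents\Downloads\dds.scr

============= SERVICES / DRIVERS ===============

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 SASDIFSV;SASDIFSV;\??\c:\docume~1\dbadmin\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\dbadmin\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S0 cerc6;cerc6; [x]

============= FINISH: 14:13:57.54 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AV_RE = re.compile(r"^AV:\s*(.+?)\s*\*On-access scanning enabled\*", re.I)
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
# Locations a limited user can write to; DDS prints both long and 8.3 forms.
USER_WRITABLE_RE = re.compile(
    r"\\(temp|downloads|application data|applic~1|local settings|locals~1)\\", re.I)


def split_sections(text):
    """Return {section name (lower-case): [non-empty lines]}.
    Lines before the first '=== ... ===' header go under 'header'."""
    sections, current = {"header": []}, "header"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def on_access_scanners(header_lines):
    """Names of AV products DDS reports with on-access scanning enabled."""
    names = []
    for line in header_lines:
        m = AV_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def parse_service(line):
    """Parse one 'R0 name;display;image [date size]' line, or return None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["image"] = rec["image"].strip()
    # DDS appends '[x]' when the image file is missing and '[?]' when it could not verify it.
    rec["unverified"] = rec["image"].endswith(("[x]", "[?]"))
    return rec


def triage(text):
    """Summarise the points a helper would look at first in a DDS log."""
    sections = split_sections(text)
    procs = sections.get("running processes", [])
    services = [s for s in map(parse_service, sections.get("services / drivers", [])) if s]
    return {
        "on_access_av": on_access_scanners(sections["header"]),
        "user_writable_processes": [p for p in procs if USER_WRITABLE_RE.search(p)],
        "user_writable_services": [s for s in services if USER_WRITABLE_RE.search(s["image"])],
        "unverified_services": [s for s in services if s["unverified"]],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("on-access scanners:", report["on_access_av"])
    if len(report["on_access_av"]) > 1:
        print("  more than one on-access AV is active; keep only one")
    for p in report["user_writable_processes"]:
        print("process from user-writable path:", p)
    for s in report["user_writable_services"]:
        print("service from user-writable path:", s["name"], "->", s["image"])
    for s in report["unverified_services"]:
        print("service image missing/unverified:", s["name"], s["image"][-3:])
```

Anything it flags still needs a human look: Dropbox and the SUPERAntiSpyware driver are legitimate here, so the output is a shortlist to check, not a verdict.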

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    hi Ektion,

    Your post is a few days old. If you still need help reply back.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Dec 2010
    Posts
    2

    The antivirus popups do not report any problem any longer after several attempts to clear the trojan.

    I am unsure if this necessarily means that the trojan is gone; however, the system seems stable for the moment!

  4. #4
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066

    hi,

    Ok. You have AVG, MBAM, AdAware, SAS and Spybot. Maybe one of these took care of it; it could also have been a false positive on AVG's part. In any case, just post back if it returns.
    You also have two antivirus programs running in the background, Lavasoft and AVG. You only need one AV running on a computer. You should disable the AV feature if possible or uninstall one of them.

    Some tips to help you remain malware free:

    10 Tips for Prevention and Avoidance of Malware:
    There is no reason why your computer can not stay malware free.

    No software can think for you. Help yourself. In no special order:

    1) It is essential to keep your operating system (Windows), browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web-based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third-party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here.

    2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software installs useless toolbars if they are not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings that viruses and trojans have been found on your computer, where you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

    3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

    4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

    5) Do not click on ads/pop-ups or offers from websites requesting that you install software on your computer--*for any reason*. Use the Alt+F4 keys to close the window.

    6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

    7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

    8) Install and understand the *limitations* of a software firewall.

    9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs. Or see a slide show here and do it yourself. How to harden FireFox for safer surfing.

    10) Warez, cracks etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?

    More info/tips with pictures in links below.

    Happy Safe Surfing.
    How Can I Reduce My Risk?
