# Malware Win32.agent.pz



## fishluvsav8tor (Jun 23, 2007)

Hi, I hope someone could help me with this malware. Icons are showing up on my desktop, and a page is loading up saying that I am infected. I ran Spybot; it detected it but could not delete it. I tried several antivirus and anti-spyware programs, but none of them was able to delete it. The name is win32.agent.pz.

I did the HijackThis scan and the results are as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:14 AM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MSVPS System - {218B7D50-BC37-4FA8-A57F-6E8DE692BD79} - C:\WINDOWS\vpsnetwork.dll
O2 - BHO: (no name) - {36ADA89D-2440-4DC4-820A-3A05E8630935} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ò×È¤¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×È¤¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D35F5A6A-1C28-40CC-95F3-6156E17ADDFC}: NameServer = 210.14.16.5 210.14.16.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O21 - SSODL: vpssup - {7F7311AE-13FF-4CD5-8A92-821B90E7E378} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {3A6056B7-B1CA-4985-BE9B-C7AB86EA40FA} - C:\WINDOWS\expro.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

Thanks.


----------



## fishluvsav8tor (Jun 23, 2007)

Hi, here is a hijack log from SmitfraudFix:

mitFraudFix v2.195

Scan done at 0:46:58.12, Sun 06/24/2007
Run from C:\Documents and Settings\Diony\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Diony

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Diony\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Diony\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 210.14.16.5
DNS Server Search Order: 210.14.16.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D35F5A6A-1C28-40CC-95F3-6156E17ADDFC}: NameServer=210.14.16.5 210.14.16.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D35F5A6A-1C28-40CC-95F3-6156E17ADDFC}: NameServer=210.14.16.5 210.14.16.2

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Hope someone could help, thanks.


----------



## MFDnNC (Sep 7, 2004)

That is an old version of SmitfraudFix; remove it.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a *folder* named *SmitfraudFix*) to your Desktop.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder again and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at *C:\rapport.txt*

Warning: running option #2 on a non-infected computer will remove your Desktop background.

================
Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

===============
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others unchecked.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me please do the following:
  - After reboot, double-click the SUPERAntispyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click close and close again to exit the program.
- Please paste that information here for me *with a new HijackThis log*.


----------



## fishluvsav8tor (Jun 23, 2007)

Hey, thank you. I used option 2, and it worked. It was able to remove the malware. Both Spybot and SUPERAntiSpyware do not detect it now. And the annoying icons and windows are not popping up, and I can control my homepage now. Thank you very much again for the information. Here is the latest hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:22 AM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {36ADA89D-2440-4DC4-820A-3A05E8630935} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ò×È¤¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ò×È¤¹ºÎï - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D35F5A6A-1C28-40CC-95F3-6156E17ADDFC}: NameServer = 210.14.16.5 210.14.16.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe


----------
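Added example (not part of any post in this thread): a small Python helper that compares a "before" and an "after" HijackThis log and lists which entries disappeared, which appeared, and which remaining entries point at a missing file. The function names are my own, and the two sample inputs are shortened excerpts of the HijackThis logs posted above.

```python
import re

# A HijackThis entry is "<section> - <detail>"; sections are R0-R3, F0-F3,
# N1-N4 and O1-O24. Header lines and process paths do not match this pattern.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
ORPHAN_SUFFIXES = ("(file missing)", "(no file)")

# Shortened excerpts of the two HijackThis logs posted in this thread.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:20:14 AM, on 6/24/2007
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: MSVPS System - {218B7D50-BC37-4FA8-A57F-6E8DE692BD79} - C:\WINDOWS\vpsnetwork.dll
O2 - BHO: (no name) - {36ADA89D-2440-4DC4-820A-3A05E8630935} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O21 - SSODL: vpssup - {7F7311AE-13FF-4CD5-8A92-821B90E7E378} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {3A6056B7-B1CA-4985-BE9B-C7AB86EA40FA} - C:\WINDOWS\expro.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:26:22 AM, on 6/24/2007
Running processes:
C:\WINDOWS\system32\winlogon.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {36ADA89D-2440-4DC4-820A-3A05E8630935} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""


def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2).strip()))
    return entries


def sort_key(entry):
    """Order entries by section letter, then section number, then detail."""
    section, detail = entry
    return (section[0], int(section[1:]), detail)


def diff_logs(before_text, after_text):
    """Return (removed, added): entries only in the first / only in the second log."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    return (sorted(before - after, key=sort_key),
            sorted(after - before, key=sort_key))


def orphaned(log_text):
    """Return entries whose target file HijackThis reported as absent."""
    return sorted(
        (e for e in parse_entries(log_text) if e[1].endswith(ORPHAN_SUFFIXES)),
        key=sort_key,
    )


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for label, entries in (("REMOVED", removed), ("ADDED", added),
                           ("ORPHANED", orphaned(AFTER))):
        for section, detail in entries:
            print(f"{label:8} {section} - {detail}")
```

A removed entry only shows what changed between the two scans; whether it belonged to the infection still has to be judged against the scanner reports.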



## MFDnNC (Sep 7, 2004)

You did not post the requested logs


----------



## fishluvsav8tor (Jun 23, 2007)

Sir, I'm sorry that I wasn't able to post the correct hijackthis.log. I've got several of them here; it seems that I have a lot of them. I'm sorry if they are still incorrect. But as for the log result for SUPERAntiSpyware, it is as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/24/2007 at 00:21 AM

Application Version : 3.8.1002

Core Rules Database Version : 3242
Trace Rules Database Version: 1253

Scan type : Quick Scan
Total Scan Time : 00:25:03

Memory items scanned : 313
Memory threats detected : 0
Registry items scanned : 592
Registry threats detected : 99
File items scanned : 14846
File threats detected : 14

Adware.Tracking Cookie
C:\Documents and Settings\Diony\Cookies\[email protected][1].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][1].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][2].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][2].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][2].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][2].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][1].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][1].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][1].txt
C:\Documents and Settings\Lemuel\Cookies\[email protected][1].txt
C:\Documents and Settings\Technician\Cookies\[email protected][2].txt

Adware.Zango Toolbar/Hb

Trojan.Media-Codec/V3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer Security Plug-in#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Secure Bar#UninstallString

Trojan.ErrorSafe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UERS_9999_N91S2507NETINSTALLER.EXE

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWA7P_0001_N91M0809NETINSTALLER.EXE

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\NTOS.EXE


----------



## MFDnNC (Sep 7, 2004)

Clean








If you feel it is fixed, mark it solved via Thread Tools above.

Turn off restore points, boot, turn them back on; here's how:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


----------

