Author Topic: Trojan Horse Agent 2JCS cannot be removed--please help!  (Read 13548 times)

Drd

    Topic Starter


    Hopeful

    Thanked: 1
    Re: Trojan Horse Agent 2JCS cannot be removed--please help!
    « Reply #15 on: June 01, 2009, 12:58:42 PM »
    I did all this. Should I keep going? What's next?

    Thanks

    Dr. d'Elia

    Drd

      Topic Starter


      Hopeful

      Thanked: 1
      Re: Trojan Horse Agent 2JCS cannot be removed--please help!
      « Reply #16 on: June 01, 2009, 01:01:21 PM »
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 11:30:13 PM, on 6/1/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16827)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
      C:\Program Files\Canon\CAL\CALMAIN.exe
      C:\PROGRA~1\AVG\AVG8\avgemc.exe
      C:\PROGRA~1\AVG\AVG8\avgrsx.exe
      C:\PROGRA~1\AVG\AVG8\avgnsx.exe
      C:\Program Files\AVG\AVG8\avgcsrvx.exe
      C:\WINDOWS\system32\WgaTray.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\RTHDCPL.EXE
      C:\Program Files\XpertVision\TBPanel.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\Program Files\QuickTime\QTTask.exe
      C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
      C:\PROGRA~1\AVG\AVG8\avgtray.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\WINDOWS\System32\svchost.exe
      E:\OpwareSE4.exe
      C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
      C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
      E:\reza\Nokia PC Suite 6\LaunchApplication.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
      C:\Program Files\Skype\Phone\Skype.exe
      C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe
      C:\Program Files\WinZip\WZQKPICK.EXE
      C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
      C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
      C:\Program Files\Skype\Plugin Manager\skypePM.exe
      C:\Program Files\AVG\AVG8\avgcsrvx.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Outlook Express\msimn.exe
      C:\WINDOWS\system32\freecell.exe
      C:\WINDOWS\system32\msiexec.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
      O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
      O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
      O4 - HKLM\..\Run: [TBPanel] C:\Program Files\XpertVision\TBPanel.exe /A
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
      O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
      O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
      O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
      O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
      O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
      O4 - HKLM\..\Run: [OpwareSE4] "E:\OpwareSE4.exe"
      O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
      O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
      O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
      O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
      O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\reza\Nokia PC Suite 6\LaunchApplication.exe -startup
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
      O4 - HKCU\..\Run: [Innerpass] C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe autostart
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] E:\reza\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
      O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
      O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199258053546
      O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{BFCF1F9A-D083-495F-868C-0F6558AD7FE5}: NameServer = 85.15.1.13 85.15.1.10
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
      O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
      O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
      O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
      O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
      O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
      O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

      --
      End of file - 9667 bytes

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Trojan Horse Agent 2JCS cannot be removed--please help!
      « Reply #17 on: June 01, 2009, 01:24:38 PM »
      This entry.

      Quote
      O4 - HKCU\..\Run: [Innerpass] C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe

      Appears to be from Skype and is labeled as adware. See here http://www.prevx.com/filenames/X1987307338720066266-X1/INNERPASSFILESHARING.EXE.html

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      Note: It is important that it is saved directly to your Desktop.

      Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix

      Drd

        Topic Starter


        Hopeful

        Thanked: 1
        Re: Trojan Horse Agent 2JCS cannot be removed--please help!
        « Reply #18 on: June 01, 2009, 01:36:43 PM »
        Wow! I downloaded that thing myself. It was supposed to be a real time conference and document sharing.  It seemed to work okay for me, but the person who was trying to join me in the "room" said that her browser crashed when she tried to use this program. I guess that should have been a sign....
         Now, I will go and do what you said.

        Thanks again.

        In peace
        Dr. D.

        P.S. Should I tell the Skype people that the program they are offering as an option has adware?

        Drd

          Topic Starter


          Hopeful

          Thanked: 1
          Re: Trojan Horse Agent 2JCS cannot be removed--please help!
          « Reply #19 on: June 01, 2009, 01:50:58 PM »
          ComboFix 09-05-31.06 - Irani 06/02/2009  0:14.2 - NTFSx86
          Microsoft Windows XP Professional  5.1.2600.3.1256.1.1033.18.3582.2901 [GMT 4.5:30]
          Running from: c:\documents and settings\Irani\Desktop\ComboFix.exe
          AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\program files\INSTALL.LOG
          D:\Autorun.inf
          E:\Autorun.inf
          H:\Autorun.inf

          .
          (((((((((((((((((((((((((   Files Created from 2009-05-01 to 2009-06-01  )))))))))))))))))))))))))))))))
          .

          2009-06-01 17:30 . 2009-06-01 17:30   3371383   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
          2009-06-01 15:54 . 2009-06-01 15:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2009-06-01 15:54 . 2009-06-01 15:54   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2009-06-01 15:54 . 2009-06-01 15:54   --------   d-----w-   c:\documents and settings\Irani\Application Data\SUPERAntiSpyware.com
          2009-06-01 14:49 . 2009-06-01 14:49   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2009-06-01 02:15 . 2009-06-01 02:15   --------   d-----w-   c:\windows\system32\config\systemprofile\Application Data\PC Suite
          2009-05-21 14:43 . 2009-05-21 14:43   69632   ----a-w-   c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\zInnerPassUninstall.exe
          2009-05-21 14:43 . 2009-05-21 14:43   258048   ----a-w-   c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe
          2009-05-21 14:43 . 2009-05-21 14:43   242496   ----a-w-   c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\tssCPopupNotify.dll
          2009-05-21 14:43 . 2009-05-21 14:43   1828176   ----a-w-   c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\Skype4COM.dll
          2009-05-20 04:28 . 2009-05-03 07:49   2051864   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
          2009-05-20 04:28 . 2009-05-03 07:48   354584   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
          2009-05-20 04:28 . 2009-05-03 07:48   424472   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
          2009-05-20 04:28 . 2009-05-03 07:48   177432   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
          2009-05-20 04:28 . 2009-05-03 07:49   486168   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
          2009-05-20 04:28 . 2009-05-03 07:49   3288344   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
          2009-05-20 04:28 . 2009-05-03 07:48   312088   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
          2009-05-20 04:27 . 2009-05-03 07:45   1437464   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
          2009-05-20 04:27 . 2009-05-03 07:45   755992   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
          2009-05-16 10:48 . 2009-05-03 07:49   2302232   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
          2009-05-16 10:48 . 2009-05-03 07:49   3399960   ----a-w-   c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
          2009-05-16 02:18 . 2009-06-01 17:43   --------   d-----w-   c:\documents and settings\Irani\Application Data\skypePM
          2009-05-16 02:18 . 2009-05-16 02:18   56   ---ha-w-   c:\windows\system32\ezsidmv.dat
          2009-05-16 02:16 . 2009-06-01 19:43   --------   d-----w-   c:\documents and settings\Irani\Application Data\Skype
          2009-05-16 02:15 . 2009-05-16 02:15   --------   d-----w-   c:\program files\Common Files\Skype
          2009-05-16 02:15 . 2009-05-16 02:15   --------   d-----r-   c:\program files\Skype
          2009-05-16 02:15 . 2009-05-16 02:15   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
          2009-05-15 05:57 . 2009-05-15 05:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\CyberLink
          2009-05-05 18:41 . 2009-05-05 18:41   --------   d-----w-   c:\documents and settings\Irani\Local Settings\Application Data\WinZip
          2009-05-05 18:40 . 2009-05-05 18:41   --------   d-----w-   c:\documents and settings\All Users\Application Data\WinZip

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2009-06-01 18:54 . 2009-02-09 23:07   410984   ----a-w-   c:\windows\system32\deploytk.dll
          2009-06-01 17:32 . 2008-09-19 00:00   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2009-05-31 10:48 . 2008-01-01 08:07   --------   d--h--w-   c:\program files\InstallShield Installation Information
          2009-05-31 03:21 . 2009-02-04 15:54   4330   ----a-w-   c:\documents and settings\Irani\Application Data\wklnhst.dat
          2009-05-26 08:50 . 2008-09-19 00:00   40160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2009-05-26 08:49 . 2008-09-19 00:00   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2009-05-22 19:19 . 2008-01-02 02:17   --------   d-----w-   c:\documents and settings\Irani\Application Data\Canon
          2009-05-20 03:11 . 2008-10-27 19:08   --------   d-----w-   c:\program files\MSECache
          2009-05-09 16:16 . 2009-02-06 12:32   --------   d-----w-   c:\documents and settings\Irani\Application Data\AVGTOOLBAR
          2009-05-03 07:49 . 2009-02-05 19:58   11952   ----a-w-   c:\windows\system32\avgrsstx.dll
          2009-05-03 07:49 . 2008-09-17 19:46   325896   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
          2009-05-03 07:49 . 2008-09-17 19:46   27784   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
          2009-05-03 07:49 . 2009-02-06 12:32   108552   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
          2009-05-01 18:41 . 2009-05-01 18:41   50   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\6172\track.dll
          2009-05-01 18:41 . 2009-05-01 18:41   2562   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\6172\hitcounter.dll
          2009-05-01 18:41 . 2009-05-01 18:41   2020   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\6172\externalredirect.dll
          2009-05-01 18:41 . 2009-05-01 18:41   50   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4902\track.dll
          2009-05-01 18:41 . 2009-05-01 18:41   2562   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4902\hitcounter.dll
          2009-05-01 18:41 . 2009-05-01 18:41   2020   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4902\externalredirect.dll
          2009-05-01 13:00 . 2009-05-01 13:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\Elaborate Bytes
          2009-05-01 13:00 . 2009-05-01 12:55   48   --sh--w-   c:\windows\S6E389119.tmp
          2009-05-01 12:55 . 2009-05-01 12:55   --------   d-----w-   c:\program files\Elaborate Bytes
          2009-04-30 07:22 . 2009-04-30 07:22   --------   d-----w-   c:\documents and settings\Irani\Application Data\CyberLink
          2009-04-28 02:16 . 2008-09-19 10:58   4   ----a-w-   C:\timeStmp.tmp
          2009-04-22 07:08 . 2009-04-22 07:08   --------   d-----w-   c:\documents and settings\Irani\Application Data\Apple Computer
          2009-04-21 21:18 . 2009-04-21 21:18   9676   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4370\prscript.dll
          2009-04-21 21:18 . 2009-04-21 21:17   9676   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\15718\prscript.dll
          2009-04-21 21:16 . 2009-04-21 21:16   1895   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\4370\adsadclient31.dll
          2009-04-20 22:06 . 2008-09-17 14:03   --------   d-----w-   c:\program files\Common Files\Adobe
          2009-04-17 19:10 . 2009-04-17 19:10   8523   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\7930\prscript.dll
          2009-04-17 19:10 . 2009-04-17 19:10   8523   ----a-w-   c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\zotero\storage\48\prscript.dll
          2009-04-10 00:21 . 2009-04-07 15:36   60744   ----a-w-   c:\documents and settings\Irani\g2mdlhlpx.exe
          2009-03-11 18:53 . 2009-03-11 18:53   9728   ----a-w-   c:\documents and settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Installations\CommonCustomActions\UninstPCS.exe
          2009-03-11 18:53 . 2009-03-11 18:53   8192   ----a-w-   c:\documents and settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Installations\CommonCustomActions\UninstCCD.exe
          2009-03-11 18:53 . 2009-03-11 18:53   15360   ----a-w-   c:\documents and settings\All Users\Application Data\Installations\{57A48477-92F0-4C1F-ADF9-4806C4EC3CF2}\Installations\CommonCustomActions\UninstPCSFEMsi.exe
          2009-03-06 14:22 . 2004-08-04 01:56   284160   ----a-w-   c:\windows\system32\pdh.dll
          2001-10-22 08:33 . 2001-10-22 08:33   425984   ----a-w-   c:\program files\nokcvtr.exe
          2001-09-29 15:16 . 2001-09-29 15:16   961   ----a-w-   c:\program files\menu.dat
          2001-08-23 20:17 . 2001-08-23 20:17   1314719   ----a-w-   c:\program files\nokhelp.hlp
          2001-08-23 20:16 . 2001-08-23 20:16   304   ----a-w-   c:\program files\nokhelp.cnt
          2001-07-29 15:29 . 2009-03-12 08:43   96256   ----a-w-   c:\program files\UnGins.exe
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
          "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
          "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]
          "Innerpass"="c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\9E0D937F462E4362A83B254A9F8AB3F8\InnerPassFileSharing.exe" [2009-05-21 258048]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "TBPanel"="c:\program files\XpertVision\TBPanel.exe" [2008-01-29 2157064]
          "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-03 13508608]
          "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-03 86016]
          "UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
          "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
          "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
          "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
          "CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
          "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
          "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 644696]
          "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
          "OpwareSE4"="E:\OpwareSE4.exe" [2007-02-04 79400]
          "WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
          "RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
          "PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
          "PCSuiteTrayApplication"="e:\reza\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
          "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-01 148888]
          "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-02-13 16857600]
          "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-01-03 1626112]
          "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
          "Nokia.PCSync"="e:\reza\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-1-14 525664]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2008-12-22 06:35   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
          2009-05-03 07:49   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\Messenger\\msmsgs.exe"=
          "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
          "c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
          "c:\\Documents and Settings\\Irani\\My Documents\\reza p\\BlueSoleil.exe"=
          "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

          R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/18/2008 12:16 AM 325896]
          R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/6/2009 5:02 PM 108552]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/15/2009 4:17 PM 8944]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/15/2009 4:17 PM 55024]
          R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2/6/2009 5:02 PM 908568]
          R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/6/2009 12:28 AM 298776]
          S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [9/19/2008 4:54 AM 33752]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/15/2009 4:17 PM 7408]

          --- Other Services/Drivers In Memory ---

          *NewlyCreated* - JAVAQUICKSTARTERSERVICE
          .
          Contents of the 'Scheduled Tasks' folder

          2009-05-14 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:04]
          .
          - - - - ORPHANS REMOVED - - - -

          SafeBoot-procexp90.Sys


          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.google.com/
          uInternet Connection Wizard,ShellNext = iexplore
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          TCP: {BFCF1F9A-D083-495F-868C-0F6558AD7FE5} = 85.15.1.13 85.15.1.10
          FF - ProfilePath - c:\documents and settings\Irani\Application Data\Mozilla\Firefox\Profiles\eisu2rnz.default\
          FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
          FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
          FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll
          .

          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2009-06-02 00:16
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------

          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(800)
          c:\program files\SUPERAntiSpyware\SASWINLO.dll
          .
          Completion time: 2009-06-01  0:17
          ComboFix-quarantined-files.txt  2009-06-01 19:47

          Pre-Run: 2,489,245,696 bytes free
          Post-Run: 2,482,802,688 bytes free

          256   --- E O F ---   2009-05-16 16:32

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 493
          • Experience: Experienced
          • OS: Windows 11
          Re: Trojan Horse Agent 2JCS cannot be removed--please help!
          « Reply #20 on: June 01, 2009, 01:56:11 PM »

          P.S. should I tell the skype people that the program they are offering as an option has adware?

          Actually Skype doesn't have anything to do with it. It's third party software from https://www.innerpass.com/?

          Can you give me the file path of the trojan AVG is finding? I don't see anything.

          nomi49

          • Guest
          Re: Trojan Horse Agent 2JCS cannot be removed--please help!
          « Reply #21 on: June 01, 2009, 02:21:04 PM »
          Hello: Last night I received a warning from my AVG Anti-Virus Free security that the computer was being attacked. I did a scan and found that there were two infections:
          Both were Trojan Horse Agent 2JCS. One was lodged here:
          C:\\Windows\System32\dllcache\logagent.exe  That was "removed and healed"
          Another was lodged here:
          C:\\Windows\system32\logagent.exe  This is listed in the AVG as "not healed". When I click on the "infections" tab in the scan report, it says, "Object is white listed critical system file that should not be removed."

          So what happens next? How do I get rid of the infection? Is it safe to keep using the computer when the infection hasn't been dealt with?

          I'm using XP professional, version 5, service pack 3. I usually use a Firefox browser, although I also have IE on the system.

          Thanks for your help.
          In peace
          Dr. D.

          I am using XP Professional. This evening AVG warned that this file, "C:\\Windows\system32\logagent.exe", was infected.

          I restarted in safe mode.
          Deleted the file manually.
          Inserted the Windows CD to recover the original file.

          And it worked for me. No more Trojan warnings.

          Drd

            Re: Trojan Horse Agent 2JCS cannot be removed--please help!
            « Reply #22 on: June 01, 2009, 05:00:38 PM »
            This is where they were. But I think that the Superspyware may have deleted the file. I couldn't delete it from the AVG because it was "white listed" and there was no choice offered to delete it.
            C:\\Windows\System32\dllcache\logagent.exe  That was "removed and healed"
            Another was lodged here:
            C:\\Windows\system32\logagent.exe  This is listed in the AVG as "not healed". When I click on the "infections" tab in the scan report, it says, "Object is white listed critical system file that should not be removed."

            Is this cleared up now? Should I run another AVG scan or what?

            Thanks

            Dr. D

            evilfantasy

            Re: Trojan Horse Agent 2JCS cannot be removed--please help!
            « Reply #23 on: June 01, 2009, 05:14:59 PM »
            Whitelisted means it is not a threat. Is there a way to add it to the ignore list?

            logagent.exe - Windows Media Player Log Agent http://www.fileresearchcenter.com/L/LOGAGENT.EXE-3321.html

            TeddyKGB

            • Guest
            Re: Trojan Horse Agent 2JCS cannot be removed--please help!
            « Reply #24 on: June 02, 2009, 02:39:23 AM »
            Hi there people. Just got a warning for this myself on an AVG scan, so I googled it, hitting this very thread and then also this one:-

            http://freeforum.avg.com/read.php?4,188951,188987

            Seems it's a false positive.

            Cheers,

            Ted.

            Drd

              Re: Trojan Horse Agent 2JCS cannot be removed--please help!
              « Reply #25 on: June 02, 2009, 06:34:33 AM »
              I'm a little confused here. Did I have a problem with my computer? Do I have one now or am I safe?

              Thank you

              In peace
              Dr D

              evilfantasy

              Re: Trojan Horse Agent 2JCS cannot be removed--please help!
              « Reply #26 on: June 02, 2009, 11:58:04 AM »
              It's a FP, so no, there is not a problem.

              Go here to report it to AVG so they will remove it from their blacklist. YOU SUSPECT A FILE TO BE A FALSE POSITIVE

              Drd

                Re: Trojan Horse Agent 2JCS cannot be removed--please help!
                « Reply #27 on: June 02, 2009, 01:28:28 PM »
                OK. So thanks for all your help. I'm outta here.

                In peace

                Dr. D'Elia

                Valeegurl



                  Newbie

                  Re: Trojan Horse Agent 2JCS cannot be removed--please help!
                  « Reply #28 on: June 04, 2009, 09:53:14 AM »
                  Re: trojan hoarse agent2.jcs
                  Posted by: sevcikp - AVG Team (IP Logged)
                  Date: June 1, 2009 09:53PM

                  Hello,

                  no need to send the file to AVG Tech. We can confirm that this detection really is a false alarm. An update fixing this false alarm is currently being prepared and should be released soon.