Agobot Fun-HiJackThis Log

Unknown · November 2005

I have just encountered the W32.AGOBOT.GH and have gone through the highjackthis instruction on this forum. I now have the Log File and need input on what to remove.

I am not running Ad Aware or Spybot S&D at this time.

Here is the log:

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP2\System32\smss.exe
C:\WINXP2\system32\csrss.exe
C:\WINXP2\SYSTEM32\winlogon.exe
C:\WINXP2\system32\services.exe
C:\WINXP2\system32\lsass.exe
C:\WINXP2\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINXP2\system32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\system32\spoolsv.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\alg.exe
C:\WINXP2\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\WINXP2\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINXP2\System32\svchost.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINXP2\system32\HPZipm12.exe
C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
C:\DOCUME~1\Lisa\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094103252827
O20 - Winlogon Notify: avldr - C:\WINXP2\SYSTEM32\avldr.dll
O23 - Service: LanScsi Helper Service (LanScsiHelper) - XiMeta, Inc. - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP2\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINXP2\system32\snmptrap.exe (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

Trogan · November 2005

Thread re-opened

Why was your thread marked resolved?

I've reopened it as i'm sure you want help but let me know. Post a new HJT aswell please

AlfaGiulia · November 2005

I went through and read in depth the post on "defeasting spyware". I ran CWShredder (found nothing), AdAware (found about 125 cookies), SpyBot (found nothing) and then ran my antivirus (found nothing).

I noticed the problem becasue the computer is running slower and slower. When an application is opened up it sometimes takes up to a minute for it to finally launch. I went to Task Manager where there were (and still are) 42 processes running. I found a suspicious file, searched on that and got links to agobot virus.

After the cleaning above and finding no virus I rechecked the Task Mgr. The file I thought was bad appears to have been csrss.exe which is a windows deal. I don't know if I miss typed the original file I was looking for or what.

Given my confusion, I closed the thread so as not to waste peoples time. The CPU still runs fairly slowley and still has about 42 apps running - nothing looks suspicious though.

Here is the latest HJT output:

Logfile of HijackThis v1.99.1
Scan saved at 3:56:14 PM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP2\System32\smss.exe
C:\WINXP2\system32\csrss.exe
C:\WINXP2\SYSTEM32\winlogon.exe
C:\WINXP2\system32\services.exe
C:\WINXP2\system32\lsass.exe
C:\WINXP2\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINXP2\system32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\system32\spoolsv.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\alg.exe
C:\WINXP2\Explorer.EXE
C:\WINXP2\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINXP2\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINXP2\system32\HPZipm12.exe
C:\Program Files\Intuit\QuickBooks Pro\qbw32.exe
C:\PROGRA~1\Intuit\QUICKB~1\AXLBRI~1.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Downloads\hijackthis_199\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094103252827
O20 - Winlogon Notify: avldr - C:\WINXP2\SYSTEM32\avldr.dll
O23 - Service: LanScsi Helper Service (LanScsiHelper) - XiMeta, Inc. - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP2\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINXP2\system32\snmptrap.exe (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

Trogan · November 2005

Thanks for getting back to me. Your not wasting anyones time, thats why this forum is here

OK, good news is that your log is clean.

Your computer may just need a bit of cleaning to help boost its speed.

I'm on my laptop at the moment but when I get on my main pc, i'l post some things for you to try. Stay tuned!

AlfaGiulia · November 2005

I look forward to any info on boosting speed.

Thanks!

Trogan · November 2005

The next tool is not to boost your computer speed but to clean out any malware.

Download Ewido Security Suite

Install ewido security suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit for now.

===

Go into Safe Mode - explained here
===

Open Ewido and do a full system scan by clicking 'Scanner' on the left and choosing 'Complete System Scan'
====

Reboot into Normal Mode and scan your PC with the following:

Panda ActiveScan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Make sure you tick Disinfect automatically under Scan Options.

Post the results of what could not be removed from the ActiveScan

AlfaGiulia · November 2005

OK, I finally was able to go through and do all things listed above. Here are the results:

Ewido found and deleted the following file:
heuristic.win32.morphine-crypted

Panda found nothing.

The problem I am having is still extremely slow functioning. When I hit the icon for any program, it takes up to 1 minute to launch the program. I just seems to go "silent." Once I am in the program all seems to be normal. When exiting the program it again takes a very long time to do this.

Thanks

Trogan · November 2005

Enable everything on startup and post a new HJT log so I can have one more look.

Go to Start > Run > Type msconfig
Click the Startup Tab
Click Enable All
Reboot when prompted

AlfaGiulia · November 2005

Done, here is the new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:07:53 PM, on 11/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP2\System32\smss.exe
C:\WINXP2\system32\csrss.exe
C:\WINXP2\SYSTEM32\winlogon.exe
C:\WINXP2\system32\services.exe
C:\WINXP2\system32\lsass.exe
C:\WINXP2\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
C:\WINXP2\system32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\XiMeta\NetDisk\LDServ.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\alg.exe
C:\WINXP2\Explorer.EXE
C:\WINXP2\System32\mshta.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\XiMeta\NetDisk\Admin.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\WINXP2\system32\devldr32.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\WebProxy.exe
C:\WINXP2\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\hijackthis_199\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s
O4 - HKLM\..\RunOnce: [HPWebUpdate] "C:\Program Files\HP\HP Software Update\ShellExWin.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NetDisk Administrator.lnk = C:\Program Files\XiMeta\NetDisk\Admin.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094103252827
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avldr - C:\WINXP2\SYSTEM32\avldr.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LanScsi Helper Service (LanScsiHelper) - XiMeta, Inc. - C:\Program Files\XiMeta\NetDisk\LDServ.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINXP2\system32\HPZipm12.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINXP2\system32\snmptrap.exe (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe

Trogan · November 2005

Your HJT log still looks clean. I'm going to ask someone else to have a look and see what they think.

Crunchie · November 2005

I don't see anything in your log either.

Go here and download then run Silent Runners.vbs. It generates a log, please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.

AlfaGiulia · November 2005

Here is the silent runners log:

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"HP Software Update" = ""C:\Program Files\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE" /s" ["Panda Software International"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINXP2\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office\OLKFSTUB.DLL" [MS]
"{6ec2e0e3-1116-4d47-b0c2-5bdaf4e4c308}" = "eFax Messenger Plus - Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\eFax Messenger Plus 3.3\J2GShell.dll" ["j2 Global Communications, Inc."]
"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL" ["Panda Software International"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * smrgdf C:\Program Files\iolo2\System Mechanic 4 Professional\" [file not found], [MS], [file not found], [null data], [file not found], [file not found], [file not found], [file not found], [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! avldr\DLLName = "avldr.dll" ["Panda Software"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
HotShellExt\(Default) = "{6EC2E0E3-1116-4d47-B0C2-5BDAF4E4C308}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\eFax Messenger Plus 3.3\J2GShell.dll" ["j2 Global Communications, Inc."]
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL" ["Panda Software International"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL" ["Panda Software International"]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Lisa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Startup items in "Lisa" & "All Users" startup folders:

C:\Documents and Settings\All Users.WINXP2\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"eFax Live Menu 3.3" -> shortcut to: "C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe /R /K "C:\Program Files\eFax Messenger Plus 3.3\J2GPfcW.dll",JSPFCWSetHooking,1,0,0,0" ["j2 Global Communications, Inc."]
"eFax Tray Menu 3.3" -> shortcut to: "C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe" ["j2 Global Communications, Inc."]
"Exif Launcher" -> shortcut to: "C:\Program Files\Exif Launcher\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"NetDisk Administrator" -> shortcut to: "C:\Program Files\XiMeta\NetDisk\Admin.exe" ["XiMeta, Inc."]
"QuickBooks 2002 Delivery Agent" -> shortcut to: "C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe" [empty string]

Enabled Scheduled Tasks:

"HP DArC Task #Hewlett-Packard#hp officejet 5500 series#1097357835" -> launches: "C:\Program Files\HP\hpcoretech\comp\hpdarc.exe /#Hewlett-Packard#hp officejet 5500 series#1097357835" ["Hewlett-Packard Company"]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavlsp.dll ["Panda Software "], 01 - 03, 23
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08

Toolbars, Explorer Bars, Extensions:

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
LanScsi Helper Service, LanScsiHelper, ""C:\Program Files\XiMeta\NetDisk\LDServ.exe"" ["XiMeta, Inc."]
Panda anti-virus service, PAVSRV, ""C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe"" ["Panda Software"]
Panda Function Service, PAVFNSVR, ""C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe"" ["Panda Software"]
Panda IManager Service, PSIMSVC, ""C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PsImSvc.exe"" ["Panda Software Internacional"]
Panda Network Manager, PNMSRV, "C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE" ["Panda Software"]
Panda Process Protection Service, PavPrSrv, ""C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]
Panda TPSrv, TPSrv, ""C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe"" ["Panda Software"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINXP2\system32\HPZipm12.exe" ["HP"]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
PDF Port\Driver = "C:\WINXP2\System32\pdfports.dll" ["Adobe Systems Incorporated."]

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 82 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 20 seconds.

(total run time: 137 seconds)

Crunchie · November 2005

Still nothing bad there. Try doing some online scans just for precaution.

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
Make sure you tick AutoClean under Scan Options.

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
Make sure you tick Auto Clean.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

==

Other than that you can try disabling all startups in msconfig and boot up. See if there is any difference. If there is, restart them one at a time and try to locate the cause of the problem that way.

Agobot Fun-HiJackThis Log

Comments