04-29-2009, 10:31 PM   #1
Cyberwombat
Registered User
 
Join Date: Apr 2009
Posts: 1
OS: Windows XP Pro


Spy-Agent.bw!.mem

I am helping my wife track down a trojan that is preventing her from opening IE. She has run the diagnostics and come up with the following logs:

From DDS.TXT:

DDS (Ver_09-03-16.01) - NTFSx86
Run by MLeClair at 2148.45 on Wed 04/29/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05

============== Pseudo HJT Report ===============

uStart Page = hxxp://smithlink.smith.com/default.aspx
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://smithlink.smith.com/default.aspx
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=userinit.exe
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: : {6c145e73-5596-4d3d-a605-f98cfca79915} - c:\windows\system32\hhvswup.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\Msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [DL32] DL32
uRunOnce: [SpybotDeletingB9206] command.com /c del "c:\windows\system32\796525\796525.dll_old"
uRunOnce: [SpybotDeletingD3529] cmd.exe /c del "c:\windows\system32\796525\796525.dll_old"
uRunOnce: [SpybotDeletingB7961] command.com /c del "c:\windows\system32\sdra64.exe"
uRunOnce: [SpybotDeletingD9573] cmd.exe /c del "c:\windows\system32\sdra64.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Device Detector] DevDetect.exe -autorun
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ScanSoft OmniPage SE 4.0-reminder] "c:\program files\scansoft\omnipagese4.0\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\omnipagese4.0\ereg\ereg.ini"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
mRun: [sysLDtray] c:\windows\ld08.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [SpybotDeletingA1395] command.com /c del "c:\windows\system32\796525\796525.dll_old"
mRunOnce: [SpybotDeletingC876] cmd.exe /c del "c:\windows\system32\796525\796525.dll_old"
mRunOnce: [SpybotDeletingA8398] command.com /c del "c:\windows\system32\sdra64.exe"
mRunOnce: [SpybotDeletingC3700] cmd.exe /c del "c:\windows\system32\sdra64.exe"
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: miswaco.com\*.prod
Trusted Zone: miswaco.com\*.web
Trusted Zone: miswaco.com\*.prod
Trusted Zone: miswaco.com\*.web
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {59D8A93A-CA6A-4F2B-9398-2E620678726F} - hxxp://siihardydev19.net.smith.com/osoft/installation/OSoftDiag.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FB1A5DF-578D-4302-BDD7-9E92BE61CA30} - hxxp://siihardydev19.net.smith.com/osoft/installation/OSoftInst.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18}
DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF}
DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF} - hxxp://sii.apps.smith.com:8000/jinitiator/oajinit.exe
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {FD0A97F4-914F-4EB2-A43B-4371137D73CE} - hxxp://siihardydev17.net.smith.com/viewer507_ETAX/ee/MVEEPlugin.exe
Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
Notify: igfxcui - igfxdev.dll
Notify: xsuhqhfm - hhvswup.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-29 21:07 <DIR> --d----- c:\docume~1\mleclair\applic~1\diybtsou
2009-04-29 19:42 14,848 a------- c:\windows\system32\DL32.exe
2009-04-29 19:42 <DIR> --d----- c:\windows\system32\796525
2009-04-29 19:41 14,336 ----h--- c:\windows\ld08.exe
2009-04-29 18:20 <DIR> --dsh--- C:\found.002
2009-04-29 15:25 <DIR> --d----- c:\windows\system32\%%DATA_DIR%%
2009-04-27 11:11 <DIR> --d----- C:\BPC Database
2009-04-27 11:10 <DIR> --d----- C:\BPC
2009-04-22 21:05 <DIR> --d----- c:\program files\iPod
2009-04-22 21:05 <DIR> --d----- c:\program files\iTunes
2009-04-22 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-13 08:10 <DIR> --d----- c:\program files\MasteryNet
2009-04-13 08:09 <DIR> --d----- c:\documents and settings\mleclair\Tracing

==================== Find3M ====================

2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2008-11-14 15:14 60,744 a------- c:\documents and settings\mleclair\g2mdlhlpx.exe
2006-03-30 16:02 18,376 -c------ c:\docume~1\mleclair\applic~1\GDIPFONTCACHEV1.DAT
1999-12-22 19:28 540,203 ac------ c:\program files\_SETUP.1
1999-12-22 19:28 5 ac------ c:\program files\DISK1.ID
1999-12-22 19:28 103 ac------ c:\program files\SETUP.PKG
1999-12-22 19:28 35 ac------ c:\program files\SETUP.INI
1999-12-22 19:28 194,234 ac------ c:\program files\_SETUP.LIB
1999-12-22 18:34 6,242 ac------ c:\program files\ReadMe.txt
1998-06-18 13:43 70,711 ac------ c:\program files\SETUP.INS
1997-01-18 13:04 320,411 ac------ c:\program files\_INST32I.EX_
1997-01-18 12:53 45,312 a------- c:\program files\SETUP.EXE
1996-12-19 17:03 6,128 ac------ c:\program files\_SETUP.DLL
1995-09-07 21:22 8,192 a------- c:\program files\_ISDEL.EXE

============= FINISH: 21:10:05.07 ===============

ARK.TXT and ATTACH.TXT are attached as ATTACH.ZIP.

She says she was playing a game on Facebook when this happened. It started out as a false virus protection alert. She ran SpyBot, but it left Spy-Agent.bw!.mem on her machine. It is her work laptop, so we're sorta in a bind.

Any help would be much appreciated.
Attached file: Attach.zip (3.2 KB)
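Reading a DDS pseudo-HJT report by eye is how these threads usually get answered, but the indicators in this one are mechanical enough to script. The entries that stand out in the posted log are the user-level proxy `http=localhost:7171` (all of IE's traffic routed through a listener on the laptop itself, which fits "IE won't open"), the BHO with an empty display name loading `c:\windows\system32\hhvswup.dll`, the Winlogon `Notify: xsuhqhfm - hhvswup.dll` entry that loads the same DLL at logon, and the two Run-key targets `DL32` and `c:\windows\ld08.exe` whose files appear in "Created Last 30" with a creation time of the same evening (`ld08.exe` with the hidden attribute set). The script below is an added example, not part of the original post or of DDS: it parses the report format and cross-references the autostart sections against the "Created Last 30" list. The rule set and the `SAMPLE_LOG` (a constructed excerpt modelled on a few lines of the posted log, not the full report) are mine.

```python
import re

# Constructed sample in the DDS "Pseudo HJT Report" / "Created Last 30" format,
# modelled on a few lines of the log in the post above (not the whole log).
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: : {6c145e73-5596-4d3d-a605-f98cfca79915} - c:\windows\system32\hhvswup.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DL32] DL32
mRun: [sysLDtray] c:\windows\ld08.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
Notify: igfxcui - igfxdev.dll
Notify: xsuhqhfm - hhvswup.dll
=============== Created Last 30 ================
2009-04-29 19:42 14,848 a------- c:\windows\system32\DL32.exe
2009-04-29 19:41 14,336 ----h--- c:\windows\ld08.exe
2009-04-22 21:05 <DIR> --d----- c:\program files\iTunes
==================== Find3M ====================
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
"""

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>.+)$")
BHO_RE = re.compile(r"^BHO: (?:(?P<name>[^{]*?): )?\{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>.+)$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)


def basename(path):
    """Lower-cased file name from a Windows path or a bare PATH-resolved name."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def command_target(cmd):
    """First token of a Run-key command: the quoted or unquoted executable."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def parse(text):
    """Split the report into autostart entries and recently created files."""
    proxies, bhos, runs, notifies, created = [], [], [], [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):
            section = "created" if "Created Last 30" in line else "other"
            continue
        if section == "created":
            m = CREATED_RE.match(line)
            if m and m.group("size") != "<DIR>":
                created.append(m.groupdict())
            continue
        for regex, bucket in ((PROXY_RE, proxies), (BHO_RE, bhos),
                              (RUN_RE, runs), (NOTIFY_RE, notifies)):
            m = regex.match(line)
            if m:
                bucket.append(m.groupdict())
                break
    return proxies, bhos, runs, notifies, created


def triage(text):
    """Return a list of {rule, evidence, ...} findings for the report text."""
    proxies, bhos, runs, notifies, created = parse(text)
    findings = []

    # 1. A user-level proxy pointing at the local host: every IE request is
    #    being routed through a listener on this machine.
    for p in proxies:
        if re.search(r"(localhost|127\.0\.0\.1):\d+", p["value"]):
            findings.append({"rule": "proxy_localhost", "evidence": p["value"]})

    # 2. A BHO registered with no display name but with a file on disk.
    bho_dlls = set()
    for b in bhos:
        if b["path"].lower() == "no file":
            continue
        bho_dlls.add(basename(b["path"]))
        if not (b["name"] or "").strip():
            findings.append({"rule": "unnamed_bho", "evidence": b["path"]})

    # 3. The same DLL loaded both as a Winlogon notification package and as an
    #    IE helper object: one module hooking logon and the browser.
    for n in notifies:
        dll = basename(n["dll"])
        if dll in bho_dlls:
            findings.append({"rule": "notify_dll_also_bho",
                             "evidence": n["dll"], "target": dll})

    # 4. Autostart entries whose executable was created in the last 30 days.
    #    Bare names (resolved via PATH) are matched with an implied .exe.
    recent = {basename(c["path"]): c for c in created}
    for r in runs:
        target = basename(command_target(r["cmd"]))
        hit = recent.get(target) or recent.get(target + ".exe")
        if hit:
            findings.append({"rule": "recently_created_autostart",
                             "evidence": r["cmd"], "target": basename(hit["path"]),
                             "created": hit["date"], "attrs": hit["attrs"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["rule"], "->", f["evidence"])
```

Run against the posted log the same four rules fire on exactly the entries listed in the lead-in. Treat the hits as leads, not a verdict: the report names the files but does not contain them, so the next step is to pull `hhvswup.dll`, `DL32.exe`, `ld08.exe` and the contents of `c:\windows\system32\796525` off the machine for hashing and submission before anything is deleted. The `SpybotDeleting...` RunOnce entries in the log are a separate signal the script does not model: they show a scanner already found `sdra64.exe` and `796525.dll_old` and scheduled them for deletion at next logon, so whether those deletions actually succeeded is worth checking too.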