
Author Topic: re-appearing Trojan-Dropper.VBS.Agent.bp  (Read 32063 times)


Abhay Goel

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    re-appearing Trojan-Dropper.VBS.Agent.bp
    « on: March 04, 2011, 01:52:31 AM »
    I have also run MBR check and the report is as follows:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:         
    Windows Version:      Windows XP Professional
    Windows Information:      Service Pack 3 (build 2600)
    Logical Drives Mask:      0x000000fc

    Kernel Drivers (total 112):
      0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
      0x806E5000 \WINDOWS\system32\hal.dll
      0xF7B07000 \WINDOWS\system32\KDCOM.DLL
      0xF7A17000 \WINDOWS\system32\BOOTVID.dll
      0xF74D8000 ACPI.sys
      0xF7B09000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
      0xF74C7000 pci.sys
      0xF7607000 isapnp.sys
      0xF7BCF000 pciide.sys
      0xF7887000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
      0xF7617000 MountMgr.sys
      0xF74A8000 ftdisk.sys
      0xF7B0B000 dmload.sys
      0xF7482000 dmio.sys
      0xF788F000 PartMgr.sys
      0xF7627000 VolSnap.sys
      0xF746A000 atapi.sys
      0xF7637000 disk.sys
      0xF7647000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
      0xF744A000 fltmgr.sys
      0xF7438000 sr.sys
      0xF7421000 KSecDD.sys
      0xF740E000 WudfPf.sys
      0xF7381000 Ntfs.sys
      0xF7354000 NDIS.sys
      0xF733A000 Mup.sys
      0xF77C7000 \SystemRoot\system32\DRIVERS\intelppm.sys
      0xF790F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
      0xF6E86000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
      0xF7917000 \SystemRoot\system32\DRIVERS\usbehci.sys
      0xF6E5E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
      0xF77D7000 \SystemRoot\system32\DRIVERS\serial.sys
      0xF7ACB000 \SystemRoot\system32\DRIVERS\serenum.sys
      0xF6E4A000 \SystemRoot\system32\DRIVERS\parport.sys
      0xF77E7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
      0xF791F000 \SystemRoot\system32\DRIVERS\mouclass.sys
      0xF7927000 \SystemRoot\system32\DRIVERS\kbdclass.sys
      0xF77F7000 \SystemRoot\system32\DRIVERS\imapi.sys
      0xF7807000 \SystemRoot\system32\DRIVERS\cdrom.sys
      0xF7817000 \SystemRoot\system32\DRIVERS\redbook.sys
      0xF6E27000 \SystemRoot\system32\DRIVERS\ks.sys
      0xF7BD0000 \SystemRoot\system32\DRIVERS\audstub.sys
      0xF7827000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
      0xF7AD3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
      0xF6E10000 \SystemRoot\system32\DRIVERS\ndiswan.sys
      0xF7837000 \SystemRoot\system32\DRIVERS\raspppoe.sys
      0xF7847000 \SystemRoot\system32\DRIVERS\raspptp.sys
      0xF792F000 \SystemRoot\system32\DRIVERS\TDI.SYS
      0xF6DFF000 \SystemRoot\system32\DRIVERS\psched.sys
      0xF7857000 \SystemRoot\system32\DRIVERS\msgpc.sys
      0xF7937000 \SystemRoot\system32\DRIVERS\ptilink.sys
      0xF793F000 \SystemRoot\system32\DRIVERS\raspti.sys
      0xF6DCF000 \SystemRoot\system32\DRIVERS\rdpdr.sys
      0xF7867000 \SystemRoot\system32\DRIVERS\termdd.sys
      0xF7B29000 \SystemRoot\system32\DRIVERS\swenum.sys
      0xF6D71000 \SystemRoot\system32\DRIVERS\update.sys
      0xF7AEF000 \SystemRoot\system32\DRIVERS\mssmbios.sys
      0xF7877000 \SystemRoot\System32\Drivers\NDProxy.SYS
      0xF7677000 \SystemRoot\system32\DRIVERS\usbhub.sys
      0xF7B2B000 \SystemRoot\system32\DRIVERS\USBD.SYS
      0xF7B2F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
      0xF7CE7000 \SystemRoot\System32\Drivers\Null.SYS
      0xF7B31000 \SystemRoot\System32\Drivers\Beep.SYS
      0xF795F000 \SystemRoot\System32\drivers\vga.sys
      0xF5FA0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
      0xF7B33000 \SystemRoot\System32\Drivers\mnmdd.SYS
      0xF7B35000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
      0xF7967000 \SystemRoot\System32\Drivers\Msfs.SYS
      0xF796F000 \SystemRoot\System32\Drivers\Npfs.SYS
      0xF7AA3000 \SystemRoot\system32\DRIVERS\rasacd.sys
      0xF5F45000 \SystemRoot\system32\DRIVERS\ipsec.sys
      0xF5EEC000 \SystemRoot\system32\DRIVERS\tcpip.sys
      0xF5EC4000 \SystemRoot\system32\DRIVERS\netbt.sys
      0xF7697000 \SystemRoot\system32\DRIVERS\wanarp.sys
      0xF5E9E000 \SystemRoot\system32\DRIVERS\ipnat.sys
      0xF5E7C000 \SystemRoot\System32\drivers\afd.sys
      0xF76A7000 \SystemRoot\system32\DRIVERS\netbios.sys
      0xF7977000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
      0xF5E51000 \SystemRoot\system32\DRIVERS\rdbss.sys
      0xF5DE1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
      0xF76B7000 \SystemRoot\System32\Drivers\Fips.SYS
      0xF5DBB000 \SystemRoot\system32\DRIVERS\avipbb.sys
      0xF798F000 \SystemRoot\System32\Drivers\Modem.SYS
      0xF7B3D000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
      0xF7737000 \SystemRoot\System32\Drivers\Cdfs.SYS
      0xF5DA3000 \SystemRoot\System32\Drivers\dump_atapi.sys
      0xF7B53000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
      0xBF800000 \SystemRoot\System32\win32k.sys
      0xF6D20000 \SystemRoot\System32\drivers\Dxapi.sys
      0xF79A7000 \SystemRoot\System32\watchdog.sys
      0xBF000000 \SystemRoot\System32\drivers\dxg.sys
      0xF7CD8000 \SystemRoot\System32\drivers\dxgthk.sys
      0xBFF50000 \SystemRoot\System32\framebuf.dll
      0xF574E000 \SystemRoot\system32\DRIVERS\avgntflt.sys
      0xF7AAF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
      0xF54C9000 \SystemRoot\system32\DRIVERS\mrxdav.sys
      0xF7B11000 \SystemRoot\System32\Drivers\ParVdm.SYS
      0xF5241000 \SystemRoot\system32\DRIVERS\srv.sys
      0xF4DF0000 \SystemRoot\System32\Drivers\HTTP.sys
      0xF4A3F000 \SystemRoot\system32\DRIVERS\ewusbdev.sys
      0xF7947000 \SystemRoot\system32\DRIVERS\usbccgp.sys
      0xF4A25000 \SystemRoot\system32\DRIVERS\ewusbmdm.sys
      0xF7997000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
      0xF4DD0000 \SystemRoot\system32\DRIVERS\asyncmac.sys
      0xF4A01000 \SystemRoot\System32\Drivers\Fastfat.SYS
      0xF439C000 \SystemRoot\system32\drivers\RtkHDAud.sys
      0xF4378000 \SystemRoot\system32\drivers\portcls.sys
      0xF47C1000 \SystemRoot\system32\drivers\drmk.sys
      0xF4C50000 \SystemRoot\system32\drivers\sysaudio.sys
      0xF4315000 \SystemRoot\system32\drivers\wdmaud.sys
      0xF42EA000 \SystemRoot\system32\drivers\kmixer.sys
      0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 38):
           0 System Idle Process
           4 System
         400 C:\WINDOWS\system32\smss.exe
         456 csrss.exe
         480 C:\WINDOWS\system32\winlogon.exe
         524 C:\WINDOWS\system32\services.exe
         536 C:\WINDOWS\system32\lsass.exe
         724 C:\WINDOWS\system32\svchost.exe
         792 svchost.exe
         832 C:\WINDOWS\system32\svchost.exe
         872 C:\WINDOWS\system32\svchost.exe
         928 svchost.exe
         956 svchost.exe
        1112 C:\WINDOWS\system32\spoolsv.exe
        1160 C:\Program Files\Avira\AntiVir Desktop\sched.exe
        1208 svchost.exe
        1420 C:\WINDOWS\explorer.exe
        1440 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
        1544 C:\Program Files\Java\jre6\bin\jqs.exe
        1672 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
         168 C:\Program Files\Common Files\Java\Java Update\jusched.exe
         172 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
         180 C:\Program Files\Google\Google Talk\googletalk.exe
         224 C:\Program Files\Messenger\msmsgs.exe
         232 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
         248 C:\WINDOWS\system32\ctfmon.exe
         268 C:\Program Files\CraveWorldClock14\CWClock.exe
         436 C:\Program Files\CraveWorldClock14\CWClock.exe
        1076 C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
        2160 C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
        2188 alg.exe
        2464 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
        2532 C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
        3104 C:\Tata Photon+\Tata Photon+.exe
        2000 C:\WINDOWS\RTHDCPL.EXE
        1496 C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
        2948 C:\Program Files\Mozilla Firefox\firefox.exe
        2656 C:\Documents and Settings\Administrator\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000007`52c65e00  (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x0000001f`bcabf600  (NTFS)

    PhysicalDrive0 Model Number: WDCWD3200AAJS-60M0A0, Rev: 02.03E02

          Size  Device Name          MBR Status
      --------------------------------------------
        298 GB  \\.\PhysicalDrive0   Windows XP MBR code detected
                SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
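The MBRCheck report above lists where each logical drive starts on PhysicalDrive0 (the `offset` column) and a SHA1 of the MBR code. As an added example that is not part of this thread and not MBRCheck's own code, the Python below parses a 512-byte MBR the same way: it checks the 0x55AA boot signature, decodes the four partition-table entries, converts each start LBA into the `0xHHHHHHHH`LLLLLLLL` byte-offset style the report uses, and hashes the 440-byte boot-code region. It runs only on a constructed in-memory MBR whose start sectors are chosen to reproduce the C:, D: and E: offsets from the report; the partition sizes and the filler boot code are constructed, so the hash it prints is not comparable to the one in the report.

```python
"""
Added example (not from the thread, not MBRCheck's code): parse a 512-byte
MBR and reproduce the two things an MBR checker reports: partition start
offsets and a hash of the boot code. Works on a constructed MBR only.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0-439: boot code, before the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # 0x55 0xAA marks a valid MBR


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        # LBA counts 512-byte sectors, so this is the offset the report prints
        return self.lba_start * SECTOR


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == SECTOR and mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; unused (type 0) entries are skipped."""
    if not has_boot_signature(mbr):
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        start = PART_TABLE_OFF + 16 * i
        status, _chs_a, ptype, _chs_b, lba, size = struct.unpack(
            "<B3sB3sII", mbr[start:start + 16])
        if ptype != 0:
            parts.append(Partition(i, status == 0x80, ptype, lba, size))
    return parts


def boot_code_sha1(mbr: bytes) -> str:
    """Hash only the code region: the disk signature and partition table
    legitimately differ between machines and must not disturb a comparison
    against a known-good value."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def mbrcheck_offset(offset: int) -> str:
    """Render a byte offset in the 0xHHHHHHHH`LLLLLLLL style used in the report."""
    return f"0x{offset >> 32:08x}`{offset & 0xFFFFFFFF:08x}"


def build_sample_mbr(entries) -> bytes:
    """Constructed MBR: filler boot code plus the given
    (bootable, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = b"\x90" * BOOT_CODE_LEN   # filler, not real boot code
    for i, (bootable, ptype, lba, size) in enumerate(entries):
        start = PART_TABLE_OFF + 16 * i
        mbr[start:start + 16] = struct.pack(
            "<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, size)
    mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


# Start sectors chosen so the byte offsets equal the C:, D: and E: offsets in
# the MBRCheck report above (0x7e00, 0x752c65e00, 0x1fbcabf600). The sizes are
# constructed so the partitions are contiguous; 0x07 is the NTFS type id.
SAMPLE_ENTRIES = [
    (True, 0x07, 63, 61432560),
    (False, 0x07, 61432623, 204796620),
    (False, 0x07, 266229243, 358913205),
]
SAMPLE_MBR = build_sample_mbr(SAMPLE_ENTRIES)


def report(mbr: bytes) -> list:
    """One line per partition in the report's style, then the boot-code hash."""
    lines = [f"partition {p.index}: offset {mbrcheck_offset(p.byte_offset)} "
             f"type 0x{p.type_id:02x}{' bootable' if p.bootable else ''}"
             for p in parse_partitions(mbr)]
    lines.append(f"boot code SHA1: {boot_code_sha1(mbr)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MBR)))
```

Run it directly to print the three partition lines and the hash. On a real system the 512 bytes would come from the first sector of the physical disk, and the value to compare against is the hash of a known-good copy of the same vendor's MBR code, not of the whole sector.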

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: re-appearing Trojan-Dropper.VBS.Agent.bp
    « Reply #1 on: March 05, 2011, 01:03:13 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *****************************************************
    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.

    • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:

    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining
    Please leave the others unchecked

    • Click the Close button to leave the control center screen.

    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.

    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

    • It will open in your default text editor (preferably Notepad).
    • Save the notepad file to your desktop by clicking (in notepad) File > Save As...

    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and Paste the log in your post.
    *****************************************
    Please download Malwarebytes Anti-Malware from here.
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
    ***************************************************
    Download DDS from HERE or HERE and save it to your desktop.

    Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

    * XP users Double click on dds to run it.
    * If your antivirus or firewall tries to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copy and pasting it into the reply.
    Windows 8 and Windows 10 dual boot with two SSD's

    Abhay Goel

      Re: re-appearing Trojan-Dropper.VBS.Agent.bp
      « Reply #2 on: March 08, 2011, 04:15:20 AM »
      Dear Dave,
      Thanks for your reply.
      Don't mind, I have already scanned with both antivirus/malware tools, but the subject virus is still there in the system; it makes shortcuts when I insert a pen drive in the system.
      Recently I have been told to download and scan with http://free.antivirus.com/hijackthis/ (Trend Micro)
      and I have the log report, which I am pasting here.


      Logfile of Trend Micro HijackThis v2.0.4
      Scan saved at 3:32:09 PM, on 3/8/2011
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\McAfee\Common Framework\FrameworkService.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\tcpsvcs.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\dmadmin.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\ProxyPD.exe
      C:\Program Files\Common Files\Java\Java Update\jusched.exe
      C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\system32\NOTEPAD.EXE
      C:\WINDOWS\system32\msiexec.exe
      C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server.toolbar.rediff.com/toolbar/4.0/sidesearch.html?mode=toolbar
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.in/
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://au.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://au.search.yahoo.com
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.apac.etn.com:8080
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = connect.eaton.com;rs.eportal.eaton.com;*tnv.com;*lmtas.com;htgapp*.dana.com;htgweb.vpn.dana.com;*.homeheartbeat.com;portal.pw.utc.com;business.isabel.be;*.corp.moeller.net;intranet.moeller.net;mis.moeller.net;wtt.moeller.net;was.moeller.net;ctx.moeller.net;yambs.moeller.net;crm.moeller.cz;vip.moeller.net;tintranet.moeller.net;statistik.moeller.net;www.moeller.net;legolas.moeller*cz.com;127*;255.*;192.168.*;198.151.185.90;192.251.51.118;192.149.86.0;198.147.174*;207.24.213*;206.18.202.35;209.195.147.53;209.195.147.57;209.195.147.60;162.74.90.10;162.74.22.196;162.74.80.200;193.228.200*;192.127.220.100;192.127.44.75;ecm.aero.bombardier.net;ecs.aero.bombardier.net;ecs2.aero.bombardier.net;ecs6.aero.bombardier.net;*.mau.dana.com;*.vpn.dana.com;*.wdl.dana.com;nacitrix.dana.com;*etn.com;151.110.*;148.179.*;166.99.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;1
      R3 - Default URLSearchHook is missing
      F2 - REG:system.ini: UserInit=userinit.exe,c:\program files\microsoft\watermark.exe,
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
      O4 - HKLM\..\Run: [ProxyPD] %SystemRoot%\system32\ProxyPD.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKCU\..\Run: [Pareto_Update] C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe
      O4 - HKUS\S-1-5-21-602162358-1275210071-682003330-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
      O4 - HKUS\S-1-5-21-602162358-1275210071-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
      O4 - HKUS\S-1-5-21-602162358-1275210071-682003330-1004\..\Run: [Pareto_Update] C:\Program Files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe (User '?')
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O11 - Options group: [ETNPPD] Eaton Proxy Management Tools
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O15 - Trusted Zone: *.gmail.com
      O15 - Trusted Zone: http://www.rediffmail.com
      O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://easohsavos05.napa.ad.etn.com:4343/officescan//console/html/ClientInstall/WinNTChk.cab
      O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://easohsavos05.napa.ad.etn.com:4343/officescan/console/html/ClientInstall/setup.cab
      O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://easohsavos02.napa.ad.etn.com:4343/officescan/console/html/root/AtxEnc.cab
      O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://easohsavos05.napa.ad.etn.com:4343/officescan//console/html/ClientInstall/RemoveCtrl.cab
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = napa.ad.etn.com
      O17 - HKLM\Software\..\Telephony: DomainName = napa.ad.etn.com
      O17 - HKLM\System\CCS\Services\Tcpip\..\{E65BFAB3-FB23-4F9A-A08B-0CB9050B6CEC}: NameServer = 172.31.50.10,151.110.50.27
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = napa.ad.etn.com
      O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
      O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
      O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
      O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

      --
      End of file - 8179 bytes



      I would still appreciate it if you could suggest something on this.
      Thanks!!
      « Last Edit: March 08, 2011, 01:03:45 PM by SuperDave »

      SuperDave

      Re: re-appearing Trojan-Dropper.VBS.Agent.bp
      « Reply #3 on: March 08, 2011, 01:10:28 PM »
      I can't help you if you don't follow my instructions and run the scans I want you to run. Also, DO NOT RUN any other tools unless I request it.

      Abhay Goel

        Re: re-appearing Trojan-Dropper.VBS.Agent.bp
        « Reply #4 on: March 17, 2011, 04:55:59 AM »
        Dear Mr. Dave,
        I have followed your instructions. I have completed the following steps.
        1.  Downloaded SUPERAntiSpyware and Malwarebytes and saved them on my Desktop.
        Before running SUPERAntiSpyware I checked the following and left the other options unchecked.
        Close browsers before scanning
        Scan for tracking cookies
        Terminate memory threats before quarantining

        Then I rebooted the system in safe mode and ran SUPERAntiSpyware. 16 threats were found. I restarted the system,
        then ran Malwarebytes; 2 infected files were found, and I restarted the system to delete the Trojan agent.
        But I believe the virus is still there in the system.

        NOW MY QUESTION IS WITHOUT RESTARTING WILL I NEED TO RUN DNS FILE?

        VIRUS NAME FOUND ON SYSTEM:
        TROJAN.AGENT
        HIJACK.USERINIT

        Please suggest what is to be done now?

        Thanks

        SuperDave

        Re: re-appearing Trojan-Dropper.VBS.Agent.bp
        « Reply #5 on: March 17, 2011, 01:06:36 PM »
        Quote
        NOW MY QUESTION IS WITHOUT RESTARTING WILL I NEED TO RUN DNS FILE?
        No. Don't run anything unless I ask you to. I still need to see the DDS logs.

        Abhay Goel

          Re: re-appearing Trojan-Dropper.VBS.Agent.bp
          « Reply #6 on: March 18, 2011, 02:22:33 AM »
          I am pasting here all reports.

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 03/17/2011 at 02:41 PM

          Application Version : 4.49.1000

          Core Rules Database Version : 6614
          Trace Rules Database Version: 4423

          Scan type       : Complete Scan
          Total Scan Time : 02:17:26

          Memory items scanned      : 215
          Memory threats detected   : 0
          Registry items scanned    : 6463
          Registry threats detected : 0
          File items scanned        : 60232
          File threats detected     : 16

          Trojan.Agent/Gen-FakeAlert
             C:\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32INFOMGR.EXE
             C:\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32MGR.EXE
             C:\PROGRAM FILES\ADOBE\READER 9.0\READER\LOGTRANSPORT2MGR.EXE
             C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLOREMGR.EXE
             C:\PROGRAM FILES\JAVA\JRE6\BIN\JAVACPLMGR.EXE
             C:\PROGRAM FILES\JAVA\JRE6\BIN\JAVAMGR.EXE
             C:\PROGRAM FILES\JAVA\JRE6\BIN\JAVAWMGR.EXE
             C:\PROGRAM FILES\JAVA\JRE6\BIN\JQSMGR.EXE
             C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\EXCELMGR.EXE
             C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE11\WINWORDMGR.EXE
             D:\BACKUP 02.04.08\OFCSCAN\ADMIN\IMGSETUPMGR.EXE
             D:\BACKUP 02.04.08\OFCSCAN\ADMIN\SETUPUSRMGR.EXE
             D:\BACKUP 02.04.08\OFCSCAN\AUTOPCCPMGR.EXE
             D:\BACKUP 02.04.08\OFCSCAN\OFCUPDMGR.EXE

          Trojan.Agent/Gen-Ramnit
             C:\PROGRAM FILES\ADOBE\READER 9.0\READER\CCME_BASE.DLL

          Trojan.Agent/Gen-AppX
             C:\PROGRAM FILES\NETTERM\NETFTPD.EXE




          Malwarebytes' Anti-Malware 1.50.1.1100
          www.malwarebytes.org

          Database version: 5363

          Windows 5.1.2600 Service Pack 3
          Internet Explorer 6.0.2900.5512

          3/17/2011 3:07:21 PM
          mbam-log-2011-03-17 (15-07-21).txt

          Scan type: Quick scan
          Objects scanned: 158477
          Time elapsed: 7 minute(s), 47 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 1
          Folders Infected: 0
          Files Infected: 1

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (userinit.exe,,c:\program files\microsoft\watermark.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          c:\program files\microsoft\watermark.exe (Trojan.Agent) -> Delete on reboot.
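The HijackThis log in reply #2 and the Malwarebytes log above point at the same persistence mechanism: the Winlogon Userinit value has an extra path (c:\program files\microsoft\watermark.exe) appended after userinit.exe, which HijackThis reports as an F2 line and Malwarebytes as Hijack.UserInit. Anything listed there is started by winlogon at every logon, which is why a cleaned file can appear to "come back" until the value itself is fixed. As an added example, not code from this thread or from either tool, the Python below pulls the Userinit value out of both log formats and lists every entry that is not the stock userinit.exe. The sample inputs are the F2 and Hijack.UserInit lines posted in this thread plus one constructed clean F2 line; the EXPECTED_USERINIT set is an assumption about a stock Windows XP install.

```python
"""
Added example (not from the thread, not HijackThis or MBAM code): extract the
Winlogon Userinit value from HijackThis-style (F2) and Malwarebytes-style
("Bad: (...) Good: (...)") log lines and report entries beyond the stock one.
"""
import re

# Assumed stock values for Windows XP: the registry default is
# "C:\WINDOWS\system32\userinit.exe," and some tools print just the file name.
EXPECTED_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
MBAM_BAD_GOOD = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def split_userinit(value: str) -> list:
    """Split the comma-separated Userinit value into normalised entries.
    Empty fields (from ',,' or the trailing comma) are dropped, quotes are
    stripped and the case is folded so path comparisons are stable."""
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]


def unexpected_entries(value: str) -> list:
    """Entries that winlogon would run but that are not the stock userinit."""
    return [p for p in split_userinit(value) if p not in EXPECTED_USERINIT]


def parse_hjt(text: str) -> list:
    """Return (section code, body) pairs for every HijackThis result line."""
    records = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            records.append((m.group("code"), m.group("body")))
    return records


def userinit_from_hjt(text: str):
    """Userinit value from an F2 'REG:system.ini: UserInit=' line, else None."""
    for code, body in parse_hjt(text):
        if code == "F2" and "userinit=" in body.lower():
            return body.split("=", 1)[1]
    return None


def userinit_from_mbam(text: str):
    """(bad, good) values from an MBAM Hijack.UserInit line, else None."""
    for line in text.splitlines():
        if "Userinit" in line:
            m = MBAM_BAD_GOOD.search(line)
            if m:
                return m.group("bad"), m.group("good")
    return None


def findings(hjt_text: str, mbam_text: str) -> list:
    """Human-readable summary of unexpected Userinit entries in either log."""
    out = []
    hjt_value = userinit_from_hjt(hjt_text)
    if hjt_value is not None:
        for entry in unexpected_entries(hjt_value):
            out.append(f"HijackThis F2: unexpected Userinit entry {entry}")
    mbam = userinit_from_mbam(mbam_text)
    if mbam is not None:
        for entry in unexpected_entries(mbam[0]):
            out.append(f"MBAM Hijack.UserInit: removed entry {entry}")
    return out


# Sample input: lines copied from the logs posted in this thread.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.apac.etn.com:8080
F2 - REG:system.ini: UserInit=userinit.exe,c:\program files\microsoft\watermark.exe,
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
MBAM_SAMPLE = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (userinit.exe,,c:\program files\microsoft\watermark.exe) Good: (userinit.exe) -> Quarantined and deleted successfully."""
# Constructed clean F2 line for comparison (stock XP value, trailing comma).
CLEAN_HJT = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"


if __name__ == "__main__":
    for line in findings(HJT_SAMPLE, MBAM_SAMPLE):
        print(line)
    print("clean sample:", unexpected_entries(userinit_from_hjt(CLEAN_HJT)))
```

Comparing the split list rather than the raw string is what makes the two logs agree: the MBAM "Bad" value carries a double comma (userinit.exe,,c:\...), the F2 line a trailing one, and both reduce to the same extra path once empty fields are dropped.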



          Abhay Goel

            Re: re-appearing Trojan-Dropper.VBS.Agent.bp
            « Reply #7 on: March 18, 2011, 02:23:02 AM »
            .
            DDS (Ver_11-03-05.01) - NTFSx86 
            Run by C9986880 at 13:47:12.80 on Fri 03/18/2011
            Internet Explorer: 6.0.2900.5512
            .
            ============== Running Processes ===============
            .
            .
            ============== Pseudo HJT Report ===============
            .
            uStart Page = hxxp://www.google.co.in/
            uInternet Settings,ProxyServer = proxy.apac.etn.com:8080
            uInternet Settings,ProxyOverride = connect.eaton.com;rs.eportal.eaton.com;*tnv.com;*lmtas.com;htgapp*.dana.com;htgweb.vpn.dana.com;*.homeheartbeat.com;portal.pw.utc.com;business.isabel.be;*.corp.moeller.net;intranet.moeller.net;mis.moeller.net;wtt.moeller.net;was.moeller.net;ctx.moeller.net;yambs.moeller.net;crm.moeller.cz;vip.moeller.net;tintranet.moeller.net;statistik.moeller.net;www.moeller.net;legolas.moeller*cz.com;127*;255.*;192.168.*;198.151.185.90;192.251.51.118;192.149.86.0;198.147.174*;207.24.213*;206.18.202.35;209.195.147.53;209.195.147.57;209.195.147.60;162.74.90.10;162.74.22.196;162.74.80.200;193.228.200*;192.127.220.100;192.127.44.75;ecm.aero.bombardier.net;ecs.aero.bombardier.net;ecs2.aero.bombardier.net;ecs6.aero.bombardier.net;*.mau.dana.com;*.vpn.dana.com;*.wdl.dana.com;nacitrix.dana.com;*etn.com;151.110.*;148.179.*;166.99.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;10.*;<local>
            mWinlogon: Userinit=userinit.exe,,c:\program files\microsoft\watermark.exe
            BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
            BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
            BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
            BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
            uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
            mRun: [ProxyPD] %SystemRoot%\system32\ProxyPD.exe
            mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
            mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
            mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
            IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
            IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
            IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
            IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
            DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://easohsavos05.napa.ad.etn.com:4343/officescan//console/html/ClientInstall/WinNTChk.cab
            DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://easohsavos05.napa.ad.etn.com:4343/officescan/console/html/ClientInstall/setupini.cab
            DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://easohsavos05.napa.ad.etn.com:4343/officescan/console/html/ClientInstall/setup.cab
            DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://easohsavos02.napa.ad.etn.com:4343/officescan/console/html/root/AtxEnc.cab
            DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
            DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://easohsavos05.napa.ad.etn.com:4343/officescan//console/html/ClientInstall/RemoveCtrl.cab
            DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
            DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
            DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
            DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
            DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
            TCP: {E65BFAB3-FB23-4F9A-A08B-0CB9050B6CEC} = 172.31.50.10,151.110.50.27
            SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
            .
            ============= SERVICES / DRIVERS ===============
            .
            .
            =============== Created Last 30 ================
            .
            2011-03-18 08:13:48   388096   ----a-r-   c:\docume~1\c9986880\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
            2011-03-18 08:13:47   --------   d-----w-   c:\program files\Trend Micro
            2011-03-18 03:55:43   232813   ----a-w-   c:\program files\internet explorer\iexploremgr.exe
            2011-03-17 03:42:26   --------   d-----w-   c:\docume~1\c9986880\applic~1\Malwarebytes
            2011-03-16 11:36:17   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2011-03-16 11:36:12   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2011-03-16 11:36:12   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2011-03-11 08:23:48   5120   ------w-   c:\windows\system32\xpsp4res.dll
            2011-03-10 12:14:00   --------   d-----w-   c:\program files\Free Window Registry Repair
            2011-03-08 11:46:32   --------   d-----w-   c:\docume~1\c9986880\applic~1\GlarySoft
            2011-03-08 10:08:44   --------   d-----w-   c:\program files\Glary Utilities
            2011-03-04 05:50:11   --------   d-----w-   c:\program files\CCleaner
            2011-02-22 07:32:50   --------   d-----w-   c:\windows\system32\Adobe
            2011-02-21 11:17:55   --------   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
            2011-02-16 09:32:41   --------   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
            .
            ==================== Find3M  ====================
            .
            2011-02-09 13:53:52   270848   ----a-w-   c:\windows\system32\sbe.dll
            2011-02-09 13:53:52   186880   ----a-w-   c:\windows\system32\encdec.dll
            2011-02-02 07:58:35   2067456   ----a-w-   c:\windows\system32\mstscax.dll
            2011-01-27 11:57:06   677888   ----a-w-   c:\windows\system32\mstsc.exe
            2011-01-21 14:44:37   439296   ----a-w-   c:\windows\system32\shimgvw.dll
            2011-01-07 14:09:02   290048   ----a-w-   c:\windows\system32\atmfd.dll
            2010-12-31 13:10:33   1854976   ----a-w-   c:\windows\system32\win32k.sys
            2010-12-22 12:34:28   301568   ----a-w-   c:\windows\system32\kerberos.dll
            2010-12-20 22:15:52   667136   ----a-w-   c:\windows\system32\wininet.dll
            2010-12-20 22:15:52   61952   ----a-w-   c:\windows\system32\tdc.ocx
            2010-12-20 22:15:51   81920   ----a-w-   c:\windows\system32\ieencode.dll
            2010-12-20 17:26:00   730112   ----a-w-   c:\windows\system32\lsasrv.dll
            2010-12-20 15:30:29   369664   ----a-w-   c:\windows\system32\html.iec
            .
            ============= FINISH: 13:47:52.75 ===============
            « Last Edit: March 18, 2011, 05:52:50 PM by SuperDave »
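Added example, not code from DDS, the forum, or either poster: a small Python triage of a DDS "Pseudo HJT Report" like the one above, flagging a Winlogon Userinit value that carries entries beyond the stock userinit.exe (as with the WaterMark.exe path here) and BHO entries that resolve to "No File". The regexes, the default-value set and the constructed SAMPLE_REPORT are the editor's assumptions.

```python
"""Flag a hijacked Winlogon Userinit value and orphaned BHOs in a DDS
'Pseudo HJT Report'. Editor's example; regexes and defaults are assumptions."""
import re

# On Windows XP the stock HKLM\...\Winlogon\Userinit value is "userinit.exe,"
# (sometimes written with the full System32 path). Every extra item after the
# comma is started at each logon, which is why droppers append themselves there.
DEFAULT_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(?P<value>.*)$", re.IGNORECASE)
BHO_RE = re.compile(
    r"^BHO:\s*(?:(?P<name>.*?):\s*)?(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<target>.*)$"
)

# Constructed sample modelled on the DDS report posted above (not the full log).
SAMPLE_REPORT = """\
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.in/
mWinlogon: Userinit=userinit.exe,,c:\\program files\\microsoft\\watermark.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [ProxyPD] %SystemRoot%\\system32\\ProxyPD.exe
"""


def userinit_extras(report: str) -> list[str]:
    """Return every Userinit entry that is not the stock userinit.exe."""
    extras = []
    for line in report.splitlines():
        m = USERINIT_RE.match(line.strip())
        if not m:
            continue
        # The value is a comma-separated launch list; empty items (the ",,"
        # in the posted log) are ignored by Winlogon and skipped here too.
        for item in m.group("value").split(","):
            item = item.strip().strip('"').lower()
            if item and item not in DEFAULT_USERINIT:
                extras.append(item)
    return extras


def orphaned_bhos(report: str) -> list[str]:
    """Return CLSIDs of BHO entries that DDS could not resolve to a file."""
    found = []
    for line in report.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m.group("target").strip().lower() == "no file":
            found.append(m.group("clsid"))
    return found


def triage(report: str) -> dict[str, list[str]]:
    """Collect the findings a helper would ask the poster to deal with first."""
    return {
        "userinit_extras": userinit_extras(report),
        "orphaned_bhos": orphaned_bhos(report),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_REPORT).items():
        print(f"{key}: {hits}")
```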

            Abhay Goel
              Re: re-appearing Trojan-Dropper.VBS.Agent.bp
              « Reply #8 on: March 18, 2011, 02:23:48 AM »
              .
              UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
              IF REQUESTED, ZIP IT UP & ATTACH IT
              .
              DDS (Ver_11-03-05.01)
              .
              .
              ==== Disk Partitions =========================
              .
              .
              ==== Disabled Device Manager Items =============
              .
              ==== System Restore Points ===================
              .
              No restore point in system.
              .
              ==== Installed Programs ======================
              .
              Adobe Flash Player 10 ActiveX
              Adobe Reader 9.4.2
              ATI Display Driver
              Broadcom Gigabit Integrated Controller
              CCleaner
              Compatibility Pack for the 2007 Office system
              CustomerResearchQFolder
              DJ_AIO_03_F2200_Software
              Free Window Registry Repair
              Glary Utilities 2.32.0.1126
              HiJackThis
              Hotfix for Windows Media Format 11 SDK (KB929399)
              Hotfix for Windows XP (KB2443685)
              Hotfix for Windows XP (KB915800-v4)
              Hotfix for Windows XP (KB952287)
              hppFonts
              hppscan3390
              hppScanTo
              Hydraulic Training Simulations
              IE5 Registration
              Interactive Hydraulics Designer
              Java Auto Updater
              Java(TM) 6 Update 23
              LaserAIO
              Malwarebytes' Anti-Malware
              MarketResearch
              Microsoft .NET Framework 2.0
              Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
              Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
              Microsoft Office Professional Edition 2003
              Microsoft User-Mode Driver Framework Feature Pack 1.7
              Microsoft Visual C++ 2005 Redistributable
              MSVC80_x86
              MSXML 4.0 SP2 (KB936181)
              MSXML 4.0 SP2 (KB954430)
              MSXML 4.0 SP2 (KB973688)
              MSXML 6 Service Pack 2 (KB954459)
              QFolder
              QuickTime
              Scan
              Security Update for Windows Media Player (KB2378111)
              Security Update for Windows Media Player (KB952069)
              Security Update for Windows Media Player (KB954155)
              Security Update for Windows Media Player (KB968816)
              Security Update for Windows Media Player (KB973540)
              Security Update for Windows Media Player (KB975558)
              Security Update for Windows Media Player (KB978695)
              Security Update for Windows Media Player (KB979402)
              Security Update for Windows Search 4 - KB963093
              Security Update for Windows XP (KB2079403)
              Security Update for Windows XP (KB2115168)
              Security Update for Windows XP (KB2121546)
              Security Update for Windows XP (KB2124261)
              Security Update for Windows XP (KB2229593)
              Security Update for Windows XP (KB2259922)
              Security Update for Windows XP (KB2290570)
              Security Update for Windows XP (KB2296011)
              Security Update for Windows XP (KB2347290)
              Security Update for Windows XP (KB2360937)
              Security Update for Windows XP (KB2387149)
              Security Update for Windows XP (KB2393802)
              Security Update for Windows XP (KB2419632)
              Security Update for Windows XP (KB2423089)
              Security Update for Windows XP (KB2440591)
              Security Update for Windows XP (KB2443105)
              Security Update for Windows XP (KB2476687)
              Security Update for Windows XP (KB2478960)
              Security Update for Windows XP (KB2478971)
              Security Update for Windows XP (KB2479628)
              Security Update for Windows XP (KB2479943)
              Security Update for Windows XP (KB2481109)
              Security Update for Windows XP (KB2482017)
              Security Update for Windows XP (KB2483185)
              Security Update for Windows XP (KB2485376)
              Security Update for Windows XP (KB923561)
              Security Update for Windows XP (KB938464)
              Security Update for Windows XP (KB941569)
              Security Update for Windows XP (KB946648)
              Security Update for Windows XP (KB950762)
              Security Update for Windows XP (KB950974)
              Security Update for Windows XP (KB951066)
              Security Update for Windows XP (KB951376-v2)
              Security Update for Windows XP (KB951698)
              Security Update for Windows XP (KB951748)
              Security Update for Windows XP (KB952004)
              Security Update for Windows XP (KB952954)
              Security Update for Windows XP (KB953155)
              Security Update for Windows XP (KB953838)
              Security Update for Windows XP (KB953839)
              Security Update for Windows XP (KB954211)
              Security Update for Windows XP (KB954600)
              Security Update for Windows XP (KB955069)
              Security Update for Windows XP (KB956390)
              Security Update for Windows XP (KB956572)
              Security Update for Windows XP (KB956744)
              Security Update for Windows XP (KB956802)
              Security Update for Windows XP (KB956803)
              Security Update for Windows XP (KB956841)
              Security Update for Windows XP (KB956844)
              Security Update for Windows XP (KB957095)
              Security Update for Windows XP (KB957097)
              Security Update for Windows XP (KB958215)
              Security Update for Windows XP (KB958644)
              Security Update for Windows XP (KB958687)
              Security Update for Windows XP (KB958690)
              Security Update for Windows XP (KB958869)
              Security Update for Windows XP (KB959426)
              Security Update for Windows XP (KB960225)
              Security Update for Windows XP (KB960714)
              Security Update for Windows XP (KB960803)
              Security Update for Windows XP (KB960859)
              Security Update for Windows XP (KB961371)
              Security Update for Windows XP (KB961373)
              Security Update for Windows XP (KB961501)
              Security Update for Windows XP (KB963027)
              Security Update for Windows XP (KB968537)
              Security Update for Windows XP (KB969059)
              Security Update for Windows XP (KB969897)
              Security Update for Windows XP (KB969947)
              Security Update for Windows XP (KB970238)
              Security Update for Windows XP (KB970483)
              Security Update for Windows XP (KB971486)
              Security Update for Windows XP (KB971557)
              Security Update for Windows XP (KB971633)
              Security Update for Windows XP (KB971657)
              Security Update for Windows XP (KB971961)
              Security Update for Windows XP (KB972260)
              Security Update for Windows XP (KB972270)
              Security Update for Windows XP (KB973346)
              Security Update for Windows XP (KB973354)
              Security Update for Windows XP (KB973507)
              Security Update for Windows XP (KB973525)
              Security Update for Windows XP (KB973869)
              Security Update for Windows XP (KB973904)
              Security Update for Windows XP (KB974112)
              Security Update for Windows XP (KB974318)
              Security Update for Windows XP (KB974392)
              Security Update for Windows XP (KB974455)
              Security Update for Windows XP (KB974571)
              Security Update for Windows XP (KB975025)
              Security Update for Windows XP (KB975467)
              Security Update for Windows XP (KB975560)
              Security Update for Windows XP (KB975561)
              Security Update for Windows XP (KB975562)
              Security Update for Windows XP (KB975713)
              Security Update for Windows XP (KB976323)
              Security Update for Windows XP (KB976325)
              Security Update for Windows XP (KB977816)
              Security Update for Windows XP (KB977914)
              Security Update for Windows XP (KB978037)
              Security Update for Windows XP (KB978251)
              Security Update for Windows XP (KB978262)
              Security Update for Windows XP (KB978338)
              Security Update for Windows XP (KB978542)
              Security Update for Windows XP (KB978601)
              Security Update for Windows XP (KB978706)
              Security Update for Windows XP (KB979309)
              Security Update for Windows XP (KB979482)
              Security Update for Windows XP (KB979683)
              Security Update for Windows XP (KB979687)
              Security Update for Windows XP (KB980195)
              Security Update for Windows XP (KB980232)
              Security Update for Windows XP (KB980436)
              Security Update for Windows XP (KB981322)
              Security Update for Windows XP (KB981349)
              Security Update for Windows XP (KB981997)
              Security Update for Windows XP (KB982132)
              Security Update for Windows XP (KB982214)
              Security Update for Windows XP (KB982665)
              SUPERAntiSpyware
              Update for Windows XP (KB951072-v2)
              Update for Windows XP (KB951978)
              Update for Windows XP (KB955759)
              Update for Windows XP (KB967715)
              Update for Windows XP (KB968389)
              Update for Windows XP (KB973687)
              Update for Windows XP (KB973815)
              Update for Windows XP (KB978207)
              Volo View Express
              WebFldrs XP
              Windows Genuine Advantage Validation Tool (KB892130)
              Windows Live OneCare safety scanner
              Windows Media Format 11 runtime
              Windows XP Service Pack 3
              .
              ==== End Of File ===========================

              SuperDave
              • Malware Removal Specialist
              • Genius
              • Thanked: 1020
              • Experience: Expert
              • OS: Windows 10
              Re: re-appearing Trojan-Dropper.VBS.Agent.bp
              « Reply #9 on: March 18, 2011, 06:03:05 PM »
              Registry cleaners are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.
              Free Window Registry Repair
              There are a number of them available and some are safer than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

              For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

              Further reading: XP Fixes Myth #1: Registry Cleaners
              **************************************************
              Download OTL to your desktop.

              * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
              * When the window appears, underneath Output at the top change it to Minimal Output.
              * Check the boxes beside LOP Check and Purity Check.
              * Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

              When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

              Please copy and paste the contents of these files, one at a time, into your next reply.

              Note: You may need two or more posts to fit them all in.
              ******************************************************
              Download Security Check by screen317 from one of the following links and save it to your desktop.

              Link 1
              Link 2

              * Unzip SecurityCheck.zip and a folder named Security Check should appear.
              * Open the Security Check folder and double-click Security Check.bat
              * Follow the on-screen instructions inside of the black box.
              * A Notepad document should open automatically called checkup.txt
              * Post the contents of that document in your next reply.

              Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
              Windows 8 and Windows 10 dual boot with two SSDs

              Abhay Goel
                Re: re-appearing Trojan-Dropper.VBS.Agent.bp
                « Reply #10 on: March 21, 2011, 12:32:15 AM »
                OTL logfile created on: 3/21/2011 11:37:09 AM - Run 1
                OTL by OldTimer - Version 3.2.22.3     Folder = F:\
                Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
                Internet Explorer (Version = 6.0.2900.5512)
                Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
                 
                510.00 Mb Total Physical Memory | 57.00 Mb Available Physical Memory | 11.00% Memory free
                1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
                Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
                 
                %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
                Drive C: | 29.29 Gb Total Space | 19.29 Gb Free Space | 65.86% Space Free | Partition Type: NTFS
                Drive D: | 45.20 Gb Total Space | 32.21 Gb Free Space | 71.24% Space Free | Partition Type: NTFS
                Drive F: | 3.73 Gb Total Space | 3.66 Gb Free Space | 98.24% Space Free | Partition Type: FAT32
                 
                Computer Name: PUNINW-DELHI | User Name: vikers | Logged in as Administrator.
                Boot Mode: Normal | Scan Mode: Current user
                Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
                 
                ========== Processes (SafeList) ==========
                 
                PRC - F:\OTL.exe (OldTimer Tools)
                PRC - C:\WINDOWS\system32\ProxyPD.exe (Eaton Corporation)
                PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
                PRC - C:\Program Files\McAfee\Common Framework\naPrdMgr.exe (McAfee, Inc.)
                PRC - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
                 
                 
                ========== Modules (SafeList) ==========
                 
                MOD - F:\OTL.exe (OldTimer Tools)
                MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
                 
                 
                ========== Win32 Services (SafeList) ==========
                 
                SRV - (Tally License Server) Tally License Server (NT) --  File not found
                SRV - (Net Driver HPZ12) --  File not found
                SRV - (hpqcxs08) --  File not found
                SRV - (spupdsvc) -- C:\WINDOWS\system32\spupdsvc.exe (Microsoft Corporation)
                SRV - (W3SVC) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
                SRV - (SMTPSVC) Simple Mail Transfer Protocol (SMTP) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
                SRV - (IISADMIN) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
                SRV - (p2pgasvc) -- C:\WINDOWS\system32\p2pgasvc.dll (Microsoft Corporation)
                SRV - (Iprip) -- C:\WINDOWS\system32\iprip.dll (Microsoft Corporation)
                SRV - (McAfeeFramework) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe (McAfee, Inc.)
                 
                 
                ========== Driver Services (SafeList) ==========
                 
                DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
                DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
                DRV - (Tcpip6) -- C:\WINDOWS\system32\drivers\tcpip6.sys (Microsoft Corporation)
                DRV - (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM) -- C:\WINDOWS\system32\drivers\s0016unic.sys (MCCI Corporation)
                DRV - (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS) -- C:\WINDOWS\system32\drivers\s0016nd5.sys (MCCI Corporation)
                DRV - (s0016mdfl) -- C:\WINDOWS\system32\drivers\s0016mdfl.sys (MCCI Corporation)
                DRV - (s0016mdm) -- C:\WINDOWS\system32\drivers\s0016mdm.sys (MCCI Corporation)
                DRV - (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s0016mgmt.sys (MCCI Corporation)
                DRV - (s0016obex) -- C:\WINDOWS\system32\drivers\s0016obex.sys (MCCI Corporation)
                DRV - (s0016bus) Sony Ericsson Device 0016 driver (WDM) -- C:\WINDOWS\system32\drivers\s0016bus.sys (MCCI Corporation)
                DRV - (HPFXBULK) -- C:\WINDOWS\system32\drivers\hpfxbulk.sys (Hewlett Packard)
                DRV - (sea1unic) Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM) -- C:\WINDOWS\system32\drivers\sea1unic.sys (MCCI)
                DRV - (sea1obex) -- C:\WINDOWS\system32\drivers\sea1obex.sys (MCCI)
                DRV - (sea1nd5) Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS) -- C:\WINDOWS\system32\drivers\sea1nd5.sys (MCCI)
                DRV - (sea1mgmt) Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\sea1mgmt.sys (MCCI)
                DRV - (sea1mdm) -- C:\WINDOWS\system32\drivers\sea1mdm.sys (MCCI)
                DRV - (sea1mdfl) -- C:\WINDOWS\system32\drivers\sea1mdfl.sys (MCCI)
                DRV - (sea1bus) Sony Ericsson Device 0A1 driver (WDM) -- C:\WINDOWS\system32\drivers\sea1bus.sys (MCCI)
                DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
                DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
                 
                 
                ========== Standard Registry (SafeList) ==========
                 
                 
                ========== Internet Explorer ==========
                 
                 
                IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.co.in/
                IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
                IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = [String data over 1000 bytes]
                IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.apac.etn.com:8080
                 
                 
                 
                Hosts file not found
                O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
                O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
                O4 - HKLM..\Run: [ProxyPD] C:\WINDOWS\system32\ProxyPD.exe (Eaton Corporation)
                O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
                O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
                O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
                O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
                O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
                O12 - Plugin for: .spop - Reg Error: Value error. File not found
                O15 - HKCU\..Trusted Domains: etn.com ([easohsavos05.napa.ad] https in Trusted sites)
                O15 - HKCU\..Trusted Domains: gmail.com ([]* in Trusted sites)
                O15 - HKCU\..Trusted Domains: rediffmail.com ([www] http in Trusted sites)
                O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} https://easohsavos05.napa.ad.etn.com:4343/officescan//console/html/ClientInstall/WinNTChk.cab (ObjWinNTCheck Class)
                O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} https://easohsavos05.napa.ad.etn.com:4343/officescan/console/html/ClientInstall/setupini.cab (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class)
                O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} https://easohsavos05.napa.ad.etn.com:4343/officescan/console/html/ClientInstall/setup.cab (OfficeScan Corp Edition Web-Deployment SetupCtrl Class)
                O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} https://easohsavos02.napa.ad.etn.com:4343/officescan/console/html/root/AtxEnc.cab (Encrypt Class)
                O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab (Windows Live Safety Center Base Module)
                O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} https://easohsavos05.napa.ad.etn.com:4343/officescan//console/html/ClientInstall/RemoveCtrl.cab (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class)
                O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
                O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
                O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
                O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
                O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
                O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = napa.ad.etn.com
                O20 - HKLM Winlogon: Shell - (EXPLORER.EXE) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
                O20 - HKLM Winlogon: UserInit - (c:\program files\microsoft\watermark.exe) - c:\Program Files\Microsoft\WaterMark.exe ()
                O24 - Desktop WallPaper: C:\WINDOWS\Greenstone.bmp
                O24 - Desktop BackupWallPaper: C:\WINDOWS\Greenstone.bmp
                O32 - HKLM CDRom: AutoRun - 1
                O32 - AutoRun File - [2011/03/21 11:37:20 | 000,000,003 | RHS- | M] () - F:\autorun.inf -- [ FAT32 ]
                O33 - MountPoints2\{d916bc69-0145-11dd-a9b8-faaa4a14e3b6}\Shell\AutoRun\command - "" = F:\p3r1ud.exe
                O33 - MountPoints2\{d916bc69-0145-11dd-a9b8-faaa4a14e3b6}\Shell\explore\Command - "" = F:\p3r1ud.exe
                O33 - MountPoints2\{d916bc69-0145-11dd-a9b8-faaa4a14e3b6}\Shell\open\Command - "" = F:\p3r1ud.exe
                O33 - MountPoints2\{d916bc6a-0145-11dd-a9b8-faaa4a14e3b6}\Shell\AutoRun\command - "" = G:\p3r1ud.exe
                O33 - MountPoints2\{d916bc6a-0145-11dd-a9b8-faaa4a14e3b6}\Shell\explore\Command - "" = G:\p3r1ud.exe
                O33 - MountPoints2\{d916bc6a-0145-11dd-a9b8-faaa4a14e3b6}\Shell\open\Command - "" = G:\p3r1ud.exe
                O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
                O35 - HKLM\..comfile [open] -- "%1" %*
                O35 - HKLM\..exefile [open] -- "%1" %*
                O37 - HKLM\...com [@ = comfile] -- "%1" %*
                O37 - HKLM\...exe [@ = exefile] -- "%1" %*
                 
                ========== Files/Folders - Created Within 30 Days ==========
                 
                [2011/03/17 12:12:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
                [2011/03/16 17:06:17 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
                [2011/03/16 17:06:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
                [2011/03/16 17:06:12 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
                [2011/03/16 17:06:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
                [2011/03/11 13:56:04 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
                [2011/03/11 13:52:38 | 000,974,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc42.dll
                [2011/03/11 13:52:38 | 000,953,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mfc40u.dll
                [2011/03/11 13:47:46 | 000,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\comctl32.dll
                [2011/03/11 13:39:25 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
                [2011/03/11 13:28:00 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
                [2011/03/10 17:45:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\vikers\Start Menu\Programs\Free Window Registry Repair
                [2011/03/10 17:44:00 | 000,000,000 | ---D | C] -- C:\Program Files\Free Window Registry Repair
                [2011/03/09 13:05:18 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
                [2011/03/08 15:40:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\vikers\Application Data\GlarySoft
                [2011/03/08 15:38:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Glary Utilities
                [2011/03/08 15:38:44 | 000,000,000 | ---D | C] -- C:\Program Files\Glary Utilities
                [2011/03/04 13:25:06 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\vikers\Recent
                [2011/03/04 13:16:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
                [2011/03/04 11:20:11 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
                [2011/02/22 13:02:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
                [2011/02/22 12:34:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\vikers\Application Data\GetRightToGo
                [2011/02/22 12:34:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\vikers\My Documents\Downloads
                [2011/02/21 16:48:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\vikers\Application Data\Malwarebytes
                [2011/02/21 16:47:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
                [51 C:\Documents and Settings\vikers\My Documents\*.tmp files -> C:\Documents and Settings\vikers\My Documents\*.tmp -> ]
                [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
                 
                ========== Files - Modified Within 30 Days ==========
                 
                [2011/03/21 11:40:57 | 000,000,016 | ---- | M] () -- C:\WINDOWS\System32\dmlconf.dat
                [2011/03/21 11:34:50 | 000,028,529 | ---- | M] () -- C:\WINDOWS\netterm.ini
                [2011/03/21 09:40:47 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
                [2011/03/21 09:40:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
                [2011/03/16 10:10:26 | 000,000,208 | ---- | M] () -- C:\WINDOWS\POD.INI
                [2011/03/14 13:18:51 | 000,000,021 | ---- | M] () -- C:\tmuninst.ini
                [2011/03/14 13:13:21 | 000,322,728 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
                [2011/03/14 13:03:06 | 000,001,809 | ---- | M] () -- C:\WINDOWS\imsins.BAK
                [2011/03/11 13:04:29 | 000,000,256 | ---- | M] () -- C:\WINDOWS\WININIT.INI
                [2011/03/08 15:38:50 | 000,000,314 | ---- | M] () -- C:\WINDOWS\tasks\GlaryInitialize.job
                [2011/02/23 14:03:16 | 000,016,846 | ---- | M] () -- C:\WINDOWS\Ofcscan.ini
                [51 C:\Documents and Settings\vikers\My Documents\*.tmp files -> C:\Documents and Settings\vikers\My Documents\*.tmp -> ]
                [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
                 
                ========== Files Created - No Company Name ==========
                 
                [2011/03/14 12:34:04 | 000,028,529 | ---- | C] () -- C:\WINDOWS\netterm.ini
                [2011/03/11 14:13:47 | 000,001,809 | ---- | C] () -- C:\WINDOWS\imsins.BAK
                [2011/03/08 15:38:50 | 000,000,314 | ---- | C] () -- C:\WINDOWS\tasks\GlaryInitialize.job
                [2011/02/23 14:03:16 | 000,016,846 | ---- | C] () -- C:\WINDOWS\Ofcscan.ini
                [2011/01/28 19:34:18 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\dmlconf.dat
                [2009/05/14 10:35:23 | 000,000,208 | ---- | C] () -- C:\WINDOWS\POD.INI
                [2009/03/27 17:31:59 | 000,000,103 | ---- | C] () -- C:\WINDOWS\System32\hptrace.ini
                [2009/03/27 17:31:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
                [2009/03/27 17:31:26 | 000,049,152 | R--- | C] () -- C:\WINDOWS\System32\hpbprnfx.exe
                [2009/03/27 17:31:06 | 000,013,451 | ---- | C] () -- C:\WINDOWS\hpbins01.dat
                [2009/03/27 17:31:06 | 000,001,380 | ---- | C] () -- C:\WINDOWS\hpbmdl01.dat
                [2009/03/27 17:26:31 | 000,516,096 | ---- | C] () -- C:\WINDOWS\System32\ati2sgag.exe
                [2009/03/27 17:22:42 | 000,000,256 | ---- | C] () -- C:\WINDOWS\WININIT.INI
                [2009/03/27 17:03:05 | 000,007,753 | ---- | C] () -- C:\WINDOWS\hplj3380.ini
                [2009/02/27 10:44:55 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
                [2009/02/27 10:44:55 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
                [2009/02/27 10:44:14 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
                [2009/02/27 10:44:13 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
                [2009/02/27 10:44:11 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
                [2009/02/27 10:33:08 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
                [2009/02/25 16:21:10 | 000,000,063 | ---- | C] () -- C:\WINDOWS\DeskTopBird_K.ini
                [2009/02/24 14:21:12 | 000,079,360 | ---- | C] () -- C:\WINDOWS\System32\acdbres.dll
                [2009/01/22 12:35:06 | 000,000,054 | ---- | C] () -- C:\WINDOWS\GECKOS.INI
                [2009/01/22 12:26:12 | 000,000,372 | ---- | C] () -- C:\WINDOWS\EMICLOCK.INI
                [2008/11/21 16:26:42 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
                [2008/11/05 12:54:32 | 000,003,399 | R--- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
                [2008/11/05 12:54:32 | 000,000,131 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
                [2008/10/17 10:17:49 | 000,000,131 | ---- | C] () -- C:\WINDOWS\ra.ini
                [2008/09/24 14:43:44 | 000,009,391 | ---- | C] () -- C:\WINDOWS\cfgspyrt.ini
                [2008/09/24 14:43:42 | 000,010,348 | ---- | C] () -- C:\WINDOWS\cfgrt.ini
                [2008/09/24 14:17:38 | 000,010,254 | ---- | C] () -- C:\WINDOWS\cfgrt_ex.ini
                [2008/06/21 18:52:04 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
                [2008/04/15 14:52:35 | 000,000,454 | ---- | C] () -- C:\WINDOWS\SMSCFG.ini
                [2008/04/15 14:02:55 | 000,019,051 | ---- | C] () -- C:\WINDOWS\cfgall.ini
                [2008/04/08 20:52:27 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\vikers\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
                [2008/04/08 10:30:33 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\vikers\Local Settings\Application Data\fusioncache.dat
                [2008/04/03 17:04:42 | 000,004,346 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
                [2008/04/03 17:02:45 | 000,322,728 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
                [2008/04/03 13:37:12 | 000,000,344 | ---- | C] () -- C:\WINDOWS\hpbvspst.ini
                [2008/04/03 13:37:01 | 000,001,568 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
                [2008/04/03 12:11:51 | 000,000,636 | ---- | C] () -- C:\WINDOWS\ODBC.INI
                [2008/04/03 12:01:46 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
                [2008/04/03 11:45:35 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
                [2008/04/03 11:40:04 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
                [2008/04/02 11:28:09 | 000,093,878 | ---- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
                [2007/07/06 05:34:24 | 000,229,376 | ---- | C] () -- C:\WINDOWS\System32\HPPCPR01.DLL
                [2007/07/06 05:34:22 | 000,000,630 | ---- | C] () -- C:\WINDOWS\System32\HPPCPR01.DAT
                [2005/03/22 07:18:05 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
                [2005/03/22 07:18:05 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
                [2004/08/04 17:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
                [2004/08/04 17:30:00 | 000,445,258 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
                [2004/08/04 17:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
                [2004/08/04 17:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
                [2004/08/04 17:30:00 | 000,076,938 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
                [2004/08/04 17:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
                [2004/08/04 17:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
                [2004/08/04 17:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
                [2004/08/04 17:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
                [2004/08/04 17:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
                [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
                 
                ========== LOP Check ==========
                 
                [2010/03/05 11:36:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
                [2009/04/22 10:36:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
                [2010/05/21 17:46:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
                [2010/03/15 17:31:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
                [2010/03/15 17:54:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
                [2010/05/21 14:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
                [2010/03/15 17:03:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
                [2010/04/23 17:22:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
                [2010/05/21 14:02:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\DriverCure
                [2011/02/22 12:41:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\GetRightToGo
                [2011/03/08 15:40:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\GlarySoft
                [2008/11/21 17:25:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\Leadertech
                [2010/03/18 13:19:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\Nokia
                [2010/04/26 13:52:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\PC Suite
                [2010/07/26 16:02:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\Rediff.com
                [2009/02/23 18:47:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\Teleca
                [2010/04/16 14:15:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\vikers\Application Data\Uniblue
                [2010/05/21 14:01:55 | 000,000,382 | ---- | M] () -- C:\WINDOWS\Tasks\DriverCure.job
                [2011/03/08 15:38:50 | 000,000,314 | ---- | M] () -- C:\WINDOWS\Tasks\GlaryInitialize.job
                 
                ========== Purity Check ==========
                 
                 
                 
                ========== Alternate Data Streams ==========
                 
                @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

                < End of report >

                Abhay Goel

                  Re: re-appearing Trojan-Dropper.VBS.Agent.bp
                  « Reply #11 on: March 21, 2011, 12:32:49 AM »
                  OTL Extras logfile created on: 3/21/2011 11:37:09 AM - Run 1
                  OTL by OldTimer - Version 3.2.22.3     Folder = F:\
                  Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
                  Internet Explorer (Version = 6.0.2900.5512)
                  Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
                   
                  510.00 Mb Total Physical Memory | 57.00 Mb Available Physical Memory | 11.00% Memory free
                  1.00 Gb Paging File | 1.00 Gb Available in Paging File | 68.00% Paging File free
                  Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
                   
                  %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
                  Drive C: | 29.29 Gb Total Space | 19.29 Gb Free Space | 65.86% Space Free | Partition Type: NTFS
                  Drive D: | 45.20 Gb Total Space | 32.21 Gb Free Space | 71.24% Space Free | Partition Type: NTFS
                  Drive F: | 3.73 Gb Total Space | 3.66 Gb Free Space | 98.24% Space Free | Partition Type: FAT32
                   
                  Computer Name: PUNINW-DELHI | User Name: vikers | Logged in as Administrator.
                  Boot Mode: Normal | Scan Mode: Current user
                  Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
                   
                  ========== Extra Registry (SafeList) ==========
                   
                   
                  ========== File Associations ==========
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
                  .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
                  .url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l
                   
                  ========== Shell Spawning ==========
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
                  batfile [open] -- "%1" %*
                  cmdfile [open] -- "%1" %*
                  comfile [open] -- "%1" %*
                  cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
                  exefile [open] -- "%1" %*
                  InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
                  piffile [open] -- "%1" %*
                  regfile [merge] -- Reg Error: Key error.
                  scrfile [config] -- "%1"
                  scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
                  scrfile [open] -- "%1" /S
                  txtfile [edit] -- Reg Error: Key error.
                  Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
                  Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
                  Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
                  Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
                  Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
                   
                  ========== Security Center Settings ==========
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
                  "FirstRunDisabled" = 1
                  "AntiVirusDisableNotify" = 0
                  "FirewallDisableNotify" = 0
                  "UpdatesDisableNotify" = 0
                  "AntiVirusOverride" = 0
                  "FirewallOverride" = 0
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
                  "DisableMonitoring" = 1
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
                   
                  ========== System Restore Settings ==========
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
                  "DisableSR" = 0
                   
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
                  "Start" = 0
                   
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
                  "Start" = 2
                   
                  ========== Firewall Settings ==========
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
                  "EnableFirewall" = 0
                   
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
                  "EnableFirewall" = 0
                  "DoNotAllowExceptions" = 0
                  "DisableNotifications" = 0
                   
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
                  "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
                  "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
                  "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
                  "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
                  "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
                  "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
                  "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
                   
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
                  "EnableFirewall" = 1
                   
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
                  "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
                  "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
                  "63022:TCP" = 63022:TCP:*:Enabled:Trend Micro OfficeScan Listener
                  "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
                  "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
                  "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
                  "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
                  "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
                   
                  ========== Authorized Applications List ==========
                   
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
                  "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
                  "C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
                  "C:\Documents and Settings\vikers\Desktop\ChromeSetup.exe" = C:\Documents and Settings\vikers\Desktop\ChromeSetup.exe:*:Enabled:ChromeSetup
                   
                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
                  "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" = C:\Program Files\McAfee\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service -- (McAfee, Inc.)
                  "C:\Program Files\NetMeeting\conf.exe" = C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting® -- (Microsoft Corporation)
                  "E:\setup\HPZNET01.EXE" = E:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe
                  "E:\setup\hppapd.exe" = E:\setup\hppapd.exe:*:Enabled:hppapd.exe
                  "E:\setup\HPPNICIFS01.EXE" = E:\setup\HPPNICIFS01.EXE:*:Enabled:hppnicifs01.exe
                  "E:\setup\HPNTWKEXE.EXE" = E:\setup\HPNTWKEXE.EXE:*:Enabled:hpntwkexe.exe
                   
                   
                  ========== HKEY_LOCAL_MACHINE Uninstall List ==========
                   
                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
                  "{1746EA69-DCB6-4408-B5A5-E75F55439CDF}" = Scan
                  "{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
                  "{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 23
                  "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
                  "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
                  "{606E5C0D-6039-42A7-988E-9D51DE773AFF}" = hppFonts
                  "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
                  "{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
                  "{7D7B5C64-1CAD-4FBD-988A-D6767CFECE8D}" = hppScanTo
                  "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
                  "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
                  "{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
                  "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
                  "{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.2
                  "{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
                  "{BD29EBAC-AD7D-4b27-B727-4CC6AC52D36B}" = MarketResearch
                  "{C1E26EED-CC8B-4371-9CC7-AD8A5814B4B2}" = IE5 Registration
                  "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
                  "{D5E31EEE-CD8A-4E01-87F1-119C4A3201FD}" = hppscan3390
                  "{db18dc72-cd20-4801-be82-f5d2caeec4d7}" = DJ_AIO_03_F2200_Software
                  "{DD23CAA4-8872-4B95-B263-EA46FD82CF19}" = LaserAIO
                  "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
                  "ATI Display Driver" = ATI Display Driver
                  "CCleaner" = CCleaner
                  "Free Window Registry Repair" = Free Window Registry Repair
                  "Glary Utilities_is1" = Glary Utilities 2.32.0.1126
                  "Hydraulic Training Simulations" = Hydraulic Training Simulations
                  "Interactive Hydraulics Designer" = Interactive Hydraulics Designer
                  "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
                  "Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
                  "QuickTime" = QuickTime
                  "Volo View Express" = Volo View Express
                  "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
                  "Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
                  "Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
                  "Windows Media Format Runtime" = Windows Media Format 11 runtime
                  "Windows XP Service Pack" = Windows XP Service Pack 3
                  "WMFDist11" = Windows Media Format 11 runtime
                  "Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
                   
                  ========== Last 10 Event Log Errors ==========
                   
                  [ Application Events ]
                  Error - 9/18/2008 1:04:28 AM | Computer Name = PUNINW-DELHI | Source = Application Error | ID = 1000
                  Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
                   module mshtml.dll, version 6.0.2900.2180, fault address 0x00098e09.
                   
                  Error - 9/18/2008 1:04:39 AM | Computer Name = PUNINW-DELHI | Source = Application Error | ID = 1001
                  Description = Fault bucket 130592454.
                   
                  Error - 9/19/2008 12:38:49 AM | Computer Name = PUNINW-DELHI | Source = Userenv | ID = 1054
                  Description = Windows cannot obtain the domain controller name for your computer
                   network. (The specified domain either does not exist or could not be contacted.
                   ). Group Policy processing aborted.
                   
                  Error - 9/19/2008 2:36:10 AM | Computer Name = PUNINW-DELHI | Source = Application Hang | ID = 1002
                  Description = Hanging application OUTLOOK.EXE, version 11.0.8169.0, hang module
                  hungapp, version 0.0.0.0, hang address 0x00000000.
                   
                  Error - 9/19/2008 2:53:00 AM | Computer Name = PUNINW-DELHI | Source = Application Hang | ID = 1002
                  Description = Hanging application conf.exe, version 5.1.2600.2180, hang module hungapp,
                   version 0.0.0.0, hang address 0x00000000.
                   
                  Error - 9/19/2008 2:53:03 AM | Computer Name = PUNINW-DELHI | Source = Application Hang | ID = 1002
                  Description = Hanging application conf.exe, version 5.1.2600.2180, hang module hungapp,
                   version 0.0.0.0, hang address 0x00000000.
                   
                  Error - 9/22/2008 12:33:12 AM | Computer Name = PUNINW-DELHI | Source = Userenv | ID = 1054
                  Description = Windows cannot obtain the domain controller name for your computer
                   network. (The specified domain either does not exist or could not be contacted.
                   ). Group Policy processing aborted.
                   
                  Error - 9/22/2008 8:20:07 AM | Computer Name = PUNINW-DELHI | Source = Userenv | ID = 1054
                  Description = Windows cannot obtain the domain controller name for your computer
                   network. (The specified domain either does not exist or could not be contacted.
                   ). Group Policy processing aborted.
                   
                  Error - 9/22/2008 11:45:04 PM | Computer Name = PUNINW-DELHI | Source = Userenv | ID = 1054
                  Description = Windows cannot obtain the domain controller name for your computer
                   network. (The specified domain either does not exist or could not be contacted.
                   ). Group Policy processing aborted.
                   
                  Error - 9/22/2008 11:46:05 PM | Computer Name = PUNINW-DELHI | Source = AutoEnrollment | ID = 15
                  Description = Automatic certificate enrollment for local system failed to contact
                   the active directory (0x8007054b).  The specified domain either does not exist
                  or could not be contacted.    Enrollment will not be performed.
                   
                   
                  ========== Last 10 Event Log Errors ==========
                   
                  Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!
                   
                  < End of report >
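A defender-side triage of the report lines posted above, added here as an example that is not part of the thread and not OTL's own code: it walks OTL-style lines and flags the O33 MountPoints2 entries that launch an executable from a removable drive root, any O35 exefile/comfile handler that is not the Windows default, a firewall profile with EnableFirewall = 0, and ports opened to any remote address (`*`) instead of LocalSubNet. The sample input is constructed from lines copied out of the two reports; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the two OTL reports in this thread
# (O33 MountPoints2 entries, O35 shell handlers, Windows Firewall policy keys).
# Anything the parser does not recognise is ignored, so a whole report can be fed in.
SAMPLE_REPORT = r'''
O33 - MountPoints2\{d916bc69-0145-11dd-a9b8-faaa4a14e3b6}\Shell\open\Command - "" = F:\p3r1ud.exe
O33 - MountPoints2\{d916bc6a-0145-11dd-a9b8-faaa4a14e3b6}\Shell\AutoRun\command - "" = G:\p3r1ud.exe
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
'''

# O33 - MountPoints2\{GUID}\Shell\<verb>\Command - "" = <target>
O33_RE = re.compile(r'^O33 - MountPoints2\\(\{[0-9A-Fa-f-]+\})\\Shell\\(\w+)\\[Cc]ommand - "" = (.+)$')
# An executable in the root of a non-system drive: the autorun.inf worm pattern
ROOT_EXE_RE = re.compile(r'^[D-Z]:\\[^\\]+\.(exe|com|bat|cmd|pif|scr|vbs)$', re.I)
# O35 - HKLM\..<class> [open] -- <command>; the Windows default handler is "%1" %*
O35_RE = re.compile(r'^O35 - HKLM\\\.\.(\w+) \[open\] -- (.+)$')
DEFAULT_OPEN = '"%1" %*'
SECTION_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')
PROFILE_RE = re.compile(r'FirewallPolicy\\(\w+Profile)(\\GloballyOpenPorts\\List)?$')


@dataclass
class Triage:
    autorun_hits: list = field(default_factory=list)       # (guid, verb, target)
    shell_hijacks: list = field(default_factory=list)      # (file class, command)
    firewall_disabled: list = field(default_factory=list)  # profiles with EnableFirewall = 0
    ports_open_to_any: dict = field(default_factory=dict)  # profile -> ["445/TCP", ...]


def triage_otl(text: str) -> Triage:
    """Walk an OTL report line by line and collect the findings a reviewer would flag."""
    t = Triage()
    section = ""  # registry key of the [...] block we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O33_RE.match(line):
            guid, verb, target = m.groups()
            if ROOT_EXE_RE.match(target):
                t.autorun_hits.append((guid, verb.lower(), target))
        elif m := O35_RE.match(line):
            cls, cmd = m.groups()
            if cmd.strip() != DEFAULT_OPEN:
                t.shell_hijacks.append((cls, cmd.strip()))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif (m := VALUE_RE.match(line)) and (pm := PROFILE_RE.search(section)):
            name, value = m.groups()
            profile, in_ports_list = pm.group(1), pm.group(2) is not None
            if not in_ports_list and name == "EnableFirewall" and value.strip() == "0":
                t.firewall_disabled.append(profile)
            elif in_ports_list:
                # value layout: port:proto:scope:Enabled|Disabled:description
                f = value.split(":")
                if len(f) >= 4 and f[2] == "*" and f[3] == "Enabled":
                    t.ports_open_to_any.setdefault(profile, []).append(f"{f[0]}/{f[1]}")
    return t


def summarize(t: Triage) -> list:
    """Render the findings as one line each, in the order a fix list would address them."""
    out = []
    for guid, verb, target in t.autorun_hits:
        out.append(f"MountPoints2 {guid}: Shell\\{verb} runs {target} from a non-system drive root")
    for cls, cmd in t.shell_hijacks:
        out.append(f"{cls} [open] handler is not the default: {cmd}")
    for profile in t.firewall_disabled:
        out.append(f"{profile}: EnableFirewall = 0, firewall is off in this profile")
    for profile, ports in t.ports_open_to_any.items():
        out.append(f"{profile}: open to any remote address (*): {', '.join(ports)}")
    return out


if __name__ == "__main__":
    for finding in summarize(triage_otl(SAMPLE_REPORT)):
        print(finding)
```

Feeding a complete OTL.Txt and Extras.Txt through `triage_otl` gives the same four categories of finding; every other line is skipped.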

                  Abhay Goel

                    Re: re-appearing Trojan-Dropper.VBS.Agent.bp
                    « Reply #12 on: March 21, 2011, 12:34:34 AM »
                     Results of screen317's Security Check version 0.99.9 
                     Windows XP Service Pack 3 
                     Internet Explorer 6 Out of date!
                    ``````````````````````````````
                    Antivirus/Firewall Check:

                     Windows Security Center service is not running! This report may not be accurate!
                     WMI entry may not exist for antivirus; attempting automatic update.
                    ```````````````````````````````
                    Anti-malware/Other Utilities Check:

                     Malwarebytes' Anti-Malware   
                     CCleaner     
                     Java(TM) 6 Update 23 
                     Out of date Java installed!
                     Adobe Flash Player   
                    Adobe Reader 9.4.2
                    Out of date Adobe Reader installed!
                    ````````````````````````````````
                    Process Check: 
                    objlist.exe by Laurent

                    ``````````End of Log````````````

                    SuperDave

                    • Malware Removal Specialist


                    Re: re-appearing Trojan-Dropper.VBS.Agent.bp
                    « Reply #13 on: March 21, 2011, 01:28:03 PM »
                    * Open OTL
                    * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

                    Code:
                    :OTL
                    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
                    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
                    O12 - Plugin for: .spop - Reg Error: Value error. File not found
                    O15 - HKCU\..Trusted Domains: etn.com ([easohsavos05.napa.ad] https in Trusted sites)
                    O15 - HKCU\..Trusted Domains: gmail.com ([]* in Trusted sites)
                    O15 - HKCU\..Trusted Domains: rediffmail.com ([www] http in Trusted sites)

                    :COMMANDS
                    [resethosts]
                    [purity]
                    [emptytemp]
                    [start explorer]

                    * Click Run Fix
                    * OTLI2 may ask to reboot the machine. Please do so if asked.
                    * Click OK
                    * A report will open. Copy and Paste that report in your next reply.
                    ***********************************************
                    Update Your Java (JRE)

                    Old versions of Java have vulnerabilities that malware can use to infect your system.


                    First Verify your Java Version

                    If there are any other version(s) installed then update now.

                    Get the new version (if needed)

                    If your version is out of date install the newest version of the Sun Java Runtime Environment.

                    Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

                    Be sure to close ALL open web browsers before starting the installation.

                    Remove any old versions

                    1. Download JavaRa and unzip the file to your Desktop.
                    2. Open JavaRA.exe and choose Remove Older Versions
                    3. Once complete exit JavaRA.
                    4. Run CCleaner.

                    Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
                    **********************************************
                    Please download the newest version of Adobe Acrobat Reader from Adobe.com

                    Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
                    Go to the Control Panel and enter Add or Remove Programs.
                    Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

                    Once old versions are gone, please install the newest version.
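Added example (not part of the thread, and not OTL's own code): a PowerShell script that audits the same four persistence points the OTL fix above targets, so a reader can see what those O2/O3/O12/O15 and [resethosts] lines actually touch in the registry and on disk. It assumes an elevated Windows PowerShell 2.0 or later session and the standard registry locations; the function names, the `-Fix` switch and the `.bak` backup name are this example's own choices. Without `-Fix` it only reports.

```powershell
<#
  Added example, not from the thread or from OTL. Audits (and with -Fix removes):
    O2  Browser Helper Objects registered under HKLM whose CLSID has no HKCR\CLSID key
    O3  toolbar CLSIDs under HKCU Toolbar\WebBrowser with no HKCR\CLSID key
    O15 domains/hosts placed in the Trusted sites zone (ZoneMap value 2)
    hosts-file lines beyond the default localhost entries (OTL's [resethosts])
  Assumptions: run elevated; Windows PowerShell 2.0+; standard registry paths.
#>
param([switch]$Fix)

function Test-ClsidRegistered([string]$Clsid) {
    # An entry whose CLSID has no HKCR\CLSID key cannot load, but the
    # registration itself is a leftover worth removing ("No CLSID value found").
    Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
}

function Get-OrphanBho {
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem $root) {
        if (-not (Test-ClsidRegistered $key.PSChildName)) { $key.PSPath }
    }
}

function Get-OrphanToolbar {
    $tb = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    if (-not (Test-Path $tb)) { return }
    foreach ($name in (Get-Item $tb).GetValueNames()) {
        if ($name -match '^\{[0-9A-Fa-f-]{36}\}$' -and -not (Test-ClsidRegistered $name)) { $name }
    }
}

function Get-TrustedSiteEntries {
    # Zone 2 is Trusted sites. Each domain key (or host subkey beneath it) carries
    # http / https / * values; a value of 2 maps that protocol into the zone.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $zone)) { return }
    foreach ($key in Get-ChildItem $zone -Recurse) {
        foreach ($proto in $key.GetValueNames()) {
            if ($key.GetValue($proto) -eq 2) {
                New-Object PSObject -Property @{
                    Path     = $key.PSPath
                    Entry    = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
                    Protocol = $proto
                }
            }
        }
    }
}

function Get-NonDefaultHostsLines {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object {
        $_ -match '^\s*\S+\s+\S' -and $_ -notmatch '^\s*#' -and
        $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    }
}

$bhos     = @(Get-OrphanBho)
$toolbars = @(Get-OrphanToolbar)
$trusted  = @(Get-TrustedSiteEntries)
$hostsExt = @(Get-NonDefaultHostsLines)

"Orphan BHOs:          $($bhos.Count)";     $bhos     | ForEach-Object { "  $_" }
"Orphan toolbars:      $($toolbars.Count)"; $toolbars | ForEach-Object { "  $_" }
"Trusted-site entries: $($trusted.Count)";  $trusted  | ForEach-Object { "  $($_.Entry) [$($_.Protocol)]" }
"Extra hosts lines:    $($hostsExt.Count)"; $hostsExt | ForEach-Object { "  $_" }

if ($Fix) {
    foreach ($p in $bhos) { Remove-Item $p -Recurse -Force }
    $tb = 'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    foreach ($n in $toolbars) { Remove-ItemProperty -Path $tb -Name $n }
    # Delete each trusted-site key once; a host subkey is removed on its own,
    # leaving the parent domain key if it holds no zone values itself.
    $trusted | Select-Object -ExpandProperty Path -Unique | ForEach-Object { Remove-Item $_ -Recurse -Force }
    # Equivalent of [resethosts]: keep a backup, then restore the single default line.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Copy-Item $hosts "$hosts.bak" -Force
    Set-Content -Path $hosts -Value '127.0.0.1       localhost' -Encoding ASCII
}
```

Run it once without `-Fix` and compare the output with the OTL lines before deleting anything: a Trusted sites entry for a corporate host (like the `etn.com` entry in the fix above) may be legitimate, and on Windows XP the default hosts file has only the IPv4 localhost line, so a `::1` entry there is not by itself suspicious. Entries that the audit reports as registered (a CLSID that does resolve) are not orphans and need the DLL they point at examined rather than the key deleted blindly.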

                    Abhay Goel

                      Topic Starter


                      Rookie

                      • Experience: Beginner
                      • OS: Unknown
                      Re: re-appearing Trojan-Dropper.VBS.Agent.bp
                      « Reply #14 on: March 21, 2011, 10:30:11 PM »
                      All processes killed
                      ========== OTL ==========
                      Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
                      Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
                      Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
                      Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
                      Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension\.spop\ deleted successfully.
                      Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\etn.com\easohsavos05.napa.ad\ deleted successfully.
                      Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gmail.com\ deleted successfully.
                      Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\rediffmail.com\www\ deleted successfully.
                      ========== COMMANDS ==========
                      HOSTS file reset successfully
                       
                      [EMPTYTEMP]
                       
                      User: Administrator
                      ->Temp folder emptied: 0 bytes
                      ->Temporary Internet Files folder emptied: 67 bytes
                       
                      User: All Users
                       
                      User: C9986880
                      ->Temp folder emptied: 2073359 bytes
                      ->Temporary Internet Files folder emptied: 2683793 bytes
                      ->Java cache emptied: 3524 bytes
                      ->Flash cache emptied: 734 bytes
                       
                      User: Default User
                      ->Temp folder emptied: 0 bytes
                      ->Temporary Internet Files folder emptied: 67 bytes
                       
                      User: E5250045
                      ->Temp folder emptied: 2992672 bytes
                      ->Temporary Internet Files folder emptied: 0 bytes
                      ->Java cache emptied: 12713141 bytes
                      ->Flash cache emptied: 2415 bytes
                       
                      User: LocalService
                      ->Temp folder emptied: 0 bytes
                      ->Temporary Internet Files folder emptied: 67 bytes
                       
                      User: NetworkService
                      ->Temp folder emptied: 0 bytes
                      ->Temporary Internet Files folder emptied: 33170 bytes
                       
                      User: vikers
                      ->Temp folder emptied: 971644 bytes
                      ->Temporary Internet Files folder emptied: 32902 bytes
                      ->Java cache emptied: 12861056 bytes
                      ->Flash cache emptied: 1528823 bytes
                       
                      %systemdrive% .tmp files removed: 0 bytes
                      %systemroot% .tmp files removed: 2142714 bytes
                      %systemroot%\System32 .tmp files removed: 0 bytes
                      %systemroot%\System32\dllcache .tmp files removed: 0 bytes
                      %systemroot%\System32\drivers .tmp files removed: 0 bytes
                      Windows Temp folder emptied: 1347 bytes
                      %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
                      %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
                      RecycleBin emptied: 3398 bytes
                       
                      Total Files Cleaned = 36.00 mb
                       
                       
                      OTL by OldTimer - Version 3.2.22.3 log created on 03222011_093815

                      Files\Folders moved on Reboot...

                      Registry entries deleted on Reboot...