Author Topic: got virus!!!need help!!!still  (Read 10060 times)


mrg3dit2002

  • Guest
got virus!!!need help!!!still
« on: July 01, 2008, 02:06:40 PM »
I got a virus in the Windows system32 folder and now it keeps coming back!
Win32 Agent ZPS {trj} in the Windows system32 config\regback folder, attached to software old, 2 times now.
What should I do???
« Last Edit: July 01, 2008, 04:46:02 PM by mrg3dit2002 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: got virus!!!need help!!!
« Reply #1 on: July 01, 2008, 02:24:00 PM »
What is your OS ?

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware On-Demand only in free version. Or Spyware Terminator Resident scanner (if you use this don't install the toolbar or crawler or the anti-virus module). Or a-Squared free. I suggest trying them in order as the order represents the better detection and clean-up. Some elements of the programs might not work if you have an older OS like win9x or winME, namely the resident protection in SpywareTerminator.


What is your firewall ?
It should be capable of blocking unauthorised outbound Internet Connections.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mrg3dit2002

  • Guest
Re: got virus!!!need help!!!
« Reply #2 on: July 01, 2008, 02:40:54 PM »
I use Windows Vista 32.
It is in C:\windows\system32\config\regback\ (unsure how to put it) win32agent_ZPS {trj}.
I will try to scan in safe mode.
I use Windows Firewall.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: got virus!!!need help!!!
« Reply #3 on: July 01, 2008, 03:10:15 PM »
Just copy the data from the avast log viewer: export the warning section of the log viewer, open it and copy the line entry for this detection.

The safe mode scan is for one of the other anti-spyware tools, not avast. I don't know if they all work with Vista; try SAS as this is, I would say, the best of the three.

The Vista firewall's outbound protection is disabled by default; even when enabled it is rules-based and you have to create the rules, which is not easy. Vista Firewall Control: check out this topic for some user-friendly help for the Vista Firewall outbound protection, http://forum.avast.com/index.php?topic=30234.0.

mrg3dit2002

  • Guest
Re: got virus!!!need help!!!
« Reply #4 on: July 01, 2008, 03:42:23 PM »
SAS log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2008 at 09:29 AM

Application Version : 4.15.1000

Core Rules Database Version : 3493
Trace Rules Database Version: 1484

Scan type       : Complete Scan
Total Scan Time : 00:14:45

Memory items scanned      : 315
Memory threats detected   : 0
Registry items scanned    : 4879
Registry threats detected : 0
File items scanned        : 16337
File threats detected     : 17

Adware.Tracking Cookie
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@media.xfire[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@doubleclick[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@ad.yieldmanager[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@adrevolver[2].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@adtech[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@advertising[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@atdmt[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@media.adrevolver[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@doubleclick[2].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@toyota.112.2o7[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@msnportal.112.2o7[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@questionmarket[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@specificclick[2].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@tacoda[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@trafficmp[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@xiti[1].txt
   C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@zedo[2].txt

mrg3dit2002

  • Guest
Re: got virus!!!need help!!!
« Reply #5 on: July 01, 2008, 03:43:24 PM »
avast log
6/22/2008 7:27:32 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp11166873" file. 
6/22/2008 7:27:53 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp144526005" file. 
6/22/2008 7:28:24 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp146806937" file. 
6/22/2008 7:40:56 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp105456885" file. 
6/22/2008 7:41:11 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp129609980" file. 
6/22/2008 7:41:45 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp203977436" file. 
6/22/2008 7:42:48 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp217389011" file. 
6/22/2008 7:56:47 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp169640178" file. 
6/22/2008 7:59:51 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp255034303" file. 
6/22/2008 8:00:02 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp136390278" file. 
6/22/2008 8:03:21 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp96482621" file. 
6/22/2008 8:09:52 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp231131400" file. 
6/23/2008 7:27:03 AM   SYSTEM   1608   Sign of "Win32:Adware-gen [Adw]" has been found in "http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab\PopCapLoader.dll" file. 
6/23/2008 2:32:39 PM   admin   5052   Sign of "Win32:JunkPoly [Cryp]" has been found in "C:\Documents and Settings\admin\Downloads\Midway_PsiOps_DF_IGN.exe\psi-ops_setup_sw.exe\$INSTDIR\PsiOps" file. 
6/29/2008 12:48:24 AM   admin   3668   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\Windows\System32\config\RegBack\SOFTWARE.OLD" file. 
7/1/2008 12:16:29 AM   admin   1216   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\Windows\System32\config\RegBack\SOFTWARE.OLD" file. 
7/1/2008 9:34:21 AM   SYSTEM   1528   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
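The avast! Log Viewer warning lines pasted above all follow one layout, and the point DavidR is making is that one path (SOFTWARE.OLD) is detected repeatedly while the yahoo web-shield hits are all distinct. As an added example (not code from the thread or from avast), this Python parser reads lines in that format, separates on-access file detections from web-shield URL detections, and reports any path detected more than once; the sample lines are copied from the log above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: four detection lines and one non-detection line taken
# from the avast! Log Viewer output posted in this thread.
SAMPLE_LOG = [
    r'6/22/2008 7:27:32 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp11166873" file. ',
    r'6/22/2008 7:27:53 PM   SYSTEM   1608   Sign of "VBS:Malware-gen" has been found in "http://www.yahoo.com/\unp144526005" file. ',
    r'6/29/2008 12:48:24 AM   admin   3668   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\Windows\System32\config\RegBack\SOFTWARE.OLD" file. ',
    r'7/1/2008 12:16:29 AM   admin   1216   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\Windows\System32\config\RegBack\SOFTWARE.OLD" file. ',
    r'7/1/2008 9:34:21 AM   SYSTEM   1528   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. ',
]

# Layout of an avast! 4.x warning entry as it appears in this thread:
#   <date> <time> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
DETECTION_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)


def parse_detections(lines):
    """Return one dict per detection entry. Lines that are not detections
    (update failures and similar) are ignored rather than raising."""
    found = []
    for line in lines:
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def is_web_detection(entry):
    """Web Shield entries name a URL instead of a local path; in the thread
    these were the transient yahoo hits that avast later fixed as FPs."""
    return entry["path"].lower().startswith(("http://", "https://"))


def split_by_source(detections):
    """Separate web-shield (URL) detections from on-access file detections."""
    web = [d for d in detections if is_web_detection(d)]
    local = [d for d in detections if not is_web_detection(d)]
    return web, local


def recurring_files(detections, min_hits=2):
    """Map each local path detected at least min_hits times to
    (hit count, sorted signatures). A file that is detected again after being
    moved to the chest is the 'keeps coming back' pattern: either something
    regenerates it (here, the registry backup task) or the detection is an FP
    on a file that is rewritten routinely."""
    _, local = split_by_source(detections)
    hits = Counter(d["path"] for d in local)
    sigs = defaultdict(set)
    for d in local:
        sigs[d["path"]].add(d["sig"])
    return {p: (n, sorted(sigs[p])) for p, n in hits.most_common() if n >= min_hits}


if __name__ == "__main__":
    dets = parse_detections(SAMPLE_LOG)
    web, local = split_by_source(dets)
    print(f"{len(web)} web-shield hits, {len(local)} file hits")
    for path, (n, sigs) in recurring_files(dets).items():
        print(f"recurring: {path} x{n} as {', '.join(sigs)}")
```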

mrg3dit2002

  • Guest
Re: got virus!!!need help!!!
« Reply #6 on: July 01, 2008, 03:45:06 PM »
Logfile of Spyware Terminator v2.2.3.444 (db:1.000.000.000)
Scan Time: 7/1/2008 9:12:03 AM  length: 54 s
Platform: VISTA (6.0.0.6001)
User: Admin
Boot Mode: Safe
Scan type: Fast_Spyware_Scan
Scanned Objects: 18316 (Critical:0)
Filter: No System items, No Safe items, No Invalid items

Running Processes
pctsAuxs.exe [PC Tools] : C:\Program Files\Spyware Doctor\pctsAuxs.exe
pctsSvc.exe [PC Tools] : C:\Program Files\Spyware Doctor\pctsSvc.exe
wmpnscfg.exe [Microsoft Corporation] : C:\Program Files\Windows Media Player\wmpnscfg.exe
iexplore.exe [Microsoft Corporation] : C:\Program Files\Internet Explorer\iexplore.exe

Internet Settings
R - HKLM\Software\Microsoft\Internet Explorer\Main, Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R - HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R - HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, Domain =
R - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony, DomainName =

BHO
02 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} -  [Yahoo! Inc.] : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
02 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} -  [Comcast Cable Communications.] : C:\Program Files\ComcastToolbar\comcasttoolbar.dll
02 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -  [Google Inc.] : C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

Toolbars
03 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} -  [Comcast Cable Communications.] : C:\Program Files\ComcastToolbar\comcasttoolbar.dll
03 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  [Yahoo! Inc.] : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

StartUps
04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, DriverMax :  [Innovative Solutions] : C:\Program Files\INNOVATIVE SOLUTIONS\DRIVERMAX\DEVICES.EXE
04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SUPERAntiSpyware :  [SUPERAntiSpyware.com] : C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
04 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, WMPNSCFG :  [Microsoft Corporation] : C:\Program Files\Windows Media Player\wmpnscfg.exe
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ISTray :  [PC Tools] : C:\Program Files\SPYWARE DOCTOR\PCTSTRAY.EXE
04 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, SigmatelSysTrayApp :  [SigmaTel, Inc.] : C:\Windows\sttray.exe
04 - Startup: %STARTUP%\Webshots.lnk [Webshots.com] : C:\Program Files\Webshots\Launcher.exe

Shell Extensions
CLSID_PreviewMime - {92dbad9f-5025-49b0-9078-2d78f935e341} -  [Microsoft Corporation] : C:\Windows\system32\inetcomm.dll
CLSID_PreviewEmail - {b9815375-5d7f-4ce2-9245-c9d4da436930} -  [Microsoft Corporation] : C:\Windows\system32\inetcomm.dll
CLSID_PreviewHtml - {f8b8412b-dea3-4130-b36c-5e8be73106ac} -  [Microsoft Corporation] : C:\Windows\system32\inetcomm.dll
Shell Message Handler - {5FA29220-36A1-40f9-89C6-F4B384B7642E} -  [Microsoft Corporation] : C:\Windows\system32\inetcomm.dll
Microsoft Agent Character Property Sheet Handler - {143A62C8-C33B-11D1-84FE-00C04FA34A14} -  [Microsoft Corporation] : C:\Windows\MSAgent\agentpsh.dll
CompressedFolder - {E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31} -  [Microsoft Corporation] : C:\Windows\system32\zipfldr.dll
Compressed (zipped) Folder Right Drag Handler - {BD472F60-27FA-11cf-B8B4-444553540000} -  [Microsoft Corporation] : C:\Windows\system32\zipfldr.dll
Compressed (zipped) Folder SendTo Target - {888DCA60-FC0A-11CF-8F0F-00C04FD7D062} -  [Microsoft Corporation] : C:\Windows\system32\zipfldr.dll
Compressed (zipped) Folder Context Menu - {b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af} -  [Microsoft Corporation] : C:\Windows\system32\zipfldr.dll
Compressed (zipped) Folder DropHandler - {ed9d80b9-d157-457b-9192-0e7280313bf0} -  [Microsoft Corporation] : C:\Windows\system32\zipfldr.dll
&Windows Media Player - {0a4286ea-e355-44fb-8086-af3df7645bd9} -  [Microsoft Corporation] : C:\Program Files\Windows Media Player\wmpband.dll
 - {BB6B2374-3D79-41DB-87F4-896C91846510} -  [Microsoft Corporation] : C:\Windows\system32\emdmgmt.dll
Windows Photo Gallery Viewer Autoplay Handler - {9D687A4C-1404-41ef-A089-883B6FBECDE6} -  [Microsoft Corporation] : C:\Windows\system32\RUNDLL32.EXE
Portable Media Devices - {640167b4-59b0-47a6-b335-a6b3c0695aea} -  [Microsoft Corporation] : C:\Windows\system32\audiodev.dll
Windows Defender IOfficeAntiVirus implementation - {2781761E-28E0-4109-99FE-B9D127C57AFE} -  [Microsoft Corporation] : C:\Program Files\Windows Defender\MpOav.dll

Shell Extecute Hooks
SABShellExecuteHook Class - {{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}} -  [SuperAdBlocker.com] : C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

Protocol Handler
MHTML Asynchronous Pluggable Protocol Handler - {05300401-BCBC-11d0-85E3-00C04FD85AB4} -  [Microsoft Corporation] : C:\Windows\system32\inetcomm.dll

Services
23 - [Microsoft Corporation] : C:\Windows\system32\DRIVERS\bowser.sys
23 - [Microsoft Corporation] : C:\Windows\system32\Drivers\dfsc.sys
23 - [Intel Corporation] : C:\Windows\system32\DRIVERS\e100b325.sys
23 - [Intel Corporation] : C:\Windows\system32\DRIVERS\iaStor.sys
23 - [Intel Corporation] : C:\Windows\system32\drivers\iastorv.sys
23 - [PCTools Research Pty Ltd.] : C:\Windows\system32\drivers\ikfilesec.sys
23 - [PCTools Research Pty Ltd.] : C:\Windows\system32\drivers\iksysflt.sys
23 - [PCTools Research Pty Ltd.] : C:\Windows\system32\drivers\iksyssec.sys
23 - [Microsoft Corporation] : C:\Windows\system32\DRIVERS\msiscsi.sys
23 - [Microsoft Corporation] : C:\Windows\system32\DRIVERS\mrxsmb10.sys
23 - [Microsoft Corporation] : C:\Windows\system32\DRIVERS\mssmbios.sys
23 - [Microsoft Corporation] : C:\Windows\system32\drivers\rdpencdd.sys
23 - [PC Tools] : C:\Program Files\Spyware Doctor\pctsAuxs.exe
23 - [PC Tools] : C:\Program Files\Spyware Doctor\pctsSvc.exe

mrg3dit2002

  • Guest
Re: got virus!!!need help!!!
« Reply #7 on: July 01, 2008, 03:45:54 PM »
other 1/2
Winlogon Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon, DLLName :  [SUPERAntiSpyware.com] : C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

Advanced Files Report
%PROGRAMFILES%\Spyware Doctor\smumhook.dll [PC Tools] MD5=942E3D765874521870873D619E48480A SIZE=142728
%PROGRAMFILES%\Spyware Doctor\pctsAuxs.exe [PC Tools] MD5=0D608069A10354474A986F3BC301E024 SIZE=747912
%PROGRAMFILES%\Spyware Doctor\SysAccess.dll [PC Tools] MD5=CE35482528135C85AB07A7691EE6162D SIZE=135048
%PROGRAMFILES%\Spyware Doctor\rtl100.bpl [Borland Software Corporation] [Borland Package Library] MD5=E016DADBA1DD3C5EF41A8F70D3DC64A0 SIZE=843264
%PROGRAMFILES%\Spyware Doctor\ikdll.dll [PCTools Research Pty Ltd.] [Spyware Doctor] MD5=208326BC207CF19C8F872704AA47E475 SIZE=119688
%PROGRAMFILES%\Spyware Doctor\pctsSvc.exe [PC Tools] MD5=F4CDCBD7AD2E0C60D3EED62A55877834 SIZE=948616
%PROGRAMFILES%\Spyware Doctor\vcl100.bpl [Borland Software Corporation] [Borland Package Library] MD5=74B6B0BEAC3DC80201383B8699AD694E SIZE=1680896
%PROGRAMFILES%\Spyware Doctor\CommOM.dll [PC Tools] MD5=A87B9EEB1EF6DCD19A213A2FC3EBFEAE SIZE=919432
%PROGRAMFILES%\Spyware Doctor\CommLib.dll [PC Tools] MD5=311D43966E38C09E536BA8A96CBA05DB SIZE=825224
%PROGRAMFILES%\Spyware Doctor\commhlpr.dll [PC Tools] MD5=F3E492C514B3D2ED296F041E6AC63C21 SIZE=96648
%PROGRAMFILES%\Spyware Doctor\RegHelper.dll [PC Tools] [Spyware Doctor] MD5=582ACBF40CFCD2C2FCEB36D625741AF5 SIZE=115080
%PROGRAMFILES%\Spyware Doctor\inethlpr.dll [PC Tools] [Spyware Doctor] MD5=725A60C6D1065AD914F2C4F456E507F2 SIZE=178568
%PROGRAMFILES%\Spyware Doctor\filehlpr.dll [PC Tools] [Spyware Doctor] MD5=E3FD8FABD868CC52B83E2563A9749BD7 SIZE=140680
%PROGRAMFILES%\Spyware Doctor\sdcore.dll [PC Tools] MD5=0C355789633AD64B766BF4D8B300D7BD SIZE=119176
%PROGRAMFILES%\Spyware Doctor\FileStorage.sdp [PC Tools] MD5=2BC5C09CFFA89B8E5D23088509C47BF0 SIZE=309640
%PROGRAMFILES%\Spyware Doctor\Settings.sdp [PC Tools] MD5=D6E927045CBFAFD4BD7F18A09A8CB6D6 SIZE=112520
%PROGRAMFILES%\Spyware Doctor\IDBLib.sdp [PC Tools] MD5=1E1BFE9ACAAB3BF5CF3350E1E4570B01 SIZE=259464
%PROGRAMFILES%\Spyware Doctor\SDInfo.sdp [PC Tools] MD5=0D1EF366BD5AF9C264E39FF6E9FE8088 SIZE=923528
%PROGRAMFILES%\Spyware Doctor\SDExtra.sdp [PC Tools] MD5=D2E128B4D8AB072B93E2A2E99D8995F0 SIZE=162184
%PROGRAMFILES%\Spyware Doctor\PCTWSC.dll [PC Tools] [PCTWSC Dynamic Link Library] MD5=13F5E4B74B0EA628FCA5C2F51A51F977 SIZE=173960
%PROGRAMFILES%\Spyware Doctor\Immunizer.sdp [PC Tools] MD5=DDF0458188530D3D22C9CFAAD9E4A4E1 SIZE=108936
%PROGRAMFILES%\Spyware Doctor\Localizer.sdp [PC Tools] MD5=9A7637C82FE4DCB65F7EBEA6AEE54B39 SIZE=148872
%PROGRAMFILES%\Spyware Doctor\NfyMan.sdp [PC Tools] MD5=C5FAD0714030D9F08C3254AED249671A SIZE=101768
%PROGRAMFILES%\Spyware Doctor\quarantine.sdp [PC Tools] MD5=13738E3C00BA38F6C6C18E472C918E9C SIZE=159624
%PROGRAMFILES%\Spyware Doctor\BH.dll [PC Tools] [Browser Helper] MD5=02D9B8CDD76FDDF4F5CE7298BA53B936 SIZE=242568
%PROGRAMFILES%\Spyware Doctor\RebootManager.sdp [PC Tools] MD5=9E5B1ED1B6C690005C974BBE2988F7ED SIZE=128392
%PROGRAMFILES%\Spyware Doctor\scaneng.sdp [PC Tools] MD5=D2A4393DB35264D203AC9790B60B3C78 SIZE=241544
%PROGRAMFILES%\Spyware Doctor\stasks.sdp [PC Tools] MD5=D40F1DE60539437D44FCDFC4DC44068C SIZE=129928
%PROGRAMFILES%\Spyware Doctor\SystemMonitor.sdp [PC Tools] MD5=60065438CF58F40B3D943E486DAA7432 SIZE=1021832
%PROGRAMFILES%\Spyware Doctor\whitelist.sdp [PC Tools] MD5=1A91A54A8373C6A14A083B3C2CF762DC SIZE=127368
%PROGRAMFILES%\Spyware Doctor\sdwvhlp.dll [PC Tools] [sdwvhlp Dynamic Link Library] MD5=746F88D8A76F3D96BAADBAC079290EC6 SIZE=59272
%PROGRAMFILES%\Spyware Doctor\plugins\Browsers.SDP [PC Tools] MD5=4F54516C4E783516FFC7F55A0E17E9C9 SIZE=300936
%PROGRAMFILES%\Spyware Doctor\plugins\grfiles.SDP [PC Tools] [Spyware Doctor] MD5=0D69324E7CB053BBA9C1D8A956461C3D SIZE=276872
%PROGRAMFILES%\Spyware Doctor\plugins\grImmunizer.SDP [PC Tools] [Spyware Doctor] MD5=738E83C4E0C3572013679E2D48806ED1 SIZE=166280
%PROGRAMFILES%\Spyware Doctor\plugins\grregistry.SDP [PC Tools] [Spyware Doctor] MD5=1E1037C1726AB93738BBE29C4DB80C0F SIZE=157064
%PROGRAMFILES%\Spyware Doctor\PCToolsComponents.bpl [PC Tools] MD5=293A2D99C283E5118BBDD5EF7FD6FE51 SIZE=406528
%PROGRAMFILES%\Spyware Doctor\SH.dll [PC Tools] MD5=F6A7327F1482F37C8241662A20F8AD23 SIZE=217480
%PROGRAMFILES%\Spyware Doctor\plugins\Network.SDP [PC Tools] [Spyware Doctor] MD5=0711ACC0297F84E78DCF9DA8DCB24C96 SIZE=375688
%PROGRAMFILES%\Spyware Doctor\plugins\Process.SDP [PC Tools] MD5=14D940D114F80572F966FA78DB6726E8 SIZE=449416
%PROGRAMFILES%\Spyware Doctor\plugins\ScriptEngine.SDP [PC Tools] MD5=4D95A3BBA059369E90AA02908ADAA5D8 SIZE=343432
%PROGRAMFILES%\Spyware Doctor\plugins\StartUp.SDP [PC Tools] [Spyware Doctor] MD5=91B1217A95B425B37E19A619D8B625EF SIZE=292232
%SYSDIR%\l3codeca.acm [Fraunhofer Institut Integrierte Schaltungen IIS] [MPEG Layer-3 Audio Codec for MSACM] MD5=733A9243A14753652F9FA9C8BBC44F98 SIZE=62464
%PROGRAMFILES%\Internet Explorer\iexplore.exe [Microsoft Corporation] [Windows® Internet Explorer] MD5=5B92133D3E7FB2644677686305E29E81 SIZE=625664
%SYSDIR%\Macromed\Flash\Flash9f.ocx [Adobe Systems, Inc.] [Shockwave Flash] MD5=48FDF435B8595604E54125B321924510 SIZE=2991488
%PROGRAMFILES%\Webshots\Launcher.exe [Webshots.com] [The Webshots Desktop Launcher] MD5=ED6CA9FDE40E86F3ADC986275578FE74 SIZE=157000
%PROGRAMFILES%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Inc.] [Yahoo! Toolbar] MD5=3374C2A0344BE49368DC342329404B49 SIZE=436288
%SYSDIR%\inetcomm.dll [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=366DE53C91D95F081907FEEC352EDA2C SIZE=738304
%WINDIR%\MSAgent\agentpsh.dll [Microsoft Corporation] [Microsoft Agent Property Sheet Handler] MD5=F0B6186AEB591642784D6FFDC2D625BC SIZE=30720
%SYSDIR%\zipfldr.dll [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=F41857E440A9DF3FD5A543C8B2A53048 SIZE=342016
%PROGRAMFILES%\Windows Media Player\wmpband.dll [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=E7369CA015162EF4F9E207897EF7DED8 SIZE=99328
%SYSDIR%\emdmgmt.dll [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=BA4E96D951DDAD6AC3AF3C91D4AC68BF SIZE=564736
%SYSDIR%\RUNDLL32.EXE [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=4B555106290BD117334E9A08761C035A SIZE=44544
%SYSDIR%\audiodev.dll [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=67C30FAFA58BD7E02A9DA8BE28512934 SIZE=244224
%PROGRAMFILES%\Windows Defender\MpOav.dll [Microsoft Corporation] [Windows Defender] MD5=B7DC98F6F4E7611A9C0849945FB28FB9 SIZE=90680
%PROGRAMFILES%\SUPERAntiSpyware\SASSEH.DLL [SuperAdBlocker.com] [SuperAntiSpyware] MD5=ECD5517A6633826057D4F050927DDF56 SIZE=77824
%PROGRAMFILES%\SUPERAntiSpyware\SASWINLO.dll [SUPERAntiSpyware.com] [SUPERAntiSpyware WinLogon Processor] MD5=3B2F85D8C913CE452ADE4A0D24299FEA SIZE=294912
%SYSDIR%\svchost.exe -k LocalServiceNoNetwork
%SYSDIR%\DRIVERS\bowser.sys [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=74B442B2BE1260B7588C136177CEAC66 SIZE=69632
%SYSDIR%\svchost.exe -k NetworkService
%SYSDIR%\svchost.exe -k DcomLaunch
%SYSDIR%\Drivers\dfsc.sys [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=9E635AE5E8AD93E2B5989E2E23679F97 SIZE=75264
%SYSDIR%\svchost.exe -k LocalServiceNetworkRestricted
%SYSDIR%\DRIVERS\e100b325.sys [Intel Corporation] [Intel(R) PRO/100 Adapter] MD5=D00EEAE1CACD77A1A8396BBC19140BBA SIZE=159744
%SYSDIR%\DRIVERS\iaStor.sys [Intel Corporation] [Intel Matrix Storage Manager driver] MD5=E5A0034847537EAEE3C00349D5C34C5F SIZE=308248
%SYSDIR%\drivers\iastorv.sys [Intel Corporation] [Intel Matrix Storage Manager driver (base)] MD5=54155EA1B0DF185878E0FC9EC3AC3A14 SIZE=235064
%SYSDIR%\svchost.exe -k netsvcs
%SYSDIR%\drivers\ikfilesec.sys [PCTools Research Pty Ltd.] [Spyware Doctor] MD5=3D8A88BD1E6A640807691198A8342E8C SIZE=42376
%SYSDIR%\drivers\iksysflt.sys [PCTools Research Pty Ltd.] [Spyware Doctor] MD5=7583E2211097D273FCA4E3FCE04F639F SIZE=66952
%SYSDIR%\drivers\iksyssec.sys [PCTools Research Pty Ltd.] [Spyware Doctor] MD5=2402F65F1ECA5159C8F0F16066F4BDED SIZE=81288
%SYSDIR%\DRIVERS\msiscsi.sys [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=F247EEC28317F6C739C16DE420097301 SIZE=181304
%SYSDIR%\svchost.exe -k LocalService
%SYSDIR%\DRIVERS\mrxsmb10.sys [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=67E55CED3FC143C82A8197988BFC1F9A SIZE=211968
%SYSDIR%\DRIVERS\mssmbios.sys [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=E384487CB84BE41D09711C30CA79646C SIZE=31288
%SYSDIR%\svchost.exe -k LocalSystemNetworkRestricted
%SYSDIR%\svchost.exe -k NetworkServiceNetworkRestricted
%SYSDIR%\drivers\rdpencdd.sys [Microsoft Corporation] [Microsoft® Windows® Operating System] MD5=9D91FE5286F748862ECFFA05F8A0710C SIZE=6144
%SYSDIR%\svchost.exe -k rpcss
%SYSDIR%\svchost.exe -k secsvcs
%SYSDIR%\mscoree.dll [Microsoft Corporation] [Microsoft® .NET Framework] MD5=24084D13982FFE48C5BF931F1E5DD707 SIZE=282112
%COMMONFILES%\ADOBE\ACROBAT\ACTIVEX\ACROPDF.DLL [Adobe Systems, Inc.] [Adobe PDF Browser Control] MD5=97E41D0A84A5318A970F41A8058D9529 SIZE=632432
%COMMONFILES%\ADOBE\UPDATER5\ADOBEUPDATER.EXE [Adobe Systems Incorporated] [Adobe Updater] MD5=CEBB4703FE0A875947E5F0A3A95FE577 SIZE=2321600

End of Report

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: got virus!!!need help!!!still
« Reply #8 on: July 01, 2008, 05:34:26 PM »
1. SAS log: tracking cookies are no security risk; at worst they are a privacy issue. I don't even bother with checking for tracking cookies in the SAS scan settings.

2. avast log: the old ones related to yahoo are false positives which have been corrected.

These:
6/29/2008 12:48:24 AM   admin   3668   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\Windows\System32\config\RegBack\SOFTWARE.OLD" file.
7/1/2008 12:16:29 AM   admin   1216   Sign of "Win32:Agent-ZPS [trj]" has been found in "C:\Windows\System32\config\RegBack\SOFTWARE.OLD" file.

Are somewhat strange as I don't know what RegBack is (registry back-up perhaps?).
If so then it would be regenerating the Software.old file, which is a text file, so I'm surprised it is picked up as any form of malware. This may be a false positive detection and should be analysed further.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

3. SpywareTerminator log.
I'm not familiar with its layout, but it looks like a HiJackThis style report and there doesn't seem to be anything obvious there.

Summary:
I think the regeneration is likely to be non-malicious if this relates to registry back-up software you are aware of. In which case you need to do the steps I suggested earlier and report the findings.

mrg3dit2002

  • Guest
Re: got virus!!!need help!!!still
« Reply #9 on: July 01, 2008, 05:48:21 PM »
OK, thanks for the help, I will give it a try!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: got virus!!!need help!!!still
« Reply #10 on: July 01, 2008, 05:59:46 PM »
You're welcome, let us know the results.

mrg3dit2002

  • Guest
Re: got virus!!!need help!!!still
« Reply #11 on: July 01, 2008, 06:07:17 PM »
VirusTotal results:

AhnLab-V3 2008.7.2.0 2008.07.01 -
AntiVir 7.8.0.59 2008.07.01 -
Authentium 5.1.0.4 2008.07.01 -
Avast 4.8.1195.0 2008.06.30 Win32:Agent-ZPS <<<<<<<<< hummmmm...
AVG 7.5.0.516 2008.07.01 -
BitDefender 7.2 2008.07.01 -
CAT-QuickHeal 9.50 2008.06.30 -
ClamAV 0.93.1 2008.07.01 -
DrWeb 4.44.0.09170 2008.07.01 -
eSafe 7.0.17.0 2008.07.01 -
eTrust-Vet 31.6.5917 2008.07.01 -
Ewido 4.0 2008.07.01 -
F-Prot 4.4.4.56 2008.07.01 -
F-Secure 7.60.13501.0 2008.07.01 -
Fortinet 3.14.0.0 2008.07.01 -
GData 2.0.7306.1023 2008.07.01 -
Ikarus T3.1.1.26.0 2008.07.01 -
Kaspersky 7.0.0.125 2008.07.01 -
McAfee 5328 2008.06.30 -
Microsoft 1.3704 2008.07.01 -
NOD32v2 3232 2008.07.01 -
Norman 5.80.02 2008.07.01 -
Panda 9.0.0.4 2008.07.01 -
Prevx1 V2 2008.07.01 -
Rising 20.51.12.00 2008.07.01 -
Sophos 4.30.0 2008.07.01 -
Sunbelt 3.1.1509.1 2008.07.01 -
Symantec 10 2008.07.01 -
TheHacker 6.2.96.365 2008.07.01 -
TrendMicro 8.700.0.1004 2008.07.01 -
VBA32 3.12.6.8 2008.07.01 -
VirusBuster 4.5.11.0 2008.07.01 -
Webwasher-Gateway 6.6.2 2008.07.01 -
Additional information
File size: 5700679 bytes
MD5...: 336301ede7e061df7982a277045d096c
SHA1..: 69b566c455e4844d657614badc85f4df1f945abd
SHA256: 32aedcc0a47aa7da93d42b2e1a2a87be06e58c9db8a02fcb4903c4f98d651a3f
SHA512: 4e6494753ad7a62ffba49d4ae67c2b40155cfa8061995508e0288d720e67c646
f2a38bf0ce71c4e0479d93ad6f5e744c7fa53e75072c468526dfc72299fdbda7
PEiD..: -
PEInfo: -

Maybe an FP?????
« Last Edit: July 01, 2008, 06:20:31 PM by mrg3dit2002 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: got virus!!!need help!!!still
« Reply #12 on: July 01, 2008, 07:06:14 PM »
My suspicions on it being strange to detect this in what is a text file are confirmed, it is a false positive.

So send the sample to avast, exclude the file from scans and restore it from the chest; see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 for how to report it to avast! and what to do to exclude them until the problem is corrected.