I was doing a routine scan with SAS, MBAM, and Avira. Avira didn't find anything; however, MBAM and SAS found multiple items, including a backdoor. There aren't any signs of backdoor activity. I haven't seen random programs opening.
The DDS Log:
DDS (Ver_2012-11-20.01) - FAT32_x86
Internet Explorer: 7.0.6000.17115 BrowserJavaVersion: 10.9.2
Run by Ken at 16:10:56 on 2013-01-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1164 [GMT -8:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir Desktop\sched.exe
D:\Avira\AntiVir Desktop\avguard.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\PIEngineering\X-keys\XKWdkApp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - <orphaned>
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [X-keys Programming] c:\program files\piengineering\x-keys\XKWdkApp.exe
mRun: [LXCRCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCRtime.dll,RunDLLEntry
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "d:\avira\antivir desktop\avgnt.exe" /min
uPolicies-Explorer: NoDriveTypeAutoRun = dword:36
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{B71C78A1-D096-4D44-B5D2-754D11E381EE} : DHCPNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-12-20 36552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 AntiVirSchedulerService;Avira Scheduler;d:\avira\antivir desktop\sched.exe [2012-12-20 85280]
R2 AntiVirService;Avira Real-Time Protection;d:\avira\antivir desktop\avguard.exe [2012-12-20 109344]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-12-20 83944]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena plus\room\safedrv.sys --> c:\program files\garena plus\room\safedrv.sys [?]
S3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2006-7-29 2343]
S3 TOUPCAM;ToupTek CMOS/CCD Camera Driver;c:\windows\system32\drivers\toupcam.sys [2012-7-3 18240]
.
=============== Created Last 30 ================
.
2013-01-07 23:18:07 -------- d-----w- c:\documents and settings\ken\application data\SUPERAntiSpyware.com
2013-01-07 23:17:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-01-07 23:17:34 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2013-01-07 16:18:58 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-12-20 21:25:29 -------- d-----w- c:\documents and settings\ken\application data\Avira
2012-12-20 21:19:30 83944 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-12-20 21:19:30 36552 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-12-19 22:01:01 -------- d-----w- C:\avast! sandbox
2012-12-18 01:00:03 -------- d-----w- c:\documents and settings\ken\application data\GarenaPlus
2012-12-18 00:59:36 -------- d-----w- c:\program files\Garena Plus
2012-12-18 00:59:22 -------- d-----w- c:\documents and settings\all users\application data\GarenaMessenger
.
==================== Find3M ====================
.
2012-12-16 12:24:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-15 00:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-13 00:40:58 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-13 00:40:56 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
2012-11-01 03:30:04 832512 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 03:30:04 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-11-01 03:30:04 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2012-11-01 03:30:04 17408 ----a-w- c:\windows\system32\corpol.dll
.
============= FINISH: 16:11:32.48 ===============
The SAS Log:
SUPERAntiSpyware Scan Log
Generated 01/07/2013 at 03:56 PM
Application Version : 5.6.1014
Core Rules Database Version : 9837
Trace Rules Database Version: 7649
Scan type : Complete Scan
Total Scan Time : 00:30:56
Operating System Information
Windows XP Home Edition 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator
Memory items scanned : 456
Memory threats detected : 0
Registry items scanned : 38407
Registry threats detected : 0
File items scanned : 28758
File threats detected : 1
Trojan.Agent/Gen-Siggen
C:\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\23.0.1271.97\AVFORMAT-54.DLL
MBAM Log:
Malwarebytes Anti-Malware 1.70.0.1100
Database version: v2013.01.07.06
Windows XP Service Pack 3 x86 FAT32
Internet Explorer 7.0.5730.11
Ken :: ACER-684C9A655D [administrator]
1/7/2013 4:39:25 PM
MBAM-log-2013-01-07 (16-45-43).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239337
Time elapsed: 6 minute(s), 11 second(s)
Memory Processes Detected: 1
C:\Acer\Empowering Technology\admServ.exe (Backdoor.Agent) -> 1900 -> No action taken.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\AWService (Backdoor.Agent) -> No action taken.
Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs|C:\ACER\EMPOWERING TECHNOLOGY\ADMSERV.EXE (Backdoor.Agent) -> Data: 1 -> No action taken.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Acer\Empowering Technology\admServ.exe (Backdoor.Agent) -> No action taken.
(end)