PSW.Agent.7.L can you help?

Re: PSW.Agent.7.L can you help?

by IndiGenus » April 13th, 2008, 6:09 pm

Hi,

What you just posted was what was posted before. The HijackThis log is new, but we don't need another HijackThis log. We need the full logs from both MalwareBytes Anti-Malware and Kaspersky. All we're getting is part of the Kaspersky log. Did you run MalwareBytes? And if so is there a log? On the Kaspersky log, you can try attaching the file. If you have any questions on what is asked let us know.

Thanks
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Re: PSW.Agent.7.L can you help?

by oldstyle » April 14th, 2008, 10:41 am

Malwarebytes' Anti-Malware 1.11
Database version: 616

Scan type: Quick Scan
Objects scanned: 42033
Time elapsed: 13 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
oldstyle
Regular Member
 
Posts: 21
Joined: April 7th, 2008, 2:14 pm

Re: PSW.Agent.7.L can you help?

by oldstyle » April 14th, 2008, 11:11 am

Malwarebytes' Anti-Malware 1.11
Database version: 616

Scan type: Quick Scan
Objects scanned: 42033
Time elapsed: 13 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
oldstyle
Regular Member
 
Posts: 21
Joined: April 7th, 2008, 2:14 pm

Re: PSW.Agent.7.L can you help?

by oldstyle » April 14th, 2008, 11:13 am

KASPERSKY ONLINE SCANNER REPORT
Monday, April 14, 2008 9:06:49 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/04/2008
Kaspersky Anti-Virus database records: 703811


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\User\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 13186
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:16:08

Scan process completed.
oldstyle
Regular Member
 
Posts: 21
Joined: April 7th, 2008, 2:14 pm

Re: PSW.Agent.7.L can you help?

by IndiGenus » April 14th, 2008, 5:10 pm

Hi,

All looks clean. If you aren't having any other issues and things are running well we can just clean up and finish off here.

Remove the SDFix folder.


Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 5.
  • Go to the Sun Java Website
  • Click on the download button next to Java Runtime Environment (JRE) 6 Update 5
  • Check the circle next to I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click on the link Windows Offline Installation, Multi-language and save the downloaded file to your hard disk.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer


Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

In addition to updating and using what you currently have you may want to consider the following:

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall. For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Spybot: Search And Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install Ad-Aware - Ad-Aware SE. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Use Zoned Out -
Zoned Out will block access to malicious websites so you cannot be redirected to them from an infected site or email. Instructions for set up and use can be found at the website.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Here is a great link to a post here on securing your PC after an attack.
http://users.telenet.be/bluepatchy/miek ... ntion.html
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Re: PSW.Agent.7.L can you help?

by oldstyle » April 14th, 2008, 11:52 pm

Appreciate all the help but AVG still shows PSW.Agent.7.L
oldstyle
Regular Member
 
Posts: 21
Joined: April 7th, 2008, 2:14 pm

Re: PSW.Agent.7.L can you help?

by IndiGenus » April 15th, 2008, 8:58 am

Hi,

Regarding the PSW.Agent.7.L reported by AVG. Does AVG give you any details about what it finds, such as file name, location, registry entry, etc.? If so please post that.

Also, it does not appear Kaspersky was run properly, and it did not scan the entire PC. Can you re-run Kaspersky for us and make sure to follow the instructions exactly as posted, making sure when selecting the target that you select My Computer? Here are the instructions again.

Please do an online scan with Kaspersky WebScanner

You need to use Internet Explorer for this scan.

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Re: PSW.Agent.7.L can you help?

by oldstyle » April 16th, 2008, 9:48 am

KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 15, 2008 9:52:36 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/04/2008
Kaspersky Anti-Virus database records: 706835


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 55721
Number of viruses found 9
Number of infected objects 36
Number of suspicious objects 0
Duration of the scan process 01:35:45

Infected Object Name Virus Name Last Action
C:\Documents and Settings\User\Desktop\New Folder\auto.exe Infected: Worm.Win32.AutoRun.cza skipped

C:\Documents and Settings\User\Local Settings\Application Data\Identities\{9302BA22-02B6-406A-BDAD-642A3656D8BE}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Identities\{9302BA22-02B6-406A-BDAD-642A3656D8BE}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Identities\{9302BA22-02B6-406A-BDAD-642A3656D8BE}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Identities\{9302BA22-02B6-406A-BDAD-642A3656D8BE}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\History\History.IE5\MSHist012008041520080416\index.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\abm3.tmp Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User\My Documents\larry the cableguy\larry the cable guy.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Documents and Settings\User\My Documents\My Music\cinnamin.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped

C:\Documents and Settings\User\My Documents\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped

C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped

C:\SDFix\backups\backups.zip/backups/tem17E.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\SDFix\backups\backups.zip/backups/tem17E.tmp.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\SDFix\backups\backups.zip/backups/tem186.tmp.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped

C:\SDFix\backups\backups.zip/backups/tem18C.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\SDFix\backups\backups.zip/backups/tem18C.tmp.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\SDFix\backups\backups.zip/backups/temDB.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\SDFix\backups\backups.zip/backups/temDB.tmp.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\SDFix\backups\backups.zip/backups/temDF.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped

C:\SDFix\backups\backups.zip/backups/temDF.tmp.exe Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped

C:\SDFix\backups\backups.zip/backups/updE6.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped

C:\SDFix\backups\backups.zip/backups/updE6.tmp.exe Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped

C:\SDFix\backups\backups.zip ZIP: infected - 11 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP366\A0085818.EXE Infected: Worm.Win32.AutoRun.cza skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP368\A0085923.dll Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP369\A0085980.EXE Infected: Worm.Win32.AutoRun.cza skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP371\A0086022.dll Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP378\A0087819.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP378\A0087838.dll Infected: not-a-virus:AdWare.Win32.Mirar.k skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP379\A0087878.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP381\A0088131.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP384\A0088303.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP384\A0088322.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088336.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088357.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088366.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088375.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088388.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088392.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088392.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088394.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088396.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088396.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088399.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088399.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088400.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088400.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088402.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bjb skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088402.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088448.DLL Object is locked skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088456.EXE Infected: Worm.Win32.AutoRun.cza skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP388\A0088493.inf Infected: Virus.Win32.AutoRun.mg skipped

C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP390\change.log Object is locked skipped

Scan process completed.
oldstyle
Regular Member
 
Posts: 21
Joined: April 7th, 2008, 2:14 pm

Re: PSW.Agent.7.L can you help?

by IndiGenus » April 16th, 2008, 5:42 pm

Hi,

That's what we're looking for from Kaspersky, good job :D From my last "all clean" speech I gave there were a couple of things you did not do.

1. Delete the SDFix folder, it's still there.
2. Clear out restore points, Kaspersky found several items in there.

Let's run through this again and I am going to advise a tool to clean up the folders/files Kaspersky found.

Please make sure to follow all steps given and take your time.

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\User\Desktop\New Folder\auto.exe
    C:\Documents and Settings\User\My Documents\larry the cableguy\larry the cable guy.mp3
    C:\Documents and Settings\User\My Documents\My Music\cinnamin.mp3
    C:\Documents and Settings\User\My Documents\SmitfraudFix
    C:\SDFix


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

Now clear out your restore points:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).

Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name and then click Create

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

Now reboot and post a new HijackThis log along with the OTMoveIt log, and let us know how it's going.
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA
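
The triage applied to the Kaspersky report in the post above (separate real detections from locked-file noise, then group them by where they sit on disk so each group gets the matching cleanup step) can be scripted. This is an added example, not part of the thread or of any vendor tool; the line layout and the use of "/" for members inside an archive are inferred from the pasted log, and the function and category names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the Kaspersky Online Scanner report pasted in this thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\User\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\Desktop\New Folder\auto.exe Infected: Worm.Win32.AutoRun.cza skipped
C:\Documents and Settings\User\My Documents\My Music\cinnamin.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\SDFix\backups\backups.zip/backups/tem17E.tmp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\SDFix\backups\backups.zip/backups/tem17E.tmp.exe Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\SDFix\backups\backups.zip ZIP: infected - 11 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088392.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP386\A0088392.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DC08BA3B-393B-4F22-8A8E-985A7E92B69B}\RP388\A0088493.inf Infected: Virus.Win32.AutoRun.mg skipped
"""

# Three line shapes appear in the report: a detection, a per-container
# summary ("ZIP: infected - 11"), and a file the scanner could not open.
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
CONTAINER = re.compile(
    r"^(?P<path>.+?) (?P<fmt>[A-Z]+): infected - (?P<count>\d+) (?P<action>\w+)$"
)
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")

# Cleanup step per category, following the steps given in the thread.
ACTIONS = {
    "system_restore": "flush System Restore points",
    "tool_leftovers": "delete the removal tool's folder",
    "live_file": "move the file itself out of the way",
}


def locate(path):
    """Classify a Windows path by where the file sits on disk."""
    p = path.lower()
    if re.match(r"^[a-z]:\\system volume information\\_restore", p):
        return "system_restore"
    if re.match(r"^[a-z]:\\sdfix(\\|$)", p) or "\\smitfraudfix\\" in p:
        return "tool_leftovers"
    return "live_file"


def triage(report):
    """Return detections grouped by category and on-disk file, plus noise counts."""
    findings = defaultdict(lambda: defaultdict(set))
    containers, locked, unparsed = {}, 0, []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED.match(line)
        if m:
            # Assumption: "/" separates an archive from its inner members,
            # so everything before the first "/" is the file actually on disk.
            outer = m["path"].split("/", 1)[0]
            findings[locate(outer)][outer].add(m["name"])
            continue
        m = CONTAINER.match(line)
        if m:
            containers[m["path"]] = (m["fmt"], int(m["count"]))
            continue
        if LOCKED.match(line):
            locked += 1  # in-use file, not a detection
            continue
        unparsed.append(line)  # keep anything unexpected visible
    return {
        "findings": {cat: dict(files) for cat, files in findings.items()},
        "containers": containers,
        "locked": locked,
        "unparsed": unparsed,
    }


def plan(result):
    """List (category, cleanup step, files) in a stable order."""
    return [
        (cat, ACTIONS[cat], sorted(files))
        for cat, files in sorted(result["findings"].items())
    ]


if __name__ == "__main__":
    res = triage(SAMPLE_REPORT)
    print(f"locked (ignored): {res['locked']}")
    for cat, action, files in plan(res):
        print(f"{cat}: {action}")
        for f in files:
            print(f"  {f} -> {sorted(res['findings'][cat][f])}")
```
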

Re: PSW.Agent.7.L can you help?

by oldstyle » April 16th, 2008, 6:36 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:36 PM, on 4/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe
C:\Program Files\Sierra Wireless\3G Wireless Module\Generic\Watcher.exe
C:\WINDOWS\system32\WgaTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ArcSoft\Polaroid iZone PhotoBase\iZone Monitor.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/profile.php?id=636384679
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: iZone Monitor.lnk = C:\Program Files\ArcSoft\Polaroid iZone PhotoBase\iZone Monitor.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED2EF933-E606-40D1-B8FB-F13BC34D17A2}: NameServer = 204.174.120.45 204.174.120.46
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SWAutoLaunch - Unknown owner - C:\Program Files\Sierra Wireless\3G Wireless Module\Generic\Components\SWAutoLaunch.exe

--
End of file - 8406 bytes
oldstyle
Regular Member
 
Posts: 21
Joined: April 7th, 2008, 2:14 pm

Re: PSW.Agent.7.L can you help?

Unread postby oldstyle » April 16th, 2008, 11:27 pm

I lost the moveit log from the clipboard, but everything moved no problem.
oldstyle
Regular Member
 
Posts: 21
Joined: April 7th, 2008, 2:14 pm

Re: PSW.Agent.7.L can you help?

Unread postby IndiGenus » April 18th, 2008, 9:55 am

Hi,

Did you reset System Restore? Are you still getting Malware reported found?
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Re: PSW.Agent.7.L can you help?

Unread postby oldstyle » April 18th, 2008, 10:39 am

Yes, reset system restore and no sign of Agent7. I really appreciate your help.
Thanks
oldstyle
Regular Member
 
Posts: 21
Joined: April 7th, 2008, 2:14 pm

Re: PSW.Agent.7.L can you help?

Unread postby IndiGenus » April 18th, 2008, 11:22 am

Great :cheers: you're welcome and good luck in the future.

Dave
IndiGenus
Regular Member
 
Posts: 657
Joined: February 2nd, 2005, 1:49 pm
Location: New England, USA

Re: PSW.Agent.7.L can you help?

Unread postby NonSuch » April 23rd, 2008, 12:34 am

oldstyle, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 27304
Joined: February 23rd, 2005, 7:08 am
Location: California