Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help with 4 possible Trojans, Please help.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help with 4 possible Trojans, Please help.

Unread postby BlueEyedFox » April 10th, 2009, 10:45 am

Okay so I have two files starting in my startup today, I believe I have 2 trojans and am not sure how to go about removing them.

I run Comodo Internet Security and Malwarebytes Anti Malware

At the moment by CIS is blocking both files, From program and firewall request (By my own will). IT did try to access the internet but I stopped it. People are telling me to Format but I have too much on here to do that.

CIS and Malware Bytes dont detect nothing.

Here are the virusscan.jotti.org results

File 1: 1CB72.exe.exe

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Downloader-CGE
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found Troj.Downloader.W32.CodecPack.epq
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Downldr3.DZ
F-Secure Anti-Virus
Found Trojan.Win32.Agent2.hga
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Agent2.hga
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.VB.gen

File 2: 9F6B3.exe.exe

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Downloader-CGE
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found Troj.Downloader.W32.CodecPack.epq
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Downldr3.DZ
F-Secure Anti-Virus
Found Trojan.Win32.Agent2.hga
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Agent2.hga
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Trojan-Downloader.VB.gen
----------------------------------------------------------------------------------------------------------------------------------------------------------------
Here are the VirusTotal results

File 1 : 1CB72.exe.exe

a-squared 4.0.0.101 2009.04.10 -
AhnLab-V3 5.0.0.2 2009.04.10 -
AntiVir 7.9.0.138 2009.04.10 -
Antiy-AVL 2.0.3.1 2009.04.10 Trojan/Win32.Agent2
Authentium 5.1.2.4 2009.04.09 W32/Downldr3.DZ
Avast 4.8.1335.0 2009.04.09 Win32:Downloader-CGE
AVG 8.5.0.285 2009.04.10 -
BitDefender 7.2 2009.04.10 -
CAT-QuickHeal 10.00 2009.04.10 -
ClamAV 0.94.1 2009.04.10 -
Comodo 1109 2009.04.10 -
DrWeb 4.44.0.09170 2009.04.10 -
eSafe 7.0.17.0 2009.04.07 -
eTrust-Vet 31.6.6448 2009.04.10 -
F-Prot 4.4.4.56 2009.04.09 W32/Downldr3.DZ
F-Secure 8.0.14470.0 2009.04.10 Trojan.Win32.Agent2.hga
Fortinet 3.117.0.0 2009.04.09 -
GData 19 2009.04.10 Win32:Downloader-CGE
Ikarus T3.1.1.49.0 2009.04.10 -
K7AntiVirus 7.10.698 2009.04.09 -
Kaspersky 7.0.0.125 2009.04.10 Trojan.Win32.Agent2.hga
McAfee 5579 2009.04.09 -
McAfee+Artemis 5579 2009.04.09 -
McAfee-GW-Edition 6.7.6 2009.04.10 -
Microsoft 1.4502 2009.04.10 -
NOD32 3999 2009.04.10 -
Norman 6.00.06 2009.04.09 -
nProtect 2009.1.8.0 2009.04.10 -
Panda 10.0.0.14 2009.04.10 -
Prevx1 V2 2009.04.10 Medium Risk Malware
Rising 21.24.44.00 2009.04.10 -
Sophos 4.40.0 2009.04.10 -
Sunbelt 3.2.1858.2 2009.04.10 Trojan.Win32.Agent2.hga
Symantec 1.4.4.12 2009.04.10 -
TheHacker 6.3.4.0.305 2009.04.09 -
TrendMicro 8.700.0.1004 2009.04.10 TROJ_AGENT.AQER
VBA32 3.12.10.2 2009.04.10 Trojan-Downloader.VB.gen
ViRobot 2009.4.10.1688 2009.04.10 -
VirusBuster 4.6.5.0 2009.04.10 -

File 2: Could get it to upload, Virustotal is working when it wants to

error : Please report failure as: ErrorTime= "Apr 10 16:05:29"

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:03 AM, on 4/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\EVGA Precision\EVGAPrecision.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\EVGA Precision\Bundle\OSDServer\RTSS.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mister Tickle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [EVGAPrecision] "C:\Program Files\EVGA Precision\EVGAPrecision.exe" /s
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: 1CB72.exe.exe
O4 - Startup: 9F6B3.exe.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cssdll32.dll
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6977 bytes

------------------------------------------------------------------------------------------------------------------------------------------------------------------

Image

Sorry for posting so much stuff, I wanted to make sure I had everything so I can be assited properly.

Please help me out, Thanks.

Edit: I have two new files named BAB2D.exe and 0E808.exe after a blue screen when I tried to run some program that supposed to scan for rootkits or something.

Oh and I cant seem to get on http://www.bleepingcomputer.com/forums/ from google chrome but i can get on the main site its strange, so I'm using IE for now. What is this bleep? Please help,

Oh and everytime I restart, Even though I changed some settings with AusLogic Boost thing it says "Excuting .dll" something before it starts up and i see my desktop, It spammed alot of em the first time but I think its related to AusLogic

The new files seem to be very different, Heres a picture of sometihng I thought looked important

Image



http://www.bleepingcomputer.com/forums/topic218273.html
Last edited by tashi on April 10th, 2009, 11:08 am, edited 2 times in total.
Reason: Added link to BC topic
BlueEyedFox
Active Member
 
Posts: 1
Joined: May 10th, 2008, 5:27 pm
Advertisement
Register to Remove

Re: Help with 4 possible Trojans, Please help.

Unread postby NonSuch » April 23rd, 2009, 7:43 pm

While we appreciate that you very likely posted at multiple forums in order to ensure a response, that only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. Although there are many forums that handle HijackThis logs, there are not so many helpers; most of us help out at several forums. In addition, the results may not work out so well when you're following different instructions from different helpers. They may suggest different approaches for the same problem, all of which may be good; however, system conflicts may arise if different fixes for the same problem are applied simultaneously.

In the future, for your sake as well as ours, please refrain from requesting help from multiple forums. Choose one, and stick with that one until they've resolved your problem.

This topic is now closed.

You can help support this site from this link :
Donations For Malware Removal
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 18 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware