Help remove Trojan Win32.Agent


Re: Help remove Trojan Win32.Agent

by Dakeyras » June 4th, 2009, 6:03 pm

Hi :)

Not to worry, this could be due to what I mentioned prior in my last post, but look at it this way: at least your Anti-Virus is doing what it is supposed to do, even if it is hindering us somewhat.

Just ignore anything it flags and stop any scan attempts; once you have temp' disabled it and started the ComboFix Script run, it should pose no problem OK :thumbup:

Just carry out my prior instructions from here please, thank you:
Custom ComboFix Script:

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

    Open notepad and copy/paste the text in the quotebox below into it:
    Folder::
    c:\program files\Viewpoint
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\program files\Startup Inspector for Windows
    c:\program files\QuickTime
    c:\documents and settings\All Users\Application Data\AOL
    c:\documents and settings\Elena Farrelly\Application Data\U3
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    [-HKEY_CLASSES_ROOT\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Cpqset"=-
    "USB2Check"=-
    
    RegNull::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

F-Secure Blacklight:

Please download Blacklight from here to your desktop.

or

Link to it from the ftp site: ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
and save it to your desktop from there.

Go to Start-->Run, copy in the following text, and press Enter:
"%userprofile%\desktop\fsbl.exe" /expert
Accept the license agreement.
Click > scan, wait for it to finish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.

When completed the above, please post back the following in the order asked for:

  • Inform me how your computer is running. Any problems encountered and/or further symptoms?
  • ComboFix Log.
  • Blacklight Log.
  • A new HijackThis Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help remove Trojan Win32.Agent

by jfarrelly » June 4th, 2009, 8:22 pm

The trojan is still being identified by Kaspersky but keeps coming back even after Kaspersky neutralizes or deletes it.

ComboFix 09-06-03.04 - Elena Farrelly 06/04/2009 16:55.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.545 [GMT -7:00]
Running from: c:\documents and settings\Elena Farrelly\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Elena Farrelly\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\AOL
c:\documents and settings\All Users\Application Data\Viewpoint
c:\documents and settings\Elena Farrelly\Application Data\U3
c:\documents and settings\Elena Farrelly\Application Data\U3\temp\cleanup.exe
c:\program files\QuickTime
c:\program files\QuickTime\Plugins\nsIQTScriptablePlugin.xpt
c:\program files\Startup Inspector for Windows
c:\program files\Startup Inspector for Windows\Visit Startup Inspector for Windows Homepage.url
c:\program files\Startup Inspector for Windows\wsiComment.htm
c:\program files\Viewpoint
c:\recycler\NPROTECT\00038480.

.
((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-04 07:15 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-04 07:15 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-04 06:19 . 2009-06-04 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-02 15:54 . 2009-06-02 15:54 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-01 15:50 . 2009-06-01 15:54 -------- d-----w- C:\Rooter$
2009-05-28 17:36 . 2009-05-28 17:36 -------- d-----w- c:\program files\Trend Micro
2009-05-16 15:30 . 2009-05-16 15:30 -------- d-----w- c:\program files\Free PDF to Word Doc Converter
2009-05-07 18:31 . 2009-05-07 18:31 -------- d-----w- c:\documents and settings\Elena Farrelly\Application Data\Malwarebytes
2009-05-07 18:30 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-07 18:30 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-07 18:30 . 2009-05-07 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-07 18:30 . 2009-06-02 15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 00:06 . 2008-09-10 17:27 29679136 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-05 00:06 . 2008-09-10 17:27 1485600 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-04 19:13 . 2008-09-10 17:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-06-04 19:12 . 2008-09-10 17:27 403076 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-04 19:12 . 2008-09-10 17:27 144044 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-04 06:27 . 2006-05-11 05:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 23:55 . 2006-09-15 17:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-01 23:53 . 2006-10-01 19:38 -------- d-----w- c:\program files\Lavasoft
2009-05-21 05:51 . 2008-09-10 17:27 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-05-21 05:51 . 2008-09-10 17:27 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-04-22 22:11 . 2009-04-22 22:11 -------- d-----w- c:\program files\YouTube Downloader
2009-04-11 22:54 . 2007-11-28 18:47 -------- d-----w- c:\documents and settings\Elena Farrelly\Application Data\Image Zone Express
2009-04-09 17:52 . 2006-10-01 19:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-04-09 17:50 . 2006-10-01 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-04 22:23 . 2007-10-09 05:21 8080987 -c--a-w- c:\program files\HandBrakeCLI.exe
2007-12-04 22:23 . 2007-01-31 19:33 1873811 -c--a-w- c:\program files\cygwin1.dll
2002-07-27 01:02 . 2006-09-16 23:39 153088 ----a-w- c:\program files\UNWISE.EXE
2006-09-18 03:14 . 2006-09-18 03:14 22 -csha-w- c:\windows\SMINST\HPCD.sys
2006-05-03 10:06 . 2007-12-19 17:10 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2007-12-19 17:10 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 13:43 . 2008-02-08 01:02 27648 --sh--w- c:\windows\system32\Smab0.dll
2008-02-04 19:26 . 2008-02-08 01:02 151040 --sh--w- c:\windows\system32\VistaUltm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2005-09-27 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-08-14 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-08-14 114688]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-04-18 61952]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprecovr \SystemRoot\sprecovr.txt

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/4/2007 2:58 PM 24344]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.sierra.cc.ca.us/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\Elena Farrelly\Application Data\Mozilla\Firefox\Profiles\tze28wyp.default\
FF - plugin: c:\documents and settings\Elena Farrelly\Application Data\Mozilla\Firefox\Profiles\tze28wyp.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 17:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1376)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
.
Completion time: 2009-06-05 17:09
ComboFix-quarantined-files.txt 2009-06-05 00:09
ComboFix2.txt 2009-06-04 07:19

Pre-Run: 19,102,011,392 bytes free
Post-Run: 19,105,181,696 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
148 --- E O F --- 2009-06-04 15:31


06/04/09 17:13:11 [Info]: BlackLight Engine 2.2.1092 initialized
06/04/09 17:13:11 [Info]: OS: 5.1 build 2600 (Service Pack 3)
06/04/09 17:13:11 [Note]: 7019 4
06/04/09 17:13:11 [Note]: 7005 0
06/04/09 17:13:21 [Note]: 7006 0
06/04/09 17:13:21 [Note]: 7022 0
06/04/09 17:13:22 [Note]: 7011 2816
06/04/09 17:13:44 [Note]: 7035 0
06/04/09 17:13:44 [Note]: 7026 0
06/04/09 17:13:45 [Note]: 7026 0
06/04/09 17:13:45 [Note]: FSRAW library version 1.7.1024
06/04/09 17:17:34 [Note]: 7007 0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:04 PM, on 6/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sierra.cc.ca.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6606 bytes
jfarrelly
Regular Member
 
Posts: 27
Joined: May 7th, 2009, 3:51 pm

Re: Help remove Trojan Win32.Agent

by Dakeyras » June 5th, 2009, 8:52 am

Hi :)

The trojan is still being identified by Kaspersky but keeps coming back even after Kaspersky neutralizes or deletes it.
I honestly cannot see anything in the logs provided that would be the cause. I am thinking now this may be some form of FP (false positive).

Please check for any updates with Kaspersky Anti-Virus, then run a scan please; if anything is found, do not let Kaspersky remove it. Just choose the option ignore and save the report.

When completed post the report generated please and we will go from there. Do not worry we will solve this problem by hook or crook OK :thumbup:
Dakeyras
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help remove Trojan Win32.Agent

by jfarrelly » June 6th, 2009, 10:29 am

I tried sending this a few times but apparently the file size exceeded 100000 characters, so I deleted the first part of the log through April and just sent you the May 2009 stuff. Hope it goes through this time.
Joe


Protection : running
--------------------
Total scanned: 21132
Detected: 21
Untreated: 10
Start time: 6/4/2009 7:15:53 PM
Duration: 13:13:33


Detected
--------
Status Object
------ ------

5/1/2009 2:00:48 AM Update completed successfully
5/1/2009 4:20:22 AM Update completed successfully
5/1/2009 6:40:23 AM Update completed successfully
5/1/2009 9:00:48 AM Update completed successfully
5/1/2009 11:19:59 AM Databases are up-to-date
5/1/2009 1:40:18 PM Update completed successfully
5/1/2009 4:00:25 PM Update completed successfully
5/1/2009 6:19:59 PM Databases are up-to-date
5/1/2009 8:39:59 PM Databases are up-to-date
5/1/2009 11:00:24 PM Update completed successfully
5/2/2009 1:20:04 AM Databases are up-to-date
5/2/2009 3:40:30 AM Update completed successfully
5/2/2009 6:00:23 AM Update completed successfully
5/2/2009 8:20:24 AM Update completed successfully
5/2/2009 8:43:30 AM Process (PID 2964) tried to access Kaspersky Anti-Virus process (PID 1116), but the action has been blocked by the Self-Defense component. No action on your part is required.
5/2/2009 10:40:40 AM Update completed successfully
5/2/2009 1:00:52 PM Update completed successfully
5/2/2009 3:20:42 PM Update completed successfully
5/2/2009 5:40:42 PM Update completed successfully
5/2/2009 8:00:38 PM Update completed successfully
5/2/2009 10:20:42 PM Update completed successfully
5/3/2009 12:40:46 AM Update completed successfully
5/3/2009 3:01:05 AM Update completed successfully
5/3/2009 5:20:40 AM Update completed successfully
5/3/2009 7:40:41 AM Update completed successfully
5/3/2009 9:31:37 AM File C:\DOCUME~1\ELENAF~1\LOCALS~1\Temp\install[1].exe: detected new threat 'not-a-virus:FraudTool.Win32.WinSpywareProtect.oy'. User: ELENAHOMELAPTOP\Elena Farrelly, computer: localhost.
5/3/2009 9:31:38 AM Security threats have been detected. You are advised to neutralize them immediately.
5/3/2009 10:01:02 AM Update completed successfully
5/3/2009 12:20:42 PM Update completed successfully
5/3/2009 1:42:46 PM File C:\DOCUME~1\ELENAF~1\LOCALS~1\Temp\install[1].exe will be deleted on system restart.
5/3/2009 1:44:40 PM File C:\DOCUME~1\ELENAF~1\LOCALS~1\TEMP\INSTALL[1].EXE: detected new threat 'not-a-virus:FraudTool.Win32.WinSpywareProtect.oy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
5/3/2009 1:44:40 PM File C:\DOCUMENTS AND SETTINGS\ELENA FARRELLY\LOCAL SETTINGS\TEMP\INSTALL[1].EXE: detected new threat 'not-a-virus:FraudTool.Win32.WinSpywareProtect.oy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
5/3/2009 1:44:40 PM File C:\docume~1\elenaf~1\locals~1\temp\install[1].exe: detected new threat 'not-a-virus:FraudTool.Win32.WinSpywareProtect.oy'. User: ELENAHOMELAPTOP\Elena Farrelly, computer: localhost.
5/3/2009 1:44:40 PM File C:\Documents and Settings\Elena Farrelly\Local Settings\Temp\install[1].exe: detected new threat 'not-a-virus:FraudTool.Win32.WinSpywareProtect.oy'. User: ELENAHOMELAPTOP\Elena Farrelly, computer: localhost.
5/3/2009 1:45:38 PM File C:\DOCUME~1\ELENAF~1\LOCALS~1\Temp\install[1].exe: detected new threat 'not-a-virus:FraudTool.Win32.WinSpywareProtect.oy'. User: ELENAHOMELAPTOP\Elena Farrelly, computer: localhost.
5/3/2009 1:47:10 PM Protection of your computer is not running. You are advised to resume protection.
5/3/2009 1:50:09 PM Protection of your computer started.
5/3/2009 1:58:30 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip/sbRecovery.reg: is password protected.
5/3/2009 1:58:30 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip/sbRecovery.ini: is password protected.
5/3/2009 1:58:30 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesci.zip/sbRecovery.reg: is password protected.
5/3/2009 1:58:30 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesci.zip/sbRecovery.ini: is password protected.
5/3/2009 2:33:09 PM Update completed successfully
5/3/2009 4:51:37 PM Update completed successfully
5/4/2009 2:51:32 PM Update error: The updates source cannot be found.
5/4/2009 3:13:03 PM Update completed successfully
5/4/2009 5:33:25 PM Update completed successfully
5/4/2009 7:52:29 PM Update completed successfully
5/4/2009 10:13:52 PM Update completed successfully
5/5/2009 12:33:58 AM Update completed successfully
5/5/2009 2:11:14 AM Protection of your computer is not running. You are advised to resume protection.
5/5/2009 8:50:51 AM Protection of your computer started.
5/5/2009 8:52:29 AM Update completed successfully
5/5/2009 11:14:54 AM Update completed successfully
5/5/2009 12:48:39 PM Protection of your computer started.
5/5/2009 1:29:21 PM Databases are up-to-date
5/5/2009 3:49:51 PM Update completed successfully
5/5/2009 6:10:12 PM Update completed successfully
5/5/2009 8:30:36 PM Update completed successfully
5/5/2009 10:50:35 PM Update completed successfully
5/6/2009 12:36:03 AM Protection of your computer is not running. You are advised to resume protection.
5/7/2009 10:29:56 AM Protection of your computer started.
5/7/2009 10:34:21 AM Update completed successfully
5/7/2009 5:52:44 PM Protection of your computer started.
5/7/2009 6:02:58 PM Protection of your computer is not running. You are advised to resume protection.
5/8/2009 9:13:56 AM Protection of your computer started.
5/8/2009 10:43:48 AM Update error: The updates source cannot be found.
5/8/2009 11:13:29 AM Protection of your computer started.
5/8/2009 11:25:20 AM Update completed successfully
5/8/2009 1:45:17 PM Update completed successfully
5/8/2009 1:49:04 PM Protection of your computer is not running. You are advised to resume protection.
5/9/2009 8:29:14 AM Protection of your computer started.
5/9/2009 8:31:47 AM Update error: The updates source cannot be found.
5/9/2009 8:50:47 AM Update completed successfully
5/9/2009 11:43:07 AM Update error: The updates source cannot be found.
5/9/2009 11:46:04 AM Protection of your computer started.
5/9/2009 1:44:22 PM Update completed successfully
5/9/2009 4:05:04 PM Update completed successfully
5/9/2009 6:36:16 PM Update error: The updates source cannot be found.
5/9/2009 6:57:43 PM Update completed successfully
5/10/2009 2:48:11 PM Update error: The updates source cannot be found.
5/10/2009 3:09:25 PM Update completed successfully
5/10/2009 5:29:13 PM Update completed successfully
5/10/2009 7:49:13 PM Update completed successfully
5/10/2009 9:02:14 PM Protection of your computer is not running. You are advised to resume protection.
5/11/2009 5:33:00 PM Protection of your computer started.
5/11/2009 5:33:29 PM Update error: The updates source cannot be found.
5/11/2009 5:54:14 PM Update completed successfully
5/11/2009 9:39:16 PM Update error: The updates source cannot be found.
5/11/2009 10:01:02 PM Update completed successfully
5/11/2009 10:22:09 PM Protection of your computer is not running. You are advised to resume protection.
5/12/2009 7:26:17 PM Protection of your computer started.
5/12/2009 7:28:07 PM Update completed successfully
5/13/2009 3:28:39 PM Protection of your computer started.
5/13/2009 3:29:11 PM Update error: The updates source cannot be found.
5/13/2009 3:49:28 PM Update error: The updates source cannot be found.
5/13/2009 4:08:48 PM Update error: The updates source cannot be found.
5/13/2009 4:28:48 PM Update error: The updates source cannot be found.
5/13/2009 4:49:17 PM Update error: The updates source cannot be found.
5/13/2009 5:08:49 PM Update error: The updates source cannot be found.
5/13/2009 5:28:48 PM Update error: The updates source cannot be found.
5/13/2009 5:49:39 PM Update error: The updates source cannot be found.
5/13/2009 6:08:48 PM Update error: The updates source cannot be found.
5/13/2009 6:09:07 PM Protection of your computer is not running. You are advised to resume protection.
5/14/2009 1:01:49 PM Protection of your computer started.
5/14/2009 1:07:20 PM Update completed successfully
5/14/2009 3:22:36 PM Databases are up-to-date
5/14/2009 5:43:04 PM Update completed successfully
5/14/2009 5:53:14 PM Protection of your computer is not running. You are advised to resume protection.
5/15/2009 7:50:05 AM Protection of your computer started.
5/15/2009 7:53:00 AM Update error: The updates source cannot be found.
5/15/2009 8:11:33 AM Update completed successfully
5/15/2009 10:10:46 AM Protection of your computer is not running. You are advised to resume protection.
5/16/2009 7:24:32 AM Protection of your computer started.
5/16/2009 7:28:40 AM Update completed successfully
5/16/2009 12:13:58 PM Protection of your computer started.
5/16/2009 12:14:28 PM Update error: The updates source cannot be found.
5/16/2009 12:35:15 PM Update completed successfully
5/16/2009 2:32:37 PM Protection of your computer is not running. You are advised to resume protection.
5/17/2009 7:01:25 AM Protection of your computer started.
5/17/2009 7:01:53 AM Update error: Error connecting to update source.
5/17/2009 7:22:55 AM Update completed successfully
5/17/2009 9:42:22 AM Update completed successfully
5/17/2009 12:02:03 PM Databases are up-to-date
5/17/2009 2:22:25 PM Update completed successfully
5/17/2009 3:13:21 PM Protection of your computer is not running. You are advised to resume protection.
5/17/2009 6:28:50 PM Protection of your computer started.
5/17/2009 6:57:34 PM Protection of your computer started.
5/17/2009 6:58:07 PM Update error: The updates source cannot be found.
5/17/2009 6:58:46 PM Running process C:\WINDOWS\system32\wbem\proquota.exe: detected modification of riskware 'Invader'.
5/17/2009 6:58:55 PM Process C:\WINDOWS\system32\wbem\proquota.exe (PID: 4048): attempt to embed itself into another process was blocked.
5/17/2009 7:19:32 PM Update completed successfully
5/17/2009 8:51:57 PM Protection of your computer is not running. You are advised to resume protection.
5/17/2009 11:25:42 PM Protection of your computer started.
5/17/2009 11:29:11 PM Update completed successfully
5/18/2009 1:06:32 AM Protection of your computer is not running. You are advised to resume protection.
5/18/2009 11:55:20 AM Protection of your computer started.
5/18/2009 11:55:41 AM Update error: The updates source cannot be found.
5/18/2009 11:56:00 AM Running process C:\WINDOWS\system32\wbem\proquota.exe: detected modification of riskware 'Invader'.
5/18/2009 11:56:06 AM Process C:\WINDOWS\system32\wbem\proquota.exe (PID: 304): attempt to embed itself into another process was blocked.
5/18/2009 12:16:47 PM Update completed successfully
5/18/2009 2:37:17 PM Update completed successfully
5/18/2009 2:56:08 PM Protection of your computer is not running. You are advised to resume protection.
5/18/2009 3:25:15 PM Protection of your computer started.
5/18/2009 3:25:53 PM Running process C:\WINDOWS\system32\wbem\proquota.exe: detected modification of riskware 'Invader'.
5/18/2009 3:25:55 PM Process C:\WINDOWS\system32\wbem\proquota.exe (PID: 3744): attempt to embed itself into another process was blocked.
5/18/2009 4:46:44 PM Update completed successfully
5/18/2009 6:59:21 PM Protection of your computer is not running. You are advised to resume protection.
5/18/2009 8:02:10 PM Protection of your computer started.
5/18/2009 8:02:34 PM Update error: The updates source cannot be found.
5/18/2009 8:23:14 PM Update completed successfully
5/18/2009 10:43:24 PM Update completed successfully
5/19/2009 1:03:17 AM Update completed successfully
5/19/2009 1:58:32 AM Protection of your computer is not running. You are advised to resume protection.
5/19/2009 5:46:30 PM Protection of your computer started.
5/19/2009 5:49:19 PM Update completed successfully
5/19/2009 8:08:48 PM Update completed successfully
5/19/2009 10:29:44 PM Update completed successfully
5/20/2009 12:51:47 AM Update completed successfully
5/20/2009 1:30:55 AM Protection of your computer is not running. You are advised to resume protection.
5/20/2009 10:29:59 PM Protection of your computer started.
5/20/2009 10:30:32 PM Update error: The updates source cannot be found.
5/20/2009 10:30:49 PM Running process C:\WINDOWS\system32\wbem\proquota.exe: detected modification of riskware 'Invader'.
5/20/2009 10:30:51 PM Process C:\WINDOWS\system32\wbem\proquota.exe (PID: 3920): attempt to embed itself into another process was blocked.
5/20/2009 10:51:32 PM Please restart your computer to complete the installation of new or updated protection components.
5/20/2009 10:51:36 PM Update completed successfully
5/21/2009 1:11:52 AM Update completed successfully
5/21/2009 1:14:15 AM Protection of your computer is not running. You are advised to resume protection.
5/21/2009 10:24:38 AM Protection of your computer started.
5/21/2009 10:26:49 AM Update completed successfully
5/21/2009 12:48:41 PM Update completed successfully
5/21/2009 3:52:57 PM Protection of your computer started.
5/21/2009 3:54:52 PM Update completed successfully
5/21/2009 10:42:06 PM Protection of your computer started.
5/21/2009 10:42:30 PM Update error: The updates source cannot be found.
5/21/2009 11:04:23 PM Update completed successfully
5/22/2009 1:23:31 AM Update completed successfully
5/22/2009 1:34:03 AM Protection of your computer is not running. You are advised to resume protection.
5/22/2009 10:23:55 AM Protection of your computer started.
5/22/2009 10:26:08 AM Update completed successfully
5/22/2009 12:46:26 PM Update completed successfully
5/22/2009 1:13:57 PM Protection of your computer is not running. You are advised to resume protection.
5/22/2009 7:08:10 PM Protection of your computer started.
5/22/2009 7:08:36 PM Update error: The updates source cannot be found.
5/22/2009 7:29:45 PM Update completed successfully
5/22/2009 7:58:33 PM Protection of your computer is not running. You are advised to resume protection.
5/23/2009 7:14:05 AM Protection of your computer started.
5/23/2009 7:16:21 AM Update completed successfully
5/23/2009 9:35:19 AM Update completed successfully
5/23/2009 11:55:34 AM Update completed successfully
5/23/2009 2:15:23 PM Update completed successfully
5/23/2009 4:35:20 PM Update completed successfully
5/23/2009 6:55:09 PM Update completed successfully
5/23/2009 9:15:19 PM Update completed successfully
5/25/2009 2:19:07 PM Update completed successfully
5/25/2009 4:39:00 PM Update completed successfully
5/25/2009 6:58:54 PM Update completed successfully
5/26/2009 7:38:58 AM Update error: The updates source cannot be found.
5/26/2009 7:59:49 AM Update completed successfully
5/26/2009 10:20:16 AM Update completed successfully
5/26/2009 1:15:34 PM Update error: The updates source cannot be found.
5/26/2009 1:37:14 PM Update completed successfully
5/26/2009 2:36:40 PM Protection of your computer is not running. You are advised to resume protection.
5/26/2009 2:42:23 PM Protection of your computer started.
5/26/2009 6:44:47 PM Update completed successfully
5/26/2009 8:28:26 PM Protection of your computer is not running. You are advised to resume protection.
5/27/2009 6:25:44 AM Protection of your computer started.
5/27/2009 6:27:46 AM Update completed successfully
5/27/2009 2:38:41 PM Protection of your computer started.
5/27/2009 2:40:16 PM Update error: The updates source cannot be found.
5/27/2009 2:59:58 PM Update completed successfully
5/27/2009 5:20:26 PM Update completed successfully
5/27/2009 7:40:05 PM Update completed successfully
5/27/2009 9:29:42 PM Protection of your computer is not running. You are advised to resume protection.
5/28/2009 7:50:55 AM Protection of your computer started.
5/28/2009 7:51:50 AM Update error: The updates source cannot be found.
5/28/2009 7:53:19 AM File C:\WINDOWS\System32\Wbem\proquota.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
5/28/2009 7:53:19 AM Security threats have been detected. You are advised to neutralize them immediately.
5/28/2009 7:53:19 AM File C:\WINDOWS\System32\Wbem\proquota.exe: is still infected, postponed.
5/28/2009 7:53:26 AM File C:\WINDOWS\system32\wbem\proquota.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
5/28/2009 7:53:26 AM File C:\WINDOWS\system32\wbem\proquota.exe: is still infected, postponed.
5/28/2009 7:53:27 AM File c:\windows\system32\wbem\proquota.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
5/28/2009 8:11:11 AM Update error: The updates source cannot be found.
5/28/2009 8:31:12 AM Update error: The updates source cannot be found.
5/28/2009 8:48:28 AM File C:\WINDOWS\system32\Wbem\proquota.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: ELENAHOMELAPTOP\Elena Farrelly, computer: localhost.
5/28/2009 8:51:08 AM Update error: The updates source cannot be found.
5/28/2009 9:03:00 AM File c:\windows\system32\wbem\proquota.exe: is still infected, skipped by user.
5/28/2009 9:03:05 AM File C:\WINDOWS\system32\Wbem\proquota.exe: is still infected, skipped by user.
5/28/2009 9:04:58 AM Protection of your computer started.
5/28/2009 9:05:10 AM Security threats have been detected. You are advised to neutralize them immediately.
5/28/2009 9:06:08 AM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
5/28/2009 9:11:24 AM Update error: The updates source cannot be found.
5/28/2009 9:32:36 AM Update completed successfully
5/28/2009 11:52:22 AM Update completed successfully
5/29/2009 12:40:12 PM Update completed successfully
5/29/2009 2:59:59 PM Update completed successfully
5/29/2009 11:30:44 PM Update error: The updates source cannot be found.
5/29/2009 11:51:21 PM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: is still infected, skipped by user.
5/29/2009 11:51:30 PM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113614.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
5/29/2009 11:51:30 PM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113614.exe: is still infected, skipped by user.
5/29/2009 11:51:50 PM Update completed successfully
5/29/2009 11:52:19 PM Protection of your computer is not running. You are advised to resume protection.
5/31/2009 7:51:14 AM Security threats have been detected. You are advised to neutralize them immediately.
5/31/2009 7:51:14 AM Protection of your computer started.
5/31/2009 7:52:46 AM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
5/31/2009 7:53:30 AM Update completed successfully
5/31/2009 7:55:07 AM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: is still infected, skipped by user.
5/31/2009 7:57:04 AM Protection of your computer started.
5/31/2009 7:57:20 AM Security threats have been detected. You are advised to neutralize them immediately.
5/31/2009 7:58:16 AM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
5/31/2009 10:12:34 AM Update completed successfully
5/31/2009 12:20:21 PM Update error: The updates source cannot be found.
5/31/2009 12:41:33 PM Update completed successfully
5/31/2009 3:01:54 PM Update completed successfully
5/31/2009 5:22:24 PM Update completed successfully
5/31/2009 7:41:39 PM Update completed successfully
5/31/2009 10:01:54 PM Update completed successfully
6/1/2009 12:21:54 AM Update completed successfully
6/1/2009 2:41:55 AM Update completed successfully
6/1/2009 5:02:08 AM Update completed successfully
6/1/2009 7:21:55 AM Update completed successfully
6/1/2009 9:42:07 AM Update completed successfully
6/1/2009 12:01:53 PM Update completed successfully
6/1/2009 2:21:55 PM Update completed successfully
6/1/2009 4:41:56 PM Update completed successfully
6/1/2009 4:45:46 PM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: is still infected, skipped by user.
6/1/2009 4:45:46 PM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113614.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/1/2009 4:45:46 PM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113614.exe: is still infected, skipped by user.
6/1/2009 4:48:15 PM Protection of your computer is not running. You are advised to resume protection.
6/1/2009 4:49:40 PM Protection of your computer started.
6/1/2009 4:49:54 PM Security threats have been detected. You are advised to neutralize them immediately.
6/1/2009 4:51:14 PM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/1/2009 7:02:32 PM Update completed successfully
6/2/2009 8:12:24 AM Update error: The updates source cannot be found.
6/2/2009 8:33:49 AM Update completed successfully
6/2/2009 8:44:11 AM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: is still infected, skipped by user.
6/2/2009 8:44:12 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113614.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/2/2009 8:44:12 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113614.exe: is still infected, skipped by user.
6/2/2009 8:44:27 AM Protection of your computer is not running. You are advised to resume protection.
6/2/2009 8:45:28 AM Protection of your computer started.
6/2/2009 8:45:41 AM Security threats have been detected. You are advised to neutralize them immediately.
6/2/2009 8:46:49 AM File C:\WINDOWS\System32\Wbem\proquota.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: ELENAHOMELAPTOP\Elena Farrelly, computer: localhost.
6/2/2009 8:46:49 AM File C:\WINDOWS\System32\Wbem\proquota.exe: is still infected, skipped by user.
6/2/2009 8:47:17 AM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/2/2009 8:55:42 AM Process (PID 2064) tried to access Kaspersky Anti-Virus process (PID 752), but the action has been blocked by the Self-Defense component. No action on your part is required.
6/2/2009 8:55:44 AM Process (PID 2064) tried to access Kaspersky Anti-Virus process (PID 2192), but the action has been blocked by the Self-Defense component. No action on your part is required.
6/2/2009 2:28:10 PM Update completed successfully
6/2/2009 4:47:22 PM Update completed successfully
6/2/2009 7:07:59 PM Update completed successfully
6/2/2009 9:27:43 PM Update completed successfully
6/3/2009 7:28:56 AM Update error: The updates source cannot be found.
6/3/2009 7:50:43 AM Update completed successfully
6/3/2009 10:10:52 AM Update completed successfully
6/3/2009 12:30:40 PM Update completed successfully
6/3/2009 3:58:53 PM Update error: The updates source cannot be found.
6/3/2009 4:20:26 PM Update completed successfully
6/3/2009 6:39:52 PM Update completed successfully
6/3/2009 9:00:12 PM Update completed successfully
6/3/2009 11:13:56 PM Update error: The updates source cannot be found.
6/3/2009 11:19:16 PM Process (PID 2624) tried to access Kaspersky Anti-Virus process (PID 2192), but the action has been blocked by the Self-Defense component. No action on your part is required.
6/3/2009 11:19:17 PM Process (PID 2624) tried to access Kaspersky Anti-Virus process (PID 752), but the action has been blocked by the Self-Defense component. No action on your part is required.
6/3/2009 11:35:25 PM Update completed successfully
6/3/2009 11:38:05 PM File C:\WINDOWS\SYSTEM32\WBEM\PROQUOTA.EXE: is still infected, skipped by user.
6/3/2009 11:38:06 PM Protection of your computer is not running. You are advised to resume protection.
6/3/2009 11:47:57 PM Protection of your computer started.
6/3/2009 11:49:02 PM Security threats have been detected. You are advised to neutralize them immediately.
6/3/2009 11:50:05 PM Some protection components are disabled. You are advised to enable them.
6/3/2009 11:50:05 PM Protection of your computer is disabled.
6/3/2009 11:52:24 PM Process (PID 3212) tried to access Kaspersky Anti-Virus process (PID 1540), but the action has been blocked by the Self-Defense component. No action on your part is required.
6/4/2009 12:22:42 AM Protection of your computer is disabled.
6/4/2009 12:23:52 AM Security threats have been detected. You are advised to neutralize them immediately.
6/4/2009 12:25:23 AM File c:\documents and settings\elena farrelly\desktop\combofix.exe//PE_Patch.UPX/32788R22FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
6/4/2009 12:34:55 AM Protection of your computer started.
6/4/2009 12:41:49 AM Process (PID 2552) tried to access Kaspersky Anti-Virus process (PID 740), but the action has been blocked by the Self-Defense component. No action on your part is required.
6/4/2009 12:41:51 AM Process (PID 2552) tried to access Kaspersky Anti-Virus process (PID 3264), but the action has been blocked by the Self-Defense component. No action on your part is required.
6/4/2009 1:03:35 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113614.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/4/2009 1:44:15 AM Update completed successfully
6/4/2009 7:19:21 AM Update error: The updates source cannot be found.
6/4/2009 7:39:32 AM Update error: The updates source cannot be found.
6/4/2009 7:59:27 AM Update error: The updates source cannot be found.
6/4/2009 8:19:27 AM Update error: The updates source cannot be found.
6/4/2009 8:23:16 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113614.exe: deleted.
6/4/2009 8:26:03 AM Protection of your computer is not running. You are advised to resume protection.
6/4/2009 8:27:47 AM Security threats have been detected. You are advised to neutralize them immediately.
6/4/2009 8:27:47 AM Protection of your computer started.
6/4/2009 8:39:44 AM Update error: The updates source cannot be found.
6/4/2009 8:44:32 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip/sbRecovery.reg: is password protected.
6/4/2009 8:44:32 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip/sbRecovery.ini: is password protected.
6/4/2009 8:44:32 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesci.zip/sbRecovery.reg: is password protected.
6/4/2009 8:44:32 AM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesci.zip/sbRecovery.ini: is password protected.
6/4/2009 8:47:38 AM File C:\Documents and Settings\Elena Farrelly\Desktop\ComboFix.exe//PE_Patch.UPX/32788R22FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
6/4/2009 9:06:19 AM Update completed successfully
6/4/2009 9:34:00 AM Process (PID 200) tried to access Kaspersky Anti-Virus process (PID 728), but the action has been blocked by the Self-Defense component. No action on your part is required.
6/4/2009 9:48:16 AM File C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/4/2009 9:48:16 AM File C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir: is still infected, postponed.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file007: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file008: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file009: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file010: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file011: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file012: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file013: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file014: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file015: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file016: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file017: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file018: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file019: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file020: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file021: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file022: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file023: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file024: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file025: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file027: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file028: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file029: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file030: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file031: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file032: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file033: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file034: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file035: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file036: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file037: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file038: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file039: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file040: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file041: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file042: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file043: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file044: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file045: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file046: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file047: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file048: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file049: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file050: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file051: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file052: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file053: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file054: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file055: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file056: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file057: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file058: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file059: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file060: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file061: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file062: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file063: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file064: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file065: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file066: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file067: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file068: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file069: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file070: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file071: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file072: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file073: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file074: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file075: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file076: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file077: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file078: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file079: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file080: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file081: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file082: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file083: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file084: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file085: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file086: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file087: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file088: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file089: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file090: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file091: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file092: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file093: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file094: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file095: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file096: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file097: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file098: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file099: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file100: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file101: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file102: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file103: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file104: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file105: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file106: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file107: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file108: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file109: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file110: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file111: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file112: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file113: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file114: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file115: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file116: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file117: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file118: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file119: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file120: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file121: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file122: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file123: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file124: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file125: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file126: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file127: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file128: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file129: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file130: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file131: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file132: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file133: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file134: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file135: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file136: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file137: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file138: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file139: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file140: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file141: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file142: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file143: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file144: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file145: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file146: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file147: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file148: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file149: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file150: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file151: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file152: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file153: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file154: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file155: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file156: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file157: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file158: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file159: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file160: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file161: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file162: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file163: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file164: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file165: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file166: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file167: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file168: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file169: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file170: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file171: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file172: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file173: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file174: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file175: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file176: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file177: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file178: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file179: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file180: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file181: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file182: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file183: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file184: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file185: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file186: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file187: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file188: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file189: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file190: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file191: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file192: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file193: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file194: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file195: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file196: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file197: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file198: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file199: is password protected.
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file200: is password protected.
6/4/2009 10:48:14 AM File c:\qoobox\quarantine\c\windows\system32\wbem\proquota.exe.vir: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/4/2009 11:09:50 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113628.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/4/2009 11:21:03 AM Update completed successfully
6/4/2009 12:10:40 PM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113628.exe: deleted.
6/4/2009 12:10:40 PM File c:\qoobox\quarantine\c\windows\system32\wbem\proquota.exe.vir: deleted.
6/4/2009 12:11:56 PM Protection of your computer is not running. You are advised to resume protection.
6/4/2009 12:13:18 PM Protection of your computer started.
6/4/2009 12:33:50 PM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113653.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/4/2009 12:33:50 PM Security threats have been detected. You are advised to neutralize them immediately.
6/4/2009 1:34:36 PM Update completed successfully
6/4/2009 3:54:39 PM Update completed successfully
6/4/2009 4:51:54 PM Some protection components are disabled. You are advised to enable them.
6/4/2009 4:51:54 PM Protection of your computer is disabled.
6/4/2009 4:51:54 PM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113653.exe: is still infected, skipped by user.
6/4/2009 5:11:22 PM Protection of your computer started.
6/4/2009 5:13:23 PM Running process C:\Documents and Settings\Elena Farrelly\Desktop\fsbl.exe: detected modification of riskware 'Invader'.
6/4/2009 5:13:44 PM Running process C:\Documents and Settings\Elena Farrelly\Desktop\fsbl.exe: added to exclusion list.
6/4/2009 5:13:44 PM Process C:\Documents and Settings\Elena Farrelly\Desktop\fsbl.exe (PID: 1220): attempt to embed itself into another process allowed.
6/4/2009 5:13:44 PM Process C:\Documents and Settings\Elena Farrelly\Desktop\fsbl.exe (PID: 1220): attempt to embed itself into another process allowed.
6/4/2009 6:14:49 PM Update completed successfully
6/4/2009 7:15:53 PM Security threats have been detected. You are advised to neutralize them immediately.
6/4/2009 7:15:53 PM Protection of your computer started.
6/4/2009 7:31:04 PM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113653.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/4/2009 8:17:03 PM Update completed successfully
6/5/2009 8:05:34 AM Update error: The updates source cannot be found.
6/5/2009 8:15:18 AM Update completed successfully
6/5/2009 8:18:10 AM File c:\documents and settings\elena farrelly\desktop\combofix.exe//PE_Patch.UPX/32788R22FWJFW\catchme.cfexe: detected modification of virus 'Heur.Invader'.
6/5/2009 8:18:34 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113653.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/5/2009 8:18:34 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113653.exe: is still infected, postponed.
6/5/2009 8:18:36 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113661.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/5/2009 8:18:36 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113661.exe: is still infected, postponed.
6/5/2009 8:18:38 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113669.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/5/2009 8:18:38 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113669.exe: is still infected, postponed.
6/5/2009 8:18:54 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP674\A0113854.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/5/2009 8:18:54 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP674\A0113854.exe: is still infected, postponed.
6/5/2009 8:18:56 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP674\A0113861.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/5/2009 8:18:56 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP674\A0113861.exe: is still infected, postponed.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Proactive Defense running 6/4/2009 7:15:53 PM 0 bytes
File Anti-Virus running 6/4/2009 7:15:53 PM 849.9 KB
Mail Anti-Virus running 6/4/2009 7:15:53 PM 0 bytes
Web Anti-Virus running 6/4/2009 7:15:53 PM 26.7 KB
Scan startup objects completed 6/4/2009 7:18:00 PM 6/4/2009 7:18:26 PM 392.5 KB
Update completed 6/4/2009 8:16:01 PM 6/4/2009 8:17:03 PM 0 bytes
Update The updates source cannot be found 6/5/2009 8:05:30 AM 6/5/2009 8:05:34 AM 0 bytes
Scan stopped 6/5/2009 8:12:22 AM 6/5/2009 8:13:58 AM 507.2 KB
Update completed 6/5/2009 8:14:04 AM 6/5/2009 8:15:18 AM 24.6 KB
Scan critical areas completed 6/5/2009 8:15:42 AM 6/5/2009 8:16:15 AM 838.1 KB
Scan My Computer running 6/5/2009 8:17:58 AM 527.3 KB

Here's the Kaspersky report again. I sent it once but don't see it posted, so I'm trying again.


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: Trojan program Trojan.Win32.Agent.chjy C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113628.exe 42.5 KB
Infected: Trojan program Trojan.Win32.Agent.chjy c:\qoobox\quarantine\c\windows\system32\wbem\proquota.exe.vir 42.5 KB
jfarrelly
Regular Member
 
Posts: 27
Joined: May 7th, 2009, 3:51 pm
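The Kaspersky report above mixes three kinds of hits: the copy ComboFix already moved into its quarantine folder (`c:\qoobox\quarantine\...\*.vir`), stale copies inside System Restore points, and objects on live paths. Only the last group still needs a decision, which is the distinction the helper draws in the next reply. The script below is an added example (not part of the thread and not a Kaspersky tool) that parses event lines in the report's format and sorts detections by where the object lives. The sample lines are constructed to match the posted format; the `sample.tmp.exe` line is invented so that an unresolved live detection appears in the output.

```python
"""Sort Kaspersky-style event lines by where the detected object lives.

Added example (not a Kaspersky tool); the line format follows the report
posted above.
"""
import re
from collections import Counter

# Constructed sample in the posted report's format. The sample.tmp.exe line
# is invented to show a detection on a live path that nothing resolved.
SAMPLE_LOG = r"""
6/4/2009 10:20:29 AM File C:\temp\klcodec357f.exe//file199: is password protected.
6/4/2009 10:48:14 AM File c:\qoobox\quarantine\c\windows\system32\wbem\proquota.exe.vir: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/4/2009 11:09:50 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP671\A0113628.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'. User: WORKGROUP\ELENAHOMELAPTOP$, computer: localhost.
6/4/2009 12:10:40 PM File c:\qoobox\quarantine\c\windows\system32\wbem\proquota.exe.vir: deleted.
6/4/2009 5:13:23 PM Running process C:\Documents and Settings\Elena Farrelly\Desktop\fsbl.exe: detected modification of riskware 'Invader'.
6/4/2009 5:13:44 PM Running process C:\Documents and Settings\Elena Farrelly\Desktop\fsbl.exe: added to exclusion list.
6/4/2009 5:13:44 PM Process C:\Documents and Settings\Elena Farrelly\Desktop\fsbl.exe (PID: 1220): attempt to embed itself into another process allowed.
6/5/2009 8:15:18 AM Update completed successfully
6/5/2009 8:18:34 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113653.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
6/5/2009 8:18:34 AM File C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113653.exe: is still infected, postponed.
6/5/2009 8:20:01 AM File C:\Documents and Settings\Elena Farrelly\Local Settings\Temp\sample.tmp.exe: detected Trojan program 'Trojan.Win32.Agent.chjy'.
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<subject>File|Running process|Process) (?P<rest>.+)$"
)
PID_RE = re.compile(r"^(?P<path>.*?) \(PID: (?P<pid>\d+)\)(?P<tail>: .*)$")
VERDICT_RE = re.compile(r"^detected (?P<kind>[^']+?) '(?P<name>[^']+)'")


def parse_event(line):
    """Split one event line into timestamp, subject, object path, PID and action."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None  # status lines ("Update completed successfully") carry no object
    rest, pid = m.group("rest"), None
    pm = PID_RE.match(rest)
    if pm:  # "Process <path> (PID: n): <action>"
        rest, pid = pm.group("path") + pm.group("tail"), int(pm.group("pid"))
    # A Windows path never contains ": " (the drive colon is followed by a
    # backslash), so the first ": " separates the object from the action text.
    path, sep, action = rest.partition(": ")
    if not sep:
        return None
    return {"ts": m.group("ts"), "subject": m.group("subject"),
            "path": path, "pid": pid, "action": action}


def classify_location(path):
    """Restore-point copies and ComboFix's quarantine are not live files."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"
    return "live"


def triage(log_text):
    detections, deleted, excluded = [], set(), set()
    password_protected = 0
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key, action = ev["path"].lower(), ev["action"]
        if action.startswith("is password protected"):
            password_protected += 1  # archive member the scanner could not open
        elif action.startswith("deleted"):
            deleted.add(key)
        elif action.startswith("added to exclusion list"):
            excluded.add(key)  # the user told the scanner to ignore this object
        else:
            vm = VERDICT_RE.match(action)
            if vm:
                detections.append({"ts": ev["ts"], "path": ev["path"], "pid": ev["pid"],
                                   "kind": vm.group("kind"), "name": vm.group("name"),
                                   "location": classify_location(ev["path"])})
    resolved = deleted | excluded
    open_live = sorted({d["path"] for d in detections
                        if d["location"] == "live" and d["path"].lower() not in resolved})
    return {"detections": detections,
            "by_location": dict(Counter(d["location"] for d in detections)),
            "by_name": dict(Counter(d["name"] for d in detections)),
            "open_live": open_live, "deleted": sorted(deleted),
            "excluded": sorted(excluded), "password_protected": password_protected}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("detections by location:", report["by_location"])
    print("detections by name:", report["by_name"])
    print("unresolved live objects:", report["open_live"])
```

Note that the script only classifies; an excluded object such as `fsbl.exe` (which the user told Kaspersky to ignore) drops out of `open_live` but is still listed under `excluded`, because whether that exclusion was justified is a decision for the person reading the report, not the parser.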

Re: Help remove Trojan Win32.Agent

Unread postby jfarrelly » June 6th, 2009, 10:37 am

Looks like it went through this time. I had to delete the older data in the Kaspersky log a few times until the file got small enough to fit in a post. But I have all of the old log data in the file on my desktop and if you need it, I can post the older parts into a couple of different posts. Let me know, OK?
jfarrelly
Regular Member
 
Posts: 27
Joined: May 7th, 2009, 3:51 pm

Re: Help remove Trojan Win32.Agent

Unread postby Dakeyras » June 6th, 2009, 4:24 pm

Hi :)

All is fine, Kaspersky is just flagging infections we have removed with ComboFix and some residing in the System Restore Points. We can deal with these in due course.

No need to post the older parts of the report, just ignore Kaspersky for now if it starts saying you are infected as all it will be doing is informing your good self of the aforementioned.

Next:

Please run ATF Cleaner again.

ESET Online Scanner:

Note: Please use Internet Explorer for this scan.

  • Please go here then click on: Image
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

When you have completed the above, please post back the following in the order asked for:

  • Inform myself how your computer is running. Any problems encountered and/or further symptoms?
  • Eset Log.
  • A new HijackThis Log.
Dakeyras
MRU Honors Graduate
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help remove Trojan Win32.Agent

Unread postby jfarrelly » June 7th, 2009, 2:29 am

ESET says it found some threats. I had to run it twice because it didn't automatically save the report to a text file the first time, so this time I copied it to the clipboard and pasted it in this reply.

The computer is doing ok. No unusual problems.

C:\Documents and Settings\Elena Farrelly\My Documents\Nero-7.10.1.2_all_update.exe Win32/Toolbar.AskSBar application
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113653.exe a variant of Win32/Kryptik.PN trojan
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113661.exe a variant of Win32/Kryptik.PN trojan
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP672\A0113669.exe a variant of Win32/Kryptik.PN trojan
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP674\A0113854.exe a variant of Win32/Kryptik.PN trojan
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP674\A0113861.exe a variant of Win32/Kryptik.PN trojan
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP675\A0113917.exe probably a variant of Win32/Adware.RogueApp application
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP683\A0114852.exe a variant of Win32/Kryptik.PN trojan
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP683\A0114859.exe a variant of Win32/Kryptik.PN trojan
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP685\A0114981.exe a variant of Win32/Kryptik.PN trojan
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP685\A0115002.exe a variant of Win32/Kryptik.PN trojan



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:59 PM, on 6/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sierra.cc.ca.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Unknown owner - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6900 bytes
jfarrelly
Regular Member
 
Posts: 27
Joined: May 7th, 2009, 3:51 pm
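A helper reading the HijackThis log above does not check every line; the first pass goes to O23 services whose binary is gone or has no recorded publisher, O4 autostarts with a bare file name or an executable living somewhere odd, and the O2 browser helper objects. The script below is an added example (not a HijackThis feature) that pulls those entries out of a log in the format posted above and tags them. The sample is built from lines in the posted log plus one constructed O4 entry (`[updater]`, pointing into a Temp folder) so that the location check fires; the list of trusted folders is an assumption for this example and would be adjusted per machine.

```python
"""Pick out the HijackThis entries a helper would look at first.

Added example, not a HijackThis feature; the O2/O4/O23 line formats follow
the log posted above, and the trusted-folder list is an assumption.
"""
import re

# Sample entries copied from the posted log, plus one constructed O4 line
# ([updater], pointing into a Temp folder) to exercise the location check.
SAMPLE_HJT = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")

# Folders where this XP laptop's legitimate autostarts live (assumption for
# the example; adjust per machine). Anything else deserves a second look.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows",
                    "%programfiles%", "c:\\hp")


def startup_exe(cmd):
    """Return the executable part of an O4 command line (quoted or bare)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)^(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def startup_flags(exe):
    flags = []
    if "\\" not in exe:
        flags.append("no_path")  # bare file name: cannot be verified from the log alone
    elif not exe.lower().startswith(TRUSTED_PREFIXES):
        flags.append("unexpected_location")
    return flags


def triage_hjt(text):
    startup, services, bho, findings = [], [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = startup_exe(m.group("cmd"))
            flags = startup_flags(exe)
            startup.append({"name": m.group("name"), "hive": m.group("hive"),
                            "exe": exe, "flags": flags})
            findings += [("O4", m.group("name"), f) for f in flags]
        elif m := O23_RE.match(line):
            flags = []
            if m.group("owner") == "Unknown owner":
                flags.append("unknown_owner")  # no publisher recorded for the binary
            if m.group("missing"):
                flags.append("file_missing")  # orphaned service entry
            services.append({"display": m.group("display"), "owner": m.group("owner"),
                             "path": m.group("path"), "flags": flags})
            findings += [("O23", m.group("display"), f) for f in flags]
        elif m := O2_RE.match(line):
            bho.append({"name": m.group("name"), "clsid": m.group("clsid"),
                        "path": m.group("path")})
    return {"startup": startup, "services": services, "bho": bho, "findings": findings}


if __name__ == "__main__":
    for section, name, flag in triage_hjt(SAMPLE_HJT)["findings"]:
        print(f"{section:4} {flag:20} {name}")
```

The tags are prompts, not verdicts: `CHDAudPropShortcut.exe` in the posted log is a normal HP audio entry even though it has no path, and the `gusvc` service is just a leftover from an uninstalled Google Updater. The value of the pass is that it narrows a 90-line log to the handful of entries worth checking by hand.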

Re: Help remove Trojan Win32.Agent

Unread postby Dakeyras » June 7th, 2009, 3:06 am

Hi :)

ESET says it found some threats. I had to run it twice because it didn't automatically save the report to a text file the first time, so this time I copied it to the clipboard and pasted it in this reply.
Not a problem.

The computer is doing ok. No unusual problems.
Very good :thumbup:

Next:

Congratulations your computer now appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the topics listed below, as this will go a long way to keeping your computer performing well.

Help! My computer is slow!

As is this:

What to do if your Computer is running slowly

Uninstall ComboFix:

  • Click on Start >> Run...
  • Now type in Combofix /u and click OK.
  • Note the space between the X and the U, it needs to be there.

OTC:

Please download OTC and save it to your desktop. This tool will remove all the tools we used to clean your PC.

  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.

Note: Please also remove any other tools we have used and the logs created if still present.

Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan once a week.

Other installed security software:

Your presently installed security application, Kaspersky Anti-Virus 7.0, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this once per week.

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:


Be careful when opening attachments and downloading files:

  • Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  • Never open emails from unknown senders.
  • Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  • Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allows scripts (that is, VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Make your Internet Explorer safer:

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Note: Internet Explorer v8 has recently been released from its beta program; my advice is to hold off upgrading for the time being, as no doubt flaws will be identified and fixes released over the coming months.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly free software, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is to avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:


Only use one of the above.

Note: If you re-apply the Immunize feature with Spybot S&D, there is no need to install a Hosts file as this is a similar feature.

Enable Spybot S&D TeaTimer:

You can start Resident TeaTimer by clicking on Tools → Resident on the left navigation bar (therefore Spybot-S&D has to run in Advanced Mode). There you can tick the checkboxes next to Resident "TeaTimer" (Protection of over-all system settings) active in order to activate TeaTimer.

Further information on how to use this application can be found here.

Advised Optional Installation:

There is no sign of a software firewall installed on your system. Regardless of whether you are using a hardware type and/or the inbuilt Windows Service Pack 3 firewall, this is a necessary application as it will also provide outbound protection, whereas the aforementioned do not.

I highly advise you download ONE of the following firewalls and install it. Restart the computer for changes to take effect.


This article is an excellent resource regarding the aforementioned firewalls: Understanding and Using Firewalls

Finally, an educational source:

To learn more about how to protect yourself while on the internet read this article by Tony Klein:

So how did I get infected in the first place?

Some consider this article outdated; personally I still think it bears relevance, and the author is well respected in the Anti-Malware community and by myself also!

Any questions? Feel free to ask, if not stay safe!
Dakeyras
MRU Honors Graduate
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
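The Hosts file advice above works because the resolver consults the hosts file before asking DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The script below is an added example, not a tool from the thread: it parses a hosts file in the standard Windows format, lists which names are sinkholed that way, and answers lookups with the usual first-match rule. It goes one step beyond the post by also reporting entries that point a name at a non-loopback address, since a hosts file that steers names somewhere specific is the same mechanism used against the user and is worth checking when reviewing an infected machine. The sample file is constructed; `198.51.100.7` is a documentation address, not a real host.

```python
"""Parse a Windows hosts file and show which names it sinkholes.

Added example illustrating the Hosts file advice above; not a tool from the
thread. The sample file is constructed.
"""
import ipaddress

# Constructed sample hosts file (blocklists such as the ones recommended in
# the thread are thousands of lines in this same format).
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1       localhost
::1             localhost
127.0.0.1  ads.example.net        # blocklist-style entry
0.0.0.0    tracker.example.org
127.0.0.1  www.example-spyware.test example-spyware.test
198.51.100.7  update.example.com   # non-loopback override, worth a second look
"""

# Names that legitimately map to loopback and are not "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return [(line_no, ip, [names])] for every well-formed mapping line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address; skip the malformed line
        entries.append((no, ip, [n.lower() for n in names]))
    return entries


def classify(entries):
    """Split mappings into sinkholed names and explicit overrides."""
    sinkholed, overrides = set(), []
    for _, ip, names in entries:
        addr = ipaddress.ip_address(ip)
        for name in names:
            if name in LOCAL_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                sinkholed.add(name)  # request for this name never leaves the machine
            else:
                overrides.append((name, ip))  # name steered to a specific host
    return {"sinkholed": sorted(sinkholed), "overrides": overrides}


def lookup(entries, name):
    """Resolve a name the way the hosts-file step does: first match wins."""
    name = name.lower()
    for _, ip, names in entries:
        if name in names:
            return ip
    return None


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    summary = classify(hosts)
    print("sinkholed:", summary["sinkholed"])
    print("overrides:", summary["overrides"])
    print("ads.example.net ->", lookup(hosts, "ads.example.net"))
```

On a clean machine the `overrides` list is normally empty; names in it should each have an explanation (a lab host, an intranet alias) before the file is trusted.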

Re: Help remove Trojan Win32.Agent

Unread postby jfarrelly » June 7th, 2009, 2:33 pm

Before I do the cleanup, shouldn't we get rid of the trojan files found? You told me to uncheck the box and do not allow the program to delete the malicious files. Kaspersky is still warning me that the files still exist and it can't remove them, although they appear to be neutralized/quarantined. Shouldn't we delete those first before doing the cleanup?
Joe
jfarrelly
Regular Member
 
Posts: 27
Joined: May 7th, 2009, 3:51 pm

Re: Help remove Trojan Win32.Agent

Unread postby Dakeyras » June 7th, 2009, 4:03 pm

Hi :)

Part of the clean up process, specifically the Uninstall ComboFix procedure, will remove the quarantined infections and flush/reset the System Restore points. So the warnings from Kaspersky should then cease OK :thumbup:
Dakeyras
MRU Honors Graduate
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help remove Trojan Win32.Agent

Unread postby jfarrelly » June 7th, 2009, 9:16 pm

I read the materials you sent, and ran the cleanup. The Trojan SEEMS to be gone. After the restart, it didn't pop up and I ran a quick scan with Kaspersky of critical areas and it came up clean. Thank you so much.

The cleaner did take out a few things, but there are still several icons and logs left on the desktop (HijackThis, HJTinstall.exe, ATF Cleaner, Gooredfix.exe, and Tempclean). I deleted the logs to the Recycle Bin, and will dump the shortcuts, but am I only deleting the shortcuts or do I have to go through a software/program removal process? Should I keep the utility to empty my temp files as well as the MalwareBytes?

Thanks again for all your help and advice.
Joe
jfarrelly
Regular Member
 
Posts: 27
Joined: May 7th, 2009, 3:51 pm

Re: Help remove Trojan Win32.Agent

Unread postby Dakeyras » June 8th, 2009, 6:57 am

Hi :)

I read the materials you sent, and ran the cleanup. The Trojan SEEMS to be gone. After the restart, it didn't pop up and I ran a quick scan with Kaspersky of critical areas and it came up clean. Thank you so much.
Very good and you're welcome!

Hijackthis - This I would keep as it is only a small program and may be needed in the future, but hopefully not!
ATF Cleaner - I would also keep this as it is a small but useful application; I advise running it after every online session to stop the build-up of temp files etc.

By all means do delete the following:

HJTinstall.exe
Gooredfix.exe
Tempclean

MalwareBytes?
I still think you should consider what I posted prior about this but your choice OK:
Malwarebyte's Anti-Malware:

This is a excellent application and I advise you keep this installed. Check for updates and run a scan once a week.
I install the freeware version, like you have now, on all the computers I work on (as well as advising any individuals I have assisted online, such as your good self, to keep it).
Dakeyras
MRU Honors Graduate
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help remove Trojan Win32.Agent

Unread postby jfarrelly » June 8th, 2009, 1:21 pm

I had a problem removing some programs.
I installed one of the firewall programs you recommended, and deleted the desktop items you recommended, but the shortcuts to some of the other programs I uninstalled are still present. E.g., the AdAware icon is still on the desktop. When I tried to uninstall AdAware, it said a network resource was not available, so I had to cancel part way through. Then I tried to use the Control Panel, Add/remove programs, and it shows AdAware is still listed with frequency of use but there is no "remove program" button to get rid of it. In fact, there is no "remove" button on MOST of the older programs on my system - only the most recent installations offer that button. If I wanted to remove the Google toolbar for example, the Control Panel doesn't give me the option to do it. I can always drop the desktop icon in the recycle bin, but doesn't that leave program remnants on my system? How do I get the Control panel to let me remove the unwanted programs?
jfarrelly
Regular Member
 
Posts: 27
Joined: May 7th, 2009, 3:51 pm

Re: Help remove Trojan Win32.Agent

Unread postby Dakeyras » June 8th, 2009, 5:39 pm

Hi :)

For the applications with no apparent uninstaller navigate to here:

C:\Program Files

Look within the appropriate folder for the application you wish to uninstall. So for example if you wish to uninstall Ad-Aware look within the LavaSoft folder and double click on the uninstaller.exe file.

Or alternatively re-download the application, install it, then try to uninstall via Add/Remove. Plus you could try this application from Microsoft to assist with problematic/stubborn uninstall issues:

Windows Installer Cleanup Utility:

Download the Windows Installer Cleanup Utility and save it to your Desktop.

  • Double-click msicuu2.exe to install the utility.
  • Next, click Start >> All Programs >> Windows Install Clean UP
  • Once the program is open select:

    Name of Software to be removed etc.

  • Now click Remove, then click OK
  • Reboot your computer.
Dakeyras
MRU Honors Graduate
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Help remove Trojan Win32.Agent

Unread postby jfarrelly » June 8th, 2009, 10:46 pm

Sorry - bet you thought you were done with me. I am replying from a different computer because IE is messed up on the other one. When I tried to go to this site to read your reply, IE went crazy. It opened dozens and dozens of browser windows until it ran out of memory and locked up the computer. The only way to get control was to hold down the power button and power off. Oddly, when I first started IE, it asked for an Internet Connection even though the wireless connection was already connected. I tried Firefox but Firefox asked for a connection, too. But FF connected and went online right after I closed the dialog box.

Something major is wrong. Should I dump IE7 and download IE8.0 and hope a fresh install cleans things up? Or should I run a HiJackthis scan? Maybe the virus caused some damage that is just now showing up. (I hadn't used IE until today. I had been using Firefox for the last week or so).
Joe
jfarrelly
Regular Member
 
Posts: 27
Joined: May 7th, 2009, 3:51 pm