JS Downloader.agent virus detected plus others

[radski]

Hi all, the other day my brother was using MSN and AVG popped up saying it has found viruses. He followed the AVG prompts to delete, some deleted others didn't
I logged into my profile, and more problems became apparent. I wasn't able to open Adware, I wasn't able to right click, use CTRL ALT DELETE, or open an IE. I restarted and I was able to get IE open although search results through google kept redirecting to random sites. I stumbled across TechSpot after performing a virus scan in normal windows mode. It found JS Downloader. I followed the the 15 or so steps, although I wasn't able to down CCleaner first go. I restarted and I got a 'Activate this copy of Windows' pop up.
I've followed the steps and here are the 2 attachments, for some reason I can't find the AVG Anti Spyware log.
The Panda Anti Root kit found nothing

 

[kritius]

Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

• Double-click FixPolicies.exe
• Click the Install button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies
• Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
• A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.

-------------------------------------------------------------------------------------------------------

Update your Java Runtime Environment

• First try going to Start -> Control Panel -> double click Java
• Select the Update TAb at the top
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
• After it installs the newest version Go back to Control Panel -> Add/remove programs
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.

• Click the following link
  Java Runtime Environment 6 Update 5
• The 4th option down is the one you want (click Download)
• Check the box to agree to terms of service
• Check the box for your operating system and click 'Download selected'at the bottom
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

--------------------------------------------------------------------------------------------------------

See this pictorial guide on how to use AVG Antispyware.

Boot into safe mode by tapping F8 as soon as windows starts,

Show all hidden files and folders

Run AVG Antispyware.

VERY IMPORTANT

Make sure AVG is set to quarantine it`s results.


Make sure you read this step properly.

Please note: If your AVG Antispyware log says all items have "No Action Taken" or "Ignored" That`s because you haven`t followed the instructions properly for using AVG Antispyware and will have to read them again and do a fresh AVG Antispyware scan.


Once finished, click the save scan report button, followed by the Save report as button and save it to your desktop.

Reboot into normal mode and rehide your protected OS files.

Then post the log back.

------------------------------------------------------------------------------------------------------

Go to the folder that HJT is located and rename the .exe file to something like crusty.exe and send the shortcut to the desktop.

Run HJT and post back with a fresh log.

 

[radski]

AVG and HJT logs

 

[kritius]

Can you retry the AVG and try to get it to quarantine what it finds?

There is some stuff in there that should be dealt with.

Go to add/remove programs and get rid of anything to do with this,
iPIX ActiveX Control

then boot into safe mode and show all hidden files and folders and do a search for it and delete whatever it finds.

Run HJT and have it fix these entries,
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

Boot back into normal mode and rehide your protected files.

Run Hijackthis again and post back with the 2 requested logs.

 

[radski]

hey kritius, what do you want me to do first? I've gone to Add/Remove and can't find anything to do with Ipix. With the AVG scan, do I do that in safe mode with all hidden files shown, as I've been doing before?

 

[kritius]

Sorry, yes, do the AVG scan in safe mode again with all the hidden folders visable and make sure that its set to quarantine the results like in the picture.

Then do the HJT scan and delete the entry if its there from safe mode as well and delete the entry if its there.

Then boot back into normal mode, rehide all the folders and do another scan with HJT.

Thanks

 

[radski]

With the AVG scan I was only able to quarantine one of the files that had a risk of high, all the rest were medium.
HJT, I was able to delete that entry.

Rehiding and hiding files am I suppose to restart for the changes to take effect?

 

[kritius]

That got it. Can you delete the contents of the quarantine folder now please.

Just need to check some more things.?

O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.htm
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://66.91.151.66/wg_webeye.cab

Do you recognise these?

I take it you are using an Acer computer?

Do a scan with the free Kaspersky on line scanner.

Other than that, how is the computer running now? Any other occurences?

 

[radski]

Thanks kritius!
I've deleted the file in quarantine.
Net Transport is one of those programs that lets you download media streams etc.
The Web Camera Server Control, I have no idea what it is, since I don't even have a web camera.
Yes, I am on an Acer.

Should I do the online scan now, or wait for further instructions regarding the top two things?

 

[kritius]

Run the scan for now, if it allows you to save a log file then post that log here for me, I just need to check a few things out.

EDIT||||||||||||||||||||

After you do the scan with Kaspersky, Close all browser windows, open HJT and do a system scan only,
put a check next to this entry,

O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://66.91.151.66/wg_webeye.cab

Select fix checked.

Reboot and do another scan and post a log, I need to see if it comes back.

 

[radski]

Hi kritius.

I've done the Kaspersky scan and I've followed the instructions regarding HJT, although none of the scans were carried out in safe mode.
Here are the two logs.

 

[radski]

On my profile things seem to be working fine but on my brother's, IE doesn't have the top bar where it says File, Edit etc, and he's unable to do CRTL ALT DELETE, it says the administrator has disabled the task manager.

 

[kritius]

In regards to IE I have 2 recommendations:-

• Right click on the top bar beside the tabs and make sure that Menu Bar is ticked.
• Stop using IE and start using Firefox.

For the taskbar, try running the fix ploicies download that I gave you earlier in his account.

Let me know how it goes.

 

[radski]

The menu bar option isn't there, although the FixPolicy program did fix the task manager.
Is my profile all clean?
When I perform a virus or any other scan in my profile does it only look at my profile's files or everything on the computer i.e. do I have to log into my brother's account and do a scan?

 

[kritius]

Can you have another runthrough with Kaspersky? I want to check some stuff out. Do another HJT scan and a combofix one if you can.

 

[radski]

After restarting the computer yesterday the fix policies download seemed to do the trick and everything is ok now. Here are the logs in the order I did them.
Kaspersky log
combofix log
HJT log

 

[radski]

kritius have you had a chance to look at the new logs?

 

[kritius]

Have you been experiencing any specific problems?

Your HJT log looks clean.

Go to start>run and type combofix /u (notice the space between the x and /)

delete the three tools by putting them in the recycle bin.

Also can you use the housecall online scanner from the 15 steps for me as well?

 

[radski]

During the uninstalling of Combofix, the Comodo firewall kept asking if I wanted to allow swreg.cfexe to do stuff. Is swreg.cfexe good or bad?

What are the three tools you want me to delete, the ones from Step 10?

 

[kritius]

Yes those where the three tools.

That file is BAD, deny it. Dont unistall combofix just yet, can you run another scan with it and post the log back here?

 

[radski]

I did allow swreg.cfexe to run afew times. Although I did block it this time around along with CF30146.exe trying to connect to nircmd.com.

I've done a scan with Combofix, here's the log

 

[kritius]

I've asked someone to read through it so ill let you know as soon as possible.

I want an unbiased opinion on it.

 

[radski]

Thanks kritius.

 

[radski]

Anything? Did you want me to do the housecall online scanner thing after we sort out HJT or now?

 

[kritius]

Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  o Scan using the following Anti-Virus database:
  + Extended (If available, otherwise use standard)
  o Scan Options:
  + Scan Archives
  + Scan Mail Bases
• Click OK
• Under select a target to scan, select My Computer
• The scan will take a while so be patient and let it run.
• Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
• Click the Save Report As... button (see red arrow below)
  
  
  
  
  
• In the Save as... prompt, select Desktop
• In the File name box, name the file KasScan-ddmmyy (or similar)
• In the Save as type prompt, select Text file (see below)
  
  
  
  
  
• Include the report in your next post.