TechSpot

Malware infection

By MrFox
Jun 21, 2009
Topic Status:
Not open for further replies.
  1. Hey folks, You've been a great help in the past, so here I am again.
    I first noticed my problem when my google search links were taking me elsewhere. I knew right away hat I had a hijacker.

    I tried several things, like running Ad-aware, SpyBot, uninstalled IE8 all the way back to IE6, AVG, etc. and the bugger is still there. It seems the main problem is Win32TrojanAgent2, however, I imagine I have other problems.

    When I try to open my any drive by double clicking on its icon, I get an error that reads...

    "Windows cannot find 'RECYCLER\S-6-4-50-100005354-100020377-100002482-7163.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

    The ".com" portion of this makes me suspicious that this is part of the malware problem.

    Anyway, I've read through the steps of Malware removal and have attached them to this thread. Thanks for any help.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Mr. Fox, I'll check the log, but would like you to run full system scan with the antivirus program. Save the log and attach it to next post.

    The Recycle is a folder for files that have been emptied from the Recycle Bin.
     
  3. MrFox

    MrFox TS Rookie Topic Starter Posts: 28

    Okay, I ran AVG just yesterday at 4:33 PM.

    Here are the results of that scan.

    What else can you tell me about the RECYCLER Error? It's keeping me from opening drives normally. I CAN use Explore to open them, so I'm not crippled, however, I shuldn't have to.

    Thanks for the help
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Download and run Autorun Eater: http://majorgeeks.com/Autorun_Eater_d6074.html

    Follow the onscreen prompts. This should resolve the Recycler problem.

    For the Tracking Cookies:
    Reset Cookies:

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
     
  5. MrFox

    MrFox TS Rookie Topic Starter Posts: 28

    Thanks, the autorun eater fixed the recycler problem. However, the cookies are the least of my problems.

    I have Win32TrojanAgent2 on my system and I can't seem to get rid of it. I really want to avoid reinstalling Windows. But it seems nothing I try will get rid of this thing; and seaching with Google or Yahoo! just gets high jacked. Bing search seems to work fine, however.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The AVG scan you left doesn't show anything but Tracking Cookies.

    Where are you finding this? According to Ad-Aware it's called Win32TrojanAgent2, while AVG identifies it as Trojan horse SHeur2.WNC. However, AVG doesn't show this.

    If you did run Spybot and it identified this, are you removing it? AdAware may also give a similar finding. But you are running AdWatch which is Real Time Protection from AdAware. That could be the reason the Trojan isn't being seen in other entries.

    Disable AdWatch:
    • Right click on the Ad-Watch icon in the system tray.
    • At the bottom of the screen there will be two checkable items:
      [o] Active: This will turn Ad-Watch On\Off without closing it.
      [o]Automatic: Suspicious activity will be blocked automatically.
    • Uncheck both of those boxes.
    (When done, you can re-enable it using the same steps but this time check both boxes.)

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    After the Eset online scan and with the AdWatch still disabled, rescan with HijackThis and attach new log with next reply along with Eset log.
     
  7. MrFox

    MrFox TS Rookie Topic Starter Posts: 28

    Okay,

    ESET found no threats.

    ESET and HiJackThis logs uploaded.

    I still have something hijacking Google.

    Adwatch Live still picks up Win32TrojanAgent2.

    Edit: To show I'm not crazy, I've included the Ad-Aware scan log from just a few minutes ago.

    Edit2: So, maybe I am crazy, it seems the last quarantine process ad-aware did actually removed it.

    Let me know if I shoudl do anything else to make sure it's gone however.

    Google is no longer behaving like it's hijakced.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I o not believe you're crazy. However, after reading several threads from others experiencing that same AdAware: "Win32.Trojan.Agent 2" occurrence, Lavasoft support says this:

    It appears to be a false positive. It has been found with a file iTunesIco.exe that is used at the installation of iTunes. The iTunesIco.exe has been removed from detection. But I couldn't find a date on that. The file is here: C:\WINDOWS\Installer\{EF6C4600-306D-4F6A-A119-C2A877D25B4A}\iTunesIco.exe.

    The file is only used initially when iTunes is installed. Re move it and see if this handles the Win32.Trojan.Agent2.
    Download and Windows Installer Cleanup Utility HERE and save it to your desktop.

    Double click on the setup on the desktop to install. Then run. Look or this file and remove it. Reboot the computer. Run AdAware again and see if it's gone.

    I would remind you that you were asked to temporarily disable AdWatch and given the instruction to do see. To have it running when scanning can cause inaccurate results. It is still running.

    I see only one entry in the HijackThis log that might not be needed. It is a process if Client for Netware is installed. Most users do not have this installed and the process can be removed. IT is:
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

    If you do not have Client for Netware:

    • [1] Click on the following link to download LSPFix to your desktop.http://www.cexx.org/lspfix.htm
      OR
      [2] Click on this link to download the exe file directly: http://www.cexx.org/LSPFix.exe
      [3] Once the exe file is on your desktop, double-click on it to open
      [4] In the left hand column, you should see the NWPROVAU.DLL file listed.
      [5] Click on it to highlight, then click the arrow in the middle of the screen that points to the right
      [6] This will move the filename to the right-hand column labeled Remove

      [o]NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"

      [o]Of course, it should be stated that if you are unsure of any of these procedures, please do not complete them and ask for assistance from a local computer tech, family friend, or other knowledgeable person.
      [7] Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
      [8]Close the LSPFix program now.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComoboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Hijackthis and the entry for NWPROVAU.DLL should now be gone from the list. Attach new log and Combofix report.

    Edit: One issue with AdAware is that in order to let Ad-Aware 2008 quarantine objects before removal users may choose to press the Quarantine button instead of the Remove button at the Scan Results window. This way the quarantined item may be restored later if the user so chooses
     
  9. MrFox

    MrFox TS Rookie Topic Starter Posts: 28

    Here's the hijackthis log.

    edit:
    and the combofix log
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Is the search still being redirected?
     
  11. MrFox

    MrFox TS Rookie Topic Starter Posts: 28

    nope. Links are going to where they should. Thanks!
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If the problems have been resolved, you can remove the cleaning tools. One thing I'd like to caution you about first: You have many 016 processes loading. These are Active X Objects, usually from add-ons. You would be wise to get those add-ons down to as few as possible for the sake of security and conflicts.

    To manage the add-ons: Open IE> tools> Manage add-ons. There are two sections> 1. add-ons currently on system and 2. add-ons previously on system. Go through both sections> highlight> Disable those you aren't using> Apply> OK.

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTCleanIt by OldTimer and Save it to your Desktop.
     
  13. MrFox

    MrFox TS Rookie Topic Starter Posts: 28

    Thanks for all the help. I'll get in there and see about cleaning up those addons, thanks for the tip.

    I'll run the clean up as well.

    Thanks for the help.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Glad to help.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.