Please help with two trojans

Status
Not open for further replies.

thefranchise808

Hi, my virus software found these two infections:

"\\\globalroot\systemroot\system\gxvxclhbftepkdmnkrjbogkilfskgwyaswapy.dll"
;"Trojan horse Agent2.GUF
;"Infected"

"C:\Program Files\Mozilla Firefox\firefox.exe (1776)"
;"Trojan horse Agent2.GUF
"Infected"

They seem to be messing up my ability to open my spyware removal programs

Attached is my hijackthis log.

Any help is greatly appreciated

Thank you
 
Hi, Thanks for responding.
I've done all steps except for the SUPERAntiSpyware and Malwarebytes... I have the applications but I can't open them, which I'm positive is connected to the infections. I've tried uninstalling and reinstalling the programs but it still doesn't work.

Here is the latest hijackthis log after doing everything else:

Thanks again

P.S:
I know I still have bearshare installed....but a user on this site (Blind Dragon) once advised me that it should be okay to keep on while understanding it is a risk
 
"I know I still have bearshare installed....but a user on this site (Blind Dragon) once advised me that it should be okay to keep on while understanding it is a risk"
It's up to the support member to decide if they want to help you or not, whilst having P2P still installed.

Here's some further reading on P2P ;)

Info on using P2P Programs => https://www.techspot.com/vb/topic124748.html
More info supplied here => https://www.techspot.com/vb/post752079-4.html
 
Trojan Horse Removal

Hello,
Reading through these postings, I have exactly the same issue, which just started yesterday (Monday). I cannot perform a restore point, and also cannot run Malwarebytes or even install SUPERAntiSpyware. I tried to submit a hijack report earlier today but I'm not sure it went through correctly. AVG a/v is up-to-date and didn't indicate any issues, except when I try to launch IE 8 or Firefox after a reboot, I get the warning message that Trojan Horse Agent2.GUF was found in c:\Windows\System32\gxvx...dll (2 occurrences) and it can only clean 1 until the next time they both reappear.

Not sure what other important information you may need from me but I certainly appreciate any assistance I can receive to rid myself of the pest and move on.

Thanks - Regards
 
thefranchise808 -> Remove BearShare, as the free version contains some malware.

Try Malwarebytes again, slightly different ->

Download Malwarebytes
http://www.download.com/Malwarebyte...4-10804572.html?tag=mncol;pop&cdlPid=10878968

Save the file as setup.exe

Run the setup.exe file
When it gets to the final step of the installation it will seem like it froze....it hasn't but it will take anywhere from 15mins to an hour to get through that step so just let it do its thing.

If the automatic update fails, download the manual update ->
http://www.gt500.org/malwarebytes/mbam-rules.exe

Reboot to safe mode.

Go into the Malware folder through Program Files
Rename the mbam.exe to 123.exe and run it.
Do a full computer scan
Check all and remove/fix/delete them.

Restart your computer and attach the log
 
Your MalwareBytes database is old, too old.
You needed to update it first, err it's very time consuming to double up!

Also regarding AVG
I basically feel it doesn't protect that well. I recommend you uninstall your free AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Restart

An alternative Antivirus that I recommend is Avira free Antivirus (also being in the 8-Step guide)

Make sure Avira is fully up to date after install, and keep it live protecting

Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed

There you go ;)

Edit:

Here's a quote from about a year ago ;)
I'll get rid of those Bearshare files
 
Hahaha...see I deleted it.....one year later =P

Anyway, about this problem... I've followed all these instructions, installed Avira, been doing MBAM scans... removing the trojans, and the latest scan doesn't show any infections BUT my Google searches are still being redirected, which as I've read is due to some sort of malware.

Thoughts from anyone here?

Here is my latest hijackthis:


Thanks again.
 
  • Download Combofix to your desktop.
  • Double click ComboFix & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
 
Please locate "BearShare" folder
It lives in C:\Program Files
And delete it

Then run CheckDisk, info howto here: https://www.techspot.com/vb/post672297-2.html

Then run CCleaner

Then run ComboFix (in Normal Mode) again
It runs for 10 mins, as you know, so it shouldn't take very long, except Check Disk which sometimes is about 5mins, and sometimes half an hour.

Either way. The above should help ;)
 
Uninstall Viewpoint

Run CFScript
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:
File::
c:\windows\system32\drivers\cskyim.sys

Folder::
c:\program files\BearShare

Driver::
Viewpoint Manager Service
wlftgy

Firefox::
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\mv3b5e21.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitComet\\BitComet.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9235885a-02d8-11dd-a194-101111111111}]

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
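A pre-flight check for the saved CFScript.txt, as an added example that is not part of the original post and is not ComboFix's own code: it tests the first-line rule stated above and splits the script into its sections so each entry can be reviewed before the file is dragged onto ComboFix.exe. The function name `check_cfscript` and the "any `Word::` line is a header" rule are assumptions made for this example.

```python
import re

# Any "Word::" line is treated as a section header; that rule is an assumption
# inferred from the script in this thread, not documented ComboFix syntax.
HEADER = re.compile(r"^([A-Za-z]+)::$")

# First three sections of the script posted above, used as sample input.
SAMPLE = r"""File::
c:\windows\system32\drivers\cskyim.sys

Folder::
c:\program files\BearShare

Driver::
Viewpoint Manager Service
wlftgy
"""


def check_cfscript(text):
    """Return (sections, problems) for the text of a CFScript.txt file."""
    problems = []
    lines = text.splitlines()
    first = lines[0] if lines else ""
    if not first.strip():
        problems.append("blank line above File::")
    elif first != first.lstrip():
        problems.append("space in front of File::")
    elif first.rstrip() != "File::":
        problems.append("first line is %r, expected File::" % first)

    sections, current = {}, None
    for number, line in enumerate(lines, start=1):
        entry = line.strip()
        if not entry:
            continue
        match = HEADER.match(entry)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is None:
            problems.append("line %d is outside any section: %r" % (number, entry))
        else:
            sections[current].append(entry)
    return sections, problems


if __name__ == "__main__":
    sections, problems = check_cfscript(SAMPLE)
    print(sections, problems or "first-line check passed")
```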
 
It looks good :grinthumb

Remove non-essential Startups
Please start up HJT Scan only
Place a tick next to the following not required Startups
Close any Internet Browsers, then select Fix
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - Global Startup: BlueSoleil.lnk = ?
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

Un-install Combofix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • [Screenshot: CF_Cleanup.png]
  • Any popup errors about Antivirus just ok or close
Note: 1 space after ComboFix in that uninstall command

Uninstall SuperAntiSpyware (User Choice)
Any issues uninstalling this, download the SUPERAntiSpyware Uninstaller Assistant

Restart

Clear & Reset System Restore's Cache
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Run CCleaner
Check all Windows Security Updates are complete
Check the drive with CheckDisk

Lastly run a Defrag on your system



After Restart, let us know how it seems to be running
 
Followed all the instructions and I don't seem to be having the google redirect problem anymore. On top of that, my system seems to be running and loading faster so I guess you helped me clear up some junk along the way.

Couple questions:
-What type of Spyware program should I use? SAS?
-What's the difference between scanning with anti-virus such as Avira and MBAM?

Thank you VERY much to you all: Touch, Kimsland, and Kritius

Much appreciated.

See you guys around.
 
"What type of Spyware program should I use"

Generally on all tech forums it is requested to have two AntiSpyware programs
Note: These programs do not need to be live protecting all the time. Nor do they need to be consistently starting with Windows on every startup.

How often you run a scan depends upon your usage and basically where you browse (i.e. many websites are full of spyware).
I tend to run a quick scan (updated first) say once a week.
I use Malwarebytes and SuperAntiSpyware, both are the best I feel



"What's the difference between scanning with anti-virus such as Avira and MBAM?"

This is a good question. As many AntiVirus programs now come with AntiMalware components as well.
If we look at Avira (which I use) Avira will remove Virus and "various types of malware"
Avira is well perfect at finding and removing Viruses. But when it comes to Malware (ie Spyware Adware Trojan etc) Then a program such as MBAM (Malwarebytes) is more suited.



Just as an extra bit of info. Some (many actually) Antivirus packages come as an all-in-one, Antivirus; AntiMalware and Firewall
I personally do not believe they are as good as
1 Good Antivirus ie Avira ;)
2 AntiMalware program
This is because, generally these companies that make these programs specialize in specific Malware removal (ie not Firewall etc)
And these all-in-one type programs tend to be too heavy in system resource, ie refer above about not having the AntiMalware starting with Windows.


I hope this brings some clarity, Safe surfing :grinthumb
 