I have weird files in my shared docs (keygens)

spencer22l
For some time now I have been seeing these unknown and random keygens and suspicious-looking files.
I deleted all of them but they come back!
My anti-virus software (runs on the BitDefender engine) doesn't say anything.
I downloaded Malwarebytes to perform a full scan and got rid of everything. I use Comodo for firewall and it doesn't say anything either, but I get a message on startup saying it closed System Performance Analysis Tools or something and I think this is related to these files.

I've also just run Kaspersky Online Scanner and it said 1 was infected. Trojan.Win32.Agen.Ambb is the name. C:WINDOWS/pss/userinit.exe
I have found that file in my msconfig->startup so I unchecked it many times but failed. What should I do?
Help me please!
 
Sorry for not following the 8-step solution. I just read a post from googling and was in a hurry =( I am performing a SUPERAntiSpyware scan now.
I will re-upload with everything ready when completed. Sorry ^^
 
Welcome to TS.

Your logs show good progress.

Repeat running MBAM quick scans & save log each time, until log is clean or there is no change to infections detected.

Restart anytime the log indicates action on reboot.

Run MBAM full scan to go to the file/folder level.
Run SAS & HJT

Report your experiences.

Post logs.

The collection of MBAM logs may be consulted in connection with ComboFix (if & when).

Sorry, I must charge out the door.
 
Here....

I did as you told me,
ran Malware quick scan until nothing was found.
Then did a full scan.
Then the SAS and HJT.
The logs are all uploaded.

Now what should I do?
 
You have passed the crisis stage, alright.

How are things?

We will use ComboFix for finishing touches. I want to observe the handling of this remnant that was knocked down by MBAM:
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)

Follow the directions courtesy of Blind Dragon

Post this log, followed by the HJT log.
 
Things are fine so far
I have got no new file in my shared docs.

And here are your logs
Thank you for helping me ^^
 

Attachments: ComboFix.txt

Another specialist will be called upon to interpret the ComboFix Log. My frazzled brain can't see through the clutter. Generally, what remains are fragments with no registry key to re-activate the infection.

It is the weekend, so it may take an extra day for this. The clean up instructions will follow what mflynn has been posting lately.

Enjoy Computing.
 
Alright thanks

Okay, I'll just wait,
and I've got NOD32 Antivirus + Comodo Firewall activated.
Also I undid DMZ setting on my router to be more secure.
I was using DMZ because my Battlenet wouldn't work even if I set the port forwarding.
Anyways thank you for your help
 
These are the following Combofix/CFScript instructions.

  1. Open notepad and copy/paste the text in the quote box below into it:

    File::
    C:\Backup.GHO
    c:\windows\Ascd_tmp.ini
    c:\windows\IsUn0412.exe
    c:\windows\execute.data

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\fscagent.exe"=-
    "c:\\WINDOWS\\system32\\grdmgr.exe"=-
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.


Also, please let me know the details/contents/usage of these files and folders in FULL:

c:\documents and settings\lee\WINDOWS
c:\program files\Umile
c:\documents and settings\All Users\Application Data\{96F5B506-0F68-4EDB-AD12-CF915081579C}
c:\\Documents and Settings\\lee\\Desktop\\mine\\Settings\\loginscreen\\Echi\\wide.exe
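A way to review what a CFScript will do before it is dropped onto ComboFix, as an added example that is not part of the original thread: the parser below reads the File:: and Registry:: sections (the `=-` suffix is the .reg convention for deleting a value) and returns the planned actions. The script text is a constructed copy of the one posted above, and the section/value syntax it handles is assumed from that sample only.

```python
import re
# Constructed copy of the CFScript posted in this thread (same File:: and Registry:: lines);
# a raw string keeps the .reg-style doubled backslashes exactly as written in the script.
CFSCRIPT_TEXT = r"""File::
C:\Backup.GHO
c:\windows\Ascd_tmp.ini
c:\windows\IsUn0412.exe
c:\windows\execute.data

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\fscagent.exe"=-
"c:\\WINDOWS\\system32\\grdmgr.exe"=-
"""

SECTION_RE = re.compile(r"^(\w+)::$")      # File:: / Registry:: section headers
KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\...] registry key header
VALUE_RE = re.compile(r'^"(.+)"=(.*)$')     # "name"=data; data "-" deletes the value (.reg convention)

def parse_cfscript(text):
    """Return the actions a CFScript asks for (syntax assumed from the sample above)."""
    plan = {"File": [], "Registry": []}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if section == "File":
            plan["File"].append(line)                  # one path to delete per line
        elif section == "Registry":
            k = KEY_RE.match(line)
            if k:
                key = k.group(1)
                continue
            v = VALUE_RE.match(line)
            if v and key:
                name = v.group(1).replace("\\\\", "\\")   # undo .reg escaping of backslashes
                action = "delete" if v.group(2) == "-" else "set"
                plan["Registry"].append((key, name, action))
    return plan

def summarize(plan):
    """Plain-language list of what the script would do, for review before running ComboFix."""
    out = [f"delete file: {p}" for p in plan["File"]]
    out += [f"{act} value '{name}' under {key}" for key, name, act in plan["Registry"]]
    return out
```

Run `summarize(parse_cfscript(CFSCRIPT_TEXT))` to get the six planned actions; compare them with the paths and firewall entries the helper named before dropping the file on ComboFix.exe.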
 
I did as you told me to do.
And here are the logs.

And the programs:
1) c:\documents and settings\lee\WINDOWS
2) c:\program files\Umile
3) c:\documents and settings\All Users\Application Data\{96F5B506-0F68-4EDB-AD12-CF915081579C}
4) c:\\Documents and Settings\\lee\\Desktop\\mine\\Settings\\loginscreen\\Echi\\wide.exe

1) I do not know what that is. It is a folder with a "system" folder in it, but it's completely empty. I checked show hidden files + folders and hide protected operating system files. But nothing.

2) I'm Korean and it's Korean encoding software. I'm pretty sure it's safe because it's a pretty popular freeware or shareware Korean encoding program.

3) I didn't know what it was so I followed the path and now I know. It's IconPackager; it's not free, I'm only using a trial, and it changes all icons easily.

4) That is a login screen for Windows XP, used with Logon Loader. So when I turn on my computer, after the Windows screen it's not "welcome" by Windows. It's something else, whatever I chose.

Hope everything is going well.
Thank you for helping me =)
 
I downloaded Kaspersky Internet Security Trial
and did Full Scan and deleted all the threats detected,
because on Kaspersky Scan I found what I was looking for...

What else should I do?
 
I realize that this is not a timely reply. The log confirmed the deletion of the files from the script.

It's to your credit that you were able to find the tool that ultimately solved your problem.

All the logs submitted indicated the infections were treated.

However, it appears that we focused on what the tools produced. A re-read of your first post shows it complained of 'keygens' appearing in shared docs. ComboFix generates a list of files created in the 30-day window, but any suggestion of 'strangeness' was missed.

Here are clean up instructions provided by Blind Dragon. Follow the general instructions following the separator (======).
 
Thank you, I have noticed that I haven't got any of those weird keygens or hacking tools in my docs any more! =)

I have followed the clean up instructions until the last one.
The SpywareBlaster, should I get it too? Because I'm using Kaspersky Internet Security 2009 and I heard using many spyware protection and antivirus programs together might cause the computer to crash and such.
If it's okay I will download and use it, but should I??
 
Go with your instinct. BD has his personal favorites.
And, yes, too much protection will hurt performance, or undo some aspect of other protections.

My Case: ZA Internet Security Suite reverses changes to 'host' made by SpyBot.

I have avoided using spywareblaster for the very same reason - what I have is working just fine. And life is too short to learn about yet another new program.

Having said that - I'll be struck by malware only spywareblaster can handle. :confused:
 