Trojan-Downloader.Win32.Agent

[diraek]

My daughter got this on her computer. She only uses the computer for games and music. I use it occassionally for papers for school.

however, she cannot log onto WoW because of this trojan. I need to get it cleaned off for her.

I read the Viruses/Spyware/Malware, preliminary removal instructions and downloaded the hijackthis and have a copy of the log saved on my computer.

There are a lot of steps to this cleaning, but I will be greatful to get this computer cleaned up once and for all.

I'll let you know how the battle goes,

Di :|

 

[kitty500cat]

Hi, welcome to TechSpot! :wave:

Please post a new HJT log as an attachment into this thread. Be sure to move and rename HJT if you didn't already (details in the preliminary removal instructions). Also, please post AVG Antispyware and ComboFix logs as detailed in that thread. Also let me know the results of the AVG Antirootkit scan, but don't fix anything yet.

Regards

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.

 

[diraek]

Will do as soon as all the scans are done running ... off to scan again LOL

Di

okay so scanning is done .... whew!

Attached you will find the results of the scans ...

I am so looking forward to having this computer cleaned,

Di
AVG AntiRootKit
C:\WINDOWS\system32\kdmco.exe,Hidden file

AVG AntiSpyware
When I try to update it tells me Error: the server is not ready to serve. Please try again later
Ran scan anyway:
First time I ran the scan I got an error C:\programfiles\grisoftAVGAntiSpyware7.5\avges.err
uninstalled and reinstalled and reran the program:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:10:21 PM 3/20/2007

+ Scan result:



C:\Documents and Settings\All Users\Documents\My Pictures\My Pictures\misc\sinstaller.exe -> Adware.Comet : Ignored.
C:\Documents and Settings\Cece\Desktop\My Pictures\misc\sinstaller.exe -> Adware.Comet : Ignored.
C:\Documents and Settings\Cece\My Documents\My Pictures\misc\sinstaller.exe -> Adware.Comet : Ignored.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Ignored.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Ignored.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Ignored.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Ignored.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Ignored.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Ignored.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Ignored.
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Ignored.
C:\System Volume Information\_restore{ADC8162E-DDEC-4ECF-AC94-EFC5698E95CF}\RP382\A0057325.exe -> Adware.WeirWeb : Ignored.
C:\Documents and Settings\Cece\Cookies\cece@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Ignored.
C:\System Volume Information\_restore{ADC8162E-DDEC-4ECF-AC94-EFC5698E95CF}\RP422\A0061890.exe -> Trojan.DNSChanger.in : Ignored.


::Report end

Off to my final in my Oracle class will check back as soon I get home again

Di

 

[kitty500cat]

Very important: Before deciding whether to clean or reformat your system, read this thread and decide what you want to do.

If, after reading the above thread, you decide to clean your system, please do the following.

Boot into safe mode, under your normal user name (not the administrator account). See how HERE.

In Windows Explorer, turn on "show all files and folders, including hidden and system." See how HERE.

Go into Add/Remove programs in your control panel and remove anything relating to the following:

Viewpoint
MyWebSearch
SpyHunter<--this is a rogue anti-spyware program

You should also uninstall UltraVNC if you didn't install it yourself or if you don't use it. It's best not to have remote control software installed unless you actually use it.

Now delete the following bold files and folders (if there):

C:\Program Files\Viewpoint<--delete the entire folder
C:\Program Files\MyWebSearch<--delete the entire folder
C:\Program Files\Enigma Software Group\SpyHunter<--delete the entire folder
sinstaller.exe<--search your system for this file and delete all instances found.
C:\Program Files\screensavers.com<--delete the entire folder (don't worry if it's not there)

Now have HJT fix these entries (if there):

R3 - URLSearchHook: ScriptInocUI Class - - (no file)

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm035YYUS

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15.cab

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Fix all of the O17 entries as well, only if they don't belong to your ISP.

Now reboot into normal mode and rehide your protected files.

I see that you set AVG Anti-spyware to ignore certain items. You need to have it set all elements to "recommended action." HERE is a pictorial guide to AVG Anti-spyware if you need help with it.

Now post fresh HJT, ComboFix, and AVG Anti-spyware logs as attachments into this thread. Also let me know if AVG Antirootkit finds anything.

Regards

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in the Security and the Web forum.

 

[howard_hopkinso]

Hello and welcome to Techspot.

Your system has a wareout infection and has been hijacked. In addition to the instructions given by kitty500cat, please do the following.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Attach a fresh HJT log as well as the C:\fixwareout\report.txt.

Regards Howard :wave: :wave:

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[diraek]

I did as kitty500cat asked and will attach the files requested.

I'm starting to see crosseyed from all the scans.

Oh by the way I didn't set anything to ignore that was the default setting ... I did, however, figure out how to change that setting to quarantene and delete.

Okay now for the wareout thingy ... Back with my results

Di

So I have done all the scans deleted all the files I could find and attached all the required information?

I am studying to be a programmer ... but wouldn't have liked to have to remove all that was taken from this computer by hand.

Thank you both for all your help!!

Hopefully she can keep this thing free of junk from now on ... I have enough tools to stop the end of days I think! or have I spoken too soon?

You both have been so great, thanks again

Di

 

[howard_hopkinso]

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cece\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{68D58B4A-C0B8-45E8-B8C0-65594C58E2C6}: NameServer = 85.255.114.50,85.255.112.20

O17 - HKLM\System\CCS\Services\Tcpip\..\{AA2C8E7B-B0FA-487C-8713-FE2B22B5BA90}: NameServer = 85.255.114.50,85.255.112.20

O17 - HKLM\System\CCS\Services\Tcpip\..\{AD078FE7-A35A-4790-93F0-9CACC8AA7BF2}: NameServer = 85.255.114.50,85.255.112.20

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.50 85.255.112.20

O17 - HKLM\System\CS1\Services\Tcpip\..\{68D58B4A-C0B8-45E8-B8C0-65594C58E2C6}: NameServer = 85.255.114.50,85.255.112.20

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.50 85.255.112.20

Click on the fix checked button.

Close HJT and reboot your system.

Your AVG Antispyware log says all items have been ignored.

Please run a fresh AVG scan and set it to quarantine the results.

Post a fresh AVG Antispyware log as well as a fresh HJT log.

Regards Howard

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[diraek]

All Okay?

Did as you requested ...

Is it all okay now?

According to my isp the 17's were ComCast Services DNS servers ... But then again I had more training my first quarter of school than the tech support people do at my isp LOL

Thanks,
Di :wave:

 

[howard_hopkinso]

Your HJT log is clean.

Have HJT fix this inactive entry.

O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

The 017 entries I told you to fix were the hijacker and are definitely not from your ISP.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[diraek]

Well here we are again and my daughter has once again gotten her computer locked up but this time by spamware ... I have run AVG Antispy ware and Ad-Aware antispyware and they both found different things but we still have one that is replacing her desktop that I can't seemt to find ...

Attached you will find a copy of the popups that keep showing up on her computer ... can you help me?

 

[howard_hopkinso]

I have removed your .doc file due to the risk of infection.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[diraek]

I cannot seem to get the attachment Manager to open up for me to show you what I found ... bloody computer ... it is really skrewed up!

The AVGrootkit showed no rootkits. If I can get get the manage attachments to open up I will post the attachments of the other scans ... big if!

Finally, I got the attachments to work.

Here are the log files Thanks for your help with this

Di

 

[howard_hopkinso]

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[diraek]

When I follow your instructions I get this:

Error Selected file does not appear to be a valid scrip

only choice is okay

Press okay to log error and continue or canel to abort

I press okay

error code 1813

only choice is okay
then nothing happens ... tried to delete the zip file and redo all instructions ... still the same thing ...

Third times the charm ... attached you will find the new logs ...

Thanks for your patience

 

[howard_hopkinso]

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

index.htm

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerdashfloonthego/sis/ddfotg.1.0.0.33.cab

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\privacy_danger<Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Post a new HJT log.

Regards Howard

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[diraek]

okay did that here is the new HJT Log

Thank you again for all your help ... you guys are the greatest!

Di

 

[howard_hopkinso]

Your HJT log is clean.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of diraek only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.