Win32 trojan agent 2

Status
Not open for further replies.
Hi, I tried searching the forums for answers before posting, but I just couldn't find anything that could compare.

So a few days ago I noticed that whenever I click a search engine link, I get redirected, and I could not visit most anti virus websites, and even if I could download an Anti-Virus, it would not run.

I then downloaded SuperAntiVirus and ran it in alternative mode. It cleaned up some stuff and I was able to visit anti-virus websites (I still can't run most anti-virus applications though, and web searches are still redirected. Firefox now runs more slowly as well.), so I downloaded Avira (didn't do anything), Vipre (didn't do much), and Ad-Aware.

Ad-Aware finds a bunch of infected files and removes them, one of which is "Win32TrojanAgent2." This virus keeps coming back with EVERY Ad-Aware scan; even though Ad-Aware keeps deleting it, it is the only thing that keeps coming back.

I did everything, but I cannot get rid of it.

I realized that you guys usually ask for HijackThis logs, so here's mine... I can't run MBAM, so I couldn't include it, sorry.


I took the "h" out of "http", and a "w" out of "www" so it would let me post this... Excuse me for that.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:18, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\DOCUME~1\ALLUSE~1\MESSEN~1\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\DOCUME~1\ALLUSE~1\MESSEN~1\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\DOCUME~1\ALLUSE~1\MESSEN~1\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - ttp://ww.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - ttp://ww.srtest.com/srl_bin/sysreqlab_ind.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.79,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.79,85.255.112.213
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 3670 bytes
I hope you guys can help me, I would really appreciate it, as this thing is making me go crazy!

Thank you.
 
You _will_ find the help you need here...

First, if you have not already done so...

You need to read, understand, and strictly follow the directions
which you find at the top of this board.

Start with... https://www.techspot.com/vb/topic120350.html
Then ... https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Followed by ... https://www.techspot.com/vb/topic65943.html

Once you have posted the three (3) logs mentioned in the 8 steps,
one of the experienced helpers will be more able to assist you.

How to post your Hijackthis log-file as an ATTACHMENT:
https://www.techspot.com/vb/topic19133.html

Good Luck. Repost if you have difficulties along the way.
 
The moderator will be around and delete the pasted log, but since I see it now, let's handle it:

Real Time Protection needs to be temporarily disabled while scanning. You are running AdWatch:
AD-AWARE AD-WATCH
* Right click on the Ad-Watch icon in the system tray.
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
o Active: This will turn Ad-Watch On\Off without closing it.
o Automatic: Suspicious activity will be blocked automatically.
* Uncheck both of those boxes.
* (When done, you can re-enable it using the same steps but this time check both boxes.)

You have a DNS Changer malware infection:
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.79,85.255.112.213
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.79,85.255.112.213

You'll recognize this Trojan by checking the DNS server assignments on the computer that does not update. Do this by following these steps:

1) Start> Run> type in CMD and press Enter
2) At the command prompt, type IPCONFIG /ALL and press Enter
3) You should be presented with a bunch of information; find the section for your Internet connection. It may be entitled Ethernet Adapter Local Area Connection or something similar.
4) Find the DNS Server section and double-check the numbers. Usually the DNS is a local IP like 192.168.0.1 or it could be a statically assigned IP from your ISP. If the DNS numbers are remotely similar to the following IPs then you have the DNS Changer Trojan. These IPs originate in Europe.
85.255.113.122
85.255.112.83
85.255.116.148
85.255.112.223
5) Type Exit at the command prompt to close it

Reset router
1. Make sure you know the setup information for your router. You want to access the router configuration pages, and write down any information necessary to authenticate with your ISP. Please write this down, if you do not have a record elsewhere of this information. When in doubt, call your ISP and ask what is needed in the authentication fields of the router.
2. Shut down your computer, and any other computer connected to your router.
3. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
4. With the router unplugged, start your computer. Run MBAM.
5. Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
6. After resetting your router - go to Start -> Run -> type in cmd and press enter -> at the prompt type ipconfig /flushdns -> type EXIT and press enter.

Please run Malwarebytes, Superantispyware and rescan with HijackThis. Attach logs from all three programs.

There are several entries in the HJ log that will need to be removed, but the other 2 programs need to be run first, then HJ again. Please do not add or remove any programs or entries unless told to do so by your helper.
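The DNS check in steps 1-5 above, and the O17 NameServer lines the helper points at, can be automated. The script below is an added example and not part of this thread or of any tool named in it: it parses constructed `ipconfig /all` output and HijackThis O17 lines, then flags any resolver inside 85.255.112.0/20, which is assumed here to be the rogue block (it covers every 85.255.x.x address quoted above), while treating RFC 1918 addresses as the normal local-router case.

```python
import ipaddress
import re

# Assumed rogue resolver block for the DNS Changer family discussed above;
# every 85.255.x.x address quoted in the thread falls inside it.
ROGUE_BLOCKS = [ipaddress.ip_network("85.255.112.0/20")]
# Private ranges: a home router such as 192.168.0.1 is the expected resolver.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of `ipconfig /all` output mirroring the infected box.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.0.10
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 85.255.112.79
                                            85.255.112.213
        NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# The two O17 lines from the posted HijackThis log.
SAMPLE_HJT = """\
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.79,85.255.112.213
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.79,85.255.112.213
"""

def dns_servers_from_ipconfig(text):
    """Collect DNS server addresses; Windows lists extra resolvers on
    indented continuation lines under the 'DNS Servers' field."""
    servers, collecting = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            collecting = True
        elif collecting and not re.match(r"\s+\d", line):
            collecting = False  # next labelled field ends the list
        if collecting:
            servers.extend(IPV4_RE.findall(line))
    return servers

def dns_servers_from_hjt(text):
    """Collect NameServer addresses from HijackThis O17 entries."""
    return [ip for line in text.splitlines()
            if line.startswith("O17 -") and "NameServer" in line
            for ip in IPV4_RE.findall(line.split("=", 1)[1])]

def classify(addr):
    """'rogue' for the hijacker block, 'local' for LAN, else 'public'."""
    ip = ipaddress.ip_address(addr)
    if any(ip in b for b in ROGUE_BLOCKS):
        return "rogue"
    return "local" if any(ip in b for b in PRIVATE_BLOCKS) else "public"

def audit(servers):
    """Map each resolver to its verdict; any 'rogue' means DNS Changer."""
    return {s: classify(s) for s in servers}
```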
 