Trojan.Win32.Agent.dwg Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by starsky1971, Feb 16, 2008.

  1. starsky1971

    starsky1971 Private E-2

    Ran Kaspersky and it revealed I have Trojan.Win32.Agent.dwg but no removal instructions. Norton 360 didn't even catch it.

    Attached you'll find logs for your review. Help will be greatly appreciated.

    FixIEDef
    ComboFix
    Mgtools

    To follow: Kaspersky log
     

    Attached Files:

  2. starsky1971

    starsky1971 Private E-2

    As promised Kaspersky Online Scanner Report
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi starsky1971,
    Welcome to Major Geeks!


    Based on what you've attached, I will post a set of instructions to you tomorrow. Did you run AVG Antispyware? If not, please go ahead and run that and attach the log if there is one.

    Thanks.
    abri
     
  4. starsky1971

    starsky1971 Private E-2

    More Info...

    Attached is a screen shot of temp folder.

    The 15exgmrgml18.exe appears in Task Manager processes, which I end task on.

    I then delete the temp folder but am unable to delete the Perflib_Perfdata_ef4.dat file.

    I've run Spy Bot and will run AVG Spyware. Log file to follow.

    Thanks for looking at...
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi starsky,

    You don't seem to have very many Windows Updates. Why is that?

    Do you know what the following file is? If not, would you attach it to your next post?

    C:\WINDOWS\Explorer.EXE.Z-missing.txt


    Now please do the following:


    1) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O20 - Winlogon Notify: prflbmsg32 - C:\WINDOWS\SYSTEM32\prflbmsg32.dll

    Optionally fix these if you don't need for them to load at startup.

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

    Does the following belong to a program you know or want to keep? If not, please fix it as well.

    O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab


    After you click fix, just close hijackthis.

    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  6. starsky1971

    starsky1971 Private E-2

    Windows Updates...
    That's odd... I routinely update Windows and Office. Prior to my submission I ran a manual update and no updates were needed. The last one was on 2.15.07 (KB928090).

    C:\WINDOWS\Explorer.EXE.Z-missing.txt
    I receive an error trying to upload this file. I am assuming because it is 0 KB and no data is in the file. I have no idea what it is.

    AVG Anti-Spyware
    I ran but didn't know how to save a log file and couldn't find one.

    http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
    I know the program but don't need it and will remove it.

    I'll let you know how I make out after following the below steps.
     
  7. starsky1971

    starsky1971 Private E-2

    Computer seems to be running fine. Attached you'll find the avenger and mglogs.zip.

    It appears there are errors in the avenger log.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi starsky1971,
    Avenger ran fine, it's just that two of the files had already been deleted via HijackThis so that's why it didn't find them. We build some redundancy into the fixes.

    I need to still find out about that one Explorer file. I'll get back to you about this after you finish the final cleanup instructions and post back to me.
    abri
     
  9. abri

    abri MajorGeek

    Hi starsky1971,

    I missed two items that still need to be deleted. You can just go into Windows Explorer and delete them:

    This file:
    C:\Documents and Settings\StarrFamily\Desktop\Free-SpyHunter-Scanner-Install.exe

    And this folder:
    C:\Program Files\Enigma Software Group

    Let me know how things are working.
    abri
     
  10. starsky1971

    starsky1971 Private E-2

    Everything has appeared OK until today. Yesterday I removed the files referenced below. Tonight I came home from work and received another unremovable virus from Norton: Trojan.adclicker. I ran all the recommended scans. Attached are the logs for your review.
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi starsky,

    You have some odd tmp files which need to be deleted. I don't know where they are coming from. You can delete them by running CCleaner as you have done before. Please do this first. Your computer will be vulnerable as long as you don't download and install your Windows updates.

    First please do the following:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {A057A204-BACC-4D26-8287-79A187E26987} - (no file)
    O3 - Toolbar: (no name) - {A057A204-BACC-4D26-8287-79A187E26987} - (no file)
    O4 - Global Startup: NCProTray.lnk = ?

    After you click fix, just close hijackthis.


    2) Next I would like for you to go ahead and delete that one odd entry:

    C:\WINDOWS\Explorer.EXE.Z-missing.txt


    3) What is the following program? It's listed in your add/remove programs. If it's not something you use, please remove it using add/remove programs. It's installed in your Windows folder.

    Not so deep


    4) The following two drivers are installed by Coupons.com

    C:\WINDOWS\uccspecb.sys
    C:\WINDOWS\uccspecc.sys

    Rename them to uccspecb.sys.zzz and uccspecc.sys.zzz

    If their removal doesn't affect your computer for a couple of days, then you can simply delete them.

    5) Because of the tmp files that have shown up, I would like for you to go to the Alternate Scans and scroll about halfway down the page and find the Rootkit Scans. Please run GMER and Rootkit Revealer and attach the results with your next post.

    6) Now run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    abri
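As an added example (not from this thread or from MajorGeeks' own tools), the Python script below applies the same reasoning abri uses in the two HijackThis fix lists above: it flags O20 Winlogon Notify DLLs, O2/O3 entries whose file is gone, O4 startup items with no resolvable target, and O4 autoruns launched from unusual folders such as C:\WINDOWS\system. The sample lines are copied from the two posts; the folder heuristic is my own assumption, not a HijackThis rule.

```python
import re
# Sample HijackThis lines copied from the two fix lists in this thread.
HJT_LINES = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [devenv] C:\WINDOWS\system\smvss.exe /w
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O20 - Winlogon Notify: prflbmsg32 - C:\WINDOWS\SYSTEM32\prflbmsg32.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-8287-79A187E26987} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-8287-79A187E26987} - (no file)
O4 - Global Startup: NCProTray.lnk = ?
"""

def extract_path(rest):
    """Pull the launched file out of an O4/O20 entry (quoted or bare path)."""
    m = re.search(r'"([^"]+)"', rest)
    if m:
        return m.group(1)
    m = re.search(r'([A-Za-z]:\\\S+?\.(?:exe|dll|sys))', rest, re.I)
    return m.group(1) if m else None

def suspicious_dir(path):
    r"""Heuristic (my assumption, not a HijackThis rule): autoruns living directly
    in C:\WINDOWS, in the old C:\WINDOWS\system folder, or under a temp folder
    deserve a closer look, as smvss.exe did in this thread."""
    d = path.lower().rsplit("\\", 1)[0]
    return d in ("c:\\windows", "c:\\windows\\system") or "\\temp" in d

def triage(text):
    """Return (line, reason) pairs for entries a helper would ask to fix."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" - ")
        if kind == "O20" and rest.startswith("Winlogon Notify"):
            findings.append((line, "Winlogon Notify DLL: rarely legitimate, check the DLL"))
        elif kind in ("O2", "O3") and rest.endswith("(no file)"):
            findings.append((line, "orphaned entry, target file is gone: safe to fix"))
        elif kind == "O4" and rest.endswith("= ?"):
            findings.append((line, "startup shortcut with unresolvable target"))
        elif kind == "O4":
            path = extract_path(rest)
            if path and suspicious_dir(path):
                findings.append((line, "autorun from an unusual folder: " + path))
    return findings

if __name__ == "__main__":
    for line, reason in triage(HJT_LINES):
        print(f"{reason}\n    {line}")
```

Running it lists five of the seven sample lines; the RealPlayer and QuickTime autoruns are left alone, matching the thread's "optional" handling of ordinary startup items.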
     
  12. starsky1971

    starsky1971 Private E-2

    I'll be following instructions below. In the meantime, I am totally confused about the Windows updates. Attached is what I see in Add/Remove Programs and also when I review updates on the Microsoft site. I just ran another manual scan and it didn't find anything to update.

    See Attachments

    I'll be posting the below shortly.
     

    Attached Files:

  13. starsky1971

    starsky1971 Private E-2

    Requested files attached. Thanks in advance for reviewing
     

    Attached Files:

  14. abri

    abri MajorGeek

    Hi starsky,

    I'm still not finding anything that looks like malware. Please see if you find the following file in Windows Explorer. If so, delete it.

    C:\WINDOWS\system32\prflbmsg32.dll


    How is your computer doing?
    abri
     
  15. starsky1971

    starsky1971 Private E-2

    Deleted file. There was another one prflbmsg.dll. I left it. Computer has been running OK. Startup a little slow but overall fine.
     
  16. starsky1971

    starsky1971 Private E-2

    I forgot. Do you see what I mean with regards to Windows Updates? I believe I have them all and it never finds any doing a manual scan, but your research indicated I don't have the most recent updates.
     
  17. abri

    abri MajorGeek

    Hi starsky,

    It was good to leave the file that looked similar to the other one.

    As to the Windows Updates, I think I'm just missing all the uninstalls for the updates that I usually see on other people's computers. Yours seem to be in order.

    Let me know if any other malicious files are identified by your antivirus program.
    abri
     
  18. starsky1971

    starsky1971 Private E-2

    Things have been running smoothly; antivirus and spyware not finding a thing. Thanks much,
     
  19. abri

    abri MajorGeek

    Thanks starsky!
    Enjoy your computer!
     
