Win32.trojan.agent removal from XP - check results

Hi and Welcome to Majorgeeks

Please do follow this guide to the letter and attach the full MGlogs.zip file as instructed in the guide as the other logs are needed.

 

You need to attach the requested log from ComboFix as stated in the READ & RUN ME. Based on your logs I can see you ran it. Just attach the C:\combofix.txt log.


Uninstall the below as requested in the READ ME:
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Then reboot your PC.

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


You need to also go back to step 1 of the READ ME and put your system into normal startup mode using MSconfig as was requested. You have malware items trapped in there and we cannot finish cleaning your PC until you follow the instructions properly.


Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below log:

• C:\MGlogs.zip

 

Which is one of many reasons why we specify not to use MSconfig. It is trapped in there and we needed to get it fixed and now it is.

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Symantec Core LC
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {7c1ce531-09e9-4fc5-9803-1c2956615786} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: PowerReg Scheduler.exe
O9 - Extra button: Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\europillamusica2\entrar.html (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
After clicking Fix, exit HJT.

Now reboot your PC.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

Then attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Your logs are clean.


If you are not having any other malware problems, it is time to do our final steps:

1. Uninstall COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\cf" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
2. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
3. If you are running Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
4. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You can delete this folder now.


You're welcome. Surf safely.