Trojaned? Not sure, so . . .

A little bit ago, while my computer was idling, AVG Free Edition, alerted me to a potential threat, a trojan. I opted for heal, which it did successfully. The same warning showed up again, to which I also chose heal. I ran a scan afterward in which AVG claimed there were no threats found. However, C:\\WINDOWS\system32\kernel32.dll is listed as changed.

I looked back at previous scans and found on 6.19 that previous change, some files from the World of Warcraft downloader and background downloader were deleted, and two files in the C:\System Volume Information\_restore followed by a long list of numbers were also deleted. The details under those listings show Trojan horse PSW.Generic4.TUV listed as infected, with deleted directly under it.

The last AVG scan I did claimed no threats. Ad-Aware had an update and found nothing. Spybot Search&Destroy had a number of updates and then found nothing on scan.

I run all of those scans every Tuesday and sometimes throughout the week as well. I've not done anything unusual on my machine, played WoW, checked e-mail, viewed the same sites I always do. So what can I do next to know if I am clean or not? If not, where did this come from and what do I do to get rid of it? I'm not sure if I need to follow the malware guide or not, so any advice is appreciated. I suspect I'll go ahead with those steps so I have the logs ready.

 

Seems there is not a current fix for this. Should I switch virus scanners? At least this explains why AVG suddenly noticed a threat when I had not even been actively at my computer much since my last scan. So this could be the entire deal, yet . . .

I'm still a bit concerned and curious though, as mIRC continues to refuse my connection to that chat system. Is this an effect of this situation? Would a resolution from AVG or Blizzard solve that connection issue, if that be the problem? I ran the other scans, so I can post logs if necessary.

 

I think you are right Chaslang, but I would like to make sure. So I attached the logs. Thanks in advance. If you could walk me through what files I need to delete and the system restore that would be appreciated. I get paranoid when dealing with this stuff.

 

Here are the attachments.

 

Last log from CounterSpy. I don't like this one because I've no idea where these results came from. :/

 

Thanks Chaslang. I'm having trouble deleting the version of Mozilla Firefox you listed. Add/Remove programs doesn't remove it, the hourglass spins a bit and stops, then the list of programs is just there, including Firefox. Even the uninstall from the folder does literally nothing. How do I get rid of it then? Should I manually delete the folder?

 

Yes the Mozilla entry still showed in Add/Remove Programs. The Your Uninstaller 2006! could not remove it either. So I installed the Sun Java Runtime Environment and Mozilla Firefox versions you listed and rebooted. The initial listing Mozilla Firefox (1.5.0.12) is still there in Add/Remove Programs along with the new version.

I also ran HJT per your instructions and only found one of your entries to fix:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) -- was there and fixed.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = -- there was only one HKCU entry and it did not match these, so I left it as is.

R3 - Default URLSearchHook is missing -- no R3 listing at all.

So do I go on and reset browser settings now or is there something else I need to do?

 

Here is the GetUnKey log.

 

In following the Reset Web Settings instructions, I found there is no "Reset Web Settings" option under the Programs tab. I followed the rest of the instructions.

 

Sorry about the IE7 note, missed that, so I did that now and the registry instructions you posted. Is there anything else I need do? Thanks again for all of your help and patience Chaslang.

 

So hopefully my last questions:

There are still 8 files listed as infected with Trojan horse PSW.Generic4.TUV (the false positive) in AVG virus vault, listed here:

C:\Program Files\World of Warcraft\BackgroundDownloader.exe
C:\Program Files\World of Warcraft\WoW-2.0.12.6456-to-2.1.0.6692-enUS-downloader.exe
C:\Program Files\World of Warcraft\WoW-2.1.0.6692-to-2.1.0.6729-enUS-downloader.exe
C:\Program Files\World of Warcraft\WoW-2.1.0.6729-to-2.1.1.6739-enUS-downloader.exe
C:\System Volume Information\_restore{CBFB9CC5-9963-4FB0-B691-F0E82EF6F198}\RP207\A0049157.exe
C:\System Volume Information\_restore{CBFB9CC5-9963-4FB0-B691-F0E82EF6F198}\RP209\A0050089.exe
C:\System Volume Information\_restore{CBFB9CC5-9963-4FB0-B691-F0E82EF6F198}\RP215\A0051712.exe
C:\System Volume Information\_restore{CBFB9CC5-9963-4FB0-B691-F0E82EF6F198}\RP215\A0051714.exe

What should I do with these listings? They are all listed as backup copies, so can I empty the vault which I assume deletes the files and empties the quarantine?

Also, AVG still has C:\WINDOWS\system32\kernel32.dll listed as Change and Changed on a scan. It is not considered a threat. I know there is a way to not list the changes in AVG, just can't find that option.

Thanks again, hopefully my machine is about back to the original state it was in before all of this.

 

Yes I did the system restore. Those listings were already in the AVG virus vault. I just wanted to know if I should delete them. Thanks for your help.