Agent.AP, Small.VQ virus won't leave

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by stolsen, Dec 7, 2004.

  1. stolsen

    stolsen Private E-2

    Hi

    I need some help ridding my computer of what seem to be some persistent viruses. I did all the steps in the tutorial and still get warnings of the following viruses in my ANTIVIR.

    The one I get most often is

    Trojan Horse TR\Dldr.Agent.AP

    I also get Dldr.Small.VQ

    and WINDOWS\DOGDQ.DLL

    Also, something called CWS.SearchX always comes up when I do a Spyware Doctor scan.

    Also abosearch.com/index.html often gets set as my homepage.

    Please help!

    thanks

    Steve
     
  2. jarcher

    jarcher I can't handle a title

    What ANTIVIR are you using?
    did you DL CWShredder?
    Adaware se/Spybot S&D. . .

    Go through this sticky again(follow all of it)
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal:
    make sure all programs are up to date
    Then run through this sticky
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting:
    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis! Please do this!!!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2
     
  3. stolsen

    stolsen Private E-2

    I run a program called AntiVir Guard on a regular basis and it, along with Spyware Doctor, is detecting right now. I used the following programs in Safe Mode with my System Restore off and the files were still found when I booted up in regular mode.

    CCleaner
    Ad-Aware SE with VX2 Cleaner
    Spybot
    SpywareBlaster
    McAfee AVERT Stinger
    CWShredder
    Kill2Me
    about:Buster
    HSRemove

    I downloaded HijackThis and put it in a folder.

    thanks

    steve
     
  4. jarcher

    jarcher I can't handle a title

    did you do the online scans
    in safe mode/with networking?

    or the Alternative Scans ?
    do that
    then attach a HJT log, after you go through the HJT sticky. . .
     
  5. stolsen

    stolsen Private E-2

    I ran all of the programs you mentioned that I could in Safe Mode and still stuff keeps being detected. The log file is attached.

    thanks again

    steve
     

    Attached Files:

  6. jarcher

    jarcher I can't handle a title

    I don't know what these are. . .

    appls.exe

    msaw32.exe <==== looks ugly
    m?iexec.exe <====this too

    make sure system restore is still disabled
    put it back in safe mode

    run Symantec's new removal tool: Symantec Trojan.Vundo Removal Tool 1.0.3

    maybe, that will help

    then run hjt again and check these entries

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abosearch.com/sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abosearch.com/sp.htm
    R3 - Default URLSearchHook is missing
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com

    close all windows
    click fix

    and post a new log
    I might have missed something
     
  7. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    Jarcher missed a few, so I thought I'd help out a little. :)


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them if possible:

    msaw32.exe
    appls.exe
    m?iexec.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abosearch.com/sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
    http://abosearch.com/index.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abosearch.com/index.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://abosearch.com/sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abosearch.com/index.html

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {FA402061-C457-66D0-CC72-378C7FF18253} - C:\WINDOWS\javasf.dll

    O4 - HKLM\..\Run: [appls.exe] C:\WINDOWS\appls.exe

    O4 - HKCU\..\Run: [Jjbxckg] C:\WINDOWS\System32\m?iexec.exe

    O4 - HKCU\..\Run: [taskmngr] C:\WINDOWS\System32\taskmngr.exe

    O15 - Trusted Zone: *.awmdabest.com

    O15 - Trusted Zone: *.frame.crazywinnings.com


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Now boot into Safe Mode and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\javasf.dll
    C:\WINDOWS\System32\taskmngr.exe - - -> Not to be confused with taskmgr.exe Note there is no "n"
    C:\WINDOWS\System32\m?iexec.exe
    C:\WINDOWS\appls.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.

    ALSO: I should note that O15 - Trusted Zone: *.frame.crazywinnings.com will probably come back. It is part of a new breed of baddie and I do not know how to kill it yet.

    Best luck :)
    PP
     
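    The instructions above come down to reading a HijackThis log for a handful of patterns: R0/R1 start and search pages pointed at an unfamiliar host, a missing default URLSearchHook, an unnamed BHO, O4 Run entries whose filename is a lookalike of a system binary (taskmngr.exe for taskmgr.exe) or contains an odd character (the ? in m?iexec.exe), and O15 Trusted Zone additions. The following script is an added example, not code from this thread or from the HijackThis project; it applies those same checks to a sample log built from the entries quoted above, plus one ordinary ctfmon.exe entry to show normal lines pass. The expected hosts (msn.com, microsoft.com), the stock local page path, the list of imitated system binaries, and the reading of ? as a character the log could not print are all assumptions made for the example, not facts from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample log: the HijackThis entries quoted in the thread above,
# plus one ordinary entry (ctfmon.exe) to show that normal lines pass untouched.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://abosearch.com/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abosearch.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FA402061-C457-66D0-CC72-378C7FF18253} - C:\WINDOWS\javasf.dll
O4 - HKLM\..\Run: [appls.exe] C:\WINDOWS\appls.exe
O4 - HKCU\..\Run: [Jjbxckg] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [taskmngr] C:\WINDOWS\System32\taskmngr.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

# Assumptions (not from the thread): hosts a stock IE start/search page may
# point at, and the stock local page on XP-era installs.
EXPECTED_HOSTS = ("msn.com", "microsoft.com")
EXPECTED_LOCAL_PAGE = r"c:\windows\system32\blank.htm"

# Assumed list of Windows binaries that hijackers like to imitate by name.
SYSTEM_BINARIES = {"taskmgr.exe", "msiexec.exe", "svchost.exe", "explorer.exe",
                   "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "ctfmon.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
ODD_CHAR_RE = re.compile(r"[^a-z0-9._\-]")   # anything outside plain ASCII filename characters


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalikes such as taskmngr.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def expected_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def check_entry(code, body):
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if code in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if "Local Page" in key and value.lower() != EXPECTED_LOCAL_PAGE:
            reasons.append("local page redirected to %s" % value)
        elif value.startswith(("http://", "https://")) and not expected_host(value):
            reasons.append("start/search page points at %s" % urlparse(value).hostname)
    elif code == "R3" and "missing" in body:
        reasons.append("default URLSearchHook has been removed")
    elif code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed browser helper object")
    elif code == "O4":
        m = re.search(r"\]\s*(.+)$", body)
        if m:
            name = m.group(1).strip().rsplit("\\", 1)[-1].lower()
            if ODD_CHAR_RE.search(name):
                reasons.append("filename contains a non-ASCII or odd character: %s" % name)
            if name not in SYSTEM_BINARIES:
                for known in sorted(SYSTEM_BINARIES):
                    if edit_distance(name, known) == 1:
                        reasons.append("%s is a one-character lookalike of %s" % (name, known))
    elif code == "O15":
        reasons.append("site added to the Trusted Zone: %s" % body.partition(":")[2].strip())
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return [(entry_line, [reasons...])] for flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        reasons = check_entry(m.group("code"), m.group("body"))
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("    ->", r)
```

    Run it on a saved log with `triage(open("hijackthis.log").read())`. The heuristics only narrow the list: appls.exe, which PhilliePhan identified by eye, passes every rule here because nothing about its name is unusual, so a flagged-or-not verdict from the script is a starting point for the kind of manual review done in this thread, not a replacement for it.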
  8. jarcher

    jarcher I can't handle a title

    Thanks, I wasn't too sure on some,
    and my wife was bugging me to get off, I did hurry.
    Sorry Steve,
    JA
     
  9. stolsen

    stolsen Private E-2

    Thanks for the help

    I have attached the log file.
    I ran Spybot twice by accident and both times it picked up something called DSO Exploit, even though I deleted it the first time through. On the first two webpages I visited (Google and this page) ANTIVIR popped up and told me that C:\\windows\systm32\sustc.dll (dldr.agent.ap) was found and asked what I wanted to do with it, so I said delete. I think the same thing popped up for both websites. ?? Any more advice?

    Thanks again so much

    steve
     

    Attached Files:

  10. stolsen

    stolsen Private E-2

    Just got an about:blank when I started up Explorer and I am getting popups almost every time I visit any page.

    dang!

    steve
     
  11. PhilliePhan

    PhilliePhan Guest

    Hi Steve,

    I don't yet know how to kill this one: O15 - Trusted Zone: *.frame.crazywinnings.com

    The others below may be connected to it somehow. Anyway, close all browser windows and have HijackThis fix the following:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ca7.hpwis.com/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

    O2 - BHO: (no name) - {ABE199E3-D9FF-9402-7CDB-478D4A6CB9D9} - C:\WINDOWS\system32\sdktp32.dll

    O15 - Trusted Zone: *.frame.crazywinnings.com


    Then boot to safe mode and delete these if found:

    C:\WINDOWS\system32\sdktp32.dll
    C:\WINDOWS\system32\msaw32.exe

    Reboot to normal windows and attach a fresh log. That Crazywinnings will likely be back and, as I mentioned, may have items that tag along with it.
    Sorry I can't help you further, but I have yet to find someone who knows how to kill this!!

    PP :)
     
  12. jarcher

    jarcher I can't handle a title

    hey P.P,
    could - O15 - Trusted Zone: *.frame.crazywinnings.com - be removed from the trusted sites in the IE security settings?

    would the Storage Guard ( sgtray.exe ) have anything to do with keeping it?
    probably not because it's inactive in safe mode, right?

    and the same with SHS.exe
    I mean, could it all be related?
     
  13. PhilliePhan

    PhilliePhan Guest

    I do not know. I've seen all sorts of different attempts made to get rid of this thing and they all have failed.
    But, if you've got a suggestion, post it. Who knows - It might just work! :)
    I can't help but wonder if this is related to that other hard to remove Trusted Zone Hijacker that we've been seeing lately.

    PP
     
  14. jarcher

    jarcher I can't handle a title

    well
    I, as in, me. . .
    would remove them. They seem to be a restore app, not put there by Windows,
    but I am not too familiar with either.

    If they were not put there by the user (in this case, Steve)
    they should be safe to remove, (technically), right?

    But anyway. .as far as the O15 entry
    have we checked the "Trusted sites" in IE?
    right click the IE icon on the desktop
    or click tools in your IE browser
    and open properties>security>trusted sites

    is it there? can you remove it?
     
  15. stolsen

    stolsen Private E-2

    It could be in the trusted sites - I can't get into that folder from the Tools - Options menu.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member