deja-virus, Reinfection Hell again...and again...and

Discussion in 'Malware Help (A Specialist Will Reply)' started by RAnerd, Nov 1, 2006.

  1. RAnerd

    RAnerd Private E-2

    Hello my friends, I hope you will be able to help me figure out where my re-infections keep coming from. I have 2 desktops and 1 laptop networked wirelessly using a Quest Actiontek DSL Router/Modem for file, printer and internet connection sharing.

    About a week ago I received an AVG alert during a download with my laptop which identified TrojanHorseDownloader.Generic.rar. AVG claimed it had quarantined the file and I promptly deleted it. Then I ran updated AVG virus scans on the other 2 PCs and nothing was found. Thinking I had caught it in time I forgot about it... for about a day or two, when again my laptop's AVG found another virus during a daily scan; this time it was the virus 'year1992/2', and after checking the other 2 PCs they had it too. So I did an online scan with PandaSoft and that found a few more spyware infections, I forget which ones, but I uninstalled AVG because it had missed those malware files and switched to ZoneAlarm Pro Internet Security Suite on all 3 PCs. It found the same few spyware items (basically just cookies) that PandaSoft did, so I considered myself cleaned once again.

    A day or 2 later the same virus is once again detected by ZA on my laptop (year 1992/2) along with a handful of spyware again. I had not been receiving any e-mail, browsing any sites except for known-safe sites, or downloading anything except for ZA Pro, Windows Defender, Spybot S&D, and MS and ZA updates and virus signature files, and I am the only user of these PCs. Of course the other 2 PCs were also infected again too.

    This time I unplugged the router and completely FDISKed, reformatted and reinstalled all 3 PCs, first from Drive Image files, and then later again from scratch when I found all 3 infected again shortly after a drive image restoration. Last night I followed ALL of the instructions on your forum "READ & RUN ME FIRST Before Asking for Support" and everything seemed to finally be clean. But now today ZA Pro once again finds "year 1992/2" and I have again noticed a couple of suspicious files, 'cli.exe' and 'wuauclt.exe', on my system, so I created another HJT log. I'm very sorry this post is so long but feel the extra info may be helpful. I will post both HJT logs, the one from last night and the one from today after the virus alert, along with the other files you ask for. My laptop is an Asus W2Jb, and the other 2 PCs are home-built desktops. Please let me know if you need any other info, and thank you in advance for your expertise.
     


  2. RAnerd

    RAnerd Private E-2

    And here are the other 3 files....
    Thanks again :)
     
  3. RAnerd

    RAnerd Private E-2

    And here are the other 3 files...
    Thank you
     


  4. RAnerd

    RAnerd Private E-2

    ....So please, could someone please translate these logs and tell me how to remove these things manually?
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I assume that the two HJT logs are from two different computers?

    If we are doing more than one computer I would like the computer we're working on disconnected from the internet while it's being cleaned. You will need HijackThis and CCleaner installed on each machine cleaned.

    Please attach a fresh HJT log from the first computer needed analyzed.
     
  6. RAnerd

    RAnerd Private E-2

    Hello! and Thank you in advance for your help.

    Both HJT logs were from the same pc, however, since it has been a couple of days I went ahead and did the whole procedure in "Read and Run First..." instructions and will post the 4 new files now. Nothing was detected in any of the scans. Thank you again for your help.
     


  7. RAnerd

    RAnerd Private E-2

    and the last file...
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I don't see anything in your logs, what problems are you having? Does AVG still detect the TrojanHorseDownloader as stated in your initial post?
     
  9. RAnerd

    RAnerd Private E-2

    Hey Bj, sorry it took so long to get back to you, I had my PCs offline while I tried to figure this out. This is what was happening. I did download a virus on my laptop (TrojanHorseDownloader.Generic.rar) and AVG found it right away and quarantined it, and I deleted it. Then as a precaution I also ran several scans on my laptop and the other 2 desktops. Panda's online ActiveScan was one of the alternative online antivirus tools I used on all 3. All the scans would come out clean on all 3 machines, and then later that night when my installed antivirus would run at 3 AM it would always pick up the same virus on all 3 machines (year 1992/2).

    What was happening was that a PandaSoft ActiveScan file was triggering a false positive for the file pskavs.dll in the ZA Pro scans. So after formatting and reinstalling and rescanning the machines, and finding them clean, first with my freshly installed antivirus, then with PandaSoft ActiveScan for redundancy, I was placing that same file on my machines again and again, to be found later by ZA Pro. What a nightmare! So I thank you very much for your time and help, and sorry for the false alarm. You guys are doing a great service here, thank you for the help.
     
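    The cycle RAnerd describes (wipe, reinstall scanner, get the same alert on every machine at the next scheduled scan) has a signature that can be checked before the next reformat: the flagged file has the same hash on every host, that hash belongs to something you installed yourself, and the install happened shortly before each alert. The script below is an added example for this thread, not code from the poster, MajorGeeks, Panda or ZoneAlarm. It groups alert records by path and detection name, checks hash agreement across hosts, looks the hash up in a known-good list, and correlates each alert with the most recent install whose directory contains the file. The host names, timestamps, the Panda install directory, the file contents behind the hashes and the known-good table are all constructed; in real use you would hash the quarantined file from disk and fill the known-good table from the vendor's published hashes.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: str) -> str:
    """Hash a file on disk; this is what real triage would call, not sha256_bytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

# Constructed stand-in for the scanner component that keeps getting flagged.
SCANNER_DLL = b"MZ\x90\x00 constructed scanner component, not a real binary"
SCANNER_HASH = sha256_bytes(SCANNER_DLL)
# hash -> product that ships the file (a vendor hash list in real use; constructed here)
KNOWN_GOOD = {SCANNER_HASH: "PandaActiveScan"}

def parse_detections(lines):
    """Tab-separated: ts, host, scanner, path, detection name, sha256 of the file."""
    rows = []
    for line in lines:
        ts, host, scanner, path, name, digest = line.split("\t")
        rows.append({"ts": datetime.strptime(ts, FMT), "host": host, "scanner": scanner,
                     "path": path, "name": name, "sha256": digest})
    return rows

def parse_installs(lines):
    """Tab-separated: ts, host, product, install directory (with trailing backslash)."""
    rows = []
    for line in lines:
        ts, host, product, directory = line.split("\t")
        rows.append({"ts": datetime.strptime(ts, FMT), "host": host,
                     "product": product, "dir": directory})
    return rows

def preceding_install(det, installs, window):
    """Most recent install on the same host, inside `window` before the alert,
    whose install directory contains the flagged file; None if there is none."""
    best = None
    for ins in installs:
        same_host = ins["host"] == det["host"]
        under_dir = det["path"].lower().startswith(ins["dir"].lower())
        in_window = det["ts"] - window <= ins["ts"] <= det["ts"]
        if same_host and under_dir and in_window and (best is None or ins["ts"] > best["ts"]):
            best = ins
    return best

def triage(detections, installs, known_good, window=timedelta(hours=24)):
    """Group alerts by (path, detection name) and classify each group."""
    groups = defaultdict(list)
    for d in detections:
        groups[(d["path"].lower(), d["name"])].append(d)
    verdicts = {}
    for key, dets in groups.items():
        hashes = {d["sha256"] for d in dets}
        hosts = {d["host"] for d in dets}
        found = [preceding_install(d, installs, window) for d in dets]
        products = {i["product"] for i in found if i}
        digest = next(iter(hashes)) if len(hashes) == 1 else None   # None if hosts disagree
        if digest in known_good and all(found) and products == {known_good[digest]}:
            verdict = "likely false positive"
            reason = (f"identical hash on {len(hosts)} host(s); the file ships with "
                      f"{known_good[digest]}, installed shortly before every alert")
        elif digest in known_good:
            verdict = "verify manually"
            reason = "hash is on the known-good list, but no matching install preceded every alert"
        else:
            verdict = "treat as infection"
            reason = "hash unknown or differs between hosts, and no benign install explains it"
        verdicts[key] = {"verdict": verdict, "reason": reason,
                         "hosts": sorted(hosts), "hashes": sorted(hashes)}
    return verdicts

# Constructed sample records: three hosts got the online scanner the evening before a 3 AM scan.
PANDA_DIR = "C:\\Program Files\\Panda Software\\ActiveScan\\"   # assumed install path
FLAGGED = PANDA_DIR + "pskavs.dll"
SAMPLE_INSTALLS = [f"2006-10-31 22:{m:02d}:00\t{h}\tPandaActiveScan\t{PANDA_DIR}"
                   for h, m in (("laptop", 10), ("desktop1", 35), ("desktop2", 50))]
SAMPLE_DETECTIONS = [
    f"2006-11-01 03:00:{s:02d}\t{h}\tZA_Pro\t{FLAGGED}\tyear1992/2\t{SCANNER_HASH}"
    for h, s in (("laptop", 12), ("desktop1", 40), ("desktop2", 55))
] + [  # a file whose contents differ per host and that no install explains
    f"2006-11-01 03:02:{s:02d}\t{h}\tZA_Pro\tC:\\WINDOWS\\Temp\\dl1.exe\tDownloader.Generic\t"
    f"{sha256_bytes(p)}"
    for h, s, p in (("laptop", 0, b"payload-a"), ("desktop1", 30, b"payload-b"))
]

if __name__ == "__main__":
    results = triage(parse_detections(SAMPLE_DETECTIONS), parse_installs(SAMPLE_INSTALLS), KNOWN_GOOD)
    for (path, name), v in results.items():
        print(f"{name} at {path}: {v['verdict']} ({v['reason']})")
```

    The "verify manually" branch is deliberate: a known-good hash with no install to explain its presence is not proof of a false positive, since a known file can also be dropped by something else. Only the combination of identical hash, known-good listing and an install you performed yourself on each host justifies skipping the wipe; anything else should still be treated as the real reinfection the thread's title assumes.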
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

