Downloader.Agent and Trojan Woes

Discussion in 'Malware Help (A Specialist Will Reply)' started by gfuller, Nov 19, 2007.

  1. gfuller

    gfuller Private E-2

    Yesterday I got hit with some Downloader.Agent.emo and others and several Trojans. AVG quarantine no help. Here is the latest HJT file. Please help!

    Edit: Removed inline log for guide below to be run
     
    Last edited by a moderator: Nov 19, 2007
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. gfuller

    gfuller Private E-2

    Still working on prelim scans as requested, but bogus security popups are now gone. Will report results when done. :)
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    That's good they are gone, however there are more than likely several traces remaining. If you have any questions/problems just let us know.

    Will check back later for logs. :)
     
  5. gfuller

    gfuller Private E-2

    Ran prelim scans as requested. Unable to run scans in Safe mode. Most went well, had to run Bitdefender twice, unable to get log saved, as IE shut down immediately after scan. Also no log for Panda Activescan, as it did not offer a save or save as function.

    While running several of these later scans, noticed IE bringing up web pages I didn't request (Buzznet, Free College Scholarships.net, etc.), on top of the pages I was on, so I think there's still some minor problems. These pages also come up with IE closed. IE also shut down unexpectedly several times. :(

    Will attach 3 logs here, balance in next post.
     

  6. gfuller

    gfuller Private E-2

    See attached current HJT log.
     

  7. gfuller

    gfuller Private E-2

    Forgot to rename HJT.exe to analysethis.exe. Did that, and new log attached. Still getting random IE web page popups, even when IE closed. :cry
     

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, we should relocate HJT to a safer location. Please relocate HJT to C:\Program Files\HJT.

    Once you have renamed HJT, run ComboFix as stated below.

    Running ComboFix

    Once you have run ComboFix, attach fresh logs from the below.

    • GetRunKey
    • ShowNew
    • HijackThis
    • ComboFix
     
  9. gfuller

    gfuller Private E-2

    I'm exhausted. Popups back with a vengeance. Virtumonde and some other Trojans are ruining my pc happiness. Updated logs attached as requested. :(
     
  10. gfuller

    gfuller Private E-2

    And this. Oops, forgot to upload prev. 3 files. Coming next.
     

  11. gfuller

    gfuller Private E-2

    3 updated files attached. I await your assistance.
     

  12. gfuller

    gfuller Private E-2

    Additional info: Since this ordeal began (about a week ago), my desktop shows 2 new 'shield' icons, 'Live Safety Center', and 'Online Security Guide'. Both icons keep returning upon deletion.

    Many of the unwanted popups look like IE with a 'Security Toolbar 7.1', with bogus alerts, warnings, and some misspellings.

    Others arise from a yellow 'Yield' type 'System Alert: Malware Threats' in the taskbar at screen bottom.

    They just keep coming!

    Please help! :cry
     
  13. gfuller

    gfuller Private E-2

    Now IE home page is hijacked, and some bogus security toolbar is at screen top. Unable to use IE.


    WHY IS NO ONE HELPING ME???????????
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have got to be patient! We are all volunteers in this forum. We have real lives at home and work, and those come first! As time permits we come in and post; if things are busy, which they are this time of year, then our time here is limited. We make time to come in but it's still tough with our real lives and it being the holidays.
     
    Last edited: Nov 27, 2007
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.

    Step 2:
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Step 4:
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    Step 5: Begin here after rebooting from Step 4!
    Next Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


    Step 6:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 7:
    After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  16. gfuller

    gfuller Private E-2

    First, I want to apologize for my rude outburst. I spent all weekend fighting with my pc, and my frustration got the better of me.
    Popups are gone, as far as I can tell. IE appears normal.
    Unable to find one of the files to delete with HJT: O2 - BHO: {f21c979e-3a08-4538-etc.....
    All else went smoothly, no problems.

    Thanks for your help, in spite of me.
    I was unable to log into my wife's account (XP) yesterday, and haven't checked that yet.

    Please see files attached.
    Another post with addt'l file follows.
     

  17. gfuller

    gfuller Private E-2

    I noticed the shield icons for Live Safety Center and Online Security Guide have reappeared on my desktop, but so far no popups. Is this normal?

    Also unable to attach any files in Firefox, am now using IE.
     

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    Step 1:
    First, we need to remove a bad service…
    • Now Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to DomainService
    • Then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste DomainService into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Step 2:
    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    Step 3:
    Next, we need to run Avenger again, just like you did before.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Step 4: Begin here after rebooting from Step 3!
    Next, run CCleaner to clean up cookies and temp files.

    Step 5:
    After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
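    A read-only PowerShell triage script, added here as an example and not part of bjgarrick's instructions: it lists what the DomainService entry, the O2 BHO entries and the Run keys (the data GetRunKey.bat collects) actually point at, so the file behind each entry can be checked before it is removed. It assumes an Administrator PowerShell on the affected machine; the partial CLSID is the one quoted earlier in the thread.

```powershell
# Added example (not from the thread). Read-only: nothing is stopped or deleted.
$svcName   = 'DomainService'          # service named in Step 1 above
$bhoPrefix = '{f21c979e-3a08-4538'    # partial CLSID quoted in the thread (rest elided)

# 1. Service: startup type (4 = Disabled, 2 = Automatic) and the binary it loads
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    "Service $svcName  Start=$($svc.Start)  ImagePath=$($svc.ImagePath)"
    # svchost-hosted services keep the real code in Parameters\ServiceDll
    $dll = (Get-ItemProperty "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { "  ServiceDll=$dll" }
} else {
    "Service $svcName not present"
}

# 2. Browser Helper Objects (HJT's O2 entries): CLSID -> InprocServer32 DLL
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
            -ErrorAction SilentlyContinue).'(default)'
    $flag = if ($clsid -like "$bhoPrefix*") { '  <-- matches the HJT fix list entry' } else { '' }
    "BHO $clsid -> $dll$flag"
}

# 3. Run keys for both hives (what GetRunKey.bat collects into runkeys.txt)
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    (Get-ItemProperty $key -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { "$hive Run: $($_.Name) = $($_.Value)" }
}
```

    Compare each path printed against the entries HJT shows; an ImagePath or BHO DLL under a temp or system directory with a random name is the item the fix steps above target.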
     
  19. gfuller

    gfuller Private E-2

    O.K. The shield icons 'Live Safety Center' and 'Online Security Guide' are still on my desktop. When attempting to delete Domain Service after stopping and disabling it, I got error message 'The service you entered is system-critical. It cannot be deleted.'

    I also had to reboot before running Avenger, as I was in safe mode (after unsuccessful deletion of DomainService in regular mode, same error message), because Avenger didn't like my typing in the code manually. I went to MajorGeeks and copied the code for Avenger, and it worked fine then.

    I'm not sure where I stand now, but here's the logs. 4th file to follow.
     

  20. gfuller

    gfuller Private E-2

    And the Avenger log.
     

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  22. gfuller

    gfuller Private E-2

    I'm finished with the cleanup. Deleted the shield icons, and they have not returned on restart. The article 'How to Protect yourself from malware' is about 4 years old, so I hesitate following the instructions/recommended downloads too closely.

    Thanks very much for your help, your vast knowledge, and your patience with me.:)
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The thread was created in October of 2004, however we keep it updated to stay current. We stay on top of everything in the Malware Forum. It is safe to follow the thread; read a little closer and you'll see it was updated recently. ;)

    You're Welcome! :major
     