Trojan horse downloader.agent 5K, 5L and Dyfica help please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ianc, Dec 27, 2004.

  1. ianc

    ianc Private E-2

    Hi there, I have some viruses/trojans I need help in removing please. I apologize for the length of this post, but I wanted
    to include all the info I could. :)

    I have read the "read me first...." thread and followed the instructions. Results are listed below, under symptoms
    and system specs.

    On a normal scheduled daily scan, AVG found the following:

    trojan horse downloader.agent.5K
    trojan horse downloader.agent.5L
    trojan horse downloader.dyfica.3.e

    As well, my homepage was changed to about:blank.
    50+ urls added in a folder to my IE faves.
    Numerous ad pop-ups, notably ads for virus scanners.

    System specs:

    AMD Barton 2500 @ 2.2
    512mb pc3200 ram
    1-30gb + 1-40gb hdd
    xp pro sp1

    internet is dsl high speed thru a linksys wired router. Also connected to router is a second computer.
    I have an up to date purchased Zone Alarm Pro firewall and AVG free edition. Both run at all times. I run
    Ad-Aware and Spybot S&D regularly.

    "read me first...." results

    prep work:

    1. System restore disabled.
    2. "network security service" disabled, other two were not present (similar but not exact)
    3. File viewing enabled.
    4. Tools installed and updated as required.


    Scanning and Cleaning:

    1. Trend Micro scan, tried previously in normal mode, crashes IE. Didn't use to until last week when AVG detected the above
    trojans. Ran scan in safe mode and detected the following:

    "TROJ HIDEPROC B", listed three times, says uncleanable but I was able to delete them.

    Symantec scan in safe mode: One infected file found, but IE crashed before the type was listed. Three re-boots in safe
    mode with networking with the same result. Running Symantec in normal mode and it found 17 instances of two files,
    "PWS.HOOKER.TROJAN" and "TROJAN.BYTE.VERIFY".

    Ran Ad-Aware se in safe mode: 16 new critical objects found. 4 registry keys, 7 registry values and 5 files. The reg keys
    and values were all associated with coolwebsearch. The remaining file was DyFuCa located in c:/temp.optimize.exe. All 16
    objects were moved to quarantine folder. I deleted the quarantine archive folder. In normal mode, a full scan will be
    done and results shown, but Ad-Aware will close when I attempt to delete them. All the files found were related to cws,
    yet cwshredder says my system is clean.

    McAfee stinger: Scan found 263313 clean files, no viruses/trojans found.

    A-Squared scan found four malware files, all in mirc32.exe. I'd rather not delete these files as I use mIRC every day,
    but I'll delete them and try re-installing mIRC later when my problems are solved.

    After all this was done, I re-booted in normal mode to check the results. My homepage was restored, but within the hour
    had reverted to about:blank again. I decided to run thru the procedures a second time. This time Symantec only detected
    one file, "pws.hooker trojan" located in "c:/program files/teamspeak2_rc2/keypress.dll" This is an online voice program
    I use to play team games. Spybot S&D was clean. Spyware blaster lists several instances of about:blank being the system
    home page.

    Ad-Aware now finds 20 critical objects, all CWS related, yet CWShredder says I am clean.

    I can't seem to connect to the internet in safe mode anymore, but this may be a problem with the router. It can be
    twitchy at times. Trend micro closes IE in normal mode when I try to scan.

    I have run hjt as per the sticky thread and fixed several items that were obviously about:blank related, but on re-boot
    they come back. My latest log is available.

    Any help is appreciated....thanks. :)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member



    MIRC32 - MIRC32.exe - Process Information

    Process File: MIRC32 or MIRC32.exe
    Process Name: Backdoor.IRC.Spybuzz

    Description:
    MIRC32.exe is a process which is registered as the Backdoor.IRC.Spybuzz Trojan. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately. Please see additional details regarding this process



    So why do you want to keep this and why do you use it?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. ianc

    ianc Private E-2

    Hello and thanks,

    mIRC is aka Internet Relay Chat, an online method of communication. A chatroom, so to speak. mirc32.exe is the application's executable file. I use it daily to chat with friends.

    http://www.mirc.com/

    I'm guessing the mirc32.exe malware files are named similarly to avoid detection/deletion. Anyhoo, will remove as required.

    hjt log attached.

    ianc
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow ALL the steps of the READ ME FIRST. Step 2 of
    Getting Prepared; Steps to be sure your system is ready to be scanned:

    2: Network Security, Workstation Netlogon Services & Remote Procedure Call (RPC) Helper (Windows XP, 2K, NT); Only do this step if you have the about:blank or home search hijack. You need to check to see if any of the following three Windows services are running:

    • Network Security Service
    • Workstation Netlogon Service
    • Remote Procedure Call (RPC) Helper
    You have the Network Security Service running and you have the HSA hijack. Why did you skip that step and why didn't you run HSremove and About:Buster?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After Stopping and Disabling the Network Security Service as per the tutorial, do the below.

    Run HSremove
    Run About:Buster
    and say yes to secondary scan! Save the log to a file called ab1.txt
    Run About:Buster again and say yes to secondary scan! Save the log to a file called ab2.txt

    Make sure you have system restore disabled and viewing of hidden files enabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\iplx.exe
    WinServAd.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hgxqh.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hgxqh.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hgxqh.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hgxqh.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hgxqh.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hgxqh.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hgxqh.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {5D04D4AD-FEBB-3BE2-CE5A-DA41BFA2F067} - C:\WINDOWS\ievx.dll
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKLM\..\Run: [d3em32.exe] C:\WINDOWS\system32\d3em32.exe
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
    O23 - Service: Network Security Service - Unknown - C:\WINDOWS\iplx.exe

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\hgxqh.dll
    C:\WINDOWS\ievx.dll
    C:\WINDOWS\iplx.exe
    C:\Program Files\Windows ServeAd <--- the whole folder
    C:\WINDOWS\system32\d3em32.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
    These hijacks can be very stubborn and quite often come back as soon as a browser is opened. It sometimes takes very detailed procedures to remove them.
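    The HijackThis lines chaslang lists above follow a few recognisable patterns (start/search pages reset to about:blank or served from a local DLL via res://, a missing URLSearchHook, an unnamed BHO, services with an unknown publisher or a missing binary). The script below is an added example, not part of the thread or of HijackThis itself; it parses HJT-style entries and flags those patterns, using the entries from this thread plus one constructed benign line as sample input. The file-name list is taken from the cleanup instructions above.

```python
import re

# Constructed sample: HJT entries quoted from the thread, plus one benign line made up for contrast
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hgxqh.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5D04D4AD-FEBB-3BE2-CE5A-DA41BFA2F067} - C:\WINDOWS\ievx.dll
O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\iplx.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
"""

# "<kind> - <body>" is the HJT line layout; R = registry/IE settings, O = other startup/service items
HJT_ENTRY = re.compile(r"^(?P<kind>R\d|O\d{1,2})\s+-\s+(?P<body>.+)$")

# File names named in the thread's cleanup list (from the post above)
KNOWN_BAD_FILES = {"hgxqh.dll", "ievx.dll", "iplx.exe", "winservad.exe", "d3em32.exe", "zeta.exe"}


def classify(kind, body):
    """Return a reason if the entry matches a hijack pattern discussed in this thread, else None."""
    value = body.rsplit(" = ", 1)[-1].strip() if " = " in body else ""
    lower = body.lower()
    if kind in ("R0", "R1"):
        if value == "about:blank":
            return "home/search page reset to about:blank"
        if value.lower().startswith("res://"):
            return "search page served from a local DLL via res://"
    if kind == "R3" and "is missing" in lower:
        return "default URLSearchHook removed"
    if kind == "O2" and "(no name)" in lower:
        return "unnamed Browser Helper Object"
    if kind == "O23" and (" - unknown - " in lower or "(file missing)" in lower):
        return "service with unknown publisher or missing binary"
    if any(name in lower for name in KNOWN_BAD_FILES):
        return "references a file named in the cleanup list"
    return None


def triage(log_text):
    """Parse HJT-style lines and return (reason, line) pairs for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        match = HJT_ENTRY.match(raw.strip())
        if match:
            reason = classify(match["kind"], match["body"])
            if reason:
                findings.append((reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```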
     
  7. ianc

    ianc Private E-2

    Hmmmm...."network security service" was disabled as per my 1st post. The other two items were similar but not exact, so I left them. I did run HSremove and about:buster before my first post as well. My apologies if I didn't list them. About:buster removed 7 data streams yesterday. I shall confirm system restore is off and that "network security service" is disabled and then go thru the instructions from your last post.
     
  8. ianc

    ianc Private E-2

    Dohhhh..

    network security service was stopped but not disabled. Now fixed.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Finish the other steps I posted.
     
  10. ianc

    ianc Private E-2

    Well ok then....

    disabled network security service
    ran HSRemove - 8 items removed
    ran About:Buster - 6 data streams removed 1st time, 2 data streams 2nd time and clean run the 3rd time.

    iplx.exe and winservad.exe were not in task manager.

    Ran HJT and removed items as directed.

    Re-booted in safe mode for file deletion:
    /system32/hgxqh not found
    /ievx.dll not found
    /iplx.exe found in prefetch folder and deleted
    /windows servead folder found and deleted
    /d3em32.exe found in prefetch folder and deleted

    Rebooted in normal mode and ran hjt, log attached.

    I seem to have a clean system. My homepage is back to normal, no new urls in fave folder. I can now connect to trend micro in normal mode and not crash IE.

    WOOOHOOO!!!! :) Mucho thanks.

    Couple of questions now though. Regarding the mirc32.exe, was it renamed malware, and is IRC chat safe/not safe to use?

    The various antispy progs I now have running in the background, are they all ok to be running at the same time without conflicts? Apps such as TCactive, A-Squared, SpySubtract and the usual Zone Alarm and AVG.
     


  11. ianc

    ianc Private E-2

    Well ok....maybe not then.

    I can no longer access windows explorer while in normal mode, only in safe mode. Normally I access windows explorer thru start/my computer. When I do that now, I get a blank screen and the swivelling flashlight icon. After about 30 seconds I get the pop-up with the message about this program not responding. In safe mode, it comes up with no probs.

    Can this be related to any of the virus/trojan probs we just cleaned up or is it just co-incidental? Either way, would someone be so kind as to suggest how I might get Windows Explorer back. Thanks.
     
  12. ianc

    ianc Private E-2

    Spoke too soon it would seem. Now Windows Explorer pops right up again. :)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log was clean. I am not familiar with IRC chat. All I know is that mirc32.exe is a trojan according to many sources. Whether there is a similarly named valid application remains to be seen. Perhaps you need to do some Google/Ecite searching on mirc32.exe and check out what you find.

    Here are a couple of links:
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.spybuzz.html
    http://www.liutilities.com/products/wintaskspro/processlibrary/MIRC32/
    http://www.sophos.com/virusinfo/analyses/trojmirchacka.html <--- see the Description Tab
    http://computercops.biz/startuplist-4457.html
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=bkdr_ircflood.y&vsect=t
     
  14. ianc

    ianc Private E-2

    Thanks for the help chaslang. Appreciate it. Will keep irc un-installed till I can find some more info as you suggest.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You may find out that what you had is a valid application and that various forms of malware either use the same file name or actually take advantage of security holes to create problems. You may want to ask questions about the actual program name over in the Software Forum and see what everyone there knows about it.
     
