Trojan Horse Downloader.Agent.6.I

The online scanners in the READ ME thread are not optional. They must be run. Did you skip anything else?

Have you manually gone in yourself in safe mode and looked for the files (like C:\WINDOWS\SYSTEM32\MSWX.DLL ) and look to see if still present and delete them.

 

The READ ME tells you:

You need to run them in normal boot mode and you should have reported that you had a problem trying to run them in safe mode so you ran them in normal mode.

Complete the scans and report back!

 

What is your complete version number of AVG?
And have you run a full scan with AVG in safe mode?

 

If it is always changing names, something else must be spawing the DLLs.
Besides C:\WINDOWS\SYSTEM32\MSWX.DLL what other names have you seen?
Is it still called C:\WINDOWS\SYSTEM32\MSWX.DLL?

Please download Pocket KillBox do not run yet.
Here are the files that we need to delete using PocketKillbox.

C:\WINDOWS\SYSTEM32\iecust.exe
C:\WINDOWS\SYSTEM32\openconf.exe
C:\WINDOWS\SYSTEM32\pentxpl.exe
C:\WINDOWS\SYSTEM32\qappsrvc32.exe
C:\WINDOWS\SYSTEM32\taskopen.exe
C:\WINDOWS\SYSTEM32\unlodctl.exe
C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
C:\WINDOWS\SYSTEM32\msqr.dll
C:\WINDOWS\SYSTEM32\iecust.dll
C:\WINDOWS\SYSTEM32\dnsauth.dll
C:\WINDOWS\SYSTEM32\dx9vbc.dll
C:\WINDOWS\SYSTEM32\msuv.dll
C:\WINDOWS\SYSTEM32\mswx.dll
C:\WINDOWS\SYSTEM32\msvw.dll
C:\WINDOWS\SYSTEM32\menu.txt
C:\WINDOWS\SYSTEM32\msno.dll
C:\WINDOWS\SYSTEM32\msab.dll
C:\WINDOWS\SYSTEM32\hdon.dll
C:\WINDOWS\SYSTEM32\msxy.dll
C:\WINDOWS\system32\msfg.dll
C:\WINDOWS\system32\mstu.dll
C:\WINDOWS\system32\mslm.dll

and C:\WINDOWS\system32\mswx.dll


Here is the procedure to use to delete them. Run Pocket Killbox. Select the option to Replace on Reboot.

Now you are going to repeat the below steps for every file except C:\WINDOWS\system32\mswx.dll (we will add it separately at the end). Replace the the word fullpathfile with the actual full file name path from above (one file at a time). For example, the first time you paste in C:\WINDOWS\SYSTEM32\iecust.exe



1) Now, Copy and Paste fullpathfile into the box
2) Check the option to Use Dummy.
3) Now, Click the Red X and Yes to the confirmation message.
4) A message will ask if you want to reboot now – Click NO.
5) Repeat for all files except the last one

For the last file, we will be rebooting when prompted. Here is the final step of the file deletions:

Now, Copy and Paste C:\WINDOWS\system32\mswx.dll into the box. Check the option to Use Dummy and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your machine to reboot but boot into Safe Mode and run a full scan with AVG and let's see what happens. Write down any files that it finds.

If you still have the problem, download the below file to your computer where you can find it.

RemV3.Zip

Extract all the files to a folder (make it a folder for only these tools).
Then boot into safe mode and run the remv3.bat file.

Now reboot in normal mode and try running AVG.

 

Well at least we now have a clean AVG scan!
qappsrvc32.exe is not a system file. It is part of the infection we were trying to clean. Something is trying to load it. Please post a HijackThis log attachment.

 

You're welcome.

Yes! msi.dll is needed. See this: http://www.liutilities.com/products/wintaskspro/dlllibrary/msi/

You have some new stuff in your log to fix. One of them is a trojan. Also stop using HSremove unless you have an HSA hijack.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll (file missing)
After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\WINDOWS\system32\taskopen.exe

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

Now you really need to perform the steps here: How to Protect yourself from malware!

 

You're welcome.

No HJT does not delete files. It only fixes (removes) registry entries.

At any rate, your log is clean now.

 

You're welcome. The How to protect will help prevent problems but nothing can stop them completely.

 

That BHO is part of FlashGet. I'm not sure why it says no file if you still have FlashGet installed. There should be a file associated with it. Do you use FlashGet? You could try uninstalling FlashGet and rebooting and then re-installing it and see if the file now shows up.

I believe the file should be jccatch.dll

I had you remove the O2 - BHO line earlier because there was no file, but since they keep putting it back you may need to re-install to get the file back.