Trojan Horse Downloader.Agent.ACAC

hi there,
first got to say thanks for any help you can give me on this one!
2 or 3 days ago windows warned me i picked up Trojan Horse Downloader.Agent.ACAC.
i found you guys and followed the instructions in READ & RUN ME FIRST Before Asking for Support post the best i could.
every this seems to be runing ok but i'm posting the logs just incase.
thanks again for any help mac666

 

here's the last log

 

Hi mac666,
Welcome to Major Geeks!

You have most of the infections removed. Please do the following:

1) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. Then go to C:\ and delete all the files with this structure: sqmnoopt12.sqm


2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only). In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"


After you click fix, just close hijackthis.


4) Next I would like to have you use ComboFix to remove some files.

• Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

DRIVER::
gel90xne

FILE::
C:\DOCUME~1\Owner\LOCALS~1\Temp\gel90xne.sys

FILELOOK:
C:\WINDOWS\num41.jbd

DIRLOOK:
C:\8278d48afe59555442a3f3
C:\Remote Programs

FILELOOK:
C:\Windows\System32\ezsidmv.dat

REGISTRY::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


5) Now run CCleaner at the default setting with the Windows tab as the top one.

6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


Let me know how things are running now?

abri

 

hi abri, i've done all you asked and here's the fresh logs.
thanks for your help, my pc's been running fine so without you guys i wouldn't have known i still had crap on it.
again thanks mac666

 

Hi mac666,
Not to worry. Your computer was not in bad shape at this point. Please go ahead with the final cleanup instructions, which will have you remove most ot the tools and logs you have on your computer as a result of the cleaning procedures we had you run and which will have you wipe out your previous restore points and set a fresh clean one.

abri