Trojan Horse Downloader

Discussion in 'Malware Help (A Specialist Will Reply)' started by blindcast, Aug 9, 2006.

  1. blindcast

    blindcast Private E-2

    I'm running Windows XP Home with Avenger Free as my virus software. Last Thursday, Avenger alerted me to the presence of a virus, but did not move it to the vault as it usually does. When I tried to manually remove the files, the virus reappeared as another file. I then followed your instructions on removing the virus on Friday and it actually seemed to do the trick. Today it was back attached to two wininet.dll files on my D drive (recovery partition). I tried to carve them out by going into safe mode and dos, but they're back again on D in the System Volume Information folder. Avenger identifies the virus as Trojan horse Downloader.Agent.ETP. To my knowledge, it hasn't really done anything (no pop-ups or other annoying things), but I'm concerned that it may have opened a portal into my computer. I've disconnected my Internet access.
    By the way, I also have an E drive for my backups and the infected computer was networked to another desktop and a laptop, although these two have not shown any indication of being infected.
    Really getting desperate here. Any help would be IMMENSELY appreciated.
     
  2. matt.chugg

    matt.chugg MajorGeek

    Welcome to Majorgeeks!

    Sounds like the ones in the Volume Information might be an infected restore point but we'll come to that later:

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. blindcast

    blindcast Private E-2

    Thanks for your help. Have run all the steps outlined to the best of my ability and here are the logs.
     


  4. blindcast

    blindcast Private E-2

    Here is the second set. Thanks.
     


  5. blindcast

    blindcast Private E-2

    Was in a bit of a hurry earlier when I sent in the log and didn't provide all the details you requested. Sorry 'bout that. Here are the answers to your questions:

    Yes, the restore points seem to be infected, but it looks to me like that's just what the virus happened to glom onto. It was bouncing around in my C drive on Friday and, after doing all the steps, it seemed to be gone, only to resurface in the restore files on my D drive (partition of C).

    Have followed, to the best of my ability, all the steps outlined in "Read and Run Me First".
    The versions should all be up to date as of at least last Thursday and even since then.
    All of the required scans ran perfectly and Panda found the files exactly where Avenger identified them (D, System Volume Information). Other scans came up empty.
    Was able to download all recommended items.
    Did all the online scans recommended. They worked fine.

    Right now the Trojan seems to be happily sitting back in the two files in the D, System Volume Information and isn't doing much unless I try to delete the two files. In which case it hops over to another safe haven on C or D. It doesn't seem to have found its way over to E, which is another hard drive completely.

    That's about all I know to tell you. REALLY appreciate your help on this.
     
  6. blindcast

    blindcast Private E-2

    Here's an update. Just ran Avenger and it seems I now have Trojan Horse Downloader Generic2.JOM on an .exe restore file in C:\System Volume Information. I keep the computer disconnected from the network (am sending/receiving messages from my laptop) so I don't think new infections are coming in; I assume that there's something in the machine that's self-propagating. Do I need to purge and rebuild my system? Am getting desperate. Thanks.
     
