Viruses in system32 folder

[mauserme]

Can you post the AVG log while I look at hjt?

[Steven6767]

yea sure here it is

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   7:58:14 AM 4/15/2007

 + Scan result:   



C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000019.exe -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0001014.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002069.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\Program Files\Alwil Software\Avast4\DATA\moved\tmp2.tmp.vir -> Backdoor.Apex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002061.exe -> Downloader.Agent.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0003049.exe -> Downloader.Agent.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0003040.dll -> Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[3] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[4] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\windm[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\mine\Desktop\SDFix\backups\xpupdate.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0001045.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[1] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[2] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[3] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[1] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[2] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[3] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[1] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[2] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[3] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[4] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[5] -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000021.exe -> Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\mine\Desktop\SDFix\backups\partnership.dll -> Proxy.Xorpix.bc : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.31:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.41:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.68:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.54:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.53:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.34:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.36:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.37:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.38:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.33:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.74:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\mine\Cookies\mine@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.35:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.40:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[1] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[2] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[3] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[4] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[5] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[1] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[2] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[3] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[1] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[2] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[3] -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000016.exe -> Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000018.exe -> Trojan.Agent.bou : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002068.dll -> Trojan.Vqten : Cleaned with backup (quarantined).


::Report end

[mauserme]

Click Start > Run

In the empty filed type cmd and click OK

At the command prompt type

sc delete Microsoft IEUpdater2

and hit enter.

When you ran AVG the first time did you qurantine everything?  Are all these in your AVG log new items now?

[Steven6767]

When I do the cmd and type it it says " The specified service does not exist as an installed service"

I qaurantined everything but what do you mean are they new items now?

[mauserme]

I qaurantined everything but what do you mean are they new items now?

At the end of the first AVG scan there should have been an option to set Quarantine as the option to apply and a button to Apply All Actions.  If you did that on the first scan then all of the items you just posted on the subsequent scan are new and there is still a problem.

But looking at this logically I think you didn't quarantine the first time.  This is the only way I can make sense of the empty log from the first scan and the fact that System Restore files are being tagged in the second scan.

But, do you remember either way?  I would like to confirm my hypothesis if possible.

[Steven6767]

Yea I think I forgot to click apply all actions because I thought they were all quarantined. I might have just x'ed out of it.

[Steven6767]

I'm gonna go for a while, i'll be back on in a half hour or so. So I'll reply back then

[mauserme]

Yea I think I forgot to click apply all actions because I thought they were all quarantined. I might have just x'ed out of it.

I think that's probably it.

I asked you to run CleanUp earlier in this process but maybe that got missed too.  Go ahead and run it now to clean up any remaining temporary internet files (close your browser first).  When it asks about logging out you don't need to do that immediately.

Your computer should be running a bit faster now that it's clean.

Since it is clean let's create a new system restore point and get rid of the old ones.

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialog box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

To get rid of the old ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialog box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close

The files you moved to the user section of the avast! chest should be emailed to Alwil by highlighting them and clicking the email icon.  After successfully sending them they should be deleted.

SDFix and the backups can also be deleted now (there's no need to keep the program.  It's updated very often so if you ever needed it again you would want to download a fresh copy).

Keep AVG AntiSpyware even after the trial period ends.  Its good to scan with it from time to time (I scan weekly).  You can augment this with Super AntiSpyware if you like - its also free

http://www.superantispyware.com/

You should also download Spyware Blaster.  Install it, update, and "enable all protection".  Do this now, while your computer is clean

http://www.javacoolsoftware.com/spywareblaster.html

The free version needs to be manually updated about once a month.

And, without wanting to sound like your mom, I would have to say there are safer surfing habits than you've been exercising lately    For sure set your Web Shield to high - its not going to slow you down noticeably.  But also think about the sites you visit -  before you get there.

And don't forget to get SP2.

Finally, DavidR posted some information about Drop My Rights in your other thread.  That advice is well worth following.


EDIT:  Please take a quick look for C:\WINDOWS\system32\clcl3.exe.  I just want to confirm that it's been deleted.

[Steven6767]

Ok, I will tommorow though, because I don't have enough time tonight. I'll reply to you tommorow and tell you how everything went.

[mauserme]

Ok - see you later.

[Steven6767]

It says for the Cleanup "Do you want to delete everything that isn't recent?" wouldn't that wipe out some of my programs that I use but don't use them often?

[mauserme]

I don't remember ever seeing that statement with CleanUp.  Here's how mine is set





Instead of CleanUp you could use ATF Cleaner

http://www.atribune.org/content/view/19/2/

On the main ATF Cleaner page check everything except Prefetch and click Empty Selected.  Since you use Firefox make sure you click that tab too and check everything except Saved Form Info and Saved Passwords.  Then click Empty Selected again.

[Lisandro]

It says for the Cleanup "Do you want to delete everything that isn't recent?" wouldn't that wipe out some of my programs that I use but don't use them often?

From which application does this error message belong?

[polonus]

Hi Steven6767,

Forward the infected file(s) to Avast please (info on their Website), before cleaning it out.
Information on this malware can be found here:
http://411-spyware.com/remove-trojan-downloader-small-2

polonus

[polonus]

Hi Mauserme,

You perform this cleansing routine here. Nothing wrong with this. But you saw that Avast missed the malware file definition. Why you stated that it was not to be mailed by the victim further up in this thread?
Avst should have detection for this as well, isn't it? Or what were your considerations?

polonus