Win32:Agent-HOP [Wrm] ..Avast cannot delete file

[extreme_21]

I keep getting pop-up windows, my comp gets really slow..my clock changes from 12h to 24h and my computer will randomly shut down, when I try to restart it shuts down at the windows boot screen..the only way to restart is in safe mode..i then run avast thorough scan..then restart as normal. Avast is also going crazy with warnings...but they keep coming back..some can't even be deleted/repaired/moved+renamed. I tried getting help on another forum, but no luck.
So far I've run VundoFix(v6.5.1), ComboFix, SUPERAntiSpyWare..and Avast thorough scan along with Avast Virus Cleaner.
If it helps, here's my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:53:19 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\msrr.exe
C:\Documents and Settings\Chris\Desktop\AntiVirus Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177258613250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171083299846
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)

[polonus]

Hi extreme_21,

This should be fixed:
Visitor's assessment Analyzerdetails
   R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
   
Kind
   
Neutral
Neutral
   This entry should be fixed by HijackThis!

polonus

[extreme_21]

Ok done, but could that of been causing all the problems??
..latest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:07:29 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\msrr.exe
C:\Documents and Settings\Chris\Desktop\AntiVirus Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108w.bay108.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177258613250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171083299846
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)

[extreme_21]

Well just an update..Avast keeps detecting "C:\Windows32\Syetem32\lset.exe[molebox]" ..I'll select to delete, but avast will give another warning in about 30mins of the same file.

[FreewheelinFrank]

Hi extreme_21,

There's nothing in the log. Try looking for and removing rootkits (hidden malware):

Panda Antirootkit

Blacklight

AVG Anti-Rootkit

If anything turns up, run a boot time scan with avast! immediately afterwards. Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.

Follow this with a scan with AVG Anti-Spyware:

AVG Anti-Spyware

[Lisandro]

But avast will give another warning in about 30mins of the same file.

If a virus is replicant (coming and coming again), you should:

1) Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3).

2) Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3) Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4) It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.

5) If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications like Frank suggested.

6) After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

7) Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

[mauserme]

I tried getting help on another forum ...

Could you post a link to that so we can see what's already been done?


EDIT:  I guess I could have looked first ...

http://forums.techguy.org/security/584634-win32-agent-hop-molebox-how.html

[polonus]

Hi extreme_21,

MSN Messenger may be infected, and when you start it reinfects. De-install MSN Messenger just for now.
Download ATF Cleaner from here: http://www.atribune.org/ccount/click.php?id=1 Select All and then Empty Selected. Now Download DrWeb's CureIt from here: http://www.freedrweb.com/cureit/ run it after you started in SafeMode and after that delete C:\qoobox

polonus

[mauserme]

yayvwvv.dll (and possibly some other bad guys) is starting from the registry and won't appear in HijackThis.

[Lisandro]

yayvwvv.dll (and possibly some other bad guys) is starting from the registry and won't appear in HijackThis.

Won't it appear on Autoruns?

[mauserme]

I misspoke - my eyes strayed to the line below in the ComboFix log and I incorrectly read that it was starting from

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg

when it actually loads from

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify

That line was already fixed in HJT but the file remains.

I'm always reluctant to interfere with an ongoing thread from another forum, but I'll look more closely at this a bit later and see if I can offer any suggestions.

[mauserme]

Lets see if we can at least get rid of some of the more stubborn files with OTMoveIt.

Download OTMoveIt  by OldTimer and save it to your desktop.

Next, double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\windows\system32\fccayxu.dll
C:\WINDOWS\system32\yayvwvv.dll
C:\WINDOWS\system32\puloruoj.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also upload these to Virus Total for analysis and post the results

C:\DOCUME~1\Chris\psetup.exe
C:\WINDOWS\system32\eqokgmko.dll
C:\DOCUME~1\Steph\spee.exe
C:\WINDOWS\system32\wrxrpybm.exe

[extreme_21]

omg thanx so much guys, i haven't hada chance to try any of the fix's in this post yet..i've been trying since last week just to get my computer to start up again..if i got it to start up, i lost internet. ne-waz I'm gonna get home at around 6 tonite and will try anything that was mentioned. Here's the link to the other forums describing everything i've done+ I've disabled and anabled system restore..no difference

[extreme_21]

http://forums.techguy.org/security/584634-win32-agent-hop-molebox-how.html#post4815641

[mauserme]

Seems like that other thread is has died, and since its been a while we should probably start over (sorry).

Please post fresh ComboFix and HJT logs which you already know how to do, plus a WinPFind log:

Download WinPFind3u.exe  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

• Close ALL OTHER PROGRAMS.
  
• Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  
• Under Additional Scans click the checkboxes in front of the following items to select them:
  
  Non-Microsoft Only
  
• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.



These scans should be done in the order I posted.  Also, please download and scan with a new copy of ComboFix as the signatures may have been updated since you last used it.  I linked to it above.


EDIT:  If you haven't already rid your computer of the old Java please do.  Here's a link to the current version

http://filehippo.com/download_java_runtime/

After installing it open Add/Remove Programs in the Control Panel and uninstall any versions older than the one you just downloaded (the update process will not do this for you).