Author Topic: VBS:Agent-IL  (Read 11200 times)


ben83

  • Guest
VBS:Agent-IL
« on: January 31, 2011, 05:12:21 PM »
Hi

Avast has detected "VBS:Agent-IL" a couple of times trying to access mshta.exe

The trojan seems to be located in the following path every time - C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\xxxxxxxxxx\ and is in a file called "jhkhj[1].htm"

There are sometimes multiple copies of this file in this cache.

After Avast has detected this in the background I have run a full scan and restarted to do a boot scan where Avast removes jhkhj.htm.

When I have rebooted and run in normal Windows for a while this trojan reappears however.  I have also tried booting into safe mode and manually deleted all files in this cache which has the same result.

I do not use Internet Explorer (but have v8 installed).  I use Firefox v3.6.13 and Avast Pro v5.1.889.

I have also scanned with Malwarebytes which does not pick the trojan up.

I have also noticed that I cannot do file searches in File Explorer or print in Outlook Express v6.

Attached is the hijackthis report.  Thanks



Offline Pondus

  • Probably Bot
  • Posts: 37700
Re: VBS:Agent-IL
« Reply #1 on: January 31, 2011, 05:16:05 PM »
Try cleaning your temp files

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Did it help?

ben83

  • Guest
Re: VBS:Agent-IL
« Reply #2 on: January 31, 2011, 07:54:44 PM »
Ran the above (which cleared 2+ GB of temp files) and also downloaded and ran Super Anti Spyware (which found Trojan Agent:Gen-Nullo).

Been working on laptop for around an hour and Avast has background scanned jhkhj[1].htm in C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\MXRBOCE5 trying to access mshta.exe again.

I've noticed that since I rebooted, 3 other cache folders have been created with nothing in them.

I've run hijackthis and attached a new log before I reboot.


Offline Pondus

  • Probably Bot
  • Posts: 37700
Re: VBS:Agent-IL
« Reply #3 on: January 31, 2011, 08:03:44 PM »
OK, I've PM'd Essexboy...


While waiting you can do this:


Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(do not post logs in the guide)

To avoid multiple posts with copy and paste, you have to attach the logs.

Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt.)
« Last Edit: January 31, 2011, 08:08:02 PM by Pondus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: VBS:Agent-IL
« Reply #4 on: January 31, 2011, 09:12:41 PM »
Monitoring

Could you scan this file with Avast C:\WINDOWS\awizacanuveruqap.dll if it finds nothing then add it to the chest and upload it to the labs as malware
« Last Edit: January 31, 2011, 09:14:13 PM by essexboy »

ben83

  • Guest
Re: VBS:Agent-IL
« Reply #5 on: January 31, 2011, 09:40:56 PM »
Quote
Monitoring

Could you scan this file with Avast C:\WINDOWS\awizacanuveruqap.dll if it finds nothing then add it to the chest and upload it to the labs as malware

Moved above file into chest and submitted it to Labs.

I've also run OTL as suggested by Pondus and the results are attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: VBS:Agent-IL
« Reply #6 on: January 31, 2011, 10:48:30 PM »
OK, let's now kill it  ;D  On completion of the OTL fix, could you re-run Malwarebytes please?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - No CLSID value found.
    O4 - HKLM..\Run: [Wfunoh] C:\WINDOWS\awizacanuveruqap.dll ()
    [2011/01/31 20:22:31 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tlepomucetuhes.dat

    :Files
    ipconfig /flushdns /c
    C:\WINDOWS\tasks\At*.job

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
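The OTL fix above hits four spots: a Run value in HKLM that launches a DLL, at.exe jobs under C:\WINDOWS\tasks, the NetworkService Temporary Internet Files cache where jhkhj[1].htm kept reappearing, and the hosts file. As an added example (my own, not from the thread, OTL or Avast), here is a PowerShell triage script that reads those same spots and reports anything odd without deleting. The paths are the Windows XP paths quoted in the thread, and the heuristics (a Run value pointing at a .dll or a missing file, any HTML/HTA file in a service account's cache, any hosts line beyond localhost) are my assumptions about what is worth a second look.

```powershell
# Added triage script: reports on the locations the OTL fix targets. Read-only; deletes nothing.
# Written for PowerShell 2 (the last version that runs on XP SP3); run from an elevated prompt.
# Paths and registry key are the Windows XP locations named in the thread (assumed).

$windir    = $env:SystemRoot                                   # C:\WINDOWS on the poster's machine
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$nsCache   = 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5'
$hostsFile = Join-Path $windir 'system32\drivers\etc\hosts'
$psNoise   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider metadata, not Run values

$findings = @()

# 1. HKLM Run: the fix removed [Wfunoh] -> C:\WINDOWS\awizacanuveruqap.dll.
#    A Run value that launches a .dll, or whose target no longer exists, deserves a look.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }      # quoted path, keep it whole
        else { $exe = ($cmd -split ' /| -')[0].Trim() }           # unquoted: drop " /x" or " -x" arguments
        if (-not $exe) { continue }
        $reason = $null
        if ($exe -match '\.dll$') { $reason = 'Run value launches a DLL' }
        elseif (-not (Test-Path -LiteralPath $exe)) { $reason = 'Run target does not exist' }
        if ($reason) {
            $findings += New-Object PSObject -Property @{ Check = 'HKLM Run'; Item = "$($prop.Name) = $cmd"; Reason = $reason }
        }
    }
}

# 2. Scheduled tasks: the fix deleted C:\WINDOWS\tasks\At*.job (jobs created with at.exe).
foreach ($job in Get-ChildItem -Path (Join-Path $windir 'Tasks') -Filter 'At*.job' -Force -ErrorAction SilentlyContinue) {
    $findings += New-Object PSObject -Property @{ Check = 'At job'; Item = $job.FullName; Reason = 'at.exe task present' }
}

# 3. The NetworkService IE cache: a service account's cache should not normally hold HTML/HTA files.
if (Test-Path -LiteralPath $nsCache) {
    foreach ($f in Get-ChildItem -LiteralPath $nsCache -Recurse -Force -Include *.htm,*.html,*.hta -ErrorAction SilentlyContinue) {
        $findings += New-Object PSObject -Property @{ Check = 'NetworkService cache'; Item = $f.FullName; Reason = "$($f.Length) bytes, modified $($f.LastWriteTime)" }
    }
}

# 4. hosts file: the fix ran [resethosts]; anything beyond the localhost lines is worth a look.
if (Test-Path -LiteralPath $hostsFile) {
    foreach ($line in Get-Content -LiteralPath $hostsFile) {
        if ($line -notmatch '\S' -or $line -match '^\s*#') { continue }                 # blank or comment
        if ($line -match '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') { continue }        # default entries
        $findings += New-Object PSObject -Property @{ Check = 'hosts'; Item = $line.Trim(); Reason = 'non-default hosts entry' }
    }
}

if ($findings.Count -eq 0) { 'No findings in the checked locations.' }
else { $findings | Sort-Object Check | Format-Table Check, Item, Reason -AutoSize -Wrap }
```

Run it once before the OTL fix and once after the reboot: the first run should list the Run value, the At*.job files and the cached .htm, and the second run should come back clean. Anything that reappears on the second run points at a loader the fix has not yet reached.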

ben83

  • Guest
Re: VBS:Agent-IL
« Reply #7 on: February 01, 2011, 10:37:14 AM »
Ran the cure in OTL.  So far it looks like the trojan has gone.

Malwarebytes doesn't pick up anything (it hasn't all the way through anyway).
Avast doesn't pick up anything.

The temporary internet cache is still empty.

The file search in Windows and the print function in Outlook Express still aren't working but that could be something else.

Attached is the OTL log (it hasn't produced Extra.txt this time).  Do you have any idea what the trojan did/does?

Thanks for all your help.  I'll update later after using the computer today to let you know if the trojan comes back.

Offline Pondus

  • Probably Bot
  • Posts: 37700
Re: VBS:Agent-IL
« Reply #8 on: February 01, 2011, 12:30:01 PM »
Quote
Attached are the OTL log (it hasn't produced Extra.txt this time).
I think it is only produced the first time you run it for extra system info

Essexboy is back about 8:00pm - 11:59pm uk time

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: VBS:Agent-IL
« Reply #9 on: February 01, 2011, 08:21:50 PM »
Yes, it will only produce the extras on the first run unless specifically asked for.

One remnant now revealed, and this was a Vundo variant - a trojan downloader.  What problems are you having with file search?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    [2011/01/31 13:29:30 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Hjukis.bin

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done



ben83

  • Guest
Re: VBS:Agent-IL
« Reply #10 on: February 01, 2011, 09:35:18 PM »
OK, I've run that again as instructed.  I haven't had any of those htm files appearing today so that problem has definitely been fixed.

I've run OTL again for you just in case you need it.

The problems I am having with my system are as follows:

  • Outlook Express 6 will not produce a print dialog when selecting file > print or Ctrl-P.
  • Windows file search is not working - stupid dog just appears (see screenshot).
  • I do not appear to be able to System Restore through Start Menu > Help and Support.
  • I cannot get onto Windows Update through IE8 (I've reinstalled IE8 as well).

I don't know whether these are related to the trojan or not?

Are there any steps I should be taking with passwords etc. after having this infection?
« Last Edit: February 01, 2011, 09:40:03 PM by ben83 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: VBS:Agent-IL
« Reply #11 on: February 01, 2011, 10:13:02 PM »
For the restore, do you get a blank calendar?
When you try to get Windows updates, what error do you get?

I saw no indication of a password stealer - but it is always prudent after an infection to do the following:

Quote
One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

ben83

  • Guest
Re: VBS:Agent-IL
« Reply #12 on: February 01, 2011, 10:34:29 PM »
For the restore I click on Start Menu > Help and Support and an hourglass briefly shows but then nothing.  Tried in Safe Mode as well but it appears something has disabled it.

For Windows Updates, when I click on Start Menu > Windows Update it loads IE8 to the following address http://windowsupdate.microsoft.com/ and I get a white screen and nothing more.  I can browse the rest of the Microsoft site apart from that page.  I've reinstalled IE8 and checked all the ActiveX controls but nothing's working.  I'd just use Firefox or Chrome but they just bring up a page saying I need to use IE5+.

I do have Automatic Updates turned on and the system does update itself but I wanted to check through the traditional interface that I was all up to date.  Plus it's irritating and worrying when things don't work.

Fixed Outlook problem by installing Thunderbird  ::) (it's a much better program than it was last time I used it)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: VBS:Agent-IL
« Reply #13 on: February 01, 2011, 10:43:40 PM »
Go to start > All Programs > Accessories
Click Command Prompt
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot

ben83

  • Guest
Re: VBS:Agent-IL
« Reply #14 on: February 01, 2011, 11:27:39 PM »
Quote
Go to start > All Programs > Accessories
Click Command Prompt
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot


The above ran but didn't appear to find anything.  On reboot all problems described are still the same.
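The three symptoms left after sfc (Help and Support not opening, Search Companion showing only the dog, a blank Windows Update page) all live in XP components that depend on a few system services and on the VBScript/JScript engines being registered. As an added diagnostic, not something the thread established, here is the PowerShell check I would run next. The mapping of features to service names and the idea that an unregistered script engine could produce these symptoms are my assumptions; the script only reports state and changes nothing.

```powershell
# Added health check (not from the thread): service state behind the broken features, plus
# whether the VBScript and JScript engines resolve to a DLL that exists on disk.
# PowerShell 2 syntax so it runs on XP SP3. Read-only.

# Feature -> XP service name (assumed mapping, my own)
$services = @{
    'Help and Support Center'      = 'helpsvc'
    'System Restore'               = 'srservice'
    'Automatic Updates'            = 'wuauserv'
    'Background Intelligent Xfer'  = 'BITS'
    'Cryptographic Services'       = 'CryptSvc'    # Windows Update needs it to verify packages
}
'--- Services ---'
foreach ($feature in $services.Keys) {
    $name = $services[$feature]
    $svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { '{0,-30} {1,-10} {2}' -f $feature, $name, $svc.Status }
    else      { '{0,-30} {1,-10} {2}' -f $feature, $name, 'NOT INSTALLED / missing' }
}

# Script engines: Help and Support, Search Companion and the Windows Update site are HTML-based
# and need these engines. Resolve ProgID -> CLSID -> InprocServer32 and confirm the DLL exists,
# so no CLSID has to be hard-coded. (Assumption: a plausible cause, not one the thread found.)
'--- Script engines ---'
foreach ($progId in 'VBScript','JScript') {
    $clsid = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) { "$progId : ProgID not registered"; continue }
    $srv = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    if (-not $srv) { "$progId : CLSID $clsid has no InprocServer32"; continue }
    $srvPath = [Environment]::ExpandEnvironmentVariables($srv)
    $state   = if (Test-Path -LiteralPath $srvPath) { 'present' } else { 'MISSING' }
    '{0,-8} {1} -> {2} ({3})' -f $progId, $clsid, $srvPath, $state
}
```

A service reported as Stopped or Disabled, or an engine reported as not registered or MISSING, narrows the problem to one component that sfc did not repair; a clean report means the cause lies elsewhere and the remaining symptoms are probably unrelated to the infection.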