
Can not remove trojan horse dropper

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2005/09/13.

  1. 2005/09/16
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Added info:

    I just noticed, after AVG scanned and gave its detail list, that most of the Trojans are "Infected Embedded Objects" and "Infected Archive"... After seeing that, I recalled how the owner of the computer had mentioned that his Word Perfect no longer worked and was hoping I could get that re-installed... Now I am wondering if something in the Word Perfect got infected, and then Embedded from there???
     
  2. 2005/09/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, make sure hidden files and folders are set to show.
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Then go to http://www.thespykiller.co.uk/forum/ , the uploads section, and upload the following files if present. Leave a link to this topic please.

    C:\WINDOWS\mssmbios.exe
    C:\WINDOWS\winmon.exe
    C:\WINDOWS\taskbarmngr.exe
    C:\WINDOWS\System32\msconfig32.exe

    Then, please download Ewido security suite; it is a free version of the program.
    1. Install Ewido security suite
    2. When installing, under "Additional Options" uncheck:
      • Install background guard
      • Install scan via context menu
    3. Launch Ewido, there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update Ewido to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    If you are having problems with the updater, you can use this link to manually update Ewido.
    Ewido manual updates


    Once the updates are installed do the following:
    • Reboot to safe mode
    • Open Ewido and click on scanner
    • Click on Complete System Scan and the scan will begin.
    • While the scan is in progress you will be prompted to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop.
    Now close Ewido security suite.

    Reboot back into normal mode, post the Ewido log and a new HijackThis log.

    Can you please give me the exact locations and filenames of the infected files reported by AVG?
     

  4. 2005/09/16
    Master Green

    Hi,
    Per your request, here is what the AVG detects and shows:
    (1) Trojan Horse Dropper Agent.HG
    c:\windows\cmdxp.exe\dreese.exe
    (2) Trojan Horse Dropper Agent.IA
    c:\windows\cmdxp.exe\setup.exe
    (3) Trojan Horse Dropper Agent.HG
    c:\windows\cmdxp.exe
    (4) Trojan Horse Dropper.7.K
    c:\windows\Slipit.exe\dreese.exe
    (5) Trojan Horse Dropper Agent.7.K
    c:\windows\Slipit.exe
    (6) Trojan Horse Dropper Agent.7.K
    c:\windows\Slipit.exe\dreese.exe
    (7) Trojan Horse Dropper Agent IA
    c:\windows\Slipit.exe\Setup.exe
    (8) Trojan Horse Dropper Agent.7.K
    c:\windows\Slipit.exe
    (9) Trojan Horse Dropper Agent.IA
    c:\windows\windowmedias.exe
    (10) Trojan Horse Dropper Agent.IA
    c:\windows\windowsmedias.exe
    (11) Trojan Horse Dropper Agent.IA
    c:\windows\wingls.exe\omi.exe
    (12) Trojan Horse Dropper Agent.IA
    c:\windows\wingls.exe

    * That is the list of infected files that AVG, Trojan Hunter, Spybot, AdwareSE and CWShredder (along with added protection from Spyware Blaster and Spyware Guard) have not been able to remove in Normal Mode or Safe Mode, with or without showing hidden files & folders, plus disabling System Restore.
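The nested paths in this listing (a second filename after an .exe) are the scanner's way of reporting an object found inside a dropper, which is what the "Infected Embedded Objects" wording earlier in the thread refers to. The following is an added Python example, not code from AVG or from any poster, that groups such a listing by the on-disk container file; the sample input is copied from the list above, and the container-extension list is an assumption.

```python
r"""Group an AV listing into the on-disk container files and the objects inside them.

Added example for this thread, not code from AVG or from any poster. A scanner
reports an object found inside an installer or archive as extra path components
after the container, e.g. c:\windows\cmdxp.exe\dreese.exe: cmdxp.exe is the file
on disk and dreese.exe only a member of it, so members cannot be deleted one at a
time; quarantining the container clears the whole group.
"""
import re
from collections import defaultdict

# Constructed sample in the format of the AVG listing posted in the thread:
# a numbered detection name on one line, the flagged path on the next.
AVG_LISTING = r"""
(1) Trojan Horse Dropper Agent.HG
c:\windows\cmdxp.exe\dreese.exe
(2) Trojan Horse Dropper Agent.IA
c:\windows\cmdxp.exe\setup.exe
(3) Trojan Horse Dropper Agent.HG
c:\windows\cmdxp.exe
(4) Trojan Horse Dropper.7.K
c:\windows\Slipit.exe\dreese.exe
(5) Trojan Horse Dropper Agent.7.K
c:\windows\Slipit.exe
(6) Trojan Horse Dropper Agent.7.K
c:\windows\Slipit.exe\dreese.exe
(9) Trojan Horse Dropper Agent.IA
c:\windows\windowmedias.exe
(11) Trojan Horse Dropper Agent.IA
c:\windows\wingls.exe\omi.exe
(12) Trojan Horse Dropper Agent.IA
c:\windows\wingls.exe
"""

# File types a scanner descends into (assumed list; extend as needed).
CONTAINER_EXT = (".exe", ".dll", ".cab", ".zip", ".rar", ".msi")
ENTRY_RE = re.compile(r"^\((\d+)\)\s+(.+)$")  # e.g. "(3) Trojan Horse Dropper Agent.HG"


def split_container(path: str):
    r"""Split a scanner path into (container, member); member is None for a plain file.

    c:\windows\cmdxp.exe\dreese.exe -> ("c:\windows\cmdxp.exe", "dreese.exe")
    The first container-looking component that is not the last one is the file
    that actually exists on disk.
    """
    parts = path.split("\\")
    for i, part in enumerate(parts[:-1]):
        if part.lower().endswith(CONTAINER_EXT):
            return "\\".join(parts[:i + 1]), "\\".join(parts[i + 1:])
    return path, None


def parse_listing(text: str):
    """Yield (detection_name, path) pairs from the two-line numbered format."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i + 1 < len(lines):
        m = ENTRY_RE.match(lines[i])
        if m is None:            # tolerate stray lines such as a poster's footnote
            i += 1
            continue
        yield m.group(2).strip(), lines[i + 1]
        i += 2


def group_by_container(text: str):
    """Map container path (lower-cased) -> {member or None: set of detection names};
    the None key collects detections reported on the container file itself."""
    groups = defaultdict(lambda: defaultdict(set))
    for name, path in parse_listing(text):
        container, member = split_container(path)
        groups[container.lower()][member.lower() if member else None].add(name)
    return groups


def summarize(groups):
    """Per container: embedded members, whether the container itself was flagged,
    and every detection name involved. Either way the container is the file to act on."""
    out = {}
    for container, members in groups.items():
        out[container] = {
            "embedded": sorted(m for m in members if m is not None),
            "self_flagged": None in members,
            "detections": sorted({n for names in members.values() for n in names}),
        }
    return out


if __name__ == "__main__":
    for container, info in summarize(group_by_container(AVG_LISTING)).items():
        print(f"{container}: self_flagged={info['self_flagged']} embedded={info['embedded']}")
```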
     
  5. 2005/09/16
    Master Green

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 12:11:25 AM, 9/17/2005
    + Report-Checksum: 175C73B3

    + Scan result:

    C:\AoautoUpdateNav.exe -> Spyware.WinAD : Cleaned with backup
    C:\autosupdate.exe -> Spyware.WinAD : Cleaned with backup
    C:\AutoUpdate.exe -> Spyware.WinAD : Cleaned with backup
    C:\dd.exe -> Spyware.WinAD : Cleaned with backup
    C:\des.exe -> Spyware.WinAD : Cleaned with backup
    C:\dffjj.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
    C:\dffjj.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
    :mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
    :mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
    :mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.70:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
    :mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.100:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.102:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.104:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.106:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.107:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.108:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.109:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    :mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.116:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.118:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    :mozilla.137:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
    :mozilla.138:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
    :mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
    :mozilla.141:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
    :mozilla.142:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
    :mozilla.143:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    :mozilla.149:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    :mozilla.157:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    :mozilla.159:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    :mozilla.160:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    :mozilla.161:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    :mozilla.174:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    :mozilla.181:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
    :mozilla.182:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\ieupdate.exe -> Spyware.WinAD : Cleaned with backup
    C:\lp.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
    C:\lpe.exe -> Spyware.WinAD : Cleaned with backup
    C:\sd934k.exe/kans.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
    C:\sd934k.exe/kansup.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
    C:\WINDOWS\aolmsg.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\aolmsgs.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\defrag.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\dreese.exe -> Spyware.EliteBar : Cleaned with backup
    C:\WINDOWS\slipit.exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
    C:\WINDOWS\split.exe/dreese.exe -> TrojanDropper.Agent.kd : Cleaned with backup
    C:\WINDOWS\system32\eraseme_27332.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
    C:\WINDOWS\system32\hpdriver.sys -> Trojan.Rootkit.Agent.ae : Cleaned with backup
    C:\WINDOWS\system32\Jqkxsy.exe -> Spyware.DealHelper : Cleaned with backup
    C:\WINDOWS\system32\msjpnd.dll -> Spyware.WebSearch : Cleaned with backup
    C:\WINDOWS\system32\nsj36.dll -> Spyware.HotSearchBar : Cleaned with backup
    C:\WINDOWS\system32\TFTP1756 -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
    C:\WINDOWS\system32\TFTP2692 -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\system32\TFTP3176 -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\system32\TFTP3780 -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\windowsmedias.exe/omi.exe -> TrojanDropper.Agent.hn : Cleaned with backup
    C:\WINDOWS\wingls.exe/omi.exe -> TrojanDropper.Agent.hn : Cleaned with backup
    C:\wuampdr.exe -> Spyware.WinAD : Cleaned with backup


    ::Report End
     
  6. 2005/09/16
    Master Green

    Logfile of HijackThis v1.99.1
    Scan saved at 12:48:12 AM, on 9/17/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\mssmbios.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 3 for hijackthis-2.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe
    O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)
    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
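As an added example (not from HijackThis or from anyone in the thread), this Python snippet triages O23 and O4 lines like those above using the cues the helper's file request implies: an unknown owner, "(file missing)", a binary sitting directly in the Windows root, and an autorun that names a bare executable with no path. The sample lines are copied from the log above; the heuristics and the C:\WINDOWS location are assumptions.

```python
r"""Triage HijackThis O23 (services) and O4 (autorun) lines.

Added example for this thread, not code from HijackThis or from any poster. It
surfaces the same cues the helper used when asking for the suspect files: a
service with an unknown owner, a service whose binary is missing, a binary
placed directly in the Windows root rather than a subfolder, and an autorun
that gives a bare filename instead of a full path. These are hints for a human
to follow up, not a verdict: a legitimate vendor file in the Windows root (the
AOL service in the sample) is surfaced too.
"""
import re

# Constructed sample, lines copied from the HijackThis log posted in the thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")

WINDIR = r"c:\windows"   # assumed; use the real %WINDIR% of the machine


def program_of(cmd: str) -> str:
    """Return the executable part of an autorun command line, unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split(" ", 1)[0]


def in_windir_root(path: str) -> bool:
    r"""True when the file sits directly in %WINDIR% (e.g. C:\WINDOWS\winmon.exe),
    not in a subfolder such as System32 where system services normally live."""
    p = path.strip().lower()
    return p.startswith(WINDIR + "\\") and "\\" not in p[len(WINDIR) + 1:]


def triage(log: str):
    """Return a list of findings {type, name, path, reasons} for suspect lines."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["owner"] == "Unknown owner":
                reasons.append("unknown owner")
            if m["missing"]:
                # The service entry outlived its binary: leftover persistence
                # that should be removed so a re-dropped file cannot reuse it.
                reasons.append("binary missing")
            if in_windir_root(m["path"]):
                reasons.append("binary in %WINDIR% root")
            if reasons:
                findings.append({"type": "O23", "name": m["name"],
                                 "path": m["path"].strip(), "reasons": reasons})
            continue
        m = O4_RE.match(line)
        if m:
            prog = program_of(m["cmd"])
            if "\\" not in prog:
                # No directory given: Windows resolves it through the search
                # path, a common sign of a dropped file registering itself.
                findings.append({"type": "O4", "name": m["key"], "path": prog,
                                 "reasons": ["bare filename, no path"]})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"{f['type']} {f['name']!r}: {f['path']} -> {', '.join(f['reasons'])}")
```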
     
  7. 2005/09/16
    noahdfear

    Please download Agent.zip (a tool I threw together... looks like Ewido got most of what it targets, but I already made it :rolleyes: ), save it to the desktop and extract. Reboot to safe mode and open the Agent folder, then double click the Agent.bat file to run it. Reboot when done and locate C:\Agent.txt, then post its contents.

    Were you able to upload those files?
     
  8. 2005/09/17
    noahdfear

    I posted a message at thespykiller forum for you. ;)
     
  9. 2005/09/17
    Master Green

    Howdy,
    That Ewido was incredible, and I was impressed.. As for the files that you mentioned, I looked for them but got confused for some reason and, sorry to say, I did not upload them, but I can go back later and do so if you still want me to... I have put numerous hours into reviving this computer, and trying to post the results of Ewido and a HijackThis log was a lot to get done, it being my first time doing both, and I was exhausted when I was done... My question with Ewido is, is that a program you recommend when a situation like mine or similar comes about???... I will try the Agent.zip you advised me to do later today and post back.. I once again wish to thank everyone for their assistance, as this is an incredible amount of work, and I find the technical aspect of it all very challenging and hope many readers realize that many people would have done an fdisk and/or format, or replaced the hard drive by now...
     
  10. 2005/09/17
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Good Morning,

    You bet - but I also understand what you're doing and why :)

    Regards - Charles
     
  11. 2005/09/17
    Master Green

    pre-run check


    c:\windows\cmdxp.exe present
    c:\windows\cmdxp.exe\dreese.exe not present
    c:\windows\cmdxp.exe\setup.exe not present
    c:\windows\Slipit.exe\dreese.exe not present
    c:\windows\Slipit.exe not present
    c:\windows\windowmedias.exe not present
    c:\windows\windowsmedias.exe not present
    c:\windows\wingls.exe\omi.exe not present
    c:\windows\wingls.exe not present



    pre-run check


    c:\windows\cmdxp.exe\dreese.exe not present
    c:\windows\cmdxp.exe\setup.exe not present
    c:\windows\cmdxp.exe not present
    c:\windows\Slipit.exe\dreese.exe not present
    c:\windows\Slipit.exe not present
    c:\windows\windowmedias.exe not present
    c:\windows\windowsmedias.exe not present
    c:\windows\wingls.exe\omi.exe not present
    c:\windows\wingls.exe not present


    ~~~~~~~~~~~~~~~~~~~~~~~
    after reboot


    c:\windows\cmdxp.exe\dreese.exe not present
    c:\windows\cmdxp.exe\setup.exe not present
    c:\windows\cmdxp.exe not present
    c:\windows\Slipit.exe\dreese.exe not present
    c:\windows\Slipit.exe not present
    c:\windows\windowmedias.exe not present
    c:\windows\windowsmedias.exe not present
    c:\windows\wingls.exe\omi.exe not present
    c:\windows\wingls.exe not present
     
  12. 2005/09/17
    noahdfear

    Yes, Ewido is a great tool, and yes, I recommend using it, especially in situations such as yours. The Agent.txt log looks good, and that should have AVG satisfied. However, there's still work to be done. Please do upload those files for me. I'll hold off with any further instructions till then.
     
  13. 2005/09/17
    Master Green

    Hi,
    After I did the Agent scan... I ran the X-Cleaner and it found nothing to remove. I then ran AdwareSE, and while it was scanning (it only found one tracking item), AVG popped up a detection indicating a virus/trojan in:
    c:\windows\system32\msconfig32.exe which was moved to the vault... Then another popped up: c:\systemvolumeinformation\_restore (combo of numbers & letters)... So I disabled System Restore and ran AVG, and you were right, there were no more viruses/trojans "FINALLY"...

    I will try and get those files done now... In the meantime, I hope to find a way to get the computer to boot up faster, as it hangs for approx one minute when it says "windows starting up"... Other than that, I am totally impressed and once again I will say for all our readers out there, this forum can take what seems like the impossible and make it all possible...
     
  14. 2005/09/17
    Master Green

    Hi,
    I tried doing the files and I'm not so sure I am doing them correctly. Here are the steps I did so you can correct me if need be:
    (1) www.thespykiller.co.uk./forum/
    (2) Clicked on uploads section
    (3) At the bottom, I typed in the files and then clicked browse, and another screen would appear with the last part of the file in the file box. The only three for which it said to check and verify that the file name is correct were:
    C:\WINDOWS\winmon.exe
    C:\WINDOWS\taskbarmngr.exe
    C:\WINDOWS\System32\msconfig32.exe
    (4) After each one, I clicked to the right "attachments", and when all four were listed I clicked on post, but I see nothing anywhere afterwards.
     
  15. 2005/09/17
    noahdfear

    In the same topic you previously posted to at thespykiller, click reply, then click 'browse' next to the 'Attach' address bar. In the window that opens, navigate to the C:\Windows directory and search for the filenames listed. When found, double click one and the window should close, leaving the filepath in the 'Attach' window. Click 'more attachments' and another 'Attach' address bar and browse button will appear. Repeat the above for the next filename, then do the same for the file in C:\Windows\system32. Click 'post' and you're done.
     
  16. 2005/09/18
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Have you confirmed that this
    C:\WINDOWS\taskbarmngr.exe
    is not this:
    Worm_SDbot.XB

    and this
    C:\WINDOWS\winmon.exe
    is not this:
    Worm_SDbot.vb

    and this
    C:\WINDOWS\System32\msconfig32.exe
    is not this:
    Win32Tulu
     
  17. 2005/09/18
    Master Green

    Hi,
    At this point I'm not gonna rule anything out, but going to the spykiller site and following the directions as provided has not found those particular files... I did it step by step and checked other areas as well, and I am having no luck at all so far...
     
  18. 2005/09/18
    Master Green

    Hi,
    I just ran AVG and it found: "Trojan Horse Backdoor.Generic.MHJ"
    c:\windows\system32\mappedpc.exe
    AVG removed it...

    In regard to one of the files I was supposed to find and was unable to: it is the same file that ZoneAlarm keeps asking if I want to allow or deny, "mssmbios".
     
  19. 2005/09/18
    oshwyn5

    Looking back I see this.

    I would say that this means that that file has been removed, but you should assume that you did in fact have these virus/worms. In that case you should double check the links I gave to find if they have any additional recovery steps such as removing registry keys or closing ports opened by the worm (many will for example open an IRC port in your firewall to allow additional nasties to be automatically installed on your computer at a later date) .

    Yes, that is the correct procedure when you get this message. Good work.
     
  20. 2005/09/18
    Master Green

    Hi,

    Attn:noahdfear...Is the spykiller site primarily a site to kill those files if indeed I was able to locate them ? And by not finding them, is that good news or should I assume they have to be there and I missed them ???

    Attn: oshwyn5... I thank you very much for your information and will definitely look into them later this evening.

    Note: As a reminder, when I encountered the pleasure of fixing this computer I was up against many problems:
    X-Cleaner: found 22 spyware (plus)
    Spybot: found 45 spyware (plus)
    AdwareSE: found 16 critical (plus)
    AVG: found 34 virus/trojans
    *WE HAVE BATTLED PAST ALL OF THE ABOVE AND THE TRICK NOW IS TO CLOSE THE BACK DOOR, SOMETHING I COULD NOT HAVE DONE WITHOUT THE SPECIALIZED ASSISTANCE OF EVERYONE WHO HAS DONE THEIR BEST TO HELP ME DESPITE MY EXPERIENCE(S)...
     
  21. 2005/09/18
    Master Green

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 7:28:09 PM, 9/18/2005
    + Report-Checksum: 48E4F533

    + Scan result:

    :mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pgl6297a.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\WINDOWS\system32\hpdriver.sys -> Trojan.Rootkit.Agent.ae : Cleaned with backup


    ::Report End
     
