
Thread: ====Please help me remove trojan.win32.agent.bck====

  1. #11
    Join Date
    Sep 2007
    Posts
    10
    Sorry, I am so dumb... I followed your post of 09-20-2007 03:00 PM. The last step is the Kaspersky online scan. After the scan completed, I couldn't see the report.

    That was a 6-hour scan.
    OK, let me start over again to see if I can get the report. Looks like for my online scan I have to install that ActiveX...
    Attached Images

  2. #12
    Join Date
    Sep 2007
    Posts
    10
    Finally, I got the report up now.
    Please see the attached.

    thanks.
    Attached Files

  3. #13
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Where is the AnalyzerXP log requested in post #10? I need to see that also.

    You are going to have to download two programs. Follow the directions exactly.

    Download AVG Rootkit Scanner
    That is the download button on the right hand side of that page.
    Run that and allow it to fix anything found. Try to save a log if given the option.



    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    After you have done both of the above, run another Kaspersky ONLINE scan and save that log also.
    Then run a new HJT scan and save that log also.
    Post back here with the AnalyzerXP log, the AVG Anti-Rootkit log, the VundoFix log, the new Kaspersky online log and the new HJT log.

  4. #14
    Join Date
    Sep 2007
    Posts
    10
    Of all the scans, only AnalyzerXP (Prevx 2.0) and Kaspersky show something. The rest of them can't catch anything.
    Attached Images
    Attached Files

  5. #15
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    That isn't the AnalyzerXP program I wanted you to run...the one I wanted you to run is THIS one;

    AnalyzerXP 3.7


    Please run this one and post the log; it will appear on your desktop following the scan. PrintScreens are not the way to do things because they do not show full information; we have to have the actual logs.

  6. #16
    Join Date
    Sep 2007
    Posts
    10
    Oops... sorry.
    I got it now.
    Thanks.
    Attached Files

  7. #17
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Have asked ~TL to take a look at this log since this is his program. He will either post to you or give me the info we need. Will get back to you ASAP.
    Judy

  8. #18
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056
    [==========] AnalyzerXP 3.7 by TL - IANAG (forum.networktechs.com) [==========]

    W32i - - - - 129,536 07-23-1999 c:\windows\auhccup1.dll <-- Part of Trend Micro HouseCall online scanner, likely to be a leftover that can be deleted.
    W32i - - - - 30,720 07-15-2000 c:\windows\regtlib.exe <-- Part of MS Visual Studio, do NOT delete it if it is installed.

    Directory of C:\WINDOWS
    07/17/2004 02:40 PM 19,528 002391_.tmp <-- Highly suspicious, I'd suggest you delete it.

    W32i - - - - 346,112 05-12-2006 c:\windows\system32\as-ifce1.oca <-- Unknown, very suspicious!
    W32i - - - - 44,032 05-12-2006 c:\windows\system32\cmdbtnx5.oca <-- Unknown, very suspicious!
    W32i - - - - 83,008 09-20-2007 c:\windows\system32\gyvfbnuw.dll <-- Unknown, very suspicious!

    W32i - - - - 4,096 02-05-2007 c:\windows\system32\lmmonres.dll <-- Identified Malware related file, must be removed! See this link for further info: http://spywaredlls.prevx.com/RRGHHJ3...ONRES.DLL.html
    W32i - - - - 29,184 04-26-2007 c:\windows\system32\msinet.oca <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com.

    W32i - - - - 46,592 01-26-2000 c:\windows\system32\prtserv.dll <-- Suspicious but SpywareData.com stated this file to be safe.

    W32i - - - - 95,744 08-23-2007 c:\windows\system32\sptll.dll <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com.

    W32i - - - - 153,600 03-12-2007 c:\windows\system32\ssdw3b32.oca <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com!

    W32i - - - - 100,864 05-12-2006 c:\windows\system32\sstabs32.oca <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com!

    W32i - - - - 131,072 01-11-2000 c:\windows\system32\stringres_en.dll <-- Suspicious but I think it might be a part of Crystal Reports application, if it is not installed then have it scanned on VirusTotal.com.

    W32i - - - - 37,888 05-12-2006 c:\windows\system32\treeview.oca <-- Unknown, very suspicious!

    W32i - - - - 348,160 01-21-2006 c:\windows\system32\uninstallsqlx42.exe <-- Unknown, very suspicious!


    Directory of C:\

    I would strongly urge the removal of all files with .tmp extension especially on a system that is experiencing malware infection.
    CleanupXP+ should be able to do the job:
    09/18/2007 03:16 PM 0 4.tmp
    08/30/2007 10:29 AM 0 AF.tmp
    08/30/2007 10:29 AM 0 B1.tmp
    08/30/2007 10:29 AM 0 B6.tmp
    08/30/2007 10:29 AM 0 B8.tmp
    01/16/2007 11:51 PM 517,414 Backup Folder.jpg
    08/30/2007 10:29 AM 0 C2.tmp
    08/30/2007 10:29 AM 0 C4.tmp
    08/30/2007 10:29 AM 0 CE.tmp
    08/30/2007 10:29 AM 0 D0.tmp
    08/30/2007 10:29 AM 0 DC.tmp
    08/30/2007 10:29 AM 0 DE.tmp
    08/30/2007 10:29 AM 0 EF.tmp
    08/30/2007 10:29 AM 0 F1.tmp
    08/30/2007 10:29 AM 0 F9.tmp
    08/30/2007 10:29 AM 0 FB.tmp

    03/13/2007 08:38 AM 4,775,936 EnviroCap3-13.exe <-- Unknown!
    08/06/2007 02:30 PM 1,516 fgfg.sav <-- Unknown!
    08/28/2007 02:18 PM 19 PccntIOT.log <-- Unknown!
    04/27/2007 11:47 AM 55,296 RebateApril.xls <-- Unknown!
    02/01/2007 04:50 PM 16,384 repMonthlyClaimsReport.rpt <-- Unknown, do you know if this is used by an installed application?
    02/01/2007 04:50 PM 7,833 repMonthlyClaimsReport.vb <-- Unknown, do you know if this is used by an installed application?


    guard.exe <--- This is used by AVG AV-Scanner, is that what you are using? I also noticed Avast program folder, is that still installed and used as well? Remember you should only have one Virus and one Spyware scanner actively running on the same system!!

    mdm.exe <-- Do you debug applications? If not you could disable this service to free up resources and speed up your system.
    AcroTray.exe <-- Another unneeded startup entry imo.
    qttask.exe 2936 Console 0 2,328 K <-- Apple QuickTime related and quite unneeded.
    snagit32.exe 2352 Console 0 2,640 K <-- Unnecessary resource hog to have it in startup unless you are using it all the time.



    "C:\WINDOWS\SYSTEM32\"
    dwwplcon.exe Sep 20 2007 75328 "dwwplcon.exe" <-- Unknown, suspicious!
    wxqqluxr.exe Sep 20 2007 75328 "wxqqluxr.exe" <-- Unknown, suspicious!

    "C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\"
    icon.exe Aug 15 2007 32768 "icon.exe" <-- Identified Malware (a variant of RapidBlaster parasite)!

    "C:\WINDOWS\Installer\{FDB883E8-C101-472C-B30E-09BBD51D44B0}\"
    iconf6~1.exe Sep 21 2007 401408 "IconF61D3384.exe" <-- Very suspicious, possibly Malware related file.

    "C:\Applications Development\VB NET\ServicingApp\Complete Source Code\Software\EnviroCap-Client\bin\"
    enviro~1.exe Sep 20 2007 2936832 "EnviroCap.exe" <-- Unknown, suspicious if you do not know anything about it!
    "C:\Applications Development\VB NET\ServicingApp\Complete Source Code\Software\EnviroCap-Client\obj\Debug\"
    enviro~1.exe Sep 20 2007 2936832 "EnviroCap.exe" <-- Unknown, suspicious if you do not know anything about it!
    "C:\Documents and Settings\jlassiter\Application Data\Microsoft\VisualStudio\7.1\ProjectAssemblies\u9sgymku01\"
    enviro~1.exe Sep 20 2007 2936832 "EnviroCap.exe" <-- Unknown, suspicious if you do not know anything about it!

    Hope this helps you guys, good luck!
    Last edited by TurcoLoco; 09-22-2007 at 05:37 AM. Reason: got rid of the clutter text

  9. #19
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    First of all, ~TL's notes regarding all those temp files:
    "I would strongly urge the removal of all files with .tmp extension especially on a system that is experiencing malware infection.
    CleanupXP+ should be able to do the job."
    I asked you to run this before and you said:
    "I followed your instructions."
    Since we never saw a log from this, I have to ask you: did you actually run the program once before or not?

    Now ~TL has noted there are some very suspicious files showing in the AnalyzerXP log, and we can not find any info on many of them. He suggests, and I totally agree that a second opinion is needed on many of them. To get this second opinion you need to go to this website;
    http://www.virustotal.com/

    Following ~TL's instructions here this is what you will need to do when you get to this site;
    Step 1: Submit the file in question by clicking on Browse button to locate the file and select it.

    Step 2: Click Send button to have the file uploaded and queued for processing.

    Step 3: Wait for scanning to complete; STATUS should read COMPLETED

    We need all of the information given to you concerning each one of these files and please, NO SCREEN SHOTS, they are unreadable.
    Here are the files you need to check out there this time, there may be others later;
    c:\windows\system32\as-ifce1.oca
    c:\windows\system32\cmdbtnx5.oca
    c:\windows\system32\gyvfbnuw.dll
    c:\windows\system32\msinet.oca
    c:\windows\system32\sptll.dll
    c:\windows\system32\ssdw3b32.oca
    c:\windows\system32\sstabs32.oca
    c:\windows\system32\stringres_en.dll
    c:\windows\system32\treeview.oca
    c:\windows\system32\uninstallsqlx42.exe

    Once you have gotten the information on each file please post back here with all that you have found.

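The two steps above (reading the annotated AnalyzerXP listing in post #18 and taking each flagged file to VirusTotal in post #19) can be scripted. What follows is an added example written for this page, not code from the thread, from AnalyzerXP or from VirusTotal: it parses lines in the `W32i ... <-- note` layout, ranks them by the reviewer's verdict words, computes SHA-256 for each file so it can be searched on VirusTotal by hash before uploading anything, and lists the zero-byte `.tmp` files of the kind shown under `C:\`. The log lines, the file contents and the temp directory it hashes are constructed for the demonstration; the verdict keywords and the priority scale are assumptions chosen here, not AnalyzerXP's own.

```python
"""Triage helper for an AnalyzerXP-style file listing.

Added example for this thread, not the forum's or AnalyzerXP's own code.
It parses annotated lines, ranks them by the reviewer's verdict, hashes the
files for a VirusTotal hash search, and lists zero-byte .tmp files.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample in the layout of the post #18 log.  Paths and notes
# follow the post; the file contents hashed below are made up.
SAMPLE_LOG = """\
W32i - - - - 83,008 09-20-2007 c:\\windows\\system32\\gyvfbnuw.dll <-- Unknown, very suspicious!
W32i - - - - 4,096 02-05-2007 c:\\windows\\system32\\lmmonres.dll <-- Identified Malware related file, must be removed!
W32i - - - - 95,744 08-23-2007 c:\\windows\\system32\\sptll.dll <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com.
W32i - - - - 46,592 01-26-2000 c:\\windows\\system32\\prtserv.dll <-- Suspicious but SpywareData.com stated this file to be safe.
W32i - - - - 30,720 07-15-2000 c:\\windows\\regtlib.exe <-- Part of MS Visual Studio, do NOT delete it if it is installed.
"""

# "W32i", four dash columns, size with thousands separators, date, path, note.
LINE_RE = re.compile(
    r"^W32i(?:\s+-){4}\s+(?P<size>[\d,]+)\s+(?P<date>\d{2}-\d{2}-\d{4})\s+"
    r"(?P<path>\S+)\s+<--\s*(?P<note>.+?)\s*$"
)

# Verdict keywords taken from the reviewer's wording, strongest first.
# The numeric scale is an assumption of this example.
PRIORITY = [
    (3, ("identified malware",)),
    (2, ("very suspicious", "vundo")),
    (1, ("suspicious", "unknown")),
]


def rank(note):
    """Map a free-text annotation to a triage priority (0 = leave alone)."""
    lowered = note.lower()
    if "do not delete" in lowered or "to be safe" in lowered:
        return 0
    for score, words in PRIORITY:
        if any(w in lowered for w in words):
            return score
    return 0


def parse_log(text):
    """Return parsed entries sorted by priority, highest first (stable order)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, directory listings and blank lines are skipped
        entries.append({
            "path": m["path"],
            "size": int(m["size"].replace(",", "")),
            "date": m["date"],
            "note": m["note"],
            "priority": rank(m["note"]),
        })
    return sorted(entries, key=lambda e: e["priority"], reverse=True)


def sha256_of(path):
    """SHA-256 hex digest for a VirusTotal hash search; None if the file is gone."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def empty_tmp_files(directory):
    """Names of zero-byte *.tmp files, like the ones listed under C:\\ in post #18."""
    return sorted(p.name for p in Path(directory).glob("*.tmp")
                  if p.stat().st_size == 0)


def demo():
    """Run the whole flow against constructed files in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        entries = parse_log(SAMPLE_LOG)
        for e in entries:
            # Remap the Windows path into the scratch directory and write a
            # placeholder with made-up contents so hashing works offline.
            local = root / Path(e["path"].replace("\\", "/")).name
            local.write_bytes(e["path"].encode())
            e["sha256"] = sha256_of(local)
        for name in ("4.tmp", "AF.tmp"):
            (root / name).touch()          # zero-byte, like the C:\ listing
        (root / "real.tmp").write_bytes(b"not empty")  # must not be reported
        return entries, empty_tmp_files(root)


if __name__ == "__main__":
    ranked, tmps = demo()
    for e in ranked:
        print(f"[P{e['priority']}] {e['path']}  sha256={e['sha256']}")
    print("zero-byte .tmp files:", tmps)
```

On a real machine you would feed the saved AnalyzerXP log to `parse_log`, hash the listed paths in place with `sha256_of`, and search VirusTotal for each digest first; only files with no existing report need to be uploaded, which also avoids sending a possibly legitimate in-house binary (the EnviroCap builds above, for instance) to a third party. The keyword ranking is a reading aid for the reviewer's own notes, not a verdict on the files.
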
  10. #20
    Join Date
    Sep 2007
    Posts
    10

    Wow, it is a lengthy process.
    I ran it and was able to identify and delete most of them. A few of them I can't delete, but so far it is running OK now. No more pop-ups, and it runs a bit faster now.
    Thanks so much for your help. Thanks TL too.

    One more image for you
    Attached Images
