
Thread: ====Please help me remove trojan.win32.agent.bck====


  1. #1 (Join Date: Aug 2006 | Location: 255.255.255.666 | Posts: 2,056)
    [==========] AnalyzerXP 3.7 by TL - IANAG (forum.networktechs.com) [==========]

    W32i - - - - 129,536 07-23-1999 c:\windows\auhccup1.dll <-- Part of the Trend Micro HouseCall online scanner, likely to be a leftover that can be deleted.
    W32i - - - - 30,720 07-15-2000 c:\windows\regtlib.exe <-- Part of MS Visual Studio, do NOT delete it if it is installed.

    Directory of C:\WINDOWS
    07/17/2004 02:40 PM 19,528 002391_.tmp <-- Highly suspicious, I'd suggest you delete it.

    W32i - - - - 346,112 05-12-2006 c:\windows\system32\as-ifce1.oca <-- Unknown, very suspicious!
    W32i - - - - 44,032 05-12-2006 c:\windows\system32\cmdbtnx5.oca <-- Unknown, very suspicious!
    W32i - - - - 83,008 09-20-2007 c:\windows\system32\gyvfbnuw.dll <-- Unknown, very suspicious!

    W32i - - - - 4,096 02-05-2007 c:\windows\system32\lmmonres.dll <-- Identified Malware related file, must be removed! See this link for further info: http://spywaredlls.prevx.com/RRGHHJ3...ONRES.DLL.html
    W32i - - - - 29,184 04-26-2007 c:\windows\system32\msinet.oca <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com.

    W32i - - - - 46,592 01-26-2000 c:\windows\system32\prtserv.dll <-- Suspicious but SpywareData.com stated this file to be safe.

    W32i - - - - 95,744 08-23-2007 c:\windows\system32\sptll.dll <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com.

    W32i - - - - 153,600 03-12-2007 c:\windows\system32\ssdw3b32.oca <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com!

    W32i - - - - 100,864 05-12-2006 c:\windows\system32\sstabs32.oca <-- I believe this is related to a Vundo variant, have this file scanned on virustotal.com!

    W32i - - - - 131,072 01-11-2000 c:\windows\system32\stringres_en.dll <-- Suspicious but I think it might be a part of Crystal Reports application, if it is not installed then have it scanned on VirusTotal.com.

    W32i - - - - 37,888 05-12-2006 c:\windows\system32\treeview.oca <-- Unknown, very suspicious!

    W32i - - - - 348,160 01-21-2006 c:\windows\system32\uninstallsqlx42.exe <-- Unknown, very suspicious!
    Directory of C:\

    I would strongly urge the removal of all files with .tmp extension especially on a system that is experiencing malware infection.
    CleanupXP+ should be able to do the job:
    09/18/2007 03:16 PM 0 4.tmp
    08/30/2007 10:29 AM 0 AF.tmp
    08/30/2007 10:29 AM 0 B1.tmp
    08/30/2007 10:29 AM 0 B6.tmp
    08/30/2007 10:29 AM 0 B8.tmp
    01/16/2007 11:51 PM 517,414 Backup Folder.jpg
    08/30/2007 10:29 AM 0 C2.tmp
    08/30/2007 10:29 AM 0 C4.tmp
    08/30/2007 10:29 AM 0 CE.tmp
    08/30/2007 10:29 AM 0 D0.tmp
    08/30/2007 10:29 AM 0 DC.tmp
    08/30/2007 10:29 AM 0 DE.tmp
    08/30/2007 10:29 AM 0 EF.tmp
    08/30/2007 10:29 AM 0 F1.tmp
    08/30/2007 10:29 AM 0 F9.tmp
    08/30/2007 10:29 AM 0 FB.tmp

    03/13/2007 08:38 AM 4,775,936 EnviroCap3-13.exe <-- Unknown!
    08/06/2007 02:30 PM 1,516 fgfg.sav <-- Unknown!
    08/28/2007 02:18 PM 19 PccntIOT.log <-- Unknown!
    04/27/2007 11:47 AM 55,296 RebateApril.xls <-- Unknown!
    02/01/2007 04:50 PM 16,384 repMonthlyClaimsReport.rpt <-- Unknown, do you know if this is used by an installed application?
    02/01/2007 04:50 PM 7,833 repMonthlyClaimsReport.vb <-- Unknown, do you know if this is used by an installed application?

    guard.exe <--- This is used by AVG AV-Scanner, is that what you are using? I also noticed Avast program folder, is that still installed and used as well? Remember you should only have one Virus and one Spyware scanner actively running on the same system!!

    mdm.exe <-- Do you debug applications? If not you could disable this service to free up resources and speed up your system.
    AcroTray.exe <-- Another unneeded startup entry imo.
    qttask.exe 2936 Console 0 2,328 K <-- Apple QuickTime related and quite unneeded.
    snagit32.exe 2352 Console 0 2,640 K <-- Unnecessary resource hog to have it in startup unless you are using it all the time.
    "C:\WINDOWS\SYSTEM32\"
    dwwplcon.exe Sep 20 2007 75328 "dwwplcon.exe" <-- Unknown, suspicious!
    wxqqluxr.exe Sep 20 2007 75328 "wxqqluxr.exe" <-- Unknown, suspicious!

    "C:\WINDOWS\Installer\{C04E32E0-0416-434D-AFB9-6969D703A9EF}\"
    icon.exe Aug 15 2007 32768 "icon.exe" <-- Identified Malware (a variant of RapidBlaster parasite)!

    "C:\WINDOWS\Installer\{FDB883E8-C101-472C-B30E-09BBD51D44B0}\"
    iconf6~1.exe Sep 21 2007 401408 "IconF61D3384.exe" <-- Very suspicious, possibly Malware related file.

    "C:\Applications Development\VB NET\ServicingApp\Complete Source Code\Software\EnviroCap-Client\bin\"
    enviro~1.exe Sep 20 2007 2936832 "EnviroCap.exe" <-- Unknown, suspicious if you do not know anything about it!
    "C:\Applications Development\VB NET\ServicingApp\Complete Source Code\Software\EnviroCap-Client\obj\Debug\"
    enviro~1.exe Sep 20 2007 2936832 "EnviroCap.exe" <-- Unknown, suspicious if you do not know anything about it!
    "C:\Documents and Settings\jlassiter\Application Data\Microsoft\VisualStudio\7.1\ProjectAssemblies\ u9sgymku01\"
    enviro~1.exe Sep 20 2007 2936832 "EnviroCap.exe" <-- Unknown, suspicious if you do not know anything about it!

    Hope this helps you guys, good luck!
    Last edited by TurcoLoco; 09-22-2007 at 05:37 AM. Reason: got rid of the clutter text

  2. #2 (Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079)
    First of all, ~TL's notes regarding all those temp files:
        "I would strongly urge the removal of all files with .tmp extension especially on a system that is experiencing malware infection. CleanupXP+ should be able to do the job."
    I asked you to run this before and you said:
        "I followed your instructions."
    Since we never saw a log from this I have to ask you, did you actually run the program once before or not?

    Now ~TL has noted there are some very suspicious files showing in the AnalyzerXP log, and we cannot find any info on many of them. He suggests, and I totally agree, that a second opinion is needed on many of them. To get this second opinion you need to go to this website:
    http://www.virustotal.com/

    Following ~TL's instructions here, this is what you will need to do when you get to this site:
    Step 1: Submit the file in question by clicking on the Browse button to locate the file and select it.

    Step 2: Click the Send button to have the file uploaded and queued for processing.

    Step 3: Wait for scanning to complete; STATUS should read COMPLETED.

    We need all of the information given to you concerning each one of these files and please, NO SCREEN SHOTS, they are unreadable.
    Here are the files you need to check out there this time, there may be others later:
    c:\windows\system32\as-ifce1.oca
    c:\windows\system32\cmdbtnx5.oca
    c:\windows\system32\gyvfbnuw.dll
    c:\windows\system32\msinet.oca
    c:\windows\system32\sptll.dll
    c:\windows\system32\ssdw3b32.oca
    c:\windows\system32\sstabs32.oca
    c:\windows\system32\stringres_en.dll
    c:\windows\system32\treeview.oca
    c:\windows\system32\uninstallsqlx42.exe

    Once you have gotten the information on each file please post back here with all that you have found.
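As an added example (not from TL, the poster above, or the AnalyzerXP tool), here is a small Python parser for the annotated "W32i" lines and DIR listing shown in post #1 that turns the analyst notes into a work list, including the VirusTotal second-opinion list requested in post #2. The sample log is constructed from a few of the thread's lines, and the keyword-to-action mapping is my own assumption about how the notes are meant to be read.

```python
import re
# Constructed sample shaped like the annotated AnalyzerXP "W32i" lines and DIR listing in the thread.
SAMPLE_LOG = """\
W32i - - - - 83,008 09-20-2007 c:\\windows\\system32\\gyvfbnuw.dll <-- Unknown, very suspicious!
W32i - - - - 46,592 01-26-2000 c:\\windows\\system32\\prtserv.dll <-- Suspicious but SpywareData.com stated this file to be safe.
W32i - - - - 4,096 02-05-2007 c:\\windows\\system32\\lmmonres.dll <-- Identified Malware related file, must be removed!
Directory of C:\\
08/30/2007 10:29 AM 0 AF.tmp
01/16/2007 11:51 PM 517,414 Backup Folder.jpg
"""

# "W32i - - - - <size> <mm-dd-yyyy> <path> [<-- note]" and "<mm/dd/yyyy> <hh:mm AM|PM> <size> <name> [<-- note]"
W32I_RE = re.compile(r"^W32i(?: -)+ (?P<size>[\d,]+) (?P<date>\d\d-\d\d-\d{4}) (?P<path>\S+?)(?: <-- (?P<note>.*))?$")
DIR_RE = re.compile(r"^(?P<date>\d\d/\d\d/\d{4}) \d\d:\d\d [AP]M (?P<size>[\d,]+) (?P<name>.+?)(?: <-- (?P<note>.*))?$")


def parse_log(text):
    """One record per file line; DIR entries are joined to the current 'Directory of' path."""
    records, cwd = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("directory of "):
            cwd = line[len("directory of "):].rstrip("\\")
            continue
        m = W32I_RE.match(line) or (cwd and DIR_RE.match(line))
        if not m:
            continue
        path = m["path"] if "path" in m.groupdict() else cwd + "\\" + m["name"]
        records.append({"path": path.lower(), "size": int(m["size"].replace(",", "")),
                        "date": m["date"], "note": m["note"] or ""})
    return records


def triage(record):
    """Map the analyst's free-text note (plus the zero-byte .tmp rule) onto one action (assumed mapping)."""
    note, name = record["note"].lower(), record["path"].rsplit("\\", 1)[-1]
    if "identified malware" in note or "must be removed" in note:
        return "remove"
    if name.endswith(".tmp") and record["size"] == 0:
        return "delete-temp"
    if "safe" in note:
        return "keep"
    if any(k in note for k in ("suspicious", "unknown", "virustotal")):
        return "submit"  # the VirusTotal second-opinion list from post #2
    return "review"


def worklist(text):
    out = {}  # action -> list of paths, e.g. worklist(SAMPLE_LOG)["submit"]
    for r in parse_log(text):
        out.setdefault(triage(r), []).append(r["path"])
    return out
```

Feeding the real log through worklist() gives the "submit" list to hash and look up before uploading anything, and keeps the "keep" entries (like prtserv.dll) out of the deletion pass.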

  3. #3 (Join Date: Sep 2007 | Posts: 10)

    Wow, it is a lengthy process.
    I ran it and was able to identify and delete most of them. A few of them I can't delete, but so far it is running OK now. No more pop-ups and it runs a bit faster now.
    Thanks so much for your help. Thanks TL too.

    One more image for you
