
Thread: win32.agent.bck infestation

  1. #11
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Tell you what Gene, you need to go here to READ ME Before Posting A Request For Assistance!
    You need to follow the instructions there for the proper location AND renaming of HiJackThis.
    Then you need to download AVG Anti-spy program from the link above. Follow the installation instructions exactly.


    You said you uninstalled Norton but it still shows in this new log. You will need to do a File Search for it and look for All Files and Folders named Norton and delete any found. Then you need to do that again and look for Files and Folders named Symantec and delete all of those found.

    After you have done that then shut down the computer. Unplug the internet cable from the computer.
    Reboot in Safe Mode
    Once in SAFE Mode then run the full system scan with the AVG Anti-spy program and have it fix everything found. Save the Log.
    Shut down the computer. Reconnect the internet cable.
    Reboot to normal mode and run a new scan with the newly located and newly named HiJackThis.
    Post both logs here.

  2. #12
    Join Date: Oct 2007 | Posts: 22
    OK, I did everything twice. The first time I started in normal mode I got creamed with virus alerts.

    The AVG did not provide a log either time.

    When I start up in normal mode the only error I got this time was - can not find (it had symbols of a period & a square) \rapimger.exe

    I have attached the hjt log.

    The computer is still running slow so I don't think I'm out of the woods yet.

    By the way, thanks for your time & help with this!

  3. #13
    Join Date: Oct 2007 | Posts: 22
    The 'Drivercleaner' popup struck again.

    valera.exe was blocked by kaspersky.

  4. #14
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Download and run VundoFix
    Just run in normal.
    * Double-click VundoFix.exe to run it.
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    See if you can get a log from this one also.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    After that;
    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log in the thread you are working in.
    Note:
    • Do not mouse-click combofix's window while it is running. That may cause it to stall.

  5. #15
    Join Date: Oct 2007 | Posts: 22
    Did both. 1st one removed 4 files.

    Combo fix did a lot more. I attached the log.

    Also attached is the new hjt log.

    I am wary of saying it's fixed, since it has come back so often, but maybe you can tell by looking at the logs.

    Thanks again!

  6. #16
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    First of all it looks much better. I still see entries in the HJT log concerning Norton or Symantec products. You first need to make sure that they really are off the machine.
    But I really need to see that VundoFix log.
    Look for C:\vundofix.txt
    Post it here
    Do a file search first for Norton and delete any found.
    Then do a file search for Symantec and delete any found.

    After you have done that run HiJackThis again.
    Place a checkmark next to the following entries if they still remain;

    O2 - BHO: (no name) - {456D6D7E-BB07-41C5-8E0D-7D5801E1B6AD} - (no file)
    O2 - BHO: (no name) - {87EFA84F-E98F-43FA-9686-BB864524C33E} - (no file)
    O2 - BHO: (no name) - {EB7C4E17-D1FE-40F0-BE99-1CF8338EAA90} - (no file)

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)

    Once you have placed the checkmarks then click the Fix Now button.
    Exit HJT.
    Reboot the computer and run a new scan with HJT. Save that new log and post it here.

  7. #17
    Join Date: Oct 2007 | Posts: 22
    I did as you instructed.

    Attached are the 2 logs.

    Before I did the reboot Kaspersky detected 2 viruses -
    win32.pakes.eb
    win32.pakes.ds

    It deleted both.

  8. #18
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Did your Kaspersky FIX/Quarantine the two win32.pakes entries it alerted you about?

    Logs look pretty good. There are some programs though you need to remove via Add/Remove;
    All of these old Java versions noted by VundoFix: remove all that are showing and download the newest version, which is Version 6 Update 3. You do show version 6 Update 2 but uninstall that one, along with all the others.
    Also uninstall the Viewpoint Media Player. Now this is installed along with Viewpoint components as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). It claims to be required, but why you would need another media player beats me. Just the fact that you are not given the option to install makes me say, remove it.
    You already have Windows Media Player, it comes with the system, you are running Quicktime...I just don't feel it is needed and many people complain of firewall notifications that the Viewpoint software is trying to access the internet. There is no reason for this either.

    You also have some things you will need to fix once you do the above but I will need a new HJT log AFTER you have done the above and then rebooted.

  9. #19
    Join Date: Oct 2007 | Posts: 22
    Kaspersky deleted the 2 viruses.

    I removed all of the old Java versions and installed the new. I also uninstalled Viewpoint.

    Attached is the new hjt log.

  10. #20
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    This one looks pretty good.
    Now you need to run HJT again and place checkmarks next to the following entries;
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\

    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)

    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)

    Once you have placed the checkmarks then click the Fix Checked button.
    Exit HJT
    Reboot.
    Now you do have some unnecessary programs running at start up that can easily be run manually, if you like I can give you a list on which ones to disable. This should speed the computer.
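The entries the helper asks to be checked in posts #16 and #20 all share one trait: HijackThis marks them "(no file)" or "(file missing)", meaning a BHO, Winlogon Notify or service registration still exists in the registry but the file it points to is gone (typically leftovers from the incomplete Norton/Symantec uninstall). The following is an added example, not code from the thread or from HijackThis, that parses HijackThis-style O2/O20/O23 lines and pulls out exactly those orphaned registrations plus any entries still naming a given vendor, so a reviewer can confirm a cleanup is finished without reading the log by eye. The sample log is constructed: the O2/O23 lines are the ones quoted in the thread, the "Example" lines use placeholder CLSIDs and paths, and the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log in HijackThis format. The Symantec O23 lines and the
# "(no name)" O2 lines are the entries quoted in the thread; the "Example"
# lines are placeholders that stand in for healthy registrations.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {456D6D7E-BB07-41C5-8E0D-7D5801E1B6AD} - (no file)
O2 - BHO: (no name) - {87EFA84F-E98F-43FA-9686-BB864524C33E} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe (file missing)
O23 - Service: Example AV Service (exav) - Example Vendor - C:\\Program Files\\Example\\exav.exe
"""

# Markers HijackThis appends when the referenced file is absent from disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# O23 display names carry the short service name in trailing parentheses.
SERVICE_NAME_RE = re.compile(r"^(?P<display>.*?) \((?P<short>[^()]+)\)$")


@dataclass
class HjtEntry:
    section: str          # O2, O20, O23, ...
    kind: str             # BHO, Winlogon Notify, Service
    name: str             # display name as HijackThis prints it
    identifier: str       # CLSID for BHOs, short service name for services, else ""
    path: str             # referenced file with the orphan marker stripped, "" if none
    orphaned: bool        # registry still references a file that is gone from disk
    unknown_owner: bool   # O23 entry whose vendor field reads "Unknown owner"


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; returns None for lines not in 'Onn - ...' form."""
    m = re.match(r"^(O\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    parts = body.split(" - ")
    kind, _, name = parts[0].partition(": ")
    raw_path = parts[-1] if len(parts) > 1 else ""
    orphaned = any(raw_path.endswith(mk) for mk in ORPHAN_MARKERS)
    path = raw_path
    for mk in ORPHAN_MARKERS:
        path = path.replace(mk, "").strip()
    identifier = ""
    if kind == "BHO" and len(parts) >= 3 and parts[1].startswith("{"):
        identifier = parts[1]
    elif kind == "Service":
        sm = SERVICE_NAME_RE.match(name)
        if sm:
            name, identifier = sm.group("display"), sm.group("short")
    unknown_owner = kind == "Service" and len(parts) >= 3 and parts[1] == "Unknown owner"
    return HjtEntry(section, kind, name, identifier, path, orphaned, unknown_owner)


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse a whole log, skipping headers and non-'Onn' lines."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def find_orphans(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Registrations whose target file is missing: dead weight left behind by an
    incomplete uninstall, and the entries a helper asks to have 'fixed' so the
    log stops showing them."""
    return [e for e in entries if e.orphaned]


def leftover_vendor_entries(entries: List[HjtEntry], vendor: str) -> List[HjtEntry]:
    """Entries still naming a vendor in their display name or path; an empty
    result is the check that 'Norton/Symantec is really off the machine'."""
    v = vendor.lower()
    return [e for e in entries if v in e.name.lower() or v in e.path.lower()]


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for e in find_orphans(entries):
        print(f"orphaned {e.section} {e.kind}: {e.name or e.identifier} -> {e.path or '(no path)'}")
    print("symantec leftovers:", [e.identifier for e in leftover_vendor_entries(entries, "symantec")])
```

Running it against the constructed log reports the two CLSID-only BHOs and the two ccPwdSvc/ccSetMgr services as orphaned and lists both Symantec services as leftovers, while the placeholder "Example" entries pass; feeding it a real HijackThis log after the fix-and-reboot step should yield an empty orphan list.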
