Bullguard Antivirus Forum Download A Free Copy Of Bullguard Antivirus Software
No-Subject
Infected
New Member


Date Joined Nov 2004
Total Posts : 3
 
Posted 11-15-2004 7:18 (GMT +1)
Hi
 
I got this virus called Trojan horse Downloader.Agent.AS. AVG keeps finding it and it can't heal the file. It gives me the option to move it to the virus vault, but whenever I do my PC freezes up and I have to restart. Anyway, then I find something in the virus vault called POLALL1L.EXE and I delete it, but it keeps coming back! So I tried Housecall's online virus scan and it can't detect any virus. I have HijackThis; here's the log file (I hope I did this part correctly).
 
Logfile of HijackThis v1.98.2
Scan saved at 4:36:01 PM, on 11/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\temp\salm.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [pspkn] C:\WINDOWS\pspkn.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=4ff5c7fab0c65e932eaa5dc98deadd8dc28470e1370cfc64cbe012acfd59df5f1ac4e42e1fb14b1633b0e8258af195b728572a7d1705ab00aa0a01510ef96bf0:872f1e63d289d95ca7ec47c4891aa171
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBE2F5ED-A8CB-40F6-BDF6-587A77AB00A5}: NameServer = 10.0.0.138
 
What do you think? I hope you can help me with this. Thanks and regards
 
Infected
 
PS: If your advice includes things like using the PC in Safe Mode or anything like that, I don't know what those are, so please explain carefully.
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14295
 
Posted 11-16-2004 1:52 (GMT +1)
Hey cool,
Scan with HijackThis, close all other windows, put a checkmark next to these, and fix:

O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [pspkn] C:\WINDOWS\pspkn.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=4ff5c7fab0c65e932eaa5dc98deadd8dc28470e1370cfc64cbe012acfd59df5f1ac4e42e1fb14b1633b0e8258af195b728572a7d1705ab00aa0a01510ef96bf0:872f1e63d289d95ca7ec47c4891aa171

Show hidden files: click on the link!
 http://www.xtra.co.nz/help/0,,4155-1916458,00.html=
 
Reboot into Safe Mode (hit the F8 key until the menu shows up).
Find and delete these (in bold):

C:\Program Files\Windows AdControl\WinAdCtl.exe
c:\temp\salm.exe
C:\WINDOWS\pspkn.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
 
Delete the files/folders from the following directories; for example, delete all files/folders IN Temp.
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\  <<<This will delete your files in your internet cache--including cookies.
C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
Empty your "Recycle Bin".

Reboot.
Run this scanner – mwav.exe: http://home9.inet.tele.dk/le01/Sikkerhed.htm
http://www.spywareinfo.dk/download/mwav.exe
Activate all in Settings, then Scan,
and post the new log file.


Touch
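The fix list above picks out the O4 Run entries and the unnamed O16 ActiveX download by eye. As an added example (not code from the thread, from BullGuard or from HijackThis), this Python script parses those two line types from the posted log and flags entries that autostart from a temp directory, sit directly in C:\WINDOWS, or register an ActiveX download with no control name; the function names are my own and the long windupdates query string is replaced with a placeholder.

```python
import re
from collections import namedtuple

# Constructed sample: O4 and O16 lines copied from the HijackThis log posted in this
# thread (the windupdates query string is replaced with a placeholder).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [pspkn] C:\WINDOWS\pspkn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=PLACEHOLDER
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')
Finding = namedtuple('Finding', 'kind name target reason')

def exe_path(cmd):
    """Return the program path from a Run value, dropping quotes and arguments."""
    m = re.match(r'"?(.+?\.(?:exe|com|scr|pif|bat))\b', cmd.strip(), re.I)
    return m.group(1) if m else None

def suspicious_location(path):
    """Triage hint for where an autostart program lives; None means nothing odd."""
    parts = path.lower().replace('/', '\\').split('\\')
    if any(p in ('temp', 'tmp') for p in parts[:-1]):
        return 'autostarts from a temp directory'
    # A file directly in C:\WINDOWS (not System32) deserves a look; some genuine
    # Windows binaries live there too, so this is a hint for review, not a verdict.
    if len(parts) == 3 and parts[1] == 'windows':
        return 'sits directly in the Windows directory'
    return None

def triage(log_text):
    """Parse HijackThis O4/O16 lines and return the entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = exe_path(m['cmd'])
            reason = suspicious_location(path) if path else 'could not parse command'
            if reason:
                findings.append(Finding('O4', m['name'], path, reason))
            continue
        m = O16_RE.match(line)
        if m and not m['desc']:  # ActiveX download registered with no control name
            findings.append(Finding('O16', m['clsid'], m['url'], 'unnamed ActiveX download'))
    return findings

print(*triage(SAMPLE_LOG), sep='\n')
```

It reproduces the salm, pspkn and windupdates findings; recognising "Windows AdControl" as adware by name is knowledge the moderator brought that a path heuristic cannot.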
 

Infected
New Member


Date Joined Nov 2004
Total Posts : 3
 
Posted 11-16-2004 11:36 (GMT +1)
Hi
 
Thanks for your reply, but I'm still stuck with this. I don't know how to run my PC in safe mode. I'm gonna sound like an idiot, but when you say 'hit F8 until the menu pops up', when and where do I do this? On the desktop? After restarting from the start menu? It's Windows XP I'm using. Sorry, but I don't get it. When I go to restart my computer there are no menus or anything that pop up, and pressing F8 (repeatedly, or holding down the key?) isn't doing anything. If you can walk me through this part, maybe I can repair my virus problems. Thanks again
 
Infected
 
 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14295
 
Posted 11-17-2004 9:21 (GMT +1)
Try doing it from normal mode, or else:

It is probably some system files that are damaged.

Start-Run, type: sfc /scannow (space between sfc and /)


Touch
 