[Closed] Infected With a variant Win32/TrojanDownloader.Agent.AWF
T.C.
post Nov 7 2009, 09:28 AM
Post #1
Authentic Member | Posts: 66 | Joined: 9-February 07 | Member No.: 67,428 | Operating System: XP

a variant of Win32/TrojanDownloader.Agent.AWF trojan

I have adware on a work computer and I don't want to power it down because I'm afraid it's going to spread once I power down and restart. I tried to run Malwarebytes but the file is corrupted and I apparently can't download it again??? I actually have the adware on a browser right now; it says a-antisyware.com/1/ in the link address and it gives me a prompt "The computer is infected, click Ok or cancel". Naturally I don't want to hit Ok. What should I do??? What's my next step? Thanks!
Replies (15 - 25)
CatByte
post Nov 8 2009, 09:09 PM
Post #16
Classroom Administrator | Posts: 9,466 | Joined: 18-November 04 | From: Canada | Member No.: 18,614 | Operating System: xp sp3

Hi,

Please do the following:

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.


NEXT

What antivirus do you have installed? You're showing Norton in your add/remove programs, but there is no indication of it in your log?
Has it expired and did you uninstall it?

If you need another antivirus, download ONE of the following, update it, run it, and post the log.

(If you are happy with Norton, update it and run it)

Avira AntiVir
Avast


NEXT

Update your Spybot Search and Destroy, run a scan and post the results.
T.C.
post Nov 10 2009, 08:33 AM
Post #17
Authentic Member | Posts: 66 | Joined: 9-February 07 | Member No.: 67,428 | Operating System: XP

I tried to copy and paste that file in the RUN box and an error message popped up saying it couldn't find it.

Norton is on this computer but it's not active.

My other question is... I have two other girls who work for me but they shouldn't be on the internet anyway. This computer is equipped with a PCI card that can pick up an internet signal in the air. I don't want the girls using the internet while I'm not around. What can I do to stop them from using it? Every time I think I have disabled the card, once you restart the computer the internet connection is open and LIVE. Just wondering what I could do that would be simple so they couldn't use the internet on this computer? Thanks!

I will post the extra logs in a few minutes. Thanks!
T.C.
post Nov 10 2009, 09:39 AM
Post #18
Authentic Member | Posts: 66 | Joined: 9-February 07 | Member No.: 67,428 | Operating System: XP

I tried to update the Avira antivirus program before it ran its cycle but it wouldn't update. I ran it without an update and here is the log:

Avira AntiVir Personal
Report file date: Tuesday, November 10, 2009 10:04

Scanning for 1562564 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : SOUTHWESTBEACH

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 19:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 15:21:42
ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 7/19/2009 04:08:01
ANTIVIR3.VDF : 7.1.5.19 139776 Bytes 7/23/2009 13:36:13
Engineversion : 8.2.0.228
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 19:31:50
AESCRIPT.DLL : 8.1.2.18 442746 Bytes 7/23/2009 15:59:39
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 15:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 15:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 19:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 15:59:39
AEHEUR.DLL : 8.1.0.143 1864055 Bytes 7/23/2009 15:59:39
AEHELP.DLL : 8.1.5.3 233846 Bytes 7/23/2009 15:59:39
AEGEN.DLL : 8.1.1.50 352629 Bytes 7/23/2009 15:59:39
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 15:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, November 10, 2009 10:04

Starting search for hidden objects.
'37102' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'SunTouch.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'X1Exec.exe' - '1' Module(s) have been scanned
Scan process 'exec.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'exec.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'SymWSC.exe' - '1' Module(s) have been scanned
Scan process 'EloDkMon.exe' - '1' Module(s) have been scanned
Scan process 'WlanMon.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'EloSrvce.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
40 processes with 40 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '63' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\Program Files\iTunes\iTunesHelper.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe
[DETECTION] Is the TR/PSW.Stealer.724081 Trojan
C:\Program Files\Online Services\PeoplePC\Utilities\AtlBrowser.exe
[DETECTION] Contains recognition pattern of the DIAL/90112 dialer
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP925\A0049182.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\WINDOWS\SMINST\RECGUARD.EXE
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\WINDOWS\system32\hkcmd.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\WINDOWS\system32\igfxtray.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
Begin scan in 'D:\' <HP_RECOVERY>
D:\I386\Apps\APP08006\App08006.exe
[0] Archive type: ZIP SFX (self extracting)
--> hp/tmp/src/SpyPreInstall.exe
[1] Archive type: RSRC
[DETECTION] Is the TR/Hijacker.Gen Trojan

Beginning disinfection:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b5a8a1a.qua'!
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b6d8a1d.qua'!
C:\Program Files\iTunes\iTunesHelper.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b6e8a0a.qua'!
C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe
[DETECTION] Is the TR/PSW.Stealer.724081 Trojan
[NOTE] The file was moved to '4b6c8a09.qua'!
C:\Program Files\Online Services\PeoplePC\Utilities\AtlBrowser.exe
[DETECTION] Contains recognition pattern of the DIAL/90112 dialer
[NOTE] The file was moved to '4b658a2a.qua'!
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b5e8a1f.qua'!
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP925\A0049182.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4b2989e6.qua'!
C:\WINDOWS\SMINST\RECGUARD.EXE
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b3c89fb.qua'!
C:\WINDOWS\system32\hkcmd.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b5c8a21.qua'!
C:\WINDOWS\system32\igfxtray.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b5f8a1d.qua'!
D:\I386\Apps\APP08006\App08006.exe
[NOTE] The file was moved to '4b698a26.qua'!


End of the scan: Tuesday, November 10, 2009 10:41
Used time: 35:48 Minute(s)

The scan has been done completely.

4862 Scanned directories
469760 Files were scanned
11 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
469747 Files not concerned
14734 Archives were scanned
2 Warnings
13 Notes
37102 Objects were scanned with rootkit scan
0 Hidden objects were found

CatByte
post Nov 10 2009, 09:46 AM
Post #19
Classroom Administrator | Posts: 9,466 | Joined: 18-November 04 | From: Canada | Member No.: 18,614 | Operating System: xp sp3

Hi,

Please do the following:

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.
    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT
  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

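What FindAWF's option 1 is looking for, shown as an added example that is not part of this thread or of noahdfear's tool: the AWF downloader moves the legitimate auto-start executable into a `bak` subfolder and places its own loader at the original path, so every finding in the reports pairs a `bak` copy with a live copy one level up. The Python script below walks a tree for folders named `bak` and compares each backed-up file with the same-named live file by size and SHA-256. The sample tree, file names and byte contents are constructed placeholders. The three verdicts map onto the states seen later in the thread: a live copy that differs from the backup (still replaced), a live copy identical to the backup (restored, as when RECGUARD.EXE shows up twice with the same size after option 2), and no live copy at all (the replacement was quarantined, as Avira did above).

```python
"""Find the "bak" folders the AWF downloader leaves behind and compare each
backed-up file with the live copy one level up, the check FindAWF option 1
reports as "bak folders found" / "Duplicate files". Added example, not the
FindAWF tool itself."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_folders(root: Path) -> List[Path]:
    """Return every directory named 'bak' (case-insensitive) under root."""
    hits: List[Path] = []
    for dirpath, dirnames, _files in os.walk(root):
        hits.extend(Path(dirpath) / d for d in dirnames if d.lower() == "bak")
    return sorted(hits)


def audit_bak_folder(bak: Path) -> List[Tuple[str, str]]:
    """Compare each file in a bak folder with the same-named file in the
    parent directory, which is where AWF put its replacement."""
    findings = []
    for backup in sorted(p for p in bak.iterdir() if p.is_file()):
        live = bak.parent / backup.name
        if not live.exists():
            verdict = "live copy missing (quarantined or deleted)"
        elif (live.stat().st_size == backup.stat().st_size
              and sha256_of(live) == sha256_of(backup)):
            verdict = "identical (original is back in place)"
        else:
            verdict = "live copy differs from backup (still replaced)"
        findings.append((backup.name, verdict))
    return findings


def audit_tree(root: Path) -> Dict[str, List[Tuple[str, str]]]:
    """Map each bak folder (relative to root) to its per-file verdicts."""
    return {str(bak.relative_to(root)): audit_bak_folder(bak)
            for bak in find_bak_folders(root)}


def build_sample_tree() -> Path:
    """Constructed sample tree mirroring the paths in the reports above;
    file contents are placeholder bytes, not real executables."""
    root = Path(tempfile.mkdtemp(prefix="awf_sample_"))
    layout = {
        # original in bak, different bytes live: still replaced
        "Program Files/iTunes/bak/iTunesHelper.exe": b"MZ original helper",
        "Program Files/iTunes/iTunesHelper.exe": b"MZ dropped loader",
        # original in bak and an identical copy live: already restored
        "WINDOWS/SMINST/bak/RECGUARD.EXE": b"MZ recguard",
        "WINDOWS/SMINST/RECGUARD.EXE": b"MZ recguard",
        # original in bak, nothing live: the AV quarantined the replacement
        "WINDOWS/system32/bak/hkcmd.exe": b"MZ hkcmd",
    }
    for rel, content in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    # an empty bak folder, like C:\PROGRA~1\MESSEN~1\BAK in the report
    (root / "Program Files/Messenger/bak").mkdir(parents=True)
    return root


def demo() -> Dict[str, str]:
    """Run the audit on the sample tree; returns {file name: verdict}."""
    root = build_sample_tree()
    return {name: verdict
            for findings in audit_tree(root).values()
            for name, verdict in findings}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Pointing `audit_tree` at a drive root reproduces the "bak folders found" section; the verdicts are what option 2 (restore) relies on, since a backup with no live counterpart or an already identical live copy needs no restoring.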
T.C.
post Nov 10 2009, 10:45 AM
Post #20
Authentic Member | Posts: 66 | Joined: 9-February 07 | Member No.: 67,428 | Operating System: XP

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 11/10/2009
The current time is: 11:48:10.59


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

06/04/2004 09:38 PM 286,720 iTunesHelper.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 10:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/21/2004 12:51 AM 118,784 hkcmd.exe
08/21/2004 12:55 AM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK

11/10/2004 11:15 PM 111,816 ViewMgr.exe
1 File(s) 111,816 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/21/2004 08:39 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 10:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

10/21/2004 07:27 PM 32,881 jusched.exe
1 File(s) 32,881 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 4 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
118784 Aug 21 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\hkcmd.exe"
155648 Aug 21 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\igfxtray.exe"
111816 Nov 10 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
180269 Oct 21 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
149280 Nov 8 2009 "C:\Program Files\Java\jre6\bin\jusched.exe"
32881 Oct 21 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"


end of report
CatByte
post Nov 10 2009, 09:26 PM
Post #21
Classroom Administrator | Posts: 9,466 | Joined: 18-November 04 | From: Canada | Member No.: 18,614 | Operating System: xp sp3

Fix AWF Infection Step 2

Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

QUOTE
c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\windows\SMINST\bak\RECGUARD.EXE
c:\windows\system32\bak\hkcmd.exe
c:\windows\system32\bak\igfxtray.exe
c:\program files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


T.C.
post Nov 14 2009, 08:24 AM
Post #22
Authentic Member | Posts: 66 | Joined: 9-February 07 | Member No.: 67,428 | Operating System: XP

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 11/14/2009
The current time is: 9:23:36.20


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

06/04/2004 09:38 PM 286,720 iTunesHelper.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 10:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/21/2004 12:51 AM 118,784 hkcmd.exe
08/21/2004 12:55 AM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK

11/10/2004 11:15 PM 111,816 ViewMgr.exe
1 File(s) 111,816 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/21/2004 08:39 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 10:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

10/21/2004 07:27 PM 32,881 jusched.exe
1 File(s) 32,881 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 4 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
118784 Aug 21 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Aug 21 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\hkcmd.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Aug 21 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\igfxtray.exe"
111816 Nov 10 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
180269 Oct 21 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
149280 Nov 8 2009 "C:\Program Files\Java\jre6\bin\jusched.exe"
32881 Oct 21 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"


end of report
CatByte
post Nov 14 2009, 08:31 AM
Post #23
Classroom Administrator | Posts: 9,466 | Joined: 18-November 04 | From: Canada | Member No.: 18,614 | Operating System: xp sp3

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Highlight and copy the following bolded list of folders to be removed from the code box below.


CODE
C:\Program Files\iTunes\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\Viewpoint\Viewpoint Manager\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Java\j2re1.4.2_03\bin\bak



Click below the line of folders.txt and paste the list.
Close folders.txt and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log. Please post the contents of the new awf.txt log here.


T.C.
post Nov 14 2009, 06:06 PM
Post #24
Authentic Member | Posts: 66 | Joined: 9-February 07 | Member No.: 67,428 | Operating System: XP

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 11/14/2009
The current time is: 19:07:27.54


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
CatByte
post Nov 14 2009, 07:11 PM
Post #25
Classroom Administrator | Posts: 9,466 | Joined: 18-November 04 | From: Canada | Member No.: 18,614 | Operating System: xp sp3

The AWF infection generally adds entries to the registry that can give trusted permissions to many bad domains. Let's make sure we remove those.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
then press 1 to continue at the next screen.
This removes all entries from the domain zones.
At the next screen, press 1 to return to the main screen or E to exit.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT


NEXT

Please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

QUOTE
cmd /c rd /f/a/q/s "C:\PROGRA~1\MESSEN~1\BAK"
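The "trusted permissions to bad domains" that post #25 refers to live under Internet Explorer's ZoneMap\Domains registry key, where a DWORD value of 2 assigns a host to the Trusted sites zone (1 is Local intranet, 4 is Restricted sites). Before resetting the zones with option 4, an analyst usually wants to see what is there. The following Python script is an added example, not part of FindAWF or of this thread: it parses a `.reg` export of that key and lists every host granted zone 2. The export text and host names are constructed placeholders.

```python
"""Audit a .reg export of Internet Explorer's ZoneMap\\Domains key and list
the hosts that have been mapped to the Trusted sites zone (zone 2).
Added example; the export below is constructed, not taken from the thread."""
import re
from typing import List, Tuple

# Per-user location of the URL security zone mappings (HKLM holds a twin
# that applies machine-wide when per-machine zones are enforced).
ZONEMAP_DOMAINS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\ZoneMap\Domains"
)
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_zonemap(reg_text: str) -> List[Tuple[str, str, int]]:
    """Return (host, scheme, zone) for every mapping under ZoneMap\\Domains.

    Domains\\example.com       -> host example.com
    Domains\\example.com\\www  -> host www.example.com
    Domains\\example.com\\*    -> host *.example.com
    The value name is the scheme ("http", "https") or "*" for any scheme.
    """
    prefix = (ZONEMAP_DOMAINS + "\\").lower()
    entries: List[Tuple[str, str, int]] = []
    current_host = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(1)
            current_host = None
            if name.lower().startswith(prefix):
                parts = name[len(prefix):].split("\\")
                current_host = ".".join(reversed(parts))
            continue
        if current_host is None:
            continue  # value belongs to a key outside ZoneMap\Domains
        value = VALUE_RE.match(line)
        if value:
            entries.append((current_host, value.group(1), int(value.group(2), 16)))
    return entries


def trusted_hosts(reg_text: str) -> List[Tuple[str, str]]:
    """Hosts granted Trusted-sites status, which is what a zone reset removes."""
    return [(host, scheme) for host, scheme, zone in parse_zonemap(reg_text)
            if zone == 2]


# Constructed sample export: one legitimate intranet mapping, two entries
# of the kind an adware installer adds, and one Restricted-sites entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.corp.example]
"*"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adware-host.example]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adware-host.example\www]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.example]
"http"=dword:00000004
"""


if __name__ == "__main__":
    for host, scheme, zone in parse_zonemap(SAMPLE_REG):
        print(f"{host:30s} {scheme:6s} zone {zone} ({ZONE_NAMES.get(zone, '?')})")
    print("Trusted-sites entries:", trusted_hosts(SAMPLE_REG))
```

Feeding the script a real export (made with `reg export` of the ZoneMap key on the affected machine) shows which hosts would lose their elevated zone when FindAWF's option 4 clears the mappings; legitimate intranet entries are reported too, so they can be re-added afterwards.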
CatByte
post Nov 30 2009, 06:19 PM
Post #26
Classroom Administrator | Posts: 9,466 | Joined: 18-November 04 | From: Canada | Member No.: 18,614 | Operating System: xp sp3

Due to inactivity this topic will be closed.
If you need help please start a new thread.

© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy