Trojan Horse Downloader Agent ATJC

Fire_Fox

Hi

Firstly I am not massively technical so please be gentle!

My laptop - which was new in September - is currently using Fire Fox web browser, AVG Free for virus protection and presumably has a firewall but no idea what (my dad put this all in place for me, inc. disabling the Microsoft virus protection). I also know to use CCleaner periodically and update various programmes via Filehippo. Not sure if all that is important but thought I'd say it anyway!

Twice AVG has failed to work properly, saying something like "bad file xxx" on the update manager and had not automatically scanned for up to a week. Both times I downloaded AVG again and told it to repair. Then ran a scan - first time nothing, second time it found a Trojan Horse as in the thread title. No other problems with the actual running of my computer.

The second time my dad advised me to run a Panda Security scan which didn't find anything. So the question is do I need to do anything else or is everything definitely fine with my computer? I am student so can't afford to lose any work.

Thanks in advance. :beer:

aliEnRIK

Lets make sure its clean ~

Download MALWAREBYTES (Click 'DOWNLOAD NOW')
http://www.download.com/Malwarebytes-Anti-Malware/3000-18510_4-10804572.html?cdlPid=10997763
UPDATE and FULL scan
Post the log here after its deleted everything

Download SUPERANTISPYWARE (Top right)
http://www.filehippo.com/download_superantispyware/
UPDATE and scan

Download HIJACK THIS (Top right)
http://www.filehippo.com/download_hijackthis/
reboot
SCAN and post the log so we can see whats running

Browntoa

full instructions

http://forums.moneysavingexpert.com/showthread.html?t=133269

Fire_Fox

I will do this over the weekend, thanks very much (am at work this evening!). I do not know how to create a log - is that where the programme tells you how many threats you have after the scan?

aliEnRIK

Yes. Delete everything malwarebytes finds, and then it will auto produce a log. RIGHT click and copy everything, then PASTE here (Split up into sections if its too big to post)

With 'hijack', just right click copy and paste the scan (do NOT tick anything yet)

Fire_Fox

Malwarebytes' Anti-Malware 1.33
Database version: 1736
Windows 6.0.6001 Service Pack 1

07/02/2009 12:29:29
mbam-log-2009-02-07 (12-29-29).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 118259
Time elapsed: 1 hour(s), 9 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 25
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\!!2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\!!741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\!!147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\!!07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\!!07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\!!07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\!!3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\!!9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\!!00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\!!56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\!!56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\!!59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\!!68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\!!9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Kitty McKatty\Downloads\MyFunCardsSetup2.3.50.22.ZUfox000(2).exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\Kitty McKatty\Downloads\MyFunCardsSetup2.3.50.22.ZUfox000.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Fire_Fox

AVG Free has just popped up to say it's finished the scheduled scan, and has found 42 tracking cookies. :eek: Shall I delete them or just leave it until the Superantispyware programme has finished it's scan (running at present, seems to have overlapped with AVG)??

How do I know where these things are coming from? I guess I should run all the scans I am doing today again on a regular basis?

Thanks again.

thomas01155

Don't worry about cookies they do no harm accept AVG flags them as dangerous some reason. Its funny when it alerts you that you have been infected by a cookie

Fire_Fox

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/07/2009 at 01:20 PM

Application Version : 4.25.1012

Core Rules Database Version : 3746
Trace Rules Database Version: 1714

Scan type : Complete Scan
Total Scan Time : 00:26:12

Memory items scanned : 782
Memory threats detected : 0
Registry items scanned : 6796
Registry threats detected : 2
File items scanned : 20739
File threats detected : 0

Adware.MyWebSearch/FunWebProducts
HKCR\CLSID\!!9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\!!9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs

Fire_Fox

Just had a folder appear that I don't remember seeing before, called 'Problem Reports and Solutions'. It's listing every time that my 3 mobile internet connection crashed and stopped responding. I have had this for at least four months, but interestingly only had one crash early in November, none in December, seven in January (first one on 10th) and four already in February. And there am I saying I haven't had any problems with the running of my computer. :rolleyes:

Browntoa

malwarebytes has removed some minor things (mywebsearch is Dell related if memory serves me right) and superantispyware has come up clean

there is one Vundo infection that it removed