This post has been edited by maya93: 20 December 2011 - 11:09 PM
Infected with viruseS but cant remove them (ssvagent)
#1
Posted 20 December 2011 - 10:42 PM
#2
Posted 21 December 2011 - 10:07 AM
To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
- Click the Logs Tab at the top.
- The log will be named by the date of scan in the following format: mbam-log-date(time).txt
-- If you have previously used MBAM, there may be several logs showing in the list.
- Click on the log name to highlight it.
- Go to the bottom and click on Open.
- The log should automatically open in notepad as a text file.
- Go to Edit and choose Select all.
- Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
- Come back to this thread, click Add Reply, then right-click and choose Paste.
- Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
Be sure to print out and read the instructions provided in:
- How to Install Kaspersky Virus Removal Tool
- How to use the Kaspersky Virus Removal Tool to automatically remove viruses
- Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe), select your language and install the utility.
-- Vista/Windows 7 users right-click and select Run As Administrator.
- If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
- At the 'Setup page', click Next, check the box to accept the license agreement and click Next twice more to extract the required files.
- Setup may recommend to scan the computer in Safe Mode. Click Ok.
- A window will open with a tab that says Autoscan. Click the green Start scan button on the Autoscan tab in the main window.
- If malware is detected, you will see the Scan Alert screen.
- Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
- After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
- Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
- If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
- In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
- Copy and paste the report results of any threats detected. Do not include the longer list marked Events.
- When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2011.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".
Then try doing an online scan to see if it finds anything else that the other scans may have missed.
Please perform a scan with Eset Online Anti-virus Scanner.
- If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
- Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
- Click the green button.
- Read the End User License Agreement and check the box.
- Click the button.
- Accept any security warnings from your browser and allow the download/installation of any required files.
- Under scan settings, check the box and make sure that the option Remove found threats is NOT checked.
- Click Advanced settings and select the following:
- Scan potentially unwanted applications
- Scan for potentially unsafe applications
- Enable Anti-Stealth technology
- Click the Start button.
- ESET will install itself, download virus signature database updates, and begin scanning your computer.
- The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
- When the scan completes, push the button.
- Push the button, and save the file to your desktop as ESETScan.txt.
- Push the button, then Finish.
- Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#3
Posted 23 December 2011 - 10:56 AM
www.malwarebytes.org
Database version: 7622
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19170
12/20/2011 7:45:00 PM
mbam-log-2011-12-20 (19-45-00).txt
Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 361721
Time elapsed: 1 hour(s), 8 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Guest\AppData\Local\mbb.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Guest\AppData\Local\uwp.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
AVPTOOL: (no virus/malware found)
Automatic Scan: completed 3 minutes ago (events: 5690, objects: 5662, time: 00:06:02)
6595b64144ccf1df_5.82.6002.18305_none_88f3a38569c2c436\comctl32.dll
Object was not changed (iChecker)
12/22/2011 9:42:54 PM OK C:\Windows\System32\mssprxy.dll
12/22/2011 9:42:54 PM OK C:\users\maryam a\appdata\Roaming\Dropbox\bin\msvcr71.dll Object was not changed (iChecker)
12/22/2011 9:42:54 PM OK C:\Windows\System32\tquery.dll
12/22/2011 9:43:25 PM OK igfxtray.exe\igfxress.dll
12/22/2011 9:43:25 PM OK igfxtray.exe\hccutils.dll Object was not changed (iChecker)
12/22/2011 9:43:25 PM OK igfxtray.exe\uxtheme.dll
12/22/2011 9:43:29 PM OK explorer.exe\msvcr71.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK explorer.exe\msvcp71.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK dwm.exe\igdumdx32.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK dwm.exe\rpcrt4.dll
12/22/2011 9:43:29 PM OK ConAppsSvc.exe\ConApps.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK ConAppsSvc.exe\RpcSrvApi.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK ConAppsSvc.exe\Diagnostic.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK ConAppsSvc.exe\netcfgx.dll
12/22/2011 9:43:29 PM OK ConAppsSvc.exe\MFC71.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK ConAppsSvc.exe\msvcr71.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK C:\Program Files\Clearwire\Connection Manager\ConAppsSvc.exe
12/22/2011 9:43:29 PM OK RcAppSvc.exe\RcAppSvc.exe
12/22/2011 9:43:29 PM OK RcAppSvc.exe\RpcSrvApi.dll Object was not changed (iChecker)
12/22/2011 9:43:29 PM OK RcAppSvc.exe\Diagnostic.dll Object was not changed (iChecker)
12/22/2011 9:43:31 PM OK IAANTmon.exe\ISDI.dll Object was not changed (iChecker)
12/22/2011 9:43:36 PM OK sprtsvc.exe\libeay32.dll Object was not changed (iChecker)
12/22/2011 9:43:36 PM OK sprtsvc.exe\sprtfod.dll Object was not changed (iChecker)
12/22/2011 9:43:36 PM OK sprtsvc.exe\sprtsched.dll Object was not changed (iChecker)
12/22/2011 9:43:36 PM OK sprtsvc.exe\sprtupdate.dll
12/22/2011 9:43:39 PM OK DeviceLaunchSvc.exe\ToolBx.dll Object was not changed (iChecker)
12/22/2011 9:43:39 PM OK DeviceLaunchSvc.exe\RpcSrvApi.dll Object was not changed (iChecker)
12/22/2011 9:43:39 PM OK C:\Program Files\Clearwire\Connection Manager\DeviceLaunchSvc.exe
12/22/2011 9:47:04 PM OK C
12/22/2011 9:47:05 PM OK D
12/22/2011 9:47:05 PM OK \Device\HarddiskVolume3
12/22/2011 9:47:06 PM OK \Device\HarddiskVolume2
12/22/2011 9:47:08 PM OK \Device\HarddiskVolume1
12/22/2011 9:47:08 PM OK \Device\Harddisk0\DR0
12/22/2011 9:47:09 PM Task completed
This post has been edited by maya93: 23 December 2011 - 11:09 AM
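As an added example, not code from this thread, from Malwarebytes or from the helper, here is a small Python parser for the MBAM 1.5x log layout posted above, run over the log from post #3 itself. It recovers the header fields, the per-category counts and each detection line, checks that the summary counts agree with the items actually listed, and flags the two points a reviewer would pick up from this particular log: the Hijack.ExeFile entry on the .exe shell\open\command key and the Safe Mode marker in the OS line. The regexes, the field names and the `Detection` record are my own reading of the log lines on this page, not a published format specification; the default value quoted for the exefile open command is standard Windows behaviour, not something the thread states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# MBAM log reproduced from post #3 of this thread (genuine thread content, not constructed);
# the Kaspersky per-object lines that followed it are a different format and are left out.
MBAM_LOG = r"""
www.malwarebytes.org
Database version: 7622
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19170
12/20/2011 7:45:00 PM
mbam-log-2011-12-20 (19-45-00).txt
Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 361721
Time elapsed: 1 hour(s), 8 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Guest\AppData\Local\mbb.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Guest\AppData\Local\uwp.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""

# Assumed layout, inferred from the log above: "Key: value" header lines, "<Category> Infected: N"
# summary counts, "<Category> Infected:" section headers, then "<location> (<threat>) -> ... -> <action>".
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed): (.+)$")
COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^(.+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")


@dataclass
class Detection:
    section: str
    location: str   # registry path or file path as MBAM printed it
    threat: str     # MBAM detection name, e.g. Hijack.ExeFile
    detail: str     # middle segment(s), e.g. 'Value: (default)' or 'Bad: (...) Good: (...)'
    action: str     # final segment, e.g. 'Quarantined and deleted successfully.'


def parse_mbam_log(text):
    """Turn an MBAM 1.5x log into header fields, summary counts and Detection records."""
    report = {"header": {}, "counts": {}, "safe_mode": False, "detections": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Windows "):          # OS line; "(Safe Mode)" is appended when scanned there
            report["header"]["os"] = line
            report["safe_mode"] = "(Safe Mode)" in line
            continue
        if (m := HEADER_RE.match(line)):
            report["header"][m[1]] = m[2]
        elif (m := COUNT_RE.match(line)):
            report["counts"][m[1]] = int(m[2])
        elif (m := SECTION_RE.match(line)):
            section = m[1]
        elif section and (m := DETECTION_RE.match(line)):
            *detail, action = m["rest"].split(" -> ")
            report["detections"].append(
                Detection(section, m["location"], m["threat"], " -> ".join(detail), action))
    return report


def count_mismatches(report):
    """Categories whose summary count disagrees with the items actually listed (a truncated paste shows up here)."""
    listed = Counter(d.section for d in report["detections"])
    return sorted(name for name, n in report["counts"].items() if n != listed.get(name, 0))


def bad_good(detection):
    """Split a 'Bad: (...) Good: (...)' data-item detail into (bad, good); None for other detections."""
    m = BAD_GOOD_RE.match(detection.detail)
    return (m["bad"], m["good"]) if m else None


def triage(report):
    """Notes a reviewer would raise on this log; the Safe Mode point is the one made in post #4."""
    notes = []
    if report["safe_mode"]:
        notes.append("scan ran in Safe Mode: MBAM's removal driver does not load there, re-scan in normal mode")
    for d in report["detections"]:
        if d.threat == "Hijack.ExeFile":
            notes.append(f"{d.location}: the .exe open command was hijacked, so every program launch passed "
                         "through the malware; verify HKCR\\exefile\\shell\\open\\command reads \"%1\" %* after cleanup")
        elif (bg := bad_good(d)):
            notes.append(f"{d.location}: pointed at {bg[0]} instead of {bg[1]}")
    return notes


if __name__ == "__main__":
    r = parse_mbam_log(MBAM_LOG)
    print(r["header"], r["counts"], count_mismatches(r), sep="\n")
    print("\n".join(triage(r)))
```

The parser deliberately keys detections by the section header they appear under rather than by guessing from the path, because MBAM prints the same "location (threat) -> action" shape for registry values, data items and files; the section is the only reliable type marker in the log.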
#4
Posted 23 December 2011 - 11:55 AM
Your log indicates you are using an outdated database version. The database shows 7622. Last I checked it was 911122204.
IMPORTANT NOTE: Your Malwarebytes Anti-Malware log indicates you performed your scan in safe mode. Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Why? Malwarebytes is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of Malwarebytes. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If you did not have those problems, please perform your next scan in normal mode.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#5
Posted 25 December 2011 - 01:47 AM
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 911122405
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19170
12/25/2011 12:31:09 AM
mbam-log-2011-12-25 (00-31-09).txt
Scan type: Quick scan
Objects scanned: 223354
Time elapsed: 18 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Windows\temp\qjjhqbrdkq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\amber\Desktop\privacy protection.lnk (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\amber\AppData\Local\temp\thpm7944098937707703320.tmp (Exploit.Drop.3) -> Quarantined and deleted successfully.
#6
Posted 25 December 2011 - 10:50 AM
C:\Program Files\StartNow Toolbar\ReactivateIE.exe a variant of Win32/Toolbar.Zugo application
C:\Program Files\StartNow Toolbar\Toolbar32.dll a variant of Win32/Toolbar.Zugo application
C:\Program Files\StartNow Toolbar\ToolbarBroker.exe a variant of Win32/Toolbar.Zugo application
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application
C:\Users\amber\AppData\Local\SupportSoft\SupportSoftUpdate\SupportSoftupdt32.dll a variant of Win32/Kryptik.TAF trojan
C:\Users\Guest\Documents\8D83104.exe a variant of Win32/Kryptik.XTE trojan
C:\Users\Guest\Documents\Ah462Ug1.exe a variant of Win32/Kryptik.XTE trojan
C:\Users\Guest\Downloads\PicMorph.exe Win32/Toolbar.Zugo application
C:\Users\maryam A\AppData\Roaming\8E7668E4D8D0D6FC7BF0764FC74CAF76\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Users\maryam A\AppData\Roaming\8E7668E4D8D0D6FC7BF0764FC74CAF76\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.DZ trojan
C:\Windows\temp\4shFA67.tmp a variant of Win32/Toolbar.Zugo application
Operating memory a variant of Win32/Toolbar.Zugo application
#7
Posted 25 December 2011 - 12:45 PM
Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure.

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
#8
Posted 27 December 2011 - 08:14 PM
C:\Program Files\StartNow Toolbar\Toolbar32.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting (after the next restart) - quarantined
C:\Program Files\StartNow Toolbar\ToolbarBroker.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting (after the next restart) - quarantined
C:\Users\amber\AppData\Local\SupportSoft\SupportSoftUpdate\SupportSoftupdt32.dll a variant of Win32/Kryptik.TAF trojan cleaned by deleting - quarantined
C:\Users\Guest\Downloads\PicMorph.exe Win32/Toolbar.Zugo application deleted - quarantined
C:\Users\maryam A\AppData\Local\temp\NOD7AB3.tmp a variant of Win32/Toolbar.Zugo application cleaned by deleting (after the next restart) - quarantined
C:\Users\maryam A\AppData\Local\temp\NOD8AE9.tmp a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\Users\maryam A\AppData\Roaming\8E7668E4D8D0D6FC7BF0764FC74CAF76\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Users\maryam A\AppData\Roaming\8E7668E4D8D0D6FC7BF0764FC74CAF76\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
This post has been edited by maya93: 27 December 2011 - 08:16 PM
#10
Posted 02 January 2012 - 01:32 PM
#11
Posted 02 January 2012 - 05:01 PM
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
- Go to Start > Programs > Accessories > System Tools and click "System Restore".
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then use Disk Cleanup to remove all but the most recently created Restore Point.
- Go to Start > Run... and type: Cleanmgr
- Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
- Click the "More Options" tab, then click the "Clean up" button under System Restore.
- Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
- Click Yes, then click Ok.
- Click Yes again when prompted with "Are you sure you want to perform these actions?"
- Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links:

Member of UNITE, Unified Network of Instructors and Trusted Eliminators