
Win32.TrojanPWS.Agent found - maybe more


  • This topic is locked
8 replies to this topic

#1 rich253453

rich253453

  • Members
  • 4 posts
  • Local time:02:34 AM

Posted 01 April 2010 - 05:36 PM

I'm re-requesting help in this forum since I misposted in the wrong thread before, and didn't follow the correct procedure. Sorry about that.

Attachments are included now, including the HijackThis log. Also included: the Ad-Aware log.

My computer was acting slow after I installed a marketing ebook I picked up in a forum.
During restart, I noticed a program shutting down that had the words appshell in it and became suspicious.
I scanned files before, and did a full scan after with avast antivirus and the HouseCall online scanner, and found nothing.
I used Ad-Aware in safe mode because it ran out of virtual memory on a regular boot, and found these:

----------------------------------------------------------------------------------------------------------------------------------------

Removed items:
Description: hxxp://www.cashfiesta.com/php/cf_faq.php#general3 Family Name: Possible Browser Hijack attempt Engine: 1 Clean status: Success Item ID: 0 Family ID: 538
Description: hxxp://www.cashfiesta.com/php/cf_faq.php#general3 Family Name: Possible Browser Hijack attempt Engine: 1 Clean status: Success Item ID: 0 Family ID: 538
Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0
Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0
Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
Description: *statse.webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408803 Family ID: 0
Description: *webtrendslive* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408954 Family ID: 0
Description: *.webtrendslive* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409033 Family ID: 0
Description: *statse.webtrendslive* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 409269 Family ID: 0
Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0

Quarantined items:
Description: c:\program files\alarm\alarm.exe Family Name: Win32.TrojanClicker.VBiframe Engine: 1 Clean status: Success Item ID: 2851783 Family ID: 929602 MD5: 1151dd4909146958a513fbff0b2bd8a9
Description: c:\documents and settings\all users\start menu\programs\alarm\alarm.lnk Family Name: Win32.TrojanClicker.VBiframe Engine: 1 Clean status: Success Item ID: 2851783 Family ID: 929602 MD5: 607af1c55bf607f8cf62aa12cb86ee41
Description: c:\documents and settings\user1\desktop\shortcuts\alarm.lnk Family Name: Win32.TrojanClicker.VBiframe Engine: 1 Clean status: Success Item ID: 2851783 Family ID: 929602 MD5: 9f0a55900b2fa92a70e9dd59558e3bd2
Description: c:\documents and settings\user1\application data\macromedia\shockwave player\xtras\download\thegroovealliance\3dgroovextrav18\groove.x32 Family Name: Win32.Dialer.Coulomb Engine: 1 Clean status: Success Item ID: 108162 Family ID: 266 MD5: e9e34657723111913d4a9d7957573c55
Description: d:\mydocuments_d\ebay_resell_pack\25k_ebooks\new folder\597letters\597letters.exe Family Name: Win32.TrojanPWS.Agent Engine: 1 Clean status: Success Item ID: 170452 Family ID: 865 MD5: ade8adc3aed0a4c0d3216ddbcbecb92b
Description: d:\mydocuments_d\ebay_resell_pack\25k_ebooks\new folder\597letters\597letters\597letters.exe Family Name: Win32.TrojanPWS.Agent Engine: 1 Clean status: Success Item ID: 170452 Family ID: 865 MD5: ade8adc3aed0a4c0d3216ddbcbecb92b
---------------------------------------------------------------------------------------------------------------------------------------------

Ad-Aware apparently took care of the problems, but my computer is still trying to connect constantly through "SYSTEM".
Can't shut it down, and filescab firewall says that the process doesn't exist or something like that. I'm afraid more is going on. Please advise.

Thanks.

Attached Files


Edited by Orange Blossom, 01 April 2010 - 07:37 PM.
Deactivate links. ~ OB
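The Ad-Aware log pasted above is a fixed "Description / Family Name / Engine / Clean status / Item ID / Family ID / MD5" field-per-line format. As an added example (not code from the post, from Ad-Aware, or from BleepingComputer), this parser groups the entries by section and separates tracking-cookie noise from quarantined files, keyed by MD5 so the same sample dropped at several paths is reviewed once; the sample lines are a subset copied verbatim from the post.

```python
import re
from collections import defaultdict

# One Ad-Aware detection line as pasted above; the MD5 field is present only on file hits.
LINE_RE = re.compile(
    r"Description: (?P<description>.+?) Family Name: (?P<family>.+?) Engine: (?P<engine>\d+) "
    r"Clean status: (?P<status>\S+) Item ID: (?P<item_id>\d+) Family ID: (?P<family_id>\d+)"
    r"(?: MD5: (?P<md5>[0-9a-fA-F]{32}))?$"
)
# Constructed sample: a subset of the lines from the first post, copied verbatim.
SAMPLE_LOG = r"""
Removed items:
Description: hxxp://www.cashfiesta.com/php/cf_faq.php#general3 Family Name: Possible Browser Hijack attempt Engine: 1 Clean status: Success Item ID: 0 Family ID: 538
Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0
Description: *webtrends* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 599640 Family ID: 0
Description: *2o7* Family Name: Cookies Engine: 1 Clean status: Success Item ID: 408943 Family ID: 0
Quarantined items:
Description: c:\program files\alarm\alarm.exe Family Name: Win32.TrojanClicker.VBiframe Engine: 1 Clean status: Success Item ID: 2851783 Family ID: 929602 MD5: 1151dd4909146958a513fbff0b2bd8a9
Description: c:\documents and settings\all users\start menu\programs\alarm\alarm.lnk Family Name: Win32.TrojanClicker.VBiframe Engine: 1 Clean status: Success Item ID: 2851783 Family ID: 929602 MD5: 607af1c55bf607f8cf62aa12cb86ee41
Description: d:\mydocuments_d\ebay_resell_pack\25k_ebooks\new folder\597letters\597letters.exe Family Name: Win32.TrojanPWS.Agent Engine: 1 Clean status: Success Item ID: 170452 Family ID: 865 MD5: ade8adc3aed0a4c0d3216ddbcbecb92b
Description: d:\mydocuments_d\ebay_resell_pack\25k_ebooks\new folder\597letters\597letters\597letters.exe Family Name: Win32.TrojanPWS.Agent Engine: 1 Clean status: Success Item ID: 170452 Family ID: 865 MD5: ade8adc3aed0a4c0d3216ddbcbecb92b
"""


def parse_adaware_log(text):
    """Group detection lines under their 'Removed items' / 'Quarantined items' headers."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # blank lines and the ---- rulers around the pasted log
        if line.endswith(":"):
            current = line[:-1]  # section header
            continue
        match = LINE_RE.match(line)
        if match and current:
            sections[current].append(match.groupdict())
    return dict(sections)


def triage(sections):
    """Separate tracking-cookie noise from real findings; group file hits by MD5 so one
    sample found at several paths (597letters.exe above) is reviewed once."""
    removed = sections.get("Removed items", [])
    cookies = [d for d in removed if d["family"] == "Cookies"]
    other_removed = [d for d in removed if d["family"] != "Cookies"]
    files = {}
    for d in sections.get("Quarantined items", []):
        entry = files.setdefault(d["md5"], {"family": d["family"], "paths": []})
        entry["paths"].append(d["description"])
    return {"cookie_hits": len(cookies), "other_removed": other_removed, "files": files}
```

The MD5 keys in the result are what a responder would look up in a hash reputation service; the cookie count is kept only so it can be reported separately from actual file detections.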




#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK
  • Local time:09:34 AM

Posted 05 April 2010 - 12:18 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:34 AM

Posted 10 April 2010 - 11:13 AM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:34 AM

Posted 10 April 2010 - 04:12 PM

Topic re-opened upon user's request.

#5 rich253453

rich253453
  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:34 AM

Posted 12 April 2010 - 02:27 PM

Sorry for the late reply. I didn't realize that I had to redo the information. I am re-uploading the DDS and GMER files as requested. These are both new ones. I will try to get back more often. Thanks.

Attached Files


Edited by rich253453, 12 April 2010 - 02:28 PM.


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:34 AM

Posted 12 April 2010 - 07:25 PM

Can you give me an update on the condition of your machine? I don't see much malicious activity going around.

#7 rich253453

rich253453
  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:34 AM

Posted 12 April 2010 - 09:17 PM

Well, my firewall shows a process "SYSTEM" continuously trying to access 255.255.255.255/68 udp/in.
When I try to shut down SYSTEM it says it's not a valid process and can't shut down.
system32\services.exe keeps accessing 67.185.218.41/1068 udp/out.

I don't really know what else to mention. Did any of my log files show anything? Like the hijackthis log or any of the others? Sorry I'm not more help. I'm pretty newbish.



#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:34 AM

Posted 13 April 2010 - 02:46 PM

Hi again,

That's fine.

Those two processes, however, can't be ended like that, as they are part of and run by the system itself. Those in fact are fine; I wouldn't worry about it.

Download and run Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:05:34 AM

Posted 08 May 2010 - 11:48 AM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy