
Author Topic: Trojan Propogator.  (Read 13423 times)


Soulmonger

    Topic Starter


    Rookie

    Trojan Propogator.
    « on: February 16, 2010, 10:06:04 AM »
    My PC is a Dell 9200 running XP home edition plus a Seagate external hard drive.

    Some time ago my PC contracted a win32.bagle.hi trojan which disabled Avast, system restore, Malwarebytes, start in safe mode etc. and would not allow me to run Combofix, Hijack this, Superantispyware or any online scanner. After days of trying to sort the problem I managed to save my files using a Linux version, and totally wiped the harddrive and reinstalled XP. I reinstalled certain programmes from scratch, ie IE8 and Firefox, Avast etc and the Windows updates.
    I scanned the external hard drive using several tools (Malwarebytes, Spybot S&D, etc.), then reconnected it. I soon noticed that the PC was running really slowly and yet scans revealed nothing. I downloaded the 30 day trial version of "a squared" anti virus and ran it. It revealed a host of trojans (including bagel) which it removed. I ran the SFC /Scannow command along with the Windows reinstallation disc where some of the DLL files had been corrupted. On connecting to the Net it soon became apparent that the PC was running slowly again and after a further scan it revealed another host of trojans including trojan dropper, Delf and Bagle 32. A squared av cleared the trojans yet again. Whilst not connected to the internet I needed to scan some files using the all in one HP printer, but it would not save the pdf file to the hard disc but it would to a memory stick. HP suggested reinstalling their software, but I was unable to remove the HP software using the "add or remove software" feature in XP.
    It appears that the Trojan is still resident on my PC in some form, and a further scan with "a squared" revealed trojans in the HP software programme, so perhaps this is why I can't uninstall it. I have attached the scans as required and have run the Hijack this analysis tool but nothing is highlighted.

    I'm totally fed up and daren't connect to the internet for fear of contracting even more viruses.
    Any suggestions would be more than welcome.

    Many thanks.

    [Saving space, attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Trojan Propogator.
    « Reply #1 on: February 16, 2010, 01:45:59 PM »
    Hello Soulmonger and welcome to Computer Hope Forum. My name is Superdave but you can just call me Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Looking over your log it seems you don't have any antivirus software.

    Before we continue download and install a free antivirus.

    Remember to only install one antivirus!
     
    1) Avast! Home Edition
    2) AVG Free Edition
    3) Avira AntiVir Personal
    4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
    4-a) Microsoft Security Essentials for Windows XP
    5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
    6) PC Tools AntiVirus Free Edition

    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

    =============================================================
    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    =====================================================

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    (Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)
    O4 - HKLM\..\Run: [WinampAgent] \"C:\Program Files\Winamp\winampa.exe\"
    (Description: The WinAmp Agent. This puts a WinAmp icon in your system tray. It is completely unnecessary, and some viruses may hide in this file. Removing this entry will free up a small amount of system resources.)
    O4 - HKLM\..\Run: [WinampAgent] \"C:\Program Files\Winamp\winampa.exe\"
    (Description: Loads the System Tray icon for the WinAmp media player. Can be used to maintain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs. If you don't use WinAmp constantly, removing this entry will free up some system resources.)
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] \"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe\"
    (Description: Adobe reader startup - unnecessarily uses system resources.)

    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.
    ================================================================
    There doesn't appear to be any malware in your log that would cause a slowdown. Please try all the steps in the following link to see if it will cure the slowness of your computer. If it doesn't help, please download and run ComboFix and post the log.

    ==================================================================
    Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

    ===================================================================
    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    link # 1
    link #2

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts. (you will receive a UAC prompt, please allow it)

    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
    Windows 8 and Windows 10 dual boot with two SSD's

    Soulmonger


      Re: Trojan Propogator.
      « Reply #2 on: February 16, 2010, 03:48:57 PM »
      Hi Dave, many thanks for your help it is much appreciated.
      Firstly, I do have antivirus software - "a squared" 30 day full trial version.
      I have removed Windows messenger as instructed and I ran the Hijack this "system scan only".
      Several of the listed items came up but two of them do not have a "\" after the ".exe".
      Are these different entries or are they the ones to delete? They are on the :-
      04 - Hklm\..\Run: [Winamp agent] \"c\program files\Winamp\winampa.exe\ and
      04 - Hklm\..\Run: [adobe reader speed launcher] \"C:Program files\adobe\reader9.0\reader\_sl.exe\"
      files.


      As for the slow running of the PC, I can fix that by running the SFC /Scannow command and using the XP reinstallation cd.  At present it is Ok. I think that this is a result of the virus/trojan changing some of the original DLL files.
      Hope this helps. 
      thanks, Brian.
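
The fix list in Reply #1 writes some Run commands with `\"`, and Reply #2 asks whether scan entries that lack the backslash are the same items. This added example (not code from the thread or from HijackThis) checks a fix list against scan lines after normalising that difference; it assumes the `\"` is quote escaping in the posted text, and the SCAN lines, including the ExampleTray entry, are constructed.

```python
import re

# Entries to fix, copied from Reply #1 (the escaped \" kept as posted).
FIXLIST = r'''
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [WinampAgent] \"C:\Program Files\Winamp\winampa.exe\"
O4 - HKLM\..\Run: [WinampAgent] \"C:\Program Files\Winamp\winampa.exe\"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] \"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe\"
'''.splitlines()

# Constructed scan lines (not the poster's log): plain quotes, one retyped
# "04" with a zero, one unrelated entry and one non-entry header line.
SCAN = r'''
Running processes:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
04 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
'''.splitlines()

SECTION_RE = re.compile(r'^[o0](\d{1,2}) - (.*)$')   # "O4 - ..." or retyped "04 - ..."
RUN_RE = re.compile(r'^(hk[a-z]+\\\.\.\\[^:]+): \[([^\]]*)\] (.*)$')

def normalize(line):
    """Undo \\" escaping (assumed to come from the post), squeeze spaces, fold case."""
    line = line.replace('\\"', '"')
    return re.sub(r'\s+', ' ', line).strip().casefold()

def entry_key(line):
    """Return a comparable key for a HijackThis entry, or None for other lines."""
    m = SECTION_RE.match(normalize(line))
    if not m:
        return None
    section, body = 'O' + m.group(1), m.group(2)
    run = RUN_RE.match(body)
    if run:  # startup entry: compare key, value name and command separately
        key, name, cmd = run.groups()
        return (section, key, name, cmd.replace('"', ''))  # quoting is not significant
    return (section, body)

def check_fixlist(fixlist, scan_lines):
    """Split fix-list entries into those present in the scan and those absent."""
    scanned = {entry_key(l) for l in scan_lines} - {None}
    present, absent, seen = [], [], set()
    for line in fixlist:
        key = entry_key(line)
        if key is None or key in seen:   # skip blanks and duplicate entries
            continue
        seen.add(key)
        (present if key in scanned else absent).append(line.strip())
    return present, absent

if __name__ == '__main__':
    present, absent = check_fixlist(FIXLIST, SCAN)
    print('Check these:', *present, sep='\n  ')
    print('Not in this scan ("if there"):', *absent, sep='\n  ')
```
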

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Trojan Propogator.
      « Reply #3 on: February 16, 2010, 04:53:29 PM »
      Just keep going with the ComboFix instructions. That's the main log that SuperDave will need to move forward with.

      Soulmonger


        Re: Trojan Propogator.
        « Reply #4 on: February 17, 2010, 11:45:37 AM »
        Had to connect to the internet on Combofix instructions to download Windows recovery programme, so I could now have some interesting malware installed.
        Requested Combofix and hjt logs attached.

        [Saving space, attachment deleted by admin]

        SuperDave

        Re: Trojan Propogator.
        « Reply #5 on: February 17, 2010, 12:06:35 PM »
        According to the logs you posted, A-Squared is only for malware. I don't believe you have an Anti-Virus program installed.

        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Unzip SecurityCheck.zip and a folder named Security Check should appear.
        * Open the Security Check folder and double-click Security Check.bat
        * Follow the on-screen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

        =================================================

        Soulmonger


          Re: Trojan Propogator.
          « Reply #6 on: February 17, 2010, 01:41:54 PM »
          Thanks Dave.

          You are correct about the antimalware programme, but I was sure that it said in the advertising blurb that "antivirus was the past and antimalware the future".
          What's more galling is the fact that I uninstalled Avast in favour of "a squared" so that there would be no conflict between the two. My apologies. I have now redownloaded Avast and it now runs alongside "a squared". Apparently the two should run together with no problems.
          Please find attached the log you requested.
          By the way I have run these checks with the external hard drive off. If this is incorrect should I run all these checks again and post fresh logs?
          Once again my apologies.

          [Saving space, attachment deleted by admin]

          SuperDave

          Re: Trojan Propogator.
          « Reply #7 on: February 17, 2010, 04:39:16 PM »
          Quote
          Once again my apologies.
          Not a problem. MSE is my personal favourite because of its 98% efficiency and not being a resource hog. One more scan to run.

          Quote
          By the way I have run these checks with the external hard drive off. If this is incorrect should I run all these checks again and post fresh logs?
          If you just use your external drive for storage the only way it would be infected is if you transferred an infected file to it. You can configure SAS, MBAM and Avast to scan this drive, if you wish.
          =================================

          ESET Online Scan

          Scan your computer with the ESET FREE Online Virus Scan

          * Click the ESET Online Scanner button.

          * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
          * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
          * Place a check mark next to YES, I accept the Terms of Use.

          * Click the Start button.
          * Accept any security warnings from your browser.
          * Leave the check mark next to Remove found threats and place a check next to Scan archives.
          * Click the Start button.
          * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
          * When the scan completes, click List of found threats.
          * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
          * Click the <<Back button then click Finish.

          In your next reply please include the ESET Online Scan Log

          Soulmonger


            Re: Trojan Propogator.
            « Reply #8 on: February 18, 2010, 01:56:09 PM »
            Hi Dave.

            I ran the Eset online scanner and it reported no threats found.
            No report to post. So far so good.

            SuperDave

            Re: Trojan Propogator.
            « Reply #9 on: February 18, 2010, 08:06:56 PM »
            How's your computer running now? Any problems like before?

            Soulmonger


              Re: Trojan Propogator.
              « Reply #10 on: February 19, 2010, 03:15:05 AM »
              Hi Dave,

              Booted up the PC this morning and it is running very slowly, i.e., click on "start" and it will take approx 6 or 7 seconds before the window opens. If I then close the window and click "start" again, it will come up almost immediately. This goes for anything else as well. I haven't run any other scans but it doesn't look promising. These are the symptoms it was exhibiting before. Shall I run an "a squared" scan and post the log, or HJT?

              Thanks, Brian.

              SuperDave

              Re: Trojan Propogator.
              « Reply #11 on: February 19, 2010, 12:56:46 PM »
              How much RAM do you have on your computer? Did you do all the steps in that link about slow computers? Please try this program to see what's running on start-up. You may have too many programs starting.

              StartupLite

              Download StartupLite by MalwareBytes to your Desktop.
              Doubleclick StartupLite.exe to launch the program.
              Ensure the Disable box is checked.
              Click Continue.
              A pop up message will tell you the unnecessary startup items in your list have been disabled and ask you to restart your computer.
              Re-start your computer.

              Soulmonger


                Re: Trojan Propogator.
                « Reply #12 on: February 19, 2010, 02:06:50 PM »
                Hello Dave,

                thanks for your time and efforts.

                My PC has 2G of Ram and normally it responds very quickly.
                Since I reinstalled XP I only have a skeleton of programs running at present.
                I read and followed the instructions in the "slow computer" link, many of which I run already.
                As I stated before, if I run the SFC command I need to use the reinstallation disc to repair or replace some Dll files. This restores the speed to normal. However very soon after a restart it is back to slow, unless I disconnect the wireless link to the router and thus the internet before starting the PC.
                I downloaded and ran the startlite program but it has made little or no difference.
                I suspect that a new scan would reveal an infected system, but I haven't run any as per your instruction.

                SuperDave

                Re: Trojan Propogator.
                « Reply #13 on: February 19, 2010, 04:33:06 PM »
                All the scans you have run so far do not show any infections but we'll try another.

                Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.

                •Double click on RSIT.exe to run.

                •Click Continue at the disclaimer screen.

                •Once it has finished, two logs will open.
                log.txt (will be maximized) and info.txt (will be minimized)

                •Please post the contents of both logs in the next reply.

                Soulmonger


                  Re: Trojan Propogator.
                  « Reply #14 on: February 19, 2010, 05:17:24 PM »
                  Thanks for persevering.

                  Logs attached as requested.
                  Hope they help.

                  Regards

                  Brian

                  [Saving space, attachment deleted by admin]