
Author Topic: Trojan Propogator.  (Read 13812 times)


SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Trojan Propogator.
« Reply #15 on: February 20, 2010, 10:36:45 AM »
I'm really puzzled. I can't see any signs of malware that would cause a slowdown.

Quote
but I was sure that it said in the advertising blurb that "antivirus was the past and antimalware the future".
But, you still need to protect against both.
=============================

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall


(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
=================================
Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky.fr and save it to your Desktop.
  • Please close all other applications running on your system.
  • Please double click GetSystemInfo.exe to open it.
  • Click the Settings button.
  • Set it to Maximum
  • IMPORTANT! Then please click Customize - choose Driver / Ports tab and Uncheck Scan Ports.
  • Click Create Report to run it.
  • It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser and click the Submit button.
Please copy and paste the url of the GSI Parser report (not the log) in your next reply.
Windows 8 and Windows 10 dual boot with two SSD's

Soulmonger

Topic Starter
Rookie

Re: Trojan Propogator.
« Reply #16 on: February 20, 2010, 04:09:10 PM »
Hi Dave,
Sorry, haven't been around for much of the day.
I ran the Kaspersky GSI, but was unable to configure it the way you suggested. I could set to max or uncheck port box, but not the two together. The report at this URL is for a medium setting with the unchecked port box.
http://www.getsysteminfo.com/read.php?file=1119df933a96f252387084347f734145

I have noticed that the PC returns to normal speed a significant time after I boot it up, typically 20 mins. (Not using it at present due to the persistent problem); however, within that period it took just over a minute between clicking on the "Run" command and the window appearing. ComboFix took two attempts and 13 mins to uninstall. This is very unusual behaviour since it ran pretty *censored* quick with all my previous applications loaded and fighting for memory.

Many thanks,
Brian.

SuperDave

Re: Trojan Propogator.
« Reply #17 on: February 20, 2010, 07:29:54 PM »
One more scan please.

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

  • Double-click on drweb-cureit.exe and then click Start.
  • An information notice will appear; click OK.
  • This starts a short scan that will scan the files currently running in memory.
    If you get a prompt to buy the full version, just exit out of the window. The scanner will still work without buying the full version.
  • If or when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click Settings > Change Settings.
  • Under the Scanning tab, uncheck Heuristic analysis and click OK.
  • Back at the main window, select the Complete scan button and then click the green arrow Start Scanning button on the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
  • When the scan is done, in the Dr.Web CureIt menu on the top left, click File and choose Save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web CureIt.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, right-click the Dr.Web log on the desktop and choose Open With > Notepad.
  • Copy and paste that log in the next reply.
Windows 8 and Windows 10 dual boot with two SSD's

Soulmonger

Re: Trojan Propogator.
« Reply #18 on: February 21, 2010, 01:34:40 PM »
Dr Web has at least confirmed that I am not going mad.
On the first scan it highlighted "Hosts File modified" which it cleared.
On the second part of the scan it identified three trojans and some adware.
The first Trojan was on the C drive: Trojan Startpage.1505
The second was on the external hard drive: Trojan Stinger and I did not note the third.
I cannot remember any more details of it I'm afraid.
Unfortunately I cannot post any logs since the utility hung and then crashed the PC at approx 80% complete (whilst scanning the J drive):
J:\...B}\RP27\A0015521.exe/Cab/00317882.cab

I tried again and the same thing happened.
Technical details as follows:

A Problem was detected
Kernel_Data_Inpage_Error

Stop: 0x0000007A (0xE1D2C910, 0xC0000185, 0xBF919D3D, 0x6728D860)

WIN32.SYS - Address BF919D3D base at BF800000 Datestamp 4A8564C7

The system was running abysmally slowly prior to the crash. The two scans took several hours to complete.

Sorry I can't provide any logs; when I tried right-clicking the icon I did not get an "open with" option, I guess because the scan did not finish.
Thanks Dave.
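The "Hosts File modified" finding above is the kind of tampering a scanner reports when entries have been added that pin update or vendor hostnames, or point ordinary sites at an attacker-chosen address. The following is an added example, not code from the thread or from Dr.Web: a small Python audit of a Windows hosts file that flags watched security/update domains, hostnames mapped to a non-loopback address, and clusters of many hostnames sharing one address. The watch list of domains and the sample hosts file are constructed for illustration.

```python
"""Audit a Windows hosts file for the tampering a scanner reports as
"Hosts File modified".  Added example, not part of the thread: the watch
list of update/security domains and the sample hosts file are constructed."""
import ipaddress
from collections import defaultdict

# Assumed watch list: domains malware commonly pins in the hosts file so that
# updates and vendor sites cannot be reached (not taken from the thread).
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "kaspersky.com",
    "drweb.com",
    "malwarebytes.org",
    "superantispyware.com",
)


def parse_hosts(text):
    """Return (ip, hostname, line_no) for each mapping in a hosts file.
    Comments after '#' and blank lines are skipped; a line whose first
    field is not an IP address is ignored rather than raising."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def audit_hosts(text, pharming_threshold=5):
    """Return a list of findings, each a dict with kind/line/host/ip.

    kinds:
      security-domain   a watched update/security hostname is mapped at all
                        (to loopback it blocks updates; elsewhere it redirects)
      non-loopback      a hostname resolves to something other than loopback
      pharming-cluster  many hostnames share one non-loopback address
    """
    findings = []
    hosts_by_ip = defaultdict(set)
    for ip, host, line_no in parse_hosts(text):
        hosts_by_ip[ip].add(host)
        if any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            findings.append({"kind": "security-domain", "line": line_no,
                             "host": host, "ip": str(ip)})
        elif not ip.is_loopback:
            findings.append({"kind": "non-loopback", "line": line_no,
                             "host": host, "ip": str(ip)})
    for ip, hosts in hosts_by_ip.items():
        if not ip.is_loopback and len(hosts) >= pharming_threshold:
            findings.append({"kind": "pharming-cluster", "line": None,
                             "host": ",".join(sorted(hosts)), "ip": str(ip)})
    return findings


# Constructed sample: a stock header plus four injected lines (lines 5-8).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       windowsupdate.com           # update blocking
127.0.0.1       www.kaspersky.com
203.0.113.10    www.google.com              # redirect to another host
203.0.113.10    search.yahoo.com
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['kind']:17} line {f['line']}: {f['host']} -> {f['ip']}")
```

On a real machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; the only entries a stock Windows hosts file needs are the two localhost lines, so anything else the audit lists is worth a look before a cleaner rewrites the file.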


SuperDave

Re: Trojan Propogator.
« Reply #19 on: February 21, 2010, 07:05:48 PM »
* Please uninstall your current version of SUPERAntiSpyware. <- This is important!
* Download and install the new version of SUPERAntiSpyware.
* After installing the new version, it may tell you that you need to reboot to complete the installation. You must reboot at this time!
* After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get any available updates.
* Now run a new full scan of your system.
* Post the log in your next reply.

Re-run MBAM:

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.

Windows 8 and Windows 10 dual boot with two SSD's

Soulmonger

Re: Trojan Propogator.
« Reply #20 on: February 22, 2010, 06:14:35 AM »
Hello Dave,
Uninstalled, then reinstalled the latest version of SAS as requested (seems to be the same). Ran scans, logs attached.

[Saving space, attachment deleted by admin]

Soulmonger

Re: Trojan Propogator.
« Reply #21 on: February 22, 2010, 10:08:16 AM »
Oops, forgot to update Malwarebytes before running the scan, so ignore the last scan.
Ran updates and rescanned.
Log attached.

[Saving space, attachment deleted by admin]

evilfantasy

  • Malware Removal Specialist
  • Moderator
  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Re: Trojan Propogator.
« Reply #22 on: February 22, 2010, 11:03:42 AM »

Download The Avenger by Swandog46 and save it to your desktop.

* Extract avenger.exe from the Zip file and save it to your desktop.
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Code box below, and paste it into the Input script here window:

Code:
Comment:

Files to delete:
C:\WINDOWS\SET26.tmp
C:\WINDOWS\SET25.tmp
C:\WINDOWS\SET8.tmp
C:\WINDOWS\SET4.tmp
C:\WINDOWS\SET3.tmp
C:\DOCUME~1\Bri\LOCALS~1\Temp\catchme.sys

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
* Your PC should reboot; if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.

* Add the Avenger log in your next post.

----------

When did these errors start happening?
Have you added any new hardware recently?

Is a-squared what reported the malware? What all did you let a-squared fix?
« Last Edit: February 22, 2010, 11:19:28 AM by evilfantasy »
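The Avenger script above lists files for deletion at reboot, at which point their contents are gone and cannot be compared against the Avenger log. The following is an added example, not code from the thread or from Avenger: a read-only Python helper that parses the "Comment:" / "Files to delete:" layout shown in the post and records existence, size, modification time and SHA-256 for each listed path before anything is removed. Only the two section names come from the script in the thread; the rest of the format, the record layout, and the sample script built in demo() are assumptions.

```python
"""Parse an Avenger-style script (the "Comment:" / "Files to delete:" layout
quoted in the thread) and record what is known about each listed file before
anything is deleted, so the record can be compared with the Avenger log later.
Added example, not part of the thread or of Avenger: the section names come
from the quoted script; the rest of the format is assumed.  Read-only."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def parse_avenger_script(text):
    """Return {section: [entries]}.  A section header is a line ending in
    ':' (assumed grammar); every non-blank line after it belongs to it."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_of(path):
    """Stream the file through SHA-256 so large files do not load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_files(paths):
    """One record per path: existence, and for present files the size,
    UTC modification time and SHA-256.  Never modifies anything."""
    records = []
    for path in paths:
        record = {"path": path, "exists": os.path.isfile(path)}
        if record["exists"]:
            st = os.stat(path)
            record["size"] = st.st_size
            record["mtime"] = datetime.fromtimestamp(
                st.st_mtime, tz=timezone.utc).isoformat()
            record["sha256"] = sha256_of(path)
        records.append(record)
    return records


def triage_script(text):
    """Triage every path under 'Files to delete:' in an Avenger-style script."""
    return triage_files(parse_avenger_script(text).get("Files to delete", []))


def demo():
    """Constructed scenario: a temporary directory holding one file that
    exists (contents b'hello') and one listed path that does not."""
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "SET26.tmp")
        with open(present, "wb") as fh:
            fh.write(b"hello")
        missing = os.path.join(tmp, "catchme.sys")
        script = f"Comment:\n\nFiles to delete:\n{present}\n{missing}\n"
        return triage_script(script)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Run it on the real script text before pasting that text into Avenger; a path that already reports exists: False tells you the file was gone (or the drive letter changed, as happens later in this thread) before the deletion ran, which is otherwise hard to tell from the Avenger log alone.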

Soulmonger

Re: Trojan Propogator.
« Reply #23 on: February 22, 2010, 11:29:49 AM »
Log attached as requested.
These errors only happened when I ran the Dr Web scan and I haven't added any new hardware recently.
Thanks
Brian

[Saving space, attachment deleted by admin]

Soulmonger

Re: Trojan Propogator.
« Reply #24 on: February 22, 2010, 11:36:06 AM »
I don't know if it's of any consequence, but somehow the external hard drive designation has been changed from "K" to "J" at some point recently.

evilfantasy

Re: Trojan Propogator.
« Reply #25 on: February 22, 2010, 02:03:34 PM »
None of the scanners are finding anything so I think it's safe to say that this is not a malware issue.

Soulmonger

Re: Trojan Propogator.
« Reply #26 on: February 22, 2010, 02:07:46 PM »
Just noticed your final question in your last post.
Spybot Search and Destroy is what alerted me to the trojan originally, but it could not get rid of it. I tried several other tools but they found nothing. I then tried "a squared" which found a host of trojans including the original: bagle.hi
It removed them, but I then noticed other anomalies such as slow running and inability to delete the HP software, when a trojan had been found in its software. "a squared" also alerted me to several attempts to contact "known malware distribution sites" whilst using Firefox. Although "a squared" got rid of the malware, my PC became reinfected every time I used it, to the extent it found 42 instances of trojans (i.e. maybe nine trojans in 42 total locations). Then I contacted you guys. I don't think that "a squared" is at fault since my wife uses it (since I started using it) with no problems or evident false positives.

evilfantasy

Re: Trojan Propogator.
« Reply #27 on: February 22, 2010, 02:27:30 PM »
a-squared is not something that should be used by just anyone. It has many false positives, and if you don't know what you're doing with it you can damage the OS, which is what I think happened here.

Look in a-squared and see if you can restore what it removed from quarantine. Then uninstall a-squared.

Or at least see if you can get me a log from a-squared.

Soulmonger

Re: Trojan Propogator.
« Reply #28 on: February 22, 2010, 02:43:30 PM »
Dr Web did find three trojans as I indicated before, but crashed before it finished and hence no log, but I can only tell you what I know.
I appreciate immensely your time and trouble in trying to resolve my problem and I can understand your frustration at being unable to find a solution, or indeed, a problem.
Are there any housecleaning issues to deal with, re uninstalling programmes etc.?

I have got Event and Quarantine logs for "a squared", but I don't know how to retrieve/copy them to you other than by screenshot. Any ideas?

Thanks
Brian

Soulmonger

Re: Trojan Propogator.
« Reply #29 on: February 22, 2010, 02:58:23 PM »
Sorry, it's not an event log, it's a Malware IDS log. Not much use I don't think.
Brian.