Win32/TrojanDownloader.Agent problem

[Heavy Metal]

This is the ESET online log:

Code:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d70a423dc745ef4da123fa19d7bcd2f7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-03 09:13:04
# local_time=2010-01-03 11:13:04 (+0200, GTB Standart Saati)
# country="Turkey"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 1133867 1133867 0 0
# compatibility_mode=8200 39157077 100 100 4842 28625961 0 0
# scanned=259281
# found=3
# cleaned=1
# scan_time=11685
# nod_component=V3 Build:0x30000000
C:\WINDOWS\system32\actxprxy.dll	probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean)	00000000000000000000000000000000	I
H:\SLATKO\torta.exe	a variant of Win32/Peerfrag.FU worm (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
${Memory}	probably a variant of Win32/TrojanDownloader.Agent trojan	00000000000000000000000000000000	I

Still two left, huh?

[Jintan]

In looking back through our posts here I see I asked twice about the proxy settings. I'll try to not ask a third time.

This is of some concern, as it suggests some action hidden in something's memory there (not added to the actual file):

${Memory} probably a variant of Win32/TrojanDownloader.Agent trojan 00000000000000000000000000000000

But that file Eset was unable to clean is the same one your Eset Nod there located earlier. By name it is a legitimate Windows file, so let's check that and see.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"


Then just go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the following file on your computer.

C:\WINDOWS\system32\actxprxy.dll

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

[Heavy Metal]

Hi Jintan,

Sorry for being late. I was so busy with my work. I uploaded the file. Here's the link:
http://thespykiller.co.uk/index.php/topic,9084.0.html

[Jintan]

No file was uploaded, or at least what was uploaded had zero bytes. Not typical behavior for a legit file to be locked like that. See if you can instead copy the file, then past it in a different location to then upload from, or zip a copy of the file, then upload that please.

[Heavy Metal]

I cannot copy nor zip it. It seems that the file is locked. Any other ideas?

[Jintan]

That actxprxy.dll file, by name and location there, is a legit file. I sense that because both the installed and the online scan version of Eset identified it as malware, the installed Eset there is locking access to the file. Try disabling Eset and see if you can access the file then.

[Heavy Metal]

Let's see if you can download it now:
http://thespykiller.co.uk/index.php/topic,9090.new.html

[Jintan]

I received the file, thanks. A malware altered file, so it was locked due to malware functions, and it does need to be removed there.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:

KillAll::
Rottkit::
File::
C:\WINDOWS\system32\actxprxy.dll

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-------------

Then repeat the follow-up scan steps again.

Open and update Malwarebytes.

* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

---------------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications

Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.


Post that log, the C:\ComboFix.txt log and the Malwarebytes log please.

[Heavy Metal]

Hi Jintan, sorry for not replying to you for a long time, but shortly after your last message my computer crashed permanently and for some time I had to use Ubuntu Live CD's to continue my work. Later, I formatted my harddisk and the problem automatically solved.

Thanks again anyway.

[Jintan]

I appreciate you taking time to post back an update. Be well.