Log'N'Rock: Trojan ? [RESOLVED] - Log'N'Rock

Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Trojan ? [RESOLVED]

#1 Peaches4U

  • Rockin' News Angel
  • Group: Road Crew
  • Posts: 2,911
  • Joined: 14-September 09
  • Gender: Female
  • Location: Canada
  • Interests: computers; travel; keeping busy; fashion;

Posted 02 May 2010 - 11:54 PM

Time to call in the experts ... have been trying to get rid of this trojan ... Trojan.downloader.win32.small.apzd!A2 using A-squared & have currently put it into the vault. Have also sent a report to a-squared. I have scanned with avast and it does not find anything. Also, cannot shut down my computer unless I do a reboot. Here is the Hijack log file ....


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:43:47 PM, on 5/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\InkSaver\InkSaver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe
C:\Program Files\BillP Studios\Task Catcher\tasktrap.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Citrix\GoToAssist\516\G2AProcessFactory.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\InkSaver\InkSaver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe
C:\Program Files\BillP Studios\Task Catcher\tasktrap.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.inbox.com...w=%s&tbid=70026
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.castanet.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.inbox.com...spx?tb_id=70026
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.inbox.com...aspx?TbId=70026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.inbox.com...spx?tb_id=70026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.inbox.com...aspx?TbId=70026
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InkSaver] C:\Program Files\InkSaver\InkSaver.exe hide
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PwrUpTweakMe] C:\WINDOWS\system32\PuXpTwks.exe /TWEAK
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [a-squared] "C:\PROGRAM FILES\A-SQUARED ANTI-MALWARE\a2guard.exe" /d=60
O4 - HKLM\..\Run: [Task Catcher] C:\Program Files\BillP Studios\Task Catcher\tasktrap.exe
O4 - HKLM\..\Run: [Task Catcher Real-Time Detector] C:\PROGRA~1\tasktrap.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-21-1004336348-1425521274-839522115-1004\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Strata')
O4 - HKUS\S-1-5-21-1004336348-1425521274-839522115-1004\..\Run: [PowerBar] (User 'Strata')
O4 - HKUS\S-1-5-21-1004336348-1425521274-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Strata')
O4 - HKUS\S-1-5-21-1004336348-1425521274-839522115-1004\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Strata')
O4 - HKUS\S-1-5-21-1004336348-1425521274-839522115-1004\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU" (User 'Strata')
O4 - HKUS\S-1-5-21-1004336348-1425521274-839522115-1004\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User 'Strata')
O4 - HKUS\S-1-5-18\..\Run: [Schmaili] C:\Program Files\Schmaili84\schmaili.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Schmaili] C:\Program Files\Schmaili84\schmaili.exe (User 'Default user')
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Inbox Search - tbr:iemenu
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Shaw Help - {EFE0E59E-BEE5-4205-A7E4-ECE997D779B5} - http://support.shaw.home.com (file missing) (HKCU)
O9 - Extra button: Start PostSmile - {F596B4DB-835A-4b2f-9BCF-F44FD9705E87} - C:\Program Files\PostSmile\postsmile.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start PostSmile - {F596B4DB-835A-4b2f-9BCF-F44FD9705E87} - C:\Program Files\PostSmile\postsmile.exe (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1161007588437
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1245158016875
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\516\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\516\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O24 - Desktop Component 0: (no name) - http://www.theradio....tile_header.jpg

--
End of file - 16058 bytes


P.S. apparently port entry of this worm was 023. I was using the WindowsXP firewall [have a wireless router] and have since installed Online Armor .. did a ShieldsUP test and passed all tests.


Thanks for your help.... Peaches

0

#2 Fred Flintstone

  • Dave Gilmour
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender: Male
  • Location: Somerset

Posted 03 May 2010 - 09:41 PM

Hi Peaches,
Nothing much showing in that log now, just a couple of remnant lines.

Give it a run of MBAM and we'll see what's left after that.


Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately; failure to reboot will prevent MBAM from removing all the malware.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Please post the log back and we'll see what (if anything) it finds.

Thanks
Roy
0
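Roy reads the HijackThis log in post #1 for "remnant lines": registrations (R3 URLSearchHook, O2 BHO, O3 toolbar, O18 protocol handler) whose target file is gone, shown as "(no file)" or "(file missing)". As an added example, not part of this thread or of HijackThis itself, this Python script picks those orphan entries out of HijackThis-format lines and groups them by CLSID, so that the R3 and O2 lines left by one uninstalled toolbar are seen together. The log excerpt is constructed for the example from the line shapes in post #1.

```python
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional

# Constructed excerpt in HijackThis 2.0.4 line format, modelled on the log in post #1.
SAMPLE_LOG_LINES = [
    r"Logfile of Trend Micro HijackThis v2.0.4",
    r"Running processes:",
    r"C:\WINDOWS\system32\wbem\wmiprvse.exe",
    r"",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.inbox.com/",
    r"R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)",
    r"O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)",
    r"O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll",
    r"O3 - Toolbar: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - (no file)",
    r'O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui',
    r"O9 - Extra button: Shaw Help - {EFE0E59E-BEE5-4205-A7E4-ECE997D779B5} - http://support.shaw.home.com (file missing) (HKCU)",
    r"O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - (no file)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe",
]

# Every HijackThis finding starts with a section tag such as "R1", "O2" or "O23".
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


class HjtEntry(NamedTuple):
    section: str            # "R3", "O2", "O3", "O18", ...
    body: str               # text after the "Oxx - " prefix
    clsid: Optional[str]    # COM class id if the line carries one (upper-cased)
    orphan: bool            # registration points at a file that no longer exists


def parse_hjt(lines: List[str]) -> List[HjtEntry]:
    """Turn HijackThis log lines into entries; header and process-list lines are skipped."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        c = CLSID_RE.search(body)
        orphan = body.endswith("(no file)") or "(file missing)" in body
        entries.append(HjtEntry(m.group("section"), body, c.group(0).upper() if c else None, orphan))
    return entries


def find_remnants(entries: List[HjtEntry]) -> List[HjtEntry]:
    """The 'remnant lines': registry entries whose target file is missing."""
    return [e for e in entries if e.orphan]


def group_by_clsid(entries: List[HjtEntry]):
    """Map CLSID -> sections that reference it; one uninstalled add-on usually
    leaves a matching R3 and O2 pair (as the {1CB20BF0-...} lines in post #1 do)."""
    groups = defaultdict(list)
    for e in entries:
        if e.clsid:
            groups[e.clsid].append(e.section)
    return dict(groups)


if __name__ == "__main__":
    remnants = find_remnants(parse_hjt(SAMPLE_LOG_LINES))
    for clsid, sections in group_by_clsid(remnants).items():
        print(clsid, "->", ", ".join(sections))
```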

#3 Peaches4U

Posted 04 May 2010 - 07:54 PM

Did a full Avast scan ... nothing found ... A-squared scan found the trojan again. Will rescan and follow up with another post with results.

I am using the full version of MBAM ... log below.....

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4066

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/4/2010 12:38:11 PM
mbam-log-2010-05-04 (12-38-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 253889
Time elapsed: 48 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

0

#4 Peaches4U

Posted 04 May 2010 - 08:30 PM

At bleeping computer the same issue was posted ... see below ...

a-squared free v. 4.5.0.27
© 2003-2010 Emsi Software GmbH - www.emsisoft.com
ID Object - The item listed I believe is a false positive.

C:\WINDOWS\system32\wbem\wmiprvse.exe Trojan-Downloader.Win32.Small.apzd!A2

http://www.bleepingc...opic313617.html


This false positive, which appears to be the case, has given me grief for several days of searching, scanning and hair pulling. If you agree it is a false positive then I shall put that so called trojan on ignore for scans.

Now I have to find out why my computer will hang when shutting down and does not shut down as set to be done automatically. Any ideas? Most recent software installed was Online Armor.

Thanks
0

#5 Peaches4U

Posted 04 May 2010 - 09:35 PM

Scan just done now ...

Emsisoft Anti-Malware - Version 4.5
Last update: 2/27/2010 7:03:19 PM

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 5/4/2010 12:57:18 PM

[4040] C:\WINDOWS\system32\wbem\wmiprvse.exe detected: Trojan-Downloader.Win32.Small.apzd!A2

Scanned

Files: 211402
Traces: 796538
Cookies: 191
Processes: 56

Found

Files: 0
Traces: 0
Cookies: 0
Processes: 1
Registry keys: 0

Scan end: 5/4/2010 2:32:02 PM
Scan time: 1:34:44
0

#6 Fred Flintstone

Posted 05 May 2010 - 07:07 PM

Hi Peaches,
Sorry for the delay, but it's been a manic week in work and I've just got home!

That file:
C:\WINDOWS\system32\wbem\wmiprvse.exe

Is from Windows Management Instrumentation

It should be ok on that file path, different story if it was in system32 folder or elsewhere etc!

Quote

The wmiprvse.exe file is located in the folder C:\WINDOWS\System32\Wbem. In other cases, wmiprvse.exe is a virus, spyware, trojan or worm!

Can you just go to the file, right click and check the properties to make sure it is a Microsoft file.

Then upload it to Jotti:
Upload file for scanning - Jotti

  • Please go to Jotti.org
  • Click the Browse... button
  • Copy and paste the full file path below into the 'File name:' box and click Open

    Quote

    C:\WINDOWS\system32\wbem\wmiprvse.exe

  • Click Submit file to begin scanning.
  • Once all the scanners have finished copy the URL from the address bar at the top of the browser and paste it into your next reply.

Thanks
Roy
0

#7 Peaches4U

Posted 06 May 2010 - 01:14 AM

Hi Roy .. not a problem and I understand completely and happy to have you help me out. Did as requested and posting as follows: ..............



Quote

This file has been scanned before. The results for this previous scan are listed below.

Filename: wmiprvse.exe
Status: Scan finished. 1 out of 20 scanners reported malware.
Scan taken on: Sun 2 May 2010 19:54:55 (CET)

2010-05-02 BackDoor.W32.Agent.afqs

Quote

additional information ..........
File size: 227840 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 798a9e6828997eef4517ada8a2259831
SHA1: f36ce7091903b73a6905460069877ddc209ad2e7

0

#8 Peaches4U

Posted 07 May 2010 - 05:10 PM

Thanks for your help - it is appreciated. I submitted the file to Emsisoft for analysis and received the following reply, so now we know it is a false positive should this scenario come up again .. I did notice that when I quarantined the file, my computer would not shut down & would simply hang and I had to do the shut down manually ... however, if the file is not quarantined, then my computer shuts down as it should . ... guess this file must have something to do with the computer shut down. Learn something new everyday. :)



Hello,

many thanks for the delivered file:

C:\WINDOWS\system32\wbem\wmiprvse.exe

Your file was initially alerted as: Trojan-Downloader.Win32.Small.apzd!A2

Analysis result:

***** false-positive *****

This file is a so-called false positive according to your analysis.
That means this file was detected wrongly.

Please do not delete this file! The next signature update will fix
the detection and the scanner should not alert this file anymore.

If you need additional help please contact the malware experts in our
malware removal forum: http://support.emsisoft.com


Have a nice (malware-free) day!

Your Emsisoft Analysis Team
0

#9 Fred Flintstone

Posted 07 May 2010 - 05:16 PM

WOW.. what happened to my reply from yesterday!! it's gone!! :blink:

Ah well, as I said then:

Kaspersky and many others have flagged this as a false positive for the file in that location, and 19 out of 20 scanners say it's clean!
The malware version is normally located in the system32 folder.

We can give ComboFix a whirl if you want, just to be sure, but I would say this is a false positive.

Roy


EDIT: Seems we cross posted! :lol: :lol:

This post has been edited by Fred Flintstone: 07 May 2010 - 05:17 PM

0
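Roy's reasoning above, as an added example that is not from the thread or from any tool it names: a small Python triage that encodes the two checks he applies to the detection, where the file sits relative to the Windows directory (the legitimate WMI provider host belongs in System32\wbem, the look-alike is normally dropped straight into System32) and how many multi-engine scanners agree (1 of 20 on Jotti), plus a hash comparison so the Jotti verdict is only reused for a byte-identical copy. The known-good directory table, the Windows path and the 10% agreement threshold are my assumptions for illustration.

```python
import hashlib
import ntpath  # Windows path rules, usable on any host

# Assumed table of where the legitimate copy of a system binary lives, relative to
# the Windows directory (case-insensitive). Only the file from this thread is listed.
KNOWN_GOOD_DIRS = {
    "wmiprvse.exe": {r"system32\wbem"},
}


def windows_relative_dir(path, windows_dir=r"C:\WINDOWS"):
    """Directory of `path` relative to the Windows dir, lower-cased; None if outside it."""
    norm = ntpath.normpath(path).lower()
    root = ntpath.normpath(windows_dir).lower() + "\\"
    if not norm.startswith(root):
        return None
    return ntpath.dirname(norm[len(root):])


def triage(path, hits, total, windows_dir=r"C:\WINDOWS"):
    """Classify a detection on a Windows system binary from its location and from
    how many multi-engine scanners agree. Returns (verdict, reason)."""
    name = ntpath.basename(path).lower()
    expected = KNOWN_GOOD_DIRS.get(name)
    if expected is None:
        return "unknown", "not a tracked system binary; check publisher signature and hashes"
    rel = windows_relative_dir(path, windows_dir)
    if rel not in expected:
        # Same filename outside its expected directory is the classic masquerade.
        where = rel if rel is not None else "outside the Windows directory"
        return "suspicious", f"{name} in '{where}', expected {sorted(expected)}"
    ratio = hits / total if total else 0.0
    if ratio <= 0.1:  # assumed threshold: a lone engine against the rest
        return ("likely-false-positive",
                f"{hits}/{total} engines flag a file in its expected location; "
                "confirm the Microsoft signature and report it to the vendor rather than quarantining")
    return ("investigate",
            f"{hits}/{total} engines agree despite the expected path; verify signature and hashes")


def file_hashes(data):
    """MD5 and SHA1 hex digests, the two values a Jotti report lists (post #7)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def same_sample(data, reported_md5, reported_sha1):
    """True when the local file is byte-identical to the one a prior multi-engine
    report describes, so that report's verdict applies to this copy."""
    return file_hashes(data) == (reported_md5.lower(), reported_sha1.lower())


if __name__ == "__main__":
    for p in (r"C:\WINDOWS\system32\wbem\wmiprvse.exe", r"C:\WINDOWS\system32\wmiprvse.exe"):
        print(p, "->", triage(p, 1, 20))
```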

#10 Peaches4U

Posted 07 May 2010 - 05:37 PM

I tell you Roy, this thing really took me for a spin the last few days as I am really fussy about keeping my computer secure .. actually at a paranoid level as some might say. For my purposes I need to keep security high given that I have hundreds of emails entrusted via business and I need to not only keep my computer clean but be sure I do not infect others.

Yes, we did cross post .. anyway, I want you to know how much I appreciate your taking the time and effort to help me .... it was a new experience for me and nothing wrong with that.

I do not think I will do anymore on this ... will wait for Emsisoft's fix ... if I still have the issue, then I will be back here to pester you.

Thanks again,
0

#11 Fred Flintstone

Posted 07 May 2010 - 05:54 PM

You're welcome, any probs just let me know.. :thumbsup:
0

#12 Peaches4U

Posted 10 May 2010 - 02:08 AM

Just finished a final scan with Emsisoft and the results are clean ... I restored from quarantine, did an update before doing so. Computer shut down normally last night. Anyway, thought this info is good for the record in case anyone else has this issue. Case closed with thanks. :guitar:
0

#13 Fred Flintstone

Posted 10 May 2010 - 03:29 PM

Thanks for that Peaches, always useful to have the final conclusion for reference.

Regards
Roy :thumbsup:
0

#14 Fred Flintstone

Posted 11 May 2010 - 09:03 PM

Since this issue appears to be resolved, this Topic is now closed. Should you need this thread reopened, please PM me or another Staff member, including the address of this thread and we will reopen it for you. :)
0
