Help repairing a Trojan (Log Files Incl.)

  1. #1
    Join Date
    Jul 2009
    Posts
    6

    Help repairing a Trojan (Log Files Incl.)

    I have a trojan which I cannot repair using my anti-virus. I have included the log files which may be of help. Any help would really be appreciated.

    SUPERAntiSpyware Log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/04/2009 at 04:09 PM

    Application Version : 4.26.1006

    Core Rules Database Version : 3952
    Trace Rules Database Version: 1894

    Scan type : Complete Scan
    Total Scan Time : 02:11:10

    Memory items scanned : 216
    Memory threats detected : 0
    Registry items scanned : 3728
    Registry threats detected : 0
    File items scanned : 53490
    File threats detected : 3

    Adware.Tracking Cookie
    C:\Documents and Settings\Moose\Cookies\[email protected][1].txt
    C:\Documents and Settings\Moose\Cookies\moose@interclick[1].txt
    C:\Documents and Settings\Moose\Cookies\[email protected][1].txt

    Malwarebytes' Log:

    Malwarebytes' Anti-Malware 1.38
    Database version: 2297
    Windows 5.1.2600 Service Pack 3

    7/4/2009 8:02:55 PM
    mbam-log-2009-07-04 (20-02-47).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 131589
    Time elapsed: 55 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> No action taken.
    c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
    c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
    c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
    c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken.
    c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> No action taken.

  2. #2
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Hi and welcome to the VDr forums.

    =========

    Please update MBA-M and then do the full scan again. The log from MBA-M shows that you took no action. You must remove what is found.
    Once you have done that, restart your computer.

    Post the log from MBA-M and also a log from hijackthis.

    Download HijackThis Executable from here. Save it to your desktop.
    Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
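    The point crunchie makes above is that an MBA-M log records an action for every detection, and a trailing "No action taken." means the item is still present. As an added example (not code from the thread or from Malwarebytes), the Python below parses log text in the 1.38 layout shown above and lists the detections that were left unresolved. The sample log is constructed from lines quoted in this thread, and the line format is assumed from those lines only.

```python
import re

# Constructed sample in the Malwarebytes' Anti-Malware 1.38 log layout, built from
# lines quoted in this thread (one registry data item and two files, with one of
# the files already remediated so both action states appear).
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2297

Registry Data Items Infected: 1
Files Infected: 2

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Files Infected:" opens a section; "Files Infected: 6" is only the summary count.
SECTION_RE = re.compile(r"^(.+ Infected):\s*(\d*)$")

# A detection line is "<item> (<family>) -> [Bad/Good hop ->] <action>."; the
# registry-data form carries the extra "Bad: (..) Good: (..)" hop, which the
# optional group skips so that only the final action is captured.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?:.*-> )?(?P<action>[^>]+?)\.?$"
)


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared in."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m_sec = SECTION_RE.match(line)
        if m_sec:
            if m_sec.group(2) == "":   # header without a count: a new section starts
                section = m_sec.group(1)
            continue                   # summary count lines carry no detections
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return findings


def unresolved(findings):
    """Detections whose action field shows the scanner left them in place."""
    return [f for f in findings if f["action"].lower().startswith("no action")]


def action_summary(findings):
    """Count of detections per action string, e.g. to see at a glance if anything was skipped."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print(action_summary(found))
    for f in unresolved(found):
        print("still present:", f["section"], "->", f["item"], f"({f['family']})")
```

    Run against a real log saved by MBA-M, the unresolved list is the set of items to re-scan and remove before posting the next log; an empty list with a non-empty summary is the state the helper is asking for.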

  3. #3
    Join Date
    Jul 2009
    Posts
    6

    MBAM Log

    Malwarebytes' Anti-Malware 1.38
    Database version: 2297
    Windows 5.1.2600 Service Pack 3

    7/4/2009 8:03:48 PM
    mbam-log-2009-07-04 (20-03-48).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 131589
    Time elapsed: 55 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

  4. #4
    Join Date
    Jul 2009
    Posts
    6

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:05:54 PM, on 7/4/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\acs.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DWL-G520M Wireless 108G MIMO PCI Adapter\AIRPLUS.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
    O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\DWL-G520M Wireless 108G MIMO PCI Adapter\Reg.exe
    O4 - Global Startup: DWL-G520M Wireless 108G MIMO PCI Adapter Utility.lnk = ?
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1246665786093
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 4655 bytes

    I also Have a GMER Log if that would help.
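    As an added example (not part of the thread and not HijackThis code), the Python below triages a HijackThis 2.0.2 log the way a helper reads it: O1 Hosts entries that map a name to a non-loopback address (the hosts file is then overriding DNS for that name, as with the two advanced-virus-remover2009.com lines in the log above), O23 services HijackThis reports as "Unknown owner" (a prompt for manual review, not a verdict; the ACS entry above is a driver utility), and the O4 autorun entries. The sample is constructed from lines in the posted log plus one benign localhost line; the per-line layouts are assumed from those lines only.

```python
import ipaddress
import re

# Constructed sample in HijackThis v2.0.2 log layout: lines from the log posted
# above plus a benign "127.0.0.1 localhost" entry to show the contrast.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT finding starts with a code such as R0, O1, O23 followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# O4 form "<hive>\..\Run: [<name>] <command>" (the "Global Startup: x.lnk = ..." form is skipped).
O4_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_hjt_log(text):
    """Split a HijackThis log into (code, body) pairs, ignoring the header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def suspicious_hosts_entries(entries):
    """O1 lines whose address is not loopback: the hosts file is redirecting that name."""
    hits = []
    for code, body in entries:
        if code != "O1" or not body.startswith("Hosts: "):
            continue
        ip, _, hostname = body[len("Hosts: "):].partition(" ")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                       # malformed address: leave it for manual review
        if not addr.is_loopback:
            hits.append((hostname, ip))
    return hits


def unknown_owner_services(entries):
    """O23 services whose vendor field HijackThis reports as 'Unknown owner'."""
    return [body for code, body in entries if code == "O23" and " - Unknown owner - " in body]


def autoruns(entries):
    """O4 entries as (location, value name, command) tuples."""
    out = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_RE.match(body)
        if m:
            out.append((m.group("where"), m.group("name"), m.group("cmd")))
    return out


if __name__ == "__main__":
    found = parse_hjt_log(SAMPLE_HJT_LOG)
    for host, ip in suspicious_hosts_entries(found):
        print(f"hosts override: {host} -> {ip}")
    for svc in unknown_owner_services(found):
        print("review service:", svc)
    for where, name, cmd in autoruns(found):
        print(f"autorun [{where}] {name}: {cmd}")
```

    The hosts check groups naturally by address: several names pointing at one external address, as here, is the pattern to look for first, since every lookup of those names now bypasses DNS.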

  5. #5
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Quote Originally Posted by crunchie:
    Please update MBA-M and then do the full scan again.
    You never updated.

  6. #6
    Join Date
    Jul 2009
    Posts
    6
    The update feature is not working. I have reposted the scan results.

  7. #7
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Well, maybe you could have mentioned that in your last post so that we did not have to go through this again.

    Download the update from here
