Help cleaning up Trojan.Agent/Gen-Nullo[Short]

Started by rutabaga, February 08, 2013, 06:03:29 AM



Corrine

Thank you, Susan.

Please scan with ESET again and this time, check the option for "Remove found threats". 

Please download AdwCleaner by Xplode to your Desktop.

  •   Double-click AdwCleaner.exe to run the tool.
  •   Click Search.
  •   A logfile will automatically open after the scan has finished.
  •   Please post the contents of that logfile with your next response.
Note: The log can also be found at C:\AdwCleaner[XX].txt where XX denotes the number of times the application has been run, i.e., R1


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

rutabaga

AdwCleaner log:


# AdwCleaner v2.112 - Logfile created 02/11/2013 at 21:30:23
# Updated 10/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Susan - SMITHCORONA
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Susan\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Found : C:\Documents and Settings\All Users\Application Data\Partner

***** [Registry] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKLM\SOFTWARE\Classes\AppID\{28A88B70-D874-4F73-BBBA-9B2B222FB7D6}
Key Found : HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll
Key Found : HKLM\SOFTWARE\Classes\kt_bho.KettleBho.1
Key Found : HKLM\Software\PIP

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.17115

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.2 (en-US)

File : C:\Documents and Settings\Susan\Application Data\Mozilla\Firefox\Profiles\419pah3j.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Susan\Application Data\Mozilla\Firefox\Profiles\f3ngf4nx.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Susan\Application Data\Mozilla\Firefox\Profiles\iyccwre8.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Susan\Application Data\Mozilla\Firefox\Profiles\pff32bui.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Susan\Application Data\Mozilla\Firefox\Profiles\r5dv8uet.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Neil\Application Data\Mozilla\Firefox\Profiles\by9qm3dr.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Glenna\Application Data\Mozilla\Firefox\Profiles\sc7x83kf.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Jacob\Application Data\Mozilla\Firefox\Profiles\n99gklgt.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Documents and Settings\Susan\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v12.14.1738.0

File : C:\Documents and Settings\Susan\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [2362 octets] - [11/02/2013 21:30:23]

########## EOF - C:\AdwCleaner[R1].txt - [2422 octets] ##########

Corrine




rutabaga

Yes, I ran eset again before AdwCleaner.  Log is below.  It looks like it appends the new log to the old?

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=7.00.6000.17115 (vista_gdr.121029-1623)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=b983bb85891d9740b2219356c3bfcba9
# engine=13113
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-02-10 06:14:37
# local_time=2013-02-10 12:14:37 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5892 16777213 88 94 10822386 13173049 0 0
# scanned=67570
# found=6
# cleaned=0
# scan_time=6773
sh=C02423884B82F50565A8AA2BE8F974E821760F18 ft=0 fh=0000000000000000 vn="Eicar test file" ac=I fn="C:\Documents and Settings\Susan\Local Settings\Temp\Av-test.txt"
sh=F53194FE335C1DF41F1BC945626206D3F844FA89 ft=1 fh=d05664838e1e7c7e vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\Susan\Local Settings\Temp\fox33.tmp\Foxit Reader en5.4.5.124(toolbar) Setup.exe"
sh=DE069B1F515C20517E8A2A54011ABD2D6711A7D6 ft=0 fh=0000000000000000 vn="Win32/OpenCandy application" ac=I fn="C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\R030AT19\stubinst_pkg_en-us[1].cab"
sh=91EC186153FB33A4562204E4BE5631168C2BA206 ft=1 fh=eb969c333e6297d9 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\Susan\My Documents\Downloads\CuteWriter.exe"
sh=AC92E28269FBECA27F00EC0759C77D8AE1FBBA7D ft=1 fh=ed5561659328eb74 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\Susan\My Documents\Downloads\FoxitReader502.0718_enu_Setup.exe"
sh=80EC40B449844036AF4397EA6A83E6413B05FE1D ft=1 fh=0a2342e7b0e140db vn="probably a variant of Win32/Adware.Softomate.AD application" ac=I fn="C:\Documents and Settings\Susan\My Documents\My Archives\My Documents on Popcorn\Downloads\couponprinter.exe"
# version=8
# iexplore.exe=7.00.6000.17115 (vista_gdr.121029-1623)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=b983bb85891d9740b2219356c3bfcba9
# engine=13129
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-02-12 03:25:18
# local_time=2013-02-11 09:25:18 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5892 16777213 88 94 10985027 13335690 0 0
# scanned=67685
# found=6
# cleaned=6
# scan_time=6978
sh=C02423884B82F50565A8AA2BE8F974E821760F18 ft=0 fh=0000000000000000 vn="Eicar test file (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Susan\Local Settings\Temp\Av-test.txt"
sh=F53194FE335C1DF41F1BC945626206D3F844FA89 ft=1 fh=d05664838e1e7c7e vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Susan\Local Settings\Temp\fox33.tmp\Foxit Reader en5.4.5.124(toolbar) Setup.exe"
sh=DE069B1F515C20517E8A2A54011ABD2D6711A7D6 ft=0 fh=0000000000000000 vn="Win32/OpenCandy application (deleted - quarantined)" ac=C fn="C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\R030AT19\stubinst_pkg_en-us[1].cab"
sh=91EC186153FB33A4562204E4BE5631168C2BA206 ft=1 fh=eb969c333e6297d9 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Susan\My Documents\Downloads\CuteWriter.exe"
sh=AC92E28269FBECA27F00EC0759C77D8AE1FBBA7D ft=1 fh=ed5561659328eb74 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Susan\My Documents\Downloads\FoxitReader502.0718_enu_Setup.exe"
sh=80EC40B449844036AF4397EA6A83E6413B05FE1D ft=1 fh=0a2342e7b0e140db vn="probably a variant of Win32/Adware.Softomate.AD application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Susan\My Documents\My Archives\My Documents on Popcorn\Downloads\couponprinter.exe"

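The pasted ESET log answers Susan's question in the affirmative: the online scanner appends each run to the same file, so the search-only run (remove_checked=false, cleaned=0) and the cleanup run (remove_checked=true, cleaned=6) sit one after the other. The following Python is an added example, not code from the forum post or from ESET: it parses the "# key=value" header lines and the sh=/ft=/fh=/vn=/ac=/fn= detection lines in the format quoted above, splits the file into runs at each "# version=" line, checks that the found/cleaned header counts agree with the detection lines, and reports any SHA-1 from the first run that the last run did not mark as cleaned (ac=C). The sample log is constructed from two of the thread's entries, with the header counts adjusted to the two entries kept; the meaning of ac=I versus ac=C is inferred from the two runs above.

```python
"""Reconcile the two appended ESET Online Scanner runs in a single log.

Added example, not code from the forum post or from ESET. Parses the
'# key=value' header lines and the
  sh=<sha1> ft=<n> fh=<hex> vn="<name>" ac=<letter> fn="<path>"
detection lines, splits the file into runs at each '# version=' line,
and checks that everything found by the search-only run was cleaned by
the cleanup run.
"""
import re
from dataclasses import dataclass, field

DETECTION_RE = re.compile(
    r'sh=(?P<sh>[0-9A-Fa-f]{40})\s+ft=(?P<ft>\d+)\s+fh=(?P<fh>[0-9A-Fa-f]{16})\s+'
    r'vn="(?P<vn>[^"]*)"\s+ac=(?P<ac>[A-Z])\s+fn="(?P<fn>[^"]*)"'
)


@dataclass
class Detection:
    sha1: str     # 'sh=' field, SHA-1 of the object
    name: str     # 'vn=' field; on a cleanup run it carries the cleaning note
    action: str   # 'ac=' field, inferred from the log: I = reported only, C = cleaned
    path: str     # 'fn=' field


@dataclass
class Run:
    header: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_eset_log(text):
    """Split an ESET log into Run objects; lines before the first '# version=' are ignored."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('# version='):
            current = Run()
            runs.append(current)
        if current is None:
            continue  # installer preamble such as 'OnlineScanner.ocx - registred OK'
        if line.startswith('# '):
            key, _, value = line[2:].partition('=')
            current.header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            current.detections.append(Detection(m['sh'].upper(), m['vn'], m['ac'], m['fn']))
    return runs


def header_consistent(run):
    """True when the 'found'/'cleaned' header counts agree with the detection lines."""
    found = int(run.header.get('found', 0))
    cleaned = int(run.header.get('cleaned', 0))
    return (found == len(run.detections)
            and cleaned == sum(d.action == 'C' for d in run.detections))


def reconcile(runs):
    """SHA-1s reported in the first run that the last run did not mark as cleaned."""
    first, last = runs[0], runs[-1]
    cleaned = {d.sha1 for d in last.detections if d.action == 'C'}
    return sorted(d.sha1 for d in first.detections if d.sha1 not in cleaned)


# Constructed sample: two of the thread's entries, search run then cleanup run appended.
SAMPLE_LOG = r'''ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# engine=13113
# end=finished
# remove_checked=false
# scanned=67570
# found=2
# cleaned=0
sh=C02423884B82F50565A8AA2BE8F974E821760F18 ft=0 fh=0000000000000000 vn="Eicar test file" ac=I fn="C:\Documents and Settings\Susan\Local Settings\Temp\Av-test.txt"
sh=91EC186153FB33A4562204E4BE5631168C2BA206 ft=1 fh=eb969c333e6297d9 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\Susan\My Documents\Downloads\CuteWriter.exe"
# version=8
# engine=13129
# end=finished
# remove_checked=true
# scanned=67685
# found=2
# cleaned=2
sh=C02423884B82F50565A8AA2BE8F974E821760F18 ft=0 fh=0000000000000000 vn="Eicar test file (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Susan\Local Settings\Temp\Av-test.txt"
sh=91EC186153FB33A4562204E4BE5631168C2BA206 ft=1 fh=eb969c333e6297d9 vn="a variant of Win32/Bundled.Toolbar.Ask application (cleaned by deleting - quarantined)" ac=C fn="C:\Documents and Settings\Susan\My Documents\Downloads\CuteWriter.exe"
'''

RUNS = parse_eset_log(SAMPLE_LOG)

if __name__ == '__main__':
    for i, run in enumerate(RUNS, 1):
        print(f"run {i}: remove_checked={run.header['remove_checked']} "
              f"found={run.header['found']} cleaned={run.header['cleaned']} "
              f"header_consistent={header_consistent(run)}")
    print('still outstanding:', reconcile(RUNS) or 'none')
```

Matching on the sh= hash rather than the path is deliberate: the vn= text changes between runs (the cleanup run appends the "cleaned by deleting" note) while the hash of the object does not, so it is the stable key for pairing the two runs.
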
Corrine

Excellent!  That's what I wanted to see since you had a problem with ComboFix. 

I know the original concern was after a problem with G-mail but before I provide instructions for removing all the tools and such that I had you download, does everything seem to be in good working order? 

Oh, and in case you missed it, in addition to Microsoft Security Updates today, Adobe Flash Player, AIR and Shockwave Player have critical security updates. See Adobe® Shockwave & Flash® Player News.



rutabaga

Thanks, Corrine.

I am a little concerned about what ComboFix appeared to do to the directory structure.  I'll look at it again after I uninstall all the tools.

My computer seems to be working as well as it did before.  I have a longstanding (months) problem with it suddenly becoming very slow.  I have ruled out several things.  It can happen both when working online and when using strictly local applications.  The only thing I have pinned down for sure is that when the fan is running everything is ok.  When the machine slows to molasses the fan is never running.  Of course, there are in-between times when everything is ok but the fan is not running.  So the question is: Does the machine overheat but the fan doesn't come on for some reason so it slows to a crawl to save itself?  Or does the machine slow for some reason, so it's not doing much, so the fan doesn't need to come on?

Now I have ruled out malware.  Thank you!

I am fortunate to have a Microsoft guru in the family.  I haven't asked him about it because I suspect he will first tell me to reload Windows.  I am perfectly competent and willing to do that, but know that it takes some planning and a day of focused attention.  I haven't had the personal bandwidth to do that lately.

Thanks,
Susan

Corrine

Hi, Susan.

As to slowness, as a Windows XP OS, your computer is aging.  I suggest maintaining a good backup of important documents, pictures and other files that would cause a hardship to replace. 

Indeed, it does sound as though your computer is overheating, which will cause problems.  If you are uncomfortable doing it, I suggest you ask the family guru to carefully clean the dust from the computer. 

Let's take care of the other tools so I don't forget and then see what shows in C:\.  Another thing I don't want to forget is to remind you to update Internet Explorer to IE8.  Even if IE isn't your primary browser, you still need to update it and get the security updates installed.  Download Windows Internet Explorer 8 for Windows XP from Official Microsoft Download Center

Please do the following to uninstall AdwCleaner.

  •   Double-click AdwCleaner.exe to run the tool.
  •   Click Uninstall
  •   Confirm with yes
Delete the following from your desktop:  Security Check.  You can also uninstall ESET.




Before I have you run chkdsk and uninstall ComboFix, let's see what SystemLook shows.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2



  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:dir
c:\

  • Click the Look button to start the scan.
  • When  finished, a notepad window will open with the results of the scan.  Please post this log in your next reply.
Note: The log can  also be found on your Desktop entitled SystemLook.txt



rutabaga

Corrine, I've had new computer fever for quite a while.  I'm aware of its agedness.  Plus I'm getting tired of the 10 inch screen.  My eyes aren't getting any younger either.

I upgraded to IE8.  I'm surprised I still had 7.
I uninstalled AdwCleaner and ESET, and deleted SecurityCheck.

The links to SystemLook were wonky, but I figured it out.  Here's the log:

SystemLook 30.07.11 by jpshortstuff
Log created at 17:09 on 13/02/2013 by Susan
Administrator - Elevation successful

========== dir ==========

c: - Parameters: "(none)"

---Files---
AUTOEXEC.BAT   --a---- 0 bytes   [18:11 06/04/2009]   [18:11 06/04/2009]
Boot.bak   --a---- 211 bytes   [00:15 09/02/2013]   [04:50 27/11/2009]
boot.ini   -rahs-- 327 bytes   [19:50 06/04/2009]   [00:15 09/02/2013]
cmldr   -rahs-- 260272 bytes   [00:15 09/02/2013]   [05:00 04/08/2004]
CONFIG.SYS   --a---- 0 bytes   [18:11 06/04/2009]   [18:11 06/04/2009]
drivers.log   --a---- 763816 bytes   [20:16 14/08/2010]   [21:25 06/02/2011]
hiberfil.sys   --ahs-- 1063702528 bytes   [10:23 27/07/2009]   [22:32 13/02/2013]
IO.SYS   -rahs-- 0 bytes   [18:11 06/04/2009]   [18:11 06/04/2009]
mbam-error.txt   --a---- 109 bytes   [01:57 13/06/2010]   [01:57 13/06/2010]
MSDOS.SYS   -rahs-- 0 bytes   [18:11 06/04/2009]   [18:11 06/04/2009]
NTDETECT.COM   -rahs-- 47564 bytes   [19:49 06/04/2009]   [12:00 14/04/2008]
ntldr   -rahs-- 250048 bytes   [19:49 06/04/2009]   [12:00 14/04/2008]
pagefile.sys   --ahs-- 1598029824 bytes   [10:23 27/07/2009]   [22:32 13/02/2013]

---Folders---
ab0163ddb064801ced453459   d------   [03:24 20/08/2009]
cmdcons   drahs--   [00:15 09/02/2013]
ComboFix   d---s--   [00:12 09/02/2013]
Config.Msi   d--hs--   [23:15 08/02/2013]
Documents and Settings   d------   [11:05 06/04/2009]
KPCMS   d------   [02:11 18/09/2009]
ll20v170   d------   [04:28 20/02/2010]
MSOCache   dr-h---   [21:40 23/08/2009]
Program Files   dr-----   [11:06 06/04/2009]
Qoobox   d------   [00:12 09/02/2013]
RECYCLER   d--hs--   [22:59 13/02/2013]
System Volume Information   d--hs--   [03:16 09/04/2009]
temp.alps   d------   [00:13 06/07/2010]
TOSHIBA   d------   [19:45 06/04/2009]
WINDOWS   d------   [10:59 06/04/2009]

-= EOF =-

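Corrine's next step is to read the root-of-C: listing by eye and confirm the standard folders are where they belong. The following Python is an added example, not code from the forum post or from SystemLook: it parses the two line shapes in the "---Files---" and "---Folders---" sections above (fields separated by runs of three spaces, which is what the log shows), decodes the seven-character attribute column, and reports which root entries fall outside a baseline of what a stock Windows XP root holds, calling out hidden+system entries separately because a default Explorer view hides them. The baseline set and the sample listing (a subset of the log above) are constructed for this example; the attribute letter meanings are the usual DOS/NTFS ones (d, r, a, h, s).

```python
"""Triage the root-of-C: listing produced by SystemLook's ':dir' command.

Added example, not code from the forum post or from SystemLook. Handles
the two line shapes seen in the log (fields separated by three spaces):
  name   attrs size bytes   [created]   [modified]      (files)
  name   attrs   [created]                              (folders)
"""
import re
from dataclasses import dataclass
from typing import Optional

FIELD_SEP = re.compile(r'\s{3,}')

# Attribute column letters, e.g. 'drahs--' or '--a----' (assumed DOS/NTFS meanings).
ATTR_FLAGS = {'d': 'directory', 'r': 'read-only', 'a': 'archive', 'h': 'hidden', 's': 'system'}

# Constructed baseline: what a stock Windows XP installation keeps at C:\.
XP_ROOT_BASELINE = {
    'AUTOEXEC.BAT', 'CONFIG.SYS', 'IO.SYS', 'MSDOS.SYS', 'NTDETECT.COM', 'ntldr',
    'boot.ini', 'hiberfil.sys', 'pagefile.sys',
    'Documents and Settings', 'Program Files', 'WINDOWS',
    'System Volume Information', 'RECYCLER',
}


@dataclass
class Entry:
    name: str
    attrs: set
    size: Optional[int]      # None for folders
    created: str
    modified: Optional[str]  # None for folders (SystemLook prints one timestamp)


def decode_attrs(attrs):
    """Map 'drahs--' style flags to names; unknown flag letters are kept verbatim."""
    return {ATTR_FLAGS.get(ch, ch) for ch in attrs if ch != '-'}


def parse_systemlook_dir(text):
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('---') or line.startswith('-='):
            continue
        parts = FIELD_SEP.split(line)
        if len(parts) == 4 and parts[1].endswith(' bytes'):
            # file line: the attrs and size share one field ('--a---- 0 bytes')
            attrs, size, _ = parts[1].split()
            entries.append(Entry(parts[0], decode_attrs(attrs), int(size),
                                 parts[2].strip('[]'), parts[3].strip('[]')))
        elif len(parts) == 3:
            # folder line
            entries.append(Entry(parts[0], decode_attrs(parts[1]), None,
                                 parts[2].strip('[]'), None))
        # header lines such as 'c: - Parameters: "(none)"' use single spaces and are skipped
    return entries


def triage(entries, baseline=XP_ROOT_BASELINE):
    """Return (unexpected, unexpected_hidden_system); names compared case-insensitively."""
    known = {n.lower() for n in baseline}
    unexpected = [e.name for e in entries if e.name.lower() not in known]
    hidden_system = [e.name for e in entries
                     if e.name.lower() not in known and {'hidden', 'system'} <= e.attrs]
    return unexpected, hidden_system


# Constructed sample: a subset of the listing posted in the thread.
SAMPLE_LISTING = '''SystemLook 30.07.11 by jpshortstuff
========== dir ==========

c: - Parameters: "(none)"

---Files---
AUTOEXEC.BAT   --a---- 0 bytes   [18:11 06/04/2009]   [18:11 06/04/2009]
Boot.bak   --a---- 211 bytes   [00:15 09/02/2013]   [04:50 27/11/2009]
boot.ini   -rahs-- 327 bytes   [19:50 06/04/2009]   [00:15 09/02/2013]
cmldr   -rahs-- 260272 bytes   [00:15 09/02/2013]   [05:00 04/08/2004]
ntldr   -rahs-- 250048 bytes   [19:49 06/04/2009]   [12:00 14/04/2008]
pagefile.sys   --ahs-- 1598029824 bytes   [10:23 27/07/2009]   [22:32 13/02/2013]

---Folders---
cmdcons   drahs--   [00:15 09/02/2013]
ComboFix   d---s--   [00:12 09/02/2013]
Documents and Settings   d------   [11:05 06/04/2009]
Program Files   dr-----   [11:06 06/04/2009]
Qoobox   d------   [00:12 09/02/2013]
RECYCLER   d--hs--   [22:59 13/02/2013]
WINDOWS   d------   [10:59 06/04/2009]

-= EOF =-
'''

ENTRIES = parse_systemlook_dir(SAMPLE_LISTING)

if __name__ == '__main__':
    unexpected, hidden_system = triage(ENTRIES)
    print('not in XP root baseline:', ', '.join(unexpected))
    print('of those, hidden+system:', ', '.join(hidden_system))
```

Anything the triage lists is not automatically bad: in this thread the non-baseline entries carry the creation date of the ComboFix run and are what a helper expects to see after that tool, which is exactly why the created timestamp is kept on each Entry. The point of the split is that hidden+system entries outside the baseline are the ones a user cannot see in Explorer and so deserve the first look.
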
Corrine

Hi, Susan.

Sorry about the wonky links.  My "canned" instructions had quotes around the URLs.  Glad you figured it out.

The log shows me that the standard folders and files I was expecting to find are indeed located where I would expect to find them.  From the screen image, I couldn't tell if they were still located at the root of the C: drive (i.e., Documents and Settings).   

Just to be sure the folders at the root of C: are complete, compare the properties between a couple.  For example, navigate to C:\Documents and Settings as well as the ComboFix sub folder for Documents and Settings folder.  Right-click on the folders and compare the properties and let me know what you find.

Thanks!

