spybot fails infection removal



cousincuzzer
2008-12-31, 14:25
Hi all,

I have also tried using CounterSpy, Spyware Doctor, SDFix, MalwareBytes Anti-Malware, SuperAntiSpyware, McAfee, AVG, BitDefender and Kaspersky; however, I still have an infection. Spybot reports an infection Win32.Agent.pz but it's not able to remove it: even though it says the removal was successful, it keeps appearing on each and every scan, including after reboot.

This link:

http://www.threatexpert.com/report.aspx?md5=577dd5767303e715fd27cb1cc0dfbcd9

shows a report and I believe this is the exact infection that I have. twex.exe has been identified by Kaspersky not as a virus but placed in the "Low Restricted" group of items. My Kaspersky firewall is collecting data attempting to be sent to 195.2.252.140. I have the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] infected with the twex.exe name; I have manually removed the twex.exe part but have not re-checked for its presence. I also have %system%\twain32 and localservice\twain32 present. AVG also reported %system%\twain32 in the rootkit scan; however, it doesn't seem to have removed it.

I have used the Sysinternals Filemon application and determined that svchost is locking the %system%\twain32 files (local.ds etc.), and therefore I believe that svchost is infected; svchost is also mentioned in the report linked above.

I have ComboFix installed on the computer, not Trend Micro HijackThis. The HJT logs seem to help identify the infection, but I think I've done that. My guess is that with the right script and the information in the report I can clean up the system with ComboFix. Please advise.

What should be the next step? At present I am connecting to the internet with another computer in the home, since when I connect the infected computer it downloads other malware from the net (presumably from 195.2.252.140).

Thanks in advance.
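The poster describes a Winlogon registry value that had an extra executable name appended and was only partly cleaned by hand. The script below is an added example, not code from the thread or from Spybot, that audits the same Winlogon key read-only and reports any entry that is not part of the stock Windows defaults. The expected defaults for Userinit and Shell are an assumption about a standard install; adjust them if the build in question legitimately differs. It changes nothing, so it can be run on an infected machine to confirm whether a manual edit actually took or whether the value has been re-added after a reboot.

```powershell
# Added example (not from the original post or from Spybot): audit the Winlogon
# key for non-default entries. Read-only: it reports and changes nothing.

$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumed stock defaults on a standard Windows install. Userinit ends with a
# trailing comma by design; unwanted software commonly appends another
# executable after it, which is the pattern the poster found in this key.
$expected = @{
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
    'Shell'    = 'explorer.exe'
}

function Split-Entries([string]$value) {
    # Turn "a.exe,b.exe," into a clean list of non-empty, trimmed entries.
    return ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
}

$props = Get-ItemProperty -Path $key

foreach ($name in $expected.Keys) {
    $actual = $props.$name
    if ($null -eq $actual) {
        Write-Output "[?]  $name is missing from $key"
        continue
    }

    $entries         = Split-Entries $actual
    $expectedEntries = Split-Entries $expected[$name]

    # String comparison in PowerShell is case-insensitive, so C:\WINDOWS and
    # C:\Windows compare equal here.
    $extra = $entries | Where-Object { $expectedEntries -notcontains $_ }

    if ($extra) {
        Write-Output "[!]  $name has unexpected entries: $($extra -join '; ')"
        Write-Output "     full value: $actual"
        foreach ($e in $extra) {
            # Report whether the referenced file still exists on disk so a
            # dangling reference can be told apart from a live one.
            $exists = Test-Path -LiteralPath $e
            Write-Output "     $e exists on disk: $exists"
        }
    } else {
        Write-Output "[ok] $name = $actual"
    }
}

# Finally list every value under the key so any other addition is visible
# alongside the two values checked above.
Write-Output ''
Write-Output "All values under $key :"
$props |
    Select-Object -Property * -ExcludeProperty PSPath, PSParentPath, PSChildName, PSDrive, PSProvider |
    Format-List
```

Run it from an elevated PowerShell prompt once before and once after a reboot; if an entry you removed by hand reappears, something still running on the system is re-writing the key, which matches the behaviour the poster reports for the twain32 files held open by svchost.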

Shaba
2008-12-31, 17:02
Hello cousincuzzer

Please see this (http://forums.spybot.info/showthread.php?t=288) next

Please follow the instructions in the above thread and then start a fresh topic with the logs required.

Regards.