I've spent the day trying to clean-up my computer after a virus/trojan infection and now have an issue I can't nail down. If any one has an idea what is going on and how to fix it, your help would be greatly appreciated.
My computer has been infected by several items, a worm identified as "win32.agent.icb" by spybot and "a.exe" and "nvaux32.dll" which AVG identifies a Klone. I believe they are all part of the same package.
After working on these items today, I am getting a lot of changed modules/programs alerts by Zone Alarm Pro (ver 8.0.059.000). Of particular concern is the behavior of Explorer.exe and svchost.exe Watching the Alert's log, Programs, Explorer.exe is trying to access the internet every minute or two without being prompted - so far there are over 400 "program access" alerts, all rated High threat. Here is exactly what is being logged:
Rating, High. time, (multiple). Type: Program access. Program: explorer.exe. SourceIP, (blank). Destination IP: 127.0.01:4054. Direction: Outgoing (connect). Action Taken: Blocked. Destination DNS: 99% show "loopback" but several have tried to go to SA.Windows.com and a1363.q.akamai.net.
Same info with the svchost.exe.
I'm running a Toshiba laptop, Windows XP Home, updated with SP3, AVG antivirus, and ZA Pro.
Operating System:Windows XP Home Edition
Product Name:ZoneAlarm Pro