
Cc.agent.cz Infected Me From Aim, Need Help



#1 yurei

  • Members
  • 2 posts

Posted 01 March 2008 - 11:55 PM

After not having my computer available to me for 2 months due to a move, I finally got it online today and started updating things - security programs first, etc. Well, AIM popped up saying there was a new version and asked if I wanted to update, so I said yes and went through the motions, unselecting all the toolbars and junk. A little while later I go to reboot for an update to another program and I get a weird message from my newly updated Spybot SD upon reboot saying some registry thing had been deleted or changed and did I want to accept or deny the change. I denied it and went on my merry way. A little while later my screen starts to shake on my CRT monitor. I run a virus scan and lo and behold, ten seconds in it catches something called cc.agent.cz.

I googled this thing; not much help on it out there. From what I gathered it comes from the new AIM update, 5.6.9.1 I believe. Anyhow, I'm running XP SP 2, using Firefox.


I have uninstalled AIM and rebooted. Still doing funny registry things.
I attempted a system restore. It failed and came back incomplete.
I've rerun my virus scan (the program is AntiVir) after I quarantined and deleted the items the first time around; I'm still waiting for the final 35 of this second scan.

I have a HijackThis log; I am going to go find the correct forum to post it in, and in the meantime I'll post some of my Spybot and AntiVir logs. Can someone please tell me how to fix this? I'm afraid this might end up with me having to format this thing.

From AntiVir:

AntiVir PersonalEdition Classic
Report file date: Saturday, March 01, 2008 21:39

Scanning for 1129035 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: ONIWOLF

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 9/7/2007 13:58:06
AVSCAN.DLL : 7.0.6.0 49192 Bytes 9/7/2007 13:58:06
LUKE.DLL : 7.0.5.3 147496 Bytes 9/7/2007 13:58:08
LUKERES.DLL : 7.0.6.1 10280 Bytes 9/7/2007 13:58:08
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 13:58:43
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 14:13:52
ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 2/24/2008 21:27:09
ANTIVIR3.VDF : 7.0.2.215 117248 Bytes 2/29/2008 21:27:09
AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 3/1/2008 21:27:10
AVWINLL.DLL : 1.0.0.7 14376 Bytes 4/21/2007 04:49:52
AVPREF.DLL : 7.0.2.2 25640 Bytes 9/7/2007 13:58:06
AVREP.DLL : 7.0.0.1 155688 Bytes 4/21/2007 04:49:54
AVPACK32.DLL : 7.6.0.3 360488 Bytes 3/1/2008 21:27:10
AVREG.DLL : 7.0.1.6 30760 Bytes 9/7/2007 13:58:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 9/7/2007 13:58:04
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 9/7/2007 13:58:06
NETNT.DLL : 7.0.0.0 7720 Bytes 4/21/2007 04:49:53
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 9/7/2007 13:57:58
RCTEXT.DLL : 7.0.62.0 86056 Bytes 9/7/2007 13:57:58
SQLITE3.DLL : 3.3.17.1 339968 Bytes 9/7/2007 13:58:09

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: off

Start of the scan: Saturday, March 01, 2008 21:39

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'bittorrent.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'aim6.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sgbhp.exe' - '1' Module(s) have been scanned
Scan process 'sgmain.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'pg2.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'tfswctrl.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
34 processes with 34 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '27' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\inst.exe
[DETECTION] Contains detection pattern of a probably damaged sample CC/Agent.CZ
[INFO] The file was moved to '483d140c.qua'!
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1400\A0114515.exe
[DETECTION] Contains detection pattern of a probably damaged sample CC/Agent.CZ
[INFO] The file was moved to '47fb1d04.qua'!


End of the scan: Saturday, March 01, 2008 22:37
Used time: 57:55 min

The scan has been done completely.

5771 Scanning directories
217439 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
2 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
217437 Files not concerned
3473 Archives were scanned
2 Warnings
0 Notes


From Spybot: (I accidentally clicked allow on one thing.)

3/1/2008 5:14:10 PM Denied (based on user decision) value "InnoSetupRegFile.0000000001" (new data: "") deleted in System Startup global entry!
3/1/2008 10:51:05 PM Denied (based on user decision) value "Aim6" (new data: "") deleted in System Startup user entry!
3/1/2008 10:51:10 PM Denied (based on user decision) value "InnoSetupRegFile.0000000001" (new data: "") deleted in System Startup global entry!
3/1/2008 10:56:36 PM Allowed (based on user decision) value "*Restore" (new data: "C:\WINDOWS\system32\restore\rstrui.exe -i") added in System Startup global entry!
3/1/2008 10:59:39 PM Denied (based on user decision) value "InnoSetupRegFile.0000000001" (new data: "") deleted in System Startup global entry!


#2 Orange Blossom

  • Moderator
  • 36,711 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 02 March 2008 - 12:08 AM

Hello yurei and welcome to BC :flowers:

I see you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/134070/ccagentcz-see-post-in-otherforum-please/ Because you have this log posted, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 TMacK

  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada

Posted 02 March 2008 - 01:18 AM

I'm closing this topic until you are cleared by the HJT Team.
If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic.

If you have any questions, don't hesitate to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner



