
Trojan Horse Agent_r.g Found By Avg


22 replies to this topic

#1 Pavones
  • Members
  • 50 posts
  • Location:the jungle

Posted 21 September 2008 - 07:35 AM

Hi there,

This forum is a great resource. A buddy of mine opened an attachment he shouldn't have on his XP SP2 Acer Aspire 1360 laptop from VISA MASTER or something. From what I've read about these trojans, though, it seems like it may be "easier" to format and reinstall windows than to really get rid of this bugger. I can't find much info googling around for agent_r.G, nor on AVG's website's virus encyclopedia.

What I've done so far:
Booted into safe mode, got the icons back, no CD drive. (The drive physically works because I can boot into Ubuntu and copy files to the HD)
Ran AVG in command-line safe mode. It found the virus and healed it (supposedly). Reboot.

Boot into normal Windows startup, only a cursor shows up. No taskbar, icons, and no right clickie. I could bring up Task Manager and ran cleanmgr, then tried to run explorer.exe, but it said it couldn't find it. Taking that as a bad sign, I ran AVG again. This time, it found and healed more instances of the same virus. Reboot.
Still no desktop.
I should note at this point that the screensaver is Sysinternals' BSOD, and I almost pooped the first time I saw it. Anyway, the screensaver kept running, so I tried to change the desktop properties to turn off the screensaver, but there was NO SCREENSAVER TAB. Not good.

I then installed, updated and ran Adaware 2008, which hung in the middle of processing (current path: blank; current object: scanning inside archive), or perhaps I lost patience. I aborted the scan and went for McAfee Stinger. Found nothing but clean files.

On to Malwarebytes MBAM, found 15 virii, including Trojan.FakeAlert.H, Trojan.Agent, Trojan.Downloader, Rogue.Multiple, Security.Hijack, Hijack.Wallpaper, Hijack.DisplayProperties. No wonder the desktop was screwed up. It successfully quarantined and deleted all 15 virii. It wanted to restart, so I let it. Reboot.

Desktop icons are back, but they take a long time to show up. Display Properties screensaver tab is back, right click on desktop works too. But no CD-ROM drive. A look at Device Manager revealed that the driver was not loaded for it or the modem, or something called "Microsoft Kernel Acoustic Echo Canceller". It seems that the malware infected these driver files (ccdecode.sys and aec.sys were the two drivers infected) and now I have to replace them manually.

For giggles, I ran Adaware again. Nothing bad.

AVG program update. Scan with AVG. Yea! Clean!

Uninstalled devices in Device Manager that had the Code 39 message with the yellow exclamation. Reboot.

No luck. Still needed the drivers, so I downloaded the modem drivers from the Acer website. Modem back in action. Reboot.

CD-ROM drive still not loading the drivers. Googled around for "code 39 cdrom virus" and came across a suggestion buried in a forum for "sfc /scannow". No dice.

When I try to install an extracted (from an XP SP2 slipstreamed CD) cdrom.sys, I get "Cannot start this hardware. There was a problem installing this hardware: CD-ROM Drive. Windows cannot load the device driver for this hardware. The driver may be corrupted or missing." (I've tried various iterations: IMAPI disabled, CDDA accurate, plain old CD-ROM.) I'm considering installing SP3...

AVG is in the middle of an 8 hour scheduled scan, which seems slow to me.

Thanks in Advance.
dean
ACER Aspire 5630 2gig ram, 160gig HD, XP sp3, Firefox, AVGfree
(2) Toshiba Satellite 2455-s305 laptops, 768MB ram and 512MB, 60Gig HDs, WinXP SP2, Firefox/Thunderbird, AVGFree, Adaware2007, Spybot SD


#2 DaChew (Visiting Alien)
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 07:42 AM

from an XP SP2 slipstreamed cd

Is this Home OEM? If so, why not run Windows as a repair disk and use his numbers?

I wouldn't waste any more time with AVG or Adaware.

You will need to use some better programs like MBAM and use repeated scans.

SP3 will finish the computer off; never load a service pack on such a messed up machine.
Chewy

No. Try not. Do... or do not. There is no try.

#3 Pavones (Topic Starter)
  • Members
  • 50 posts
  • Location:the jungle

Posted 21 September 2008 - 07:57 AM

from an XP SP2 slipstreamed cd

Is this Home OEM? If so, why not run Windows as a repair disk and use his numbers?

I wouldn't waste any more time with AVG or Adaware.

You will need to use some better programs like MBAM and use repeated scans.

SP3 will finish the computer off; never load a service pack on such a messed up machine.


I think it was XP OEM, then he added SP2 later.

Repair install? Before or after the repeated MBAM scans?

Thanks for the tip on not using SP3 to try to fix the CD-ROM driver issue... I was headed there (or at least extracting the CD drivers from it).

dean

#4 DaChew (Visiting Alien)
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 08:23 AM

I use a slipstreamed SP3 XP CD myself for repairs.

http://www.michaelstevenstech.com/XPrepairinstall.htm

This will not remove an infection, but it gives control of the computer to the CD-ROM and XP disk, which enables an unimpaired repair of the XP shell and registry.

After running the repair, and before the malware can hose Windows again, is your chance to kill it off; I stay off the internet.

I use an immunized USB drive and then alternate MBAM with ATF and SAS, followed by SDFix and others.

http://www.bleepingcomputer.com/forums/ind...st&p=940180

I consider this a last resort before throwing in the towel and doing a clean install.

#5 Pavones (Topic Starter)
  • Members
  • 50 posts
  • Location:the jungle

Posted 21 September 2008 - 09:13 AM

I use a slipstreamed SP3 XP CD myself for repairs.

http://www.michaelstevenstech.com/XPrepairinstall.htm

This will not remove an infection, but it gives control of the computer to the CD-ROM and XP disk, which enables an unimpaired repair of the XP shell and registry.

After running the repair, and before the malware can hose Windows again, is your chance to kill it off; I stay off the internet.

I use an immunized USB drive and then alternate MBAM with ATF and SAS, followed by SDFix and others.

http://www.bleepingcomputer.com/forums/ind...st&p=940180

I consider this a last resort before throwing in the towel and doing a clean install.


Nice. I have a slipstreamed SP3 CD too; I'll use that. Thanks for the link, I've read through it and will perform the steps for the pre-repair install as soon as the current MBAM scan finishes.

I've actually kept this machine off the internet entirely and have my laptop next to it doing the downloading, research, etc., then copying to an SD card with a write-protect switch, and putting MBAM, updates, SAS, ATF, etc. on the infected PC.

I was using a combo of the MBAM, ATF, SAS and the prep for HijackThis log posts, but I'll stick to the one you've pasted.

Thanks again for your help.
dean

#6 Pavones (Topic Starter)
  • Members
  • 50 posts
  • Location:the jungle

Posted 21 September 2008 - 10:35 AM

Hmm, it looks like I can't repair, as I don't have that option. Windows boots normally, so I'm guessing the boot.ini is fine. I think it may not find the partition because there is a recovery partition "in front" of the Windows partition on this laptop. Does that make sense? Is there a workaround without formatting and reinstalling? Maybe a partition editor?

dean

#7 DaChew (Visiting Alien)
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 10:52 AM

Have the disk in the drive, access the BIOS and make sure the CD drive is selected as the first boot device.

#8 Pavones (Topic Starter)
  • Members
  • 50 posts
  • Location:the jungle

Posted 21 September 2008 - 11:33 AM

The CD boots, I press Enter to start setup, it says it's detecting previous Windows installs, but does not find one and only gives the option for a clean install, not a repair. I tried the "warning 2" checklist to fix boot.ini on the page you gave me, but no dice.

#9 DaChew (Visiting Alien)
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 11:47 AM

I have had that happen with Vista but not XP, let me ask someone else. What is the make and model of the computer in question?

#10 Pavones (Topic Starter)
  • Members
  • 50 posts
  • Location:the jungle

Posted 21 September 2008 - 11:55 AM

Acer Aspire 1362LCI... duh, I just noticed that the sticker on the bottom says XP Pro and I was using an XP Home slipstream disk. I don't even have an XP Pro disk, just the recovery disks and system disk from Acer. Damn.

#11 DaChew (Visiting Alien)
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 12:18 PM

http://www.bleepingcomputer.com/forums/ind...st&p=948894

Let's do another scan with MBAM and then run ATF Cleaner and SAS from safe mode.

#12 Pavones (Topic Starter)
  • Members
  • 50 posts
  • Location:the jungle

Posted 21 September 2008 - 12:24 PM

Precisely what I'm doing. MBAM was clean, ATF in safe mode got rid of some stuff, and SAS is running now and has found Rootkit.Protect/win32 9 times, 8 registry instances and one file so far... I'll post the log when it's done. I'll be out for a while, so it'll be tonight.

Thanks for your help.

#13 Pavones (Topic Starter)
  • Members
  • 50 posts
  • Location:the jungle

Posted 21 September 2008 - 08:14 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/21/2008 at 12:00 PM

Application Version : 4.21.1004

Core Rules Database Version : 3555
Trace Rules Database Version: 1543

Scan type : Complete Scan
Total Scan Time : 01:26:11

Memory items scanned : 157
Memory threats detected : 0
Registry items scanned : 4974
Registry threats detected : 8
File items scanned : 59892
File threats detected : 2

Rootkit.Protect/WinNT32
HKLM\System\ControlSet001\Services\ati8hlxx
C:\WINDOWS\SYSTEM32\DRIVERS\ATI8HLXX.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_ati8hlxx
HKLM\System\ControlSet002\Services\ati8hlxx
HKLM\System\ControlSet002\Enum\Root\LEGACY_ati8hlxx
HKLM\System\ControlSet003\Services\ati8hlxx
HKLM\System\ControlSet003\Enum\Root\LEGACY_ati8hlxx
HKLM\System\CurrentControlSet\Services\ati8hlxx
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ati8hlxx

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{25DED19D-DAD5-4A21-BD2B-CE31ADCB4BC6}\RP3\A0000404.SCR
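The SAS log above, as an added example that is not part of the original thread: a small Python parser for this log layout that recounts the listed registry and file items against the scanner's own summary, and maps the flagged driver service to every control set it was registered in (the same name repeating under ControlSet001..003 and CurrentControlSet). The embedded log text is a constructed sample that copies the layout and values of the posted log.

```python
import re

# Constructed sample in the SUPERAntiSpyware log layout from the thread (shortened).
SAS_LOG = r"""SUPERAntiSpyware Scan Log
Generated 09/21/2008 at 12:00 PM

Memory threats detected : 0
Registry threats detected : 8
File threats detected : 2

Rootkit.Protect/WinNT32
HKLM\System\ControlSet001\Services\ati8hlxx
C:\WINDOWS\SYSTEM32\DRIVERS\ATI8HLXX.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_ati8hlxx
HKLM\System\ControlSet002\Services\ati8hlxx
HKLM\System\ControlSet002\Enum\Root\LEGACY_ati8hlxx
HKLM\System\ControlSet003\Services\ati8hlxx
HKLM\System\ControlSet003\Enum\Root\LEGACY_ati8hlxx
HKLM\System\CurrentControlSet\Services\ati8hlxx
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ati8hlxx

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\SYSTEM VOLUME INFORMATION\_RESTORE{25DED19D-DAD5-4A21-BD2B-CE31ADCB4BC6}\RP3\A0000404.SCR
"""

SUMMARY_RE = re.compile(r"^(\w+) threats detected\s*:\s*(\d+)$")
SERVICE_RE = re.compile(r"^HKLM\\System\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$", re.I)

def parse_sas_log(text):
    """Return (summary, detections): summary maps 'Memory'/'Registry'/'File' to the
    count the scanner reported; detections maps each threat name to its listed items."""
    lines = [l.rstrip() for l in text.splitlines()]
    summary, last = {}, -1
    for i, line in enumerate(lines):
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            last = i                      # detection blocks follow the last summary line
    detections = {}
    for block in "\n".join(lines[last + 1:]).strip().split("\n\n"):
        if block.strip():
            name, *items = block.strip().splitlines()
            detections[name] = items
    return summary, detections

def check_counts(summary, detections):
    """Recount listed items by type and pair each with the scanner's total."""
    items = [i for its in detections.values() for i in its]
    reg = sum(i.upper().startswith("HK") for i in items)
    found = {"Registry": reg, "File": len(items) - reg}
    return {k: (found[k], summary.get(k)) for k in found}

def driver_services(detections):
    """Map each flagged service name to the control sets it is registered in; one
    present in every set is not undone by a 'Last Known Good' boot."""
    seen = {}
    for items in detections.values():
        for item in items:
            m = SERVICE_RE.match(item)
            if m:
                seen.setdefault(m.group(2), set()).add(m.group(1))
    return seen
```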

#14 DaChew (Visiting Alien)
  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 21 September 2008 - 08:29 PM

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Would you run SDFix?

Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real-time protection programs before performing a scan,

followed by another MBAM scan (after updating, and from a normal mode boot).

#15 Pavones (Topic Starter)
  • Members
  • 50 posts
  • Location:the jungle

Posted 22 September 2008 - 09:29 AM

SDFix didn't find anything, but MBAM did; log pasted below. AVG Resident Shield also found it while the scan was running, but I let MBAM remove it.

Malwarebytes' Anti-Malware 1.28
Database version: 1191
Windows 5.1.2600 Service Pack 2

9/22/2008 8:19:30 AM
mbam-log-2008-09-22 (08-19-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 99577
Time elapsed: 31 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{25DED19D-DAD5-4A21-BD2B-CE31ADCB4BC6}\RP3\A0000402.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{25DED19D-DAD5-4A21-BD2B-CE31ADCB4BC6}\RP3\A0000408.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.