Posted 21 September 2008 - 07:35 AM
This forum is a great resource. A buddy of mine opened an attachment he shouldn't have on his XP SP2 Acer Aspire 1360 laptop, from "VISA MASTER" or something. From what I've read about these trojans, though, it seems like it may be "easier" to format and reinstall Windows than to really get rid of this bugger. I can't find much info googling around for agent_r.G, nor on AVG's website's virus encyclopedia.
What I've done so far:
Booted into safe mode, got the icons back, no CD drive. (The drive physically works, because I can boot into Ubuntu and copy files to the HD.)
Ran AVG in command-line safe mode. It found the virus and healed it (supposedly). Reboot.
Booted into normal Windows startup; only a cursor shows up. No taskbar, no icons, and no right-click. I could bring up Task Manager and run cleanmgr, then tried to run explorer.exe, but it said it couldn't find it. Taking that as a bad sign, I ran AVG again. This time it found and healed more instances of the same virus. Reboot.
Still no desktop.
I should note at this point that the screensaver is Sysinternals' BSOD, and I almost pooped the first time I saw it. Anyway, the screensaver kept running, so I tried to change the desktop properties to turn off the screensaver, but there was NO SCREENSAVER TAB. Not good.
I then installed, updated and ran Ad-Aware 2008, which hung in the middle of processing "current path: (blank), current object: (scanning inside archive)", or perhaps I lost patience. I aborted the scan and went for McAfee Stinger. Found nothing but clean files.
On to Malwarebytes MBAM, which found 15 viruses, including Trojan.FakeAlert.H, Trojan.Agent, Trojan.Downloader, Rogue.Multiple, Security.Hijack, Hijack.Wallpaper and Hijack.DisplayProperties. No wonder the desktop was screwed up. It successfully quarantined and deleted all 15. It wanted to restart, so I let it. Reboot.
Desktop icons are back, but they take a long time to show up. The Display Properties screensaver tab is back, and right-click on the desktop works too. But no CD-ROM drive. A look at Device Manager revealed that the driver was not loaded for it, or for the modem, or for something called "Microsoft Kernel Acoustic Echo Canceller". It seems that the malware infected these driver files (ccdecode.sys and aec.sys were the two drivers infected), and now I have to replace them manually.
For giggles, I ran Ad-Aware again. Nothing bad.
AVG program update. Scan with AVG. Yea! Clean!
Uninstalled the devices in Device Manager that had the Code 39 message with the yellow exclamation mark. Reboot.
No luck. Still needed the drivers, so I downloaded the modem drivers from the Acer website. Modem back in action. Reboot.
CD-ROM drive still not loading its driver. Googled around for "code 39 cdrom virus" and came across a suggestion buried in a forum for "scf /scannow". No dice.
When I try to install a cdrom.sys extracted from an XP SP2 slipstreamed CD, I get the message "Cannot start this hardware. There was a problem installing this hardware: CDROM Drive. Windows cannot load the device driver for this hardware. The driver may be corrupted or missing." (I've tried various iterations: IMAPI disabled, CDDA accurate, plain old CDROM.) I'm considering installing SP3...
AVG is in the middle of an 8 hour scheduled scan, which seems slow to me.
Thanks in Advance.
Acer Aspire 5630, 2 GB RAM, 160 GB HD, XP SP3, Firefox, AVG Free
(2) Toshiba Satellite 2455-S305 laptops, 768 MB and 512 MB RAM, 60 GB HDs, WinXP SP2, Firefox/Thunderbird, AVG Free, Ad-Aware 2007, Spybot S&D
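An added example, not part of the post above and not the poster's code: the cleanup turned into replacing driver files one at a time (ccdecode.sys, aec.sys, then cdrom.sys) as each Code 39 device showed up. A quicker check is to hash every file in the installed drivers directory and compare it against known-good copies, which can be done from the Ubuntu session the poster already boots into, with the XP drive mounted. Assumptions: the installed directory is the mounted `WINDOWS\system32\drivers` and the reference directory holds copies already expanded from the XP CD's i386 cabinet (so the names match); both paths below are hypothetical. Files that differ from the reference are candidates for replacement, and files present on the disk with no reference copy deserve a second look, since a dropped kernel driver would show up there alongside legitimate OEM drivers.

```python
"""Compare installed Windows driver files against known-good reference copies.

Example code added to the thread, not from the original post. Run from a
Linux live session with the XP volume mounted, e.g. (hypothetical paths):

    python3 drivercheck.py /mnt/xp/WINDOWS/system32/drivers /mnt/ref/drivers
"""
import hashlib
import sys
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large drivers don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(installed: Path, reference: Path) -> dict:
    """Return {'modified', 'missing', 'unknown'} -> sorted lower-case file names.

    modified: present in both but with different content (candidate for replacement)
    missing : in the reference set but absent from the installed directory
    unknown : installed but with no reference copy (OEM drivers, or something dropped)
    Names are compared case-insensitively because NTFS is case-insensitive.
    """
    ref = {p.name.lower(): p for p in reference.iterdir() if p.is_file()}
    inst = {p.name.lower(): p for p in installed.iterdir() if p.is_file()}
    modified = [n for n in ref if n in inst and sha256_of(inst[n]) != sha256_of(ref[n])]
    missing = [n for n in ref if n not in inst]
    unknown = [n for n in inst if n not in ref]
    return {"modified": sorted(modified), "missing": sorted(missing), "unknown": sorted(unknown)}


def demo() -> dict:
    """Build a constructed (made-up) pair of directories and compare them.

    Reference: aec.sys, ccdecode.sys, cdrom.sys (placeholder bytes, not real drivers).
    Installed: aec.sys intact, ccdecode.sys altered, cdrom.sys absent, plus an
    extra file 'xyzdrop.sys' that has no reference copy.
    """
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "ref"
        inst = Path(tmp) / "installed"
        ref.mkdir()
        inst.mkdir()
        for name, data in {"aec.sys": b"AEC", "ccdecode.sys": b"CCDECODE", "cdrom.sys": b"CDROM"}.items():
            (ref / name).write_bytes(data)
        (inst / "AEC.SYS").write_bytes(b"AEC")             # same content, different case: clean
        (inst / "ccdecode.sys").write_bytes(b"CCDECODE!!")  # tampered copy: reported as modified
        (inst / "xyzdrop.sys").write_bytes(b"???")          # no reference copy: reported as unknown
        return compare_drivers(inst, ref)


def report(result: dict) -> str:
    lines = []
    for kind in ("modified", "missing", "unknown"):
        lines.append(f"{kind}: {', '.join(result[kind]) or '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(report(compare_drivers(Path(sys.argv[1]), Path(sys.argv[2]))))
    else:
        print(report(demo()))
```

A file listed as modified is what the poster was hunting for by hand; replacing it with the reference copy (on a mounted NTFS volume, or with `expand` from the i386 cabinet under Windows) is the same fix applied in bulk, and rerunning the comparison afterwards confirms nothing was missed. The unknown list is noisy on OEM laptops, so check those entries against the vendor's driver package before deleting anything.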