
Trojan horse.Agent and some others


This topic is locked
4 replies to this topic

#1 Mowery

Mowery

  • Members
  • 2 posts

Posted 15 March 2009 - 08:00 PM

Hope your day is going better than mine!

On an XP (SP3) system, my antivirus (AVG Free 8.5) is showing the following infections:

Trojan Horse.Agent_R.CX
Trojan Horse Injector.BP
Trojan Horse Dropper Generic
Trojan Horse Generic11.AEFN

Originally, it showed the items removed to vault. Still showing symptoms - Very slow startup, error message for Missing DLL (xccdf16_090313a.dll), and now when I try scanning with AVG, it gets through some of the registry and then goes to a blue-screen stop. No driver listed on the blue screen, just an address (0x0000008e:0xc0000005,0x8062dfb1, 0xae219b74, 0x00000000). On a lark, I tried MalwareByte's Anti-Malware. Same thing happened, but the Blue screen listed BAD_POOL_CALLER as the culprit and gave a slightly different address.

DDS Log is as follows:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Rick at 17:49:11.90 on Sun 03/15/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1403 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Microsoft\ActiveSync\Wcescomm.exe
C:\Program Files\DNA\btdna.exe
E:\PROGRA~1\MICROS~3\ACTIVE~1\rapimgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\actcontroller.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "e:\program files\microsoft\activesync\Wcescomm.exe"
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090313a.dll xccd16
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareblaster\spywareblaster.exe
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - e:\progra~1\micros~3\active~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - e:\progra~1\micros~3\active~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166624446986
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rick\applic~1\mozilla\firefox\profiles\6dc2n2yx.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-24 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-12-14 27656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-10-15 353680]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-24 298264]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-15 38496]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-20 1174152]

=============== Created Last 30 ================

2009-03-15 17:26 <DIR> --d----- c:\docume~1\rick\applic~1\Malwarebytes
2009-03-15 17:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-15 17:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-15 17:26 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-15 17:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-15 14:25 33,280 a------- c:\windows\system32\reader_s.exe
2009-03-15 14:25 33,280 a------- c:\documents and settings\rick\reader_s.exe
2009-03-15 14:25 46,080 a------- c:\windows\system32\actcontroller.exe
2009-03-15 14:24 29,696 a------- c:\windows\services.exe
2009-03-15 14:24 65,536 a------- c:\windows\system32\4.tmp
2009-03-15 14:24 29,696 a------- c:\windows\system32\3.tmp
2009-03-15 14:24 124 a------- c:\windows\system32\2.tmp
2009-03-15 02:48 <DIR> --d----- C:\VAULT
2009-03-14 23:55 <DIR> --d----- C:\6fb2bb97f454d8ae7baff29b76524e3e
2009-03-14 12:47 0 a------- c:\windows\system32\387.tmp
2009-03-14 12:46 130,235 a------- c:\windows\system\xccef090313.exe
2009-03-14 12:46 <DIR> --d----- c:\windows\system32\inf
2009-03-14 12:46 188,416 a------- c:\windows\system32\sopidkc.exe
2009-03-14 12:46 130,235 a------- c:\windows\system32\adx.exe
2009-03-14 12:46 32,768 a------- c:\windows\system32\dctool32.sys
2009-03-14 12:46 8 a------- c:\windows\system32\comsa32.sys
2009-03-14 12:46 223,744 a------- c:\windows\system32\w.exe
2009-03-14 12:46 206,336 a------- c:\windows\system32\tpszxyd.sys
2009-03-14 12:46 189,440 a------- c:\windows\system32\afisicx.exe
2009-03-14 12:46 65,536 a------- c:\windows\system32\381.tmp
2009-03-14 12:46 28,672 a------- c:\windows\system32\37F.tmp
2009-03-14 12:45 124 a------- c:\windows\system32\37E.tmp
2009-03-11 19:46 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-10 21:17 50,200 a------- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-03-10 21:17 79,896 a------- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-03-10 21:16 <DIR> --d----- c:\windows\system32\RsFx
2009-03-10 20:59 <DIR> --d----- c:\program files\Microsoft SQL Server
2009-03-10 20:56 <DIR> --d----- c:\program files\common files\Merge Modules
2009-03-10 20:54 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-10 20:53 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-10 20:53 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-10 20:53 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-10 20:53 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-10 20:53 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-10 20:53 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-10 20:53 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-10 20:53 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-07 13:38 531 a------- c:\windows\eReg.dat
2009-02-21 17:40 301,056 a------- c:\windows\uninst.exe
2009-02-21 17:40 <DIR> --d----- c:\documents and settings\rick\WINDOWS
2009-02-21 14:00 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-02-21 14:00 17,212 a------t c:\windows\system32\SIntf32.dll
2009-02-21 14:00 12,067 a------t c:\windows\system32\SIntf16.dll
2009-02-21 13:57 246 a------- c:\windows\SIERRA.INI

==================== Find3M ====================

2009-03-15 17:33 90,112 a------- c:\windows\DUMP3af5.tmp
2009-02-24 21:13 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-24 21:13 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-23 20:16 0 a---h--- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-01-23 20:16 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-01-23 20:16 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2007-02-12 20:26 17,992 a------- c:\docume~1\rick\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:49:54.06 ===============



Looking forward to any help you can give - Thanks!
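The DDS log above contains the two findings a responder would act on first: the Winlogon Userinit chain has a second executable appended after userinit.exe, and an Explorer\Run entry launches a rundll32 look-alike from system32\inf to load the very DLL (xccdf16_090313a.dll) that the "Missing DLL" error message names. The Python script below is an added example, not a tool from this thread or from BleepingComputer; it runs a handful of defensive heuristics over lines copied verbatim from the posted log (the allowlists and thresholds are my own assumptions, not a published DDS rule set):

```python
import re
from collections import defaultdict

# Lines copied verbatim from the DDS log posted in this thread (not constructed).
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\actcontroller.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090313a.dll xccd16
2009-03-15 14:25 33,280 a------- c:\windows\system32\reader_s.exe
2009-03-15 14:25 33,280 a------- c:\documents and settings\rick\reader_s.exe
2009-03-15 14:25 46,080 a------- c:\windows\system32\actcontroller.exe
2009-03-15 14:24 29,696 a------- c:\windows\services.exe
2009-03-15 14:24 65,536 a------- c:\windows\system32\4.tmp
2009-03-14 12:46 130,235 a------- c:\windows\system\xccef090313.exe
2009-03-14 12:46 188,416 a------- c:\windows\system32\sopidkc.exe
2009-03-14 12:46 130,235 a------- c:\windows\system32\adx.exe
2009-03-14 12:46 32,768 a------- c:\windows\system32\dctool32.sys
2009-03-10 20:53 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-02-21 14:00 21,840 a------t c:\windows\system32\SIntfNT.dll
"""

# Assumed baseline for XP: Userinit should contain exactly this one entry.
STANDARD_USERINIT = r"c:\windows\system32\userinit.exe"
# Core processes that live only in system32 on XP; a copy elsewhere is masquerading.
CORE_IN_SYSTEM32 = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
PE_EXT = (".exe", ".dll", ".sys", ".tmp")

RUN_RE = re.compile(r"^[umd](?P<key>Run|ExplorerRun): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CREATED_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>[\d,]+|<DIR>) (?P<attr>\S{8}) (?P<path>.+)$")


def check_userinit(line):
    """Flag every program in the Winlogon Userinit chain other than userinit.exe."""
    if not line.lower().startswith("mwinlogon: userinit="):
        return []
    chain = line.split("=", 1)[1]
    entries = filter(None, (e.strip().lower() for e in chain.split(",")))
    return [("high", line, f"Winlogon Userinit chain loads extra program: {e}")
            for e in entries if e != STANDARD_USERINIT]


def check_run_entry(line):
    """Heuristics for Run / Explorer\\Run autostart entries."""
    m = RUN_RE.match(line)
    if not m:
        return []
    findings = []
    # Tokenise the command line, honouring quoted paths with spaces.
    tokens = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', m.group("cmd"))]
    paths = [t.lower() for t in tokens if t.lower().endswith((".exe", ".dll"))]
    if m.group("key") == "ExplorerRun":
        findings.append(("medium", line, "Explorer\\Run autostart key is rarely used by legitimate software"))
    for p in paths:
        base = p.rsplit("\\", 1)[-1]
        if base.startswith("rundll") and base != "rundll32.exe":
            findings.append(("high", line, f"rundll32 look-alike executable: {p}"))
        if "\\system32\\inf\\" in p:
            findings.append(("high", line, f"executable launched from system32\\inf (holds only .inf data normally): {p}"))
    return findings


def check_created(lines):
    """Heuristics over the 'Created Last 30' section."""
    findings = []
    burst = defaultdict(list)
    for line in lines:
        m = CREATED_RE.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        path, attr = m.group("path").lower(), m.group("attr")
        folder, base = path.rsplit("\\", 1)
        if base in CORE_IN_SYSTEM32 and folder != r"c:\windows\system32":
            findings.append(("high", line, f"core system process name outside system32: {path}"))
        # 'c' in the attribute column marks dllcache copies written by Windows servicing; skip those.
        if base.endswith(PE_EXT) and "c" not in attr and folder.startswith("c:\\windows"):
            burst[m.group("stamp")].append(line)
    for stamp, group in burst.items():
        if len(group) >= 3:  # assumed threshold for a "drop burst"
            findings.append(("medium", group[0],
                             f"{len(group)} binaries written under c:\\windows within one minute ({stamp})"))
    return findings


def triage(log_text):
    """Return (severity, log line, reason) tuples for everything the heuristics flag."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    findings = []
    for line in lines:
        findings += check_userinit(line)
        findings += check_run_entry(line)
    findings += check_created(lines)
    return findings


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print(f"[{sev}] {why}\n        {line}")
```

On the sample above the script reports the extra Userinit entry (actcontroller.exe), three problems with the xccinit Explorer\Run line, a services.exe sitting in c:\windows instead of system32, and the burst of four binaries written under c:\windows at 12:46 on 2009-03-14. The heuristics are deliberately narrow; they are meant to prioritise what a human reviews, not to replace that review.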

#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 16 March 2009 - 11:03 AM

Hello Mowery. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you.


I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.


In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please perform the following:



Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)





When completed, please post both logs from RSIT as well as the one from Kaspersky.





Thanks,



thewall

#3 Mowery

Mowery
  • Topic Starter

  • Members
  • 2 posts

Posted 19 March 2009 - 12:01 PM

Well, that did not go well for me.

7 hours later, my machine finished the Kaspersky scan. Found about 2,000 infected files (9 threats). It also lost the ability to connect to any web page, or open the task manager.

At this point, I think I will go ahead and wipe the drive and reinstall.


Thank you very much for the time and help! Even if I'm borked, I still appreciate you taking the time to try and help.
Have a good weekend!

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 19 March 2009 - 03:29 PM

You're welcome and I totally understand. Looks like you have a really severe infection and the path you are taking sounds like the best one.

Sorry we could not do more and best of luck to you.

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 20 March 2009 - 02:43 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.