Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I am infected with Trojan.Agent


  • Please log in to reply
8 replies to this topic

#1 zavalaj17

zavalaj17

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 20 April 2009 - 07:24 AM

Hello,

I keep receiving several red alert error stating something is wrong. I don't know exactly what it is telling me because they are long address paths. My computer is really slow and sometimes it reboots on its own. Yesterday, I receive a blue screen and then it reboot.

I have done the Malwarebytes' Anti-Malware and below is my log. If someone can please help me, I will really appreciated it. Thanks.



Malwarebytes' Anti-Malware 1.34
Database version: 1927
Windows 5.1.2600 Service Pack 3

4/20/2009 8:06:34 AM
mbam-log-2009-04-20 (08-06-34).txt

Scan type: Quick Scan
Objects scanned: 66871
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\600453902.exe (Trojan.Downloader) -> Delete on reboot.

BC AdBot (Login to Remove)

 


#2 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 20 April 2009 - 11:42 AM

Hi,

Welcome here. :thumbsup:

Please perform a new, full scan, with MBAM and post the log in your next reply. :flowers:

#3 zavalaj17

zavalaj17
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  

Posted 20 April 2009 - 01:37 PM

Hello,


Malwarebytes' Anti-Malware 1.34
Database version: 1927
Windows 5.1.2600 Service Pack 3

4/20/2009 2:36:37 PM
mbam-log-2009-04-20 (14-36-37).txt

Scan type: Quick Scan
Objects scanned: 68252
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a5af42a3-94f3-42bd-f634-0604832c897d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a5af42a3-94f3-42bd-f634-0604832c897d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\yaubfh983ind.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\winlognn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\750991794.exe (Trojan.Downloader) -> Delete on reboot.

#4 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 21 April 2009 - 04:33 AM

Hi,

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
If you need a tutorial, see here

#5 zavalaj17

zavalaj17
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 21 April 2009 - 07:22 AM

Hello Superbird,

I have tried many, many, times going to that site that you have indicated. But I keep receiving an PAGE LOAD ERROR message stating that address can not be found. Anything else, I can do?


Thanks

#6 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  •  
  • Gender:Male

Posted 21 April 2009 - 07:33 AM

You could first try updating Malwarebytes through the program, or if that doesn't work, using this link http://www.gt500.org/malwarebytes/database.jsp

#7 zavalaj17

zavalaj17
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 21 April 2009 - 07:59 AM

k, the updating of Malwarebytes through the program did not work at all. It says "Update Failed". I tried the link below as well and nothing. It gives me a page saying "500 Servlet Exception [show] java.lang.StackOverflowError"

#8 bandit4747

bandit4747

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 21 April 2009 - 07:59 AM

I have the same problem I can't goto any helpful sites. All my apps for windows are getting critical errors. I have run malwarebytes several times and Im still having problems

#9 Guest_superbird_*

Guest_superbird_*

  • Guests
  • OFFLINE
  •  

Posted 21 April 2009 - 09:01 AM

Hi,

This counts only for zavalaj17 and bandit4747:

I'm going to redirect you to the HijackThissection of this forum. This, because it's a deeper infection.
Read this page and follow it's steps: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Good luck. :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users