trojan.agent/Gen-AlcFakeAlert


7 replies to this topic

#1 Biffmo

Posted 29 April 2009 - 07:02 PM

Hi, trojan.agent/Gen-AlcFakeAlert has shown up on my computer and I am unable to delete it with either Superantispyware or Malwarebytes. Can someone please help me get rid of these trojans?

I am running:

Windows XP SP1 (unable to update to sp2)
Zone Alarm Firewall (outdated due to above)
Spywareblaster
Superantispyware
Malwarebytes
ATF cleaner

I know I have not been very thorough so far, but wish to be.

I have run ATF cleaner and SAS in Safe Mode with no further results.

Malwarebytes showed additional infections, but I have not yet run in safe mode.


Logs:

SAS:

Scan type : Complete Scan
Total Scan Time : 00:41:08

Memory items scanned : 234
Memory threats detected : 0
Registry items scanned : 6317
Registry threats detected : 5
File items scanned : 25556
File threats detected : 1

Trojan.Agent/Gen-AlcFakeAlert
HKLM\Software\Classes\CLSID\{4D7AEA87-B325-448D-A415-86C02F99405F}
HKCR\CLSID\{4D7AEA87-B325-448D-A415-86C02F99405F}
HKCR\CLSID\{4D7AEA87-B325-448D-A415-86C02F99405F}\InprocServer32
HKCR\CLSID\{4D7AEA87-B325-448D-A415-86C02F99405F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AUTHZ(6.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D7AEA87-B325-448D-A415-86C02F99405F}


MBAM:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 1

04/29/2009 4:22:14 PM
mbam-log-2009-04-29 (16-22-14).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 232133
Time elapsed: 1 hour(s), 55 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 6
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\authz(6.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ehixawajur (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\services\del (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: stinro.dll -> Delete on reboot.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\STINRO.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\authz(6.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\ejagosuli.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0025353.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0028E2C.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c002E091.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c003138.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c003A290.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0069CE4.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0077860.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0082122.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c0086D1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00A70BF.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00A7210.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00B4DFC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\__c00C15D8.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Edited by Biffmo, 30 April 2009 - 10:51 AM.

Windows xp sp3

#2 buddy215 (Moderator)

Posted 30 April 2009 - 07:23 PM

Your SAS and MBAM programs need updating. Just open each one and click on update.
You should be able to remove all of the Vundo related malware by using these two programs.
Malware is constantly changing file names and locations to hide from the security programs.
So it is Very important to make sure you have the latest updates.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Biffmo (Topic Starter)

Posted 01 May 2009 - 03:33 AM

Thanks for your reply:

MBAM will not allow me to update, I get an error message suggesting I am not connected or have firewall issues.

SAS updates no prob.

I will post the latest logs.

#4 Biffmo (Topic Starter)

Posted 01 May 2009 - 06:19 AM

Latest SAS log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/01/2009 at 03:14 AM

Application Version : 4.26.1002

Core Rules Database Version : 3873
Trace Rules Database Version: 1821

Scan type : Complete Scan
Total Scan Time : 01:40:28

Memory items scanned : 357
Memory threats detected : 0
Registry items scanned : 6338
Registry threats detected : 5
File items scanned : 101242
File threats detected : 2

Trojan.Agent/Gen-AlcFakeAlert
HKLM\Software\Classes\CLSID\{4D7AEA87-B325-448D-A415-86C02F99405F}
HKCR\CLSID\{4D7AEA87-B325-448D-A415-86C02F99405F}
HKCR\CLSID\{4D7AEA87-B325-448D-A415-86C02F99405F}\InprocServer32
HKCR\CLSID\{4D7AEA87-B325-448D-A415-86C02F99405F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AUTHZ(6.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D7AEA87-B325-448D-A415-86C02F99405F}

Adware.Tracking Cookie
C:\Documents and Settings\Geoffrey Moler\Cookies\geoffrey moler@msnportal.112.2o7[1].txt


Still unable to update MBAM, but latest log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 1

04/30/2009 9:22:05 AM
mbam-log-2009-04-30 (09-22-05).txt

Scan type: Full Scan (C:\|)
Objects scanned: 220895
Time elapsed: 1 hour(s), 0 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\authz(6.dll (Trojan.Downloader) -> Delete on reboot.
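The two MBAM logs in posts #1 and #4 show the same BHO DLL and CLSID coming back with "Delete on reboot" on consecutive scans, which is the signal that the removal never took. The script below is an added example, not code from this thread or from Malwarebytes: it parses the MBAM 1.x log format exactly as it appears on this page (the "... Infected:" section headers, the "(Family) -> action" suffix, and the "-> Data:" / "-> Bad: ... Good:" detail on registry data items), then diffs two scans to flag items that survived and lists which known autostart locations were hit. The two embedded logs are trimmed copies of the ones posted above; the list of load-point substrings is my own and is an assumption about which paths matter, not something MBAM emits.

```python
"""Parse MBAM 1.x scan logs and diff two scans for items that survived a reboot.

Added example for this thread; not Malwarebytes' code. The log excerpts are
trimmed copies of the two MBAM logs posted in the thread (29 and 30 April 2009).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Section headers exactly as MBAM prints them (summary lines carry a count, so ":$" excludes them).
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$"
)
# "<path> (<family>) -> [<detail> -> ]<action>."  The path may itself contain "(" (authz(6.dll),
# so the family is the first " (...)" group that is followed by " -> ".
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<tail>.+?)\.?$")

# Registry locations in these logs that act as load points (assumption: my list, lowercase substrings).
LOAD_POINTS = (
    "\\currentversion\\run\\",        # Run value: executed at every logon
    "\\browser helper objects\\",     # IE BHO: DLL loaded into every iexplore.exe
    "\\lsa\\notification packages",   # DLL loaded into lsass.exe on password changes
    "\\shell\\open\\command",         # file-type handler hijack (.reg/.scr here)
)


@dataclass(frozen=True)
class Finding:
    section: str
    path: str
    family: str
    action: str  # "Delete on reboot" or "Quarantined and deleted successfully"
    detail: str  # e.g. "Data: stinro.dll" for registry data items, else ""


def parse_mbam_log(text: str) -> list[Finding]:
    """Return every detected item in the per-section part of an MBAM log."""
    findings: list[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        item = ITEM_RE.match(line)
        if not item:
            continue
        detail, _, action = item.group("tail").rpartition(" -> ")
        findings.append(Finding(section, item.group("path"), item.group("family"), action, detail))
    return findings


def pending_reboot(findings: list[Finding]) -> list[Finding]:
    """Items MBAM could not remove while running (file loaded or key in use)."""
    return [f for f in findings if f.action.lower().startswith("delete on reboot")]


def persistent_across_scans(earlier: list[Finding], later: list[Finding]) -> list[Finding]:
    """Items in the later scan whose path was already reported earlier: the reboot
    deletion failed or the malware re-created them."""
    seen = {f.path.lower() for f in earlier}
    return [f for f in later if f.path.lower() in seen]


def load_points(findings: list[Finding]) -> list[Finding]:
    """Findings that sit in a known autostart / injection location."""
    return [f for f in findings if any(p in f.path.lower() for p in LOAD_POINTS)]


LOG_APR29 = r"""
Memory Modules Infected:
C:\WINDOWS\SYSTEM32\authz(6.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ehixawajur (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: stinro.dll -> Delete on reboot.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\STINRO.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\authz(6.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
"""

LOG_APR30 = r"""
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINDOWS\SYSTEM32\authz(6.dll (Trojan.Downloader) -> Delete on reboot.
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(LOG_APR29), parse_mbam_log(LOG_APR30)
    print(f"scan 1: {len(first)} items, {len(pending_reboot(first))} deferred to reboot")
    for f in load_points(first):
        print("  load point:", f.section, f.path, f.detail or f.family)
    print("survived into scan 2:")
    for f in persistent_across_scans(first, second):
        print("  ", f.path, "->", f.action)
```

Everything the second scan reports is already present in the first (the CLSID, the BHO registration, the Browser Settings value and authz(6.dll itself), so the "Delete on reboot" entries are the ones to watch; the file loaded as a memory module is what re-registers the keys. The LSA Notification Packages entry is the nastiest of the first log: a DLL listed there is loaded into lsass.exe, which is why MBAM could only clear it at reboot.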

#5 buddy215 (Moderator)

Posted 01 May 2009 - 07:08 AM

A bit unusual that you can update one and not the other. You may need to reinstall MBAM, but first try this.
If you encounter any problems while downloading the updates, manually download them from http://www.malwarebytes.org/mbam/database/mbam-rules.exe and just double-click on mbam-rules.exe to install.


EDIT: It is also possible to have a friend email the manual update file to you or use another computer and transfer
via a CD or other medium.

Edited by buddy215, 01 May 2009 - 07:11 AM.


#6 Biffmo (Topic Starter)

Posted 01 May 2009 - 12:59 PM

I clicked on the link you provided and installed. Ran an MBAM quick scan, rebooted, ran another quick scan. Installed Dr.Web CureIt, which found 2 infections. Rebooted, ran another MBAM quick scan. Ran another Dr.Web express scan, which showed no infection.

Here are the last 2 mbam logs.

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 1

05/01/2009 10:23:33 AM
mbam-log-2009-05-01 (10-23-33).txt

Scan type: Quick Scan
Objects scanned: 120567
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\authz(6.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d7aea87-b325-448d-a415-86c02f99405f} (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\authz(6.dll (Trojan.Downloader) -> Delete on reboot.

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 1

05/01/2009 10:48:10 AM
mbam-log-2009-05-01 (10-48-10).txt

Scan type: Quick Scan
Objects scanned: 121130
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Next, I will run a SAS scan and post the results.

Thanks again.

#7 buddy215 (Moderator)

Posted 01 May 2009 - 01:39 PM

Looks like you are malware free for the moment. But as you probably know, your computer is very vulnerable because of missing Windows updates and probably some of the more vulnerable programs such as Adobe Flash, Adobe Reader, Java and any media player(s) you have installed.

http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program.

* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

Some of your restore points are infected. The only way to remove those is to delete all of them.
Follow the instructions in the link below to delete the restore points and reset a new one.
http://www.bleepingcomputer.com/forums/ind...t&p=1246201

#8 Biffmo (Topic Starter)

Posted 04 July 2010 - 02:46 PM

For the record, I ended up wiping the hard drive and reinstalling windows. Seems to work great. I have not run any Java updates until recently, and I think that's why I may have picked up the nasty virus I have now. I'm ready to switch to Mozilla!



