Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Am infected with trojan.agent


  • Please log in to reply
20 replies to this topic

#1 susanj

susanj

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 19 May 2009 - 08:40 PM

Hi

A few weeks ago was infected with a Cryptor trojan it came up with winpc antivirus..had a friend help clean it off with malwarebytes but still now when do a scan with malwarebytes it comes up with trojan.agent & i restart to clean it off but it comes back the next time i do it..
i have noticed that now my security centre is not working also system restore wasn't working so i reset that but don't think its still working...my daughter who likes to go on myspace cannot login and i have tried to go on different sites this morning on ie8 but its no responding...it searches for a while then comes up with 'oops! this link appears to be broken" though i was able to get to this site through favorites..

have done nod32 scan it came up with nothing & microsofts malicious software removal tool nothing there also..

hope you can help... i have windows xp

thank you
Sue

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:03 AM

Posted 20 May 2009 - 08:16 PM

Please run part 1 of SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Next Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 21 May 2009 - 03:58 AM

Hi,

Thanks for coming to my aid....

this is the result of the smitfraudfix...

SmitFraudFix v2.375

Scan done at 18:52:56.20, Thu 05/21/2009
Run from C:\Documents and Settings\HP_Administrator\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Documents and Settings\HP_Administrator\My Documents\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\HP_Administrator


C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp


C:\Documents and Settings\HP_Administrator\Application Data


Start Menu


C:\DOCUME~1\HP_ADM~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!



404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 16.92.3.242
DNS Server Search Order: 16.92.3.243
DNS Server Search Order: 16.81.3.243
DNS Server Search Order: 16.118.3.243

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 10.0.0.138
DNS Server Search Order: 10.0.0.138

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0F4A327C-59B9-4854-9B70-D8FBAF8AEAAD}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D1ED57DB-54BC-4A28-882E-3073C1B6101A}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0F4A327C-59B9-4854-9B70-D8FBAF8AEAAD}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D1ED57DB-54BC-4A28-882E-3073C1B6101A}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0F4A327C-59B9-4854-9B70-D8FBAF8AEAAD}: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D1ED57DB-54BC-4A28-882E-3073C1B6101A}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0F4A327C-59B9-4854-9B70-D8FBAF8AEAAD}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D1ED57DB-54BC-4A28-882E-3073C1B6101A}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.0.0.138 10.0.0.138
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


Scanning for wininet.dll infection


End

#4 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 21 May 2009 - 04:05 AM

Here's the mbam report...thanks

Malwarebytes' Anti-Malware 1.36
Database version: 2161
Windows 5.1.2600 Service Pack 3

5/21/2009 7:04:32 PM
mbam-log-2009-05-21 (19-04-32).txt

Scan type: Quick Scan
Objects scanned: 90963
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:03 AM

Posted 21 May 2009 - 06:36 PM

Hi, Have you done the required reboot after that scan? How is it running now?

Please run the Cleaner of S!Ri's SmitfraudFix \, let me know if your clock changes to military format.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 21 May 2009 - 08:16 PM

Hi..
tried doing the clean as suggested after registry cleaning a text file came up..it didn't ask to check wininet.dll so i restarted into normal mode but the text file didn't come up...can't find it anywhere in comp..
comp still not working right yet...and no change happened in the clock..
sorry i have to go to work now so will try it again this afternoon Thank you

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:03 AM

Posted 21 May 2009 - 09:17 PM

OK we will do 2 more things as I suspect this rootkit is still here.

Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Rootkit scanning
Before performing a Anti rootkit scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

Disconnect from the Internet or physically unplug you Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


Now run AVG Anti-Rootkit.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 22 May 2009 - 05:55 AM

Hi

This is tonights mbam result...the same as before. I will do the other suggestions now as you mentioned after i reboot....thanks.

Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 3

5/22/2009 8:54:45 PM
mbam-log-2009-05-22 (20-54-45).txt

Scan type: Quick Scan
Objects scanned: 91263
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

#9 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 22 May 2009 - 06:16 AM

Sorry i just realised i don't have Avg Anti rootkit i only have avg8 Free

#10 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 22 May 2009 - 06:23 AM

Hi

I probably sound like an idiot but before when i tried to access the link for avg anti rootkit i got nothing but now i have downloaded it & will do as required...sorry but my ie8 is not working correctly so.....

#11 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 22 May 2009 - 06:50 AM

Did the search & it came up with 10 items found..do i just delete them? or should i have performed an in depth search?

#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:03 AM

Posted 22 May 2009 - 11:25 AM

Guess this would have helped,sorry..
Download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to begin installation.
  • Click Next to select the Normal interface.
  • Accept the license and follow the prompts to install. (By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit)
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with three buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some so be patient and let it finish.
  • When the scan has finished, if anything was found, click "Remove selected items"
  • If nothing is found, a message will appear "Congratulations! There were no installed rootkits found on your computer."
  • Click close, then select "Perform in-depth Search".
  • When the scan has finished, if anything is found, click "Remove selected items"
  • Again, if nothing was found, you will see the message "Congratulations! There were no installed rootkits found on your computer."
  • Exit AVG ARK.
Note: Close all open windows, programs, and DO NOT USE the computer while scanning. If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted automatically.


Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Edited by boopme, 22 May 2009 - 11:27 AM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 22 May 2009 - 07:36 PM

Hi again..

did the rootkit and now here is the report from mbam. Will reboot now to finish..

Malwarebytes' Anti-Malware 1.36
Database version: 2168
Windows 5.1.2600 Service Pack 3

5/23/2009 10:33:03 AM
mbam-log-2009-05-23 (10-33-03).txt

Scan type: Quick Scan
Objects scanned: 91461
Time elapsed: 5 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UACctpyhjwrsfkpuhb.dl_ (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACdrxkusibwhjkluc.dl_ (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACiyxurumltiqtkal.dl_ (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACjorwtxmjduliwsn.dl_ (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACksqoknbakjqwhxv.dl_ (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACtyxtqlrmycijewm.sy_ (Rootkit.TDSS) -> Quarantined and deleted successfully.

#14 susanj

susanj
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Australia
  • Local time:06:03 PM

Posted 24 May 2009 - 12:13 AM

Hi

did mbam scan today as i do now often & looks like i have something else now...will post it for you. Sue

Malwarebytes' Anti-Malware 1.36
Database version: 2173
Windows 5.1.2600 Service Pack 3

5/24/2009 3:10:06 PM
mbam-log-2009-05-24 (15-10-06).txt

Scan type: Quick Scan
Objects scanned: 91326
Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:03 AM

Posted 24 May 2009 - 07:16 PM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users