Trojan.Agent/Gen-AlerterALG


11 replies to this topic

#1 adm1r4l_4ckbar

Posted 18 June 2009 - 02:51 PM

Hello everyone, I am Eric. I am new here. I have been infected for a couple of days now, and the trojan is starting to interfere.

I use SUPERAntiSpyware as my anti-spyware and ESET NOD32 as my anti-virus. I am running on Windows XP.
The trojan that I am infected with is detected with SAS. NOD32 does not detect any corrupted files on my computer.

There are either 5 or 7 files each time I do a scan. After scanning I reboot, and the files have returned.
They are in my registry:

Trojan.Agent/Gen-AlerterALG
HKU\.DEFAULT\Software\S45
HKU\S-1-5-18\Software\S45
HKLM\Software\S45
HKLM\Software\S45\Par
HKLM\Software\S45\Par#ID

I've tried manually deleting these files, but they just return on reboot.



The main thing this trojan does (that I am aware of) is screws with my search engines. Most websites I go to will redirect me to a fake result page. I've tried system restore, but each point I choose says that no changes to the C drive have been made, so it doesn't revert. (I have tried going back to late May, and there are still no changes).


I'm a computer noob, so any help would be greatly appreciated. If you need any more information on my computer and whatnot, feel free to ask.

Edited by adm1r4l_4ckbar, 18 June 2009 - 03:21 PM.



#2 Alex_Computer


Posted 18 June 2009 - 03:48 PM

Please run a scan with Malwarebytes Anti-Malware. You can download it from here: http://www.malwarebytes.org. Please update it, run a quick scan, and then post the log back here. This might help us discover anything else that you might have.

Thanks,
Alex

#3 adm1r4l_4ckbar


Posted 18 June 2009 - 04:47 PM

Here is the full scan.


Malwarebytes' Anti-Malware 1.38
Database version: 2305
Windows 5.1.2600 Service Pack 3

6/18/2009 5:45:52 PM
mbam-log-2009-06-18 (17-45-48).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 256073
Time elapsed: 42 minute(s), 54 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 8
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\system32\g.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s45 (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
c:\system volume information\_restore{c207e901-5221-4840-9bec-8cba58a04f71}\RP550\A0167370.dll (Trojan.FakeAlert) -> No action taken.
c:\system volume information\_restore{c207e901-5221-4840-9bec-8cba58a04f71}\RP557\A0168399.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{c207e901-5221-4840-9bec-8cba58a04f71}\RP566\A0171532.sys (Backdoor.Rustock) -> No action taken.
c:\system volume information\_restore{c207e901-5221-4840-9bec-8cba58a04f71}\RP566\A0171661.exe (Trojan.Downloader) -> No action taken.
c:\system volume information\_restore{c207e901-5221-4840-9bec-8cba58a04f71}\RP571\A0175556.sys (Backdoor.Rustock) -> No action taken.
c:\WINDOWS\system32\jeyanima.exe (Trojan.Vundo.V) -> No action taken.
c:\WINDOWS\system32\wbem\proquota.exe (Trojan.Downloader) -> No action taken.
c:\windows\system32\lowsec\local.ds (Stolen.data) -> No action taken.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\st_1245031155.exe (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\g.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
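A log-triage helper for the scan above, showing the two things a responder would pull out of it: detections still marked "No action taken" and the extra executable appended to Winlogon\Userinit. This is an added example, not MBAM's or the forum's code; the sample log lines are constructed to match the shape of the posted log.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x text log (added example,
not MBAM's or BleepingComputer's code). SAMPLE_LOG is constructed to match
the shape of the log posted in the thread."""
import re

# One detection line: <key or path> (<threat>) -> <details ...> -> <action>
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
LEGIT_USERINIT = "userinit.exe"  # the only component Winlogon\Userinit should name

SAMPLE_LOG = r"""
Scan type: Full Scan (C:\|D:\|)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s45 (Backdoor.Bot) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
"""

def parse_mbam_log(text):
    """Return one dict per detection line: item, threat, details[], action."""
    entries = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, section title or blank line
        parts = [p.strip() for p in m.group("rest").split("->")]
        entries.append({"item": m.group("item"), "threat": m.group("threat"),
                        "details": parts[:-1], "action": parts[-1]})
    return entries

def unremediated(entries):
    """Detections MBAM logged but did not remove (the scan must be rerun)."""
    return [e for e in entries if e["action"] == "No action taken."]

def userinit_extras(entries):
    """Paths named in Winlogon\\Userinit besides userinit.exe: MBAM reports the
    hijacked value as 'Bad: (a,b,) Good: (Userinit.exe)' or 'Data: <path>';
    anything else there is a logon-time persistence entry."""
    extras = set()
    for e in entries:
        if not e["item"].lower().endswith(r"winlogon\userinit"):
            continue
        for d in e["details"]:
            m = re.search(r"Bad: \((.*?)\)", d) or re.search(r"Data: (.*)", d)
            if not m:
                continue
            for p in (x.strip().lower() for x in m.group(1).split(",")):
                if p and p.rsplit("\\", 1)[-1] != LEGIT_USERINIT:
                    extras.add(p)
    return sorted(extras)

def security_center_tampering(entries):
    """Security Center *DisableNotify values set to 1, i.e. alerts silenced."""
    return sorted(e["item"] for e in entries if e["threat"] == "Disabled.SecurityCenter")
```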

#4 Alex_Computer


Posted 18 June 2009 - 04:51 PM

Ok, I see that you did not choose to delete any of the files. I'm sorry to ask you to do this, but please run the scan again and make sure that all of the items are checked, then push the remove button (once the scan is completed). This will then get rid of all of this nasty malware and we can proceed from there.

Alex

Edited by Alex_Computer, 18 June 2009 - 04:51 PM.


#5 adm1r4l_4ckbar


Posted 18 June 2009 - 04:56 PM

My bad, here it is


Malwarebytes' Anti-Malware 1.38
Database version: 2305
Windows 5.1.2600 Service Pack 3

6/18/2009 5:56:15 PM
mbam-log-2009-06-18 (17-56-15).txt

Scan type: Quick Scan
Objects scanned: 93465
Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 3
Registry Data Items Infected: 8
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\g.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s45 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\jeyanima.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\st_1245031155.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\g.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#6 Alex_Computer


Posted 18 June 2009 - 05:04 PM

I know that you said you have some viruses that were contained in the system restore. To get these out, you don't have to run the Malwarebytes scan again. They will be detected when you run the Kaspersky scan. To do so please:

Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


1) Read the requirements and privacy statement, then click on the Accept button.
2) The program will launch and start to download the latest definition files.
3) You will be prompted to install an application from Kaspersky. Click Run.
4) Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   - Spyware, Adware, Dialers, and other potentially dangerous programs
   - Archives
5) Click on My Computer under Scan.
6) Once the scan is complete, it will display the results. Click on View Scan Report.
7) Click on Save Report As....
8) Change the Files of type to Text file (.txt) before clicking on the Save button.
9) Save this report to a convenient place.
10) Copy and paste that information into your next post.


The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

#7 adm1r4l_4ckbar


Posted 18 June 2009 - 05:38 PM

Okay, Kaspersky has finished updating and has just begun scanning. I will post the results when it's done.

#8 boopme


Posted 18 June 2009 - 06:37 PM

One or more of the identified infections is a backdoor trojan. You also have rootkits.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#9 adm1r4l_4ckbar


Posted 18 June 2009 - 06:39 PM

Okay, I was thinking of reformatting anyway.

Since the virus is in my registry, how can I know which files are safe and which are dangerous?

#10 boopme


Posted 18 June 2009 - 07:02 PM

Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low-level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc... as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.
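The two backup rules above, applied as a file-name filter that also catches the hidden double-extension trick the post warns about. This is an added example, not a BleepingComputer tool; the file names in it are constructed.

```python
"""File-name filter for the two backup rules above (added example, not a
BleepingComputer tool). File names in the demo are constructed."""

# Rule 2: executables, autorun files and saved web pages stay behind.
BLOCKED_EXT = {".exe", ".scr", ".com", ".pif", ".html", ".htm"}
# Rule 1: data types worth carrying over; extend the set for your own files.
DATA_EXT = {".doc", ".txt", ".mp3", ".jpg"}

def classify(name):
    """Return ('keep' | 'skip', reason) for one file name.

    The name is split on every dot, so 'photo.jpg.exe' (shown as 'photo.jpg'
    when Explorer hides known extensions) is judged by its real last extension.
    """
    parts = name.lower().split(".")
    if len(parts) < 2:
        return "skip", "no extension"
    if parts[0] == "autorun":
        return "skip", "autorun file, may be infected"
    exts = ["." + p for p in parts[1:]]
    last = exts[-1]
    if last in BLOCKED_EXT:
        if len(exts) > 1 and exts[-2] in DATA_EXT:
            return "skip", f"disguised executable: {exts[-2]} then {last}"
        return "skip", f"blocked type {last}"
    if last in DATA_EXT:
        return "keep", f"data file {last}"
    return "skip", f"unknown type {last}, review by hand"

def plan_backup(names):
    """Split a list of file names into (keep, skip) per the rules."""
    keep, skip = [], []
    for n in names:
        (keep if classify(n)[0] == "keep" else skip).append(n)
    return keep, skip

if __name__ == "__main__":
    demo = ["thesis.doc", "photo.jpg.exe", "setup.exe", "autorun.ini", "song.mp3"]
    for n in demo:
        print(n, "->", *classify(n))
```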

#11 adm1r4l_4ckbar


Posted 18 June 2009 - 08:26 PM

Can anyone walk me through backing up all of my e-mails? That's one of the only things left that I'm not sure how to keep.

#12 boopme


Posted 18 June 2009 - 09:31 PM

Hello. Open a topic here: http://www.bleepingcomputer.com/forums/f/14/web-browsingemail-and-other-internet-applications/
Mention you have XP and whatever email program you use. They will tell you where to find them.



