AGProtect trojan keeps coming back


  • This topic is locked
3 replies to this topic

#1 gobsgraham

gobsgraham

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 07 July 2009 - 04:25 PM

I am in need of help, as despite running every online scan I can find, this AGProtect keeps coming back. Below are my logs from the dds.scr file, and I will run a Kaspersky scan right away and post those logs when it is complete (likely tomorrow though). Can someone please help me get rid of this and, if possible, let me know their thoughts on how dangerous they think this trojan is/was. Symantec doesn't seem to think it is a big deal, but they also just say run a scan to remove it, which I know is not true.


DDS (Ver_09-06-26.01) - NTFSx86
Run by rgraham at 15:00:26.76 on Tue 07/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.266 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UltiDev\Cassini Web Server for ASP.NET 2.0\UltiDevCassinWebServer2a.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Microsoft Office12\Office12\OUTLOOK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rgraham\Desktop\Virus removal\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://nickel
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 172.23.45.60:8080
uInternet Settings,ProxyOverride = hxxp://nickel;<local>
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\miafac~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\miafac~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\miafac~1\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: mei.ca\enterpriseportal
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.epost.ca/printing/smsx.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179330523953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.installengine.com/engine/isetup.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E7-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-4-25 33408]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-27 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-7-7 28544]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-5-16 58464]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-3-17 65536]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-5-16 102463]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
R2 UltiDev Cassini Web Server for ASP.NET 2.0;UltiDev Cassini Web Server for ASP.NET 2.0;c:\program files\ultidev\cassini web server for asp.net 2.0\UltiDevCassinWebServer2a.exe [2007-2-8 49152]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-5-16 108480]
S2 0241548E562972C0;0241548E562972C0;\??\c:\documents and settings\rgraham\0241548e562972c0\0241548e562972c0 --> c:\documents and settings\rgraham\0241548e562972c0\0241548E562972C0 [?]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-6-30 42112]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2008-7-29 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2008-7-29 61696]

=============== Created Last 30 ================

2009-07-07 14:48 <DIR> --dsh--- c:\documents and settings\rgraham\IECompatCache
2009-07-07 14:47 <DIR> --dsh--- c:\documents and settings\rgraham\PrivacIE
2009-07-07 14:43 <DIR> --dsh--- c:\documents and settings\rgraham\IETldCache
2009-07-07 14:29 <DIR> --d----- C:\9be3e9db071797475f3a77cd
2009-07-07 14:14 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-07 14:14 <DIR> --d----- c:\windows\ie8updates
2009-07-07 14:14 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-07 14:13 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 14:12 <DIR> -cd-h--- c:\windows\ie8
2009-07-07 14:02 <DIR> --d----- c:\program files\McAfee
2009-07-07 08:42 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-07-07 08:42 <DIR> --d----- c:\program files\Panda Security
2009-07-07 07:56 389,120 a------- c:\windows\system32\CF16272.exe
2009-07-07 07:56 <DIR> --ds---- C:\ComboFix
2009-07-06 14:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-06 14:49 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-06 14:49 <DIR> --d----- c:\docume~1\rgraham\applic~1\SUPERAntiSpyware.com
2009-07-06 12:50 <DIR> --d----- c:\windows\system32\dllcache\cache
2009-07-06 08:14 <DIR> a-dshr-- C:\cmdcons
2009-07-06 08:13 161,792 a------- c:\windows\SWREG.exe
2009-07-06 08:13 155,136 a------- c:\windows\PEV.exe
2009-07-06 08:13 98,816 a------- c:\windows\sed.exe
2009-07-06 03:02 <DIR> --d----- C:\8f1b9bb5f1f8159cfc45c32ee50ba7c0
2009-07-05 18:40 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-07-05 18:39 <DIR> --d----- c:\windows\ERUNT
2009-07-05 17:31 <DIR> --d----- c:\program files\CCleaner
2009-07-05 17:19 <DIR> --d----- C:\SDFix
2009-07-05 17:08 <DIR> --d----- c:\program files\Trend Micro
2009-07-01 08:24 131,678,771 a------- c:\temp\2009-06-30 - Barcelona, Spain - Camp Nou.zip
2009-06-25 08:18 <DIR> --d----- c:\program files\iPod
2009-06-25 08:18 <DIR> --d----- c:\program files\iTunes

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-12 23:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 23:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-12 23:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 09:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 15:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 15:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 15:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 15:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 15:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 05:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 22:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-28 22:55 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-04-28 03:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-24 15:13 14,336 a------- c:\windows\system32\svchost.exe
2009-04-24 15:13 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-04-24 15:13 14,336 a------- c:\windows\system32\dllcache\cache\svchost.exe
2009-04-21 14:42 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-17 06:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 06:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 08:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 08:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-03-16 11:35 256 a------- c:\documents and settings\rgraham\pool.bin
2008-12-15 15:41 47,360 a------- c:\docume~1\rgraham\applic~1\pcouffin.sys
2007-08-16 07:45 92,064 ac------ c:\documents and settings\rgraham\mqdmmdm.sys
2007-08-16 07:45 79,328 ac------ c:\documents and settings\rgraham\mqdmserd.sys
2007-08-16 07:45 66,656 ac------ c:\documents and settings\rgraham\mqdmbus.sys
2007-08-16 07:45 9,232 ac------ c:\documents and settings\rgraham\mqdmmdfl.sys
2007-08-16 07:45 6,208 ac------ c:\documents and settings\rgraham\mqdmcmnt.sys
2007-08-16 07:45 5,936 ac------ c:\documents and settings\rgraham\mqdmwhnt.sys
2007-08-16 07:45 4,048 ac------ c:\documents and settings\rgraham\mqdmcr.sys
2007-08-16 07:45 25,600 ac------ c:\documents and settings\rgraham\usbsermptxp.sys
2007-08-16 07:45 22,768 ac------ c:\documents and settings\rgraham\usbsermpt.sys

============= FINISH: 15:01:03.76 ===============


#2 gobsgraham

gobsgraham
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:46 PM

Posted 08 July 2009 - 02:43 PM

I finally got SuperAntivirus to run and it looks as though this is finally gone. I have restarted a few times and it has not come back. I am going to turn my system restore back on and hopefully this is behind me now.

I would still appreciate it if anyone had a look at my logs if they could let me know if there is anything else they think I should clean as well as let me know how bad they think the AGProtect malware is.

Thanks

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:46 PM

Posted 16 July 2009 - 11:48 AM

Hello gobsgraham,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:11:46 PM

Posted 22 July 2009 - 10:11 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.