trojan-agent.gen.x


This topic is locked
2 replies to this topic

#1 usafsmb

Posted 21 November 2009 - 05:09 AM

I have known for quite some time that I had an issue with my system, but was only recently able to figure out that it was a Trojan. All of my analysis programs were missing it during my routine scans, and only when I went into safe mode and ran an analysis did I discover that it was the trojan-agent.gen.x Trojan. Without knowing the precise agent that I am infected with, I do not know where to begin to go to remove it and start the full cleaning of my system, hence why I am here on bended knee pleading in the hopes that one of you wonderful people will be able to assist.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 4:37:28.10 on Sat 11/21/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.83 [GMT -5:00]

AV: avast! antivirus 4.8.1335 [VPS 091120-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Owner\Desktop\Virus Stuff\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZUfox000&ptb=XADELNpOR3Yl2OW6fuLEIg
uDefault_Search_URL = hxxp://srch-us4.hpwis.com/
mSearch Bar = hxxp://srch-us4.hpwis.com/
uInternet Connection Wizard,ShellNext = hxxp://us4.hpwis.com/
uInternet Settings,ProxyOverride = localhost
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\c06jud2h.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZUfox000&fl=0&ptb=XADELNpOR3Yl2OW6fuLEIg&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-24 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-21 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-21 20560]
S2 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\drivers\pavproc.sys --> c:\windows\system32\drivers\PavProc.sys [?]

=============== Created Last 30 ================

2009-11-21 07:51:40 0 d-----w- c:\windows\system32\dllcache\cache
2009-11-18 12:39:14 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-11-18 12:35:59 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-11-18 12:22:27 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-18 12:20:05 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-11-18 12:19:39 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-11-18 12:19:38 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-11-18 12:19:38 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-11-18 12:19:38 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-11-18 12:19:37 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-18 12:19:37 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-18 12:19:36 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-11-18 12:19:36 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-11-18 12:11:53 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-11-18 11:28:29 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-18 11:28:26 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-18 11:28:25 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-11-18 11:26:06 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-11-18 11:25:41 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-11-18 11:14:57 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-11-18 11:14:56 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-11-18 11:14:56 1203922 ------w- c:\windows\system32\dllcache\sysmain.sdb
2009-11-18 11:14:04 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-11-18 08:17:16 0 d-sha-r- C:\cmdcons
2009-11-18 08:13:36 77312 ----a-w- c:\windows\MBR.exe
2009-11-11 20:03:53 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

==================== Find3M ====================

2009-11-17 21:17:12 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-21 04:08:54 3598336 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-07 18:22:04 85 ----a-w- C:\bbcatf.bat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:28:59 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 10:28:59 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 05:18:44 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 05:18:41 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-19 16:01:02 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081920090820\index.dat

============= FINISH: 4:39:52.06 ===============


Webroot System Analyzer Report

Computer Name: VICTORIA

Report Name: VICTORIA6

Scan Date: 11/21/2009

Security Software Scan
True online security requires more than one layer of protection. Your scan results below detail the importance of complete and up-to-date protection.

Status
What You Need to Know

Anti-spyware
Found: None
Surfing the Internet without spyware protection leaves you at risk of unknowingly installing malicious programs that can jeopardize your privacy and the performance of your computer.
Recommendations:

You are at risk because you don't appear to have one of the major anti-spyware products installed. Install a good anti-spyware product today.

Anti-virus
Found: None
Using a computer without anti-virus protection risks infection by malicious programs that can cause system damage and change applications so they can spread themselves to other computers.
Recommendations:

You are at risk because you don't have one of the major anti-virus products installed. Install a good anti-virus product today.

Firewall
Found: None
A firewall is an essential defense against hackers and malicious programs, blocking undesirable traffic to and from your computer.
Recommendations:

You are at risk because you don't have one of the major firewall products installed. We strongly recommend that you install a good firewall to protect yourself.

Spyware and Adware Scan

Dangerous

Recommendations:

Spyware was found on your computer, including Trojan spyware. We strongly recommend using a good anti-spyware tool to remove all spyware immediately.

Status
What You Need to Know

Trojans - (1)

trojan-agent.gen.x
A Trojan horse is generally disguised as a harmless software program, but is a malicious program that can allow a hacker to make changes or take control of your computer.

System Monitors
None Found
A system monitor can track the private use of your computer, including the entry of passwords and account numbers, and can report information to others over the Internet.

Adware
None Found
Adware is any software application that may display advertisements on your computer. Some adware may track your surfing habits.

Adware Cookies
None Found
Tracking cookies are small files downloaded from websites to record information. They aren't generally harmful to your computer, but they are used to track your surfing habits and sometimes include personal information including usernames and passwords.

System Information
Processor and Operating System
Recommendations:

You are running Windows XP with Service Pack 3. Make sure you regularly check for Windows Updates to obtain the latest critical and security updates from Microsoft.

Status
What You Need to Know

CPU: Advanced Micro Devices

Speed: 1466 MHz
Your processor affects how quickly computer operations can be performed and is one of the major components that can affect overall computer speed.

OS: Windows XP 5.1.2600 Service Pack 3
The operating system controls all of the tasks carried out by your computer.

Automatic Updates

Status
What You Need to Know

Setting: Off
Installing high-priority updates for your operating system is an essential step in keeping your computer protected from the latest viruses and other security threats. Windows includes an Automatic Updates tool that can routinely find and install all recommended updates as soon as they become available.
Recommendations:

You have turned off Automatic Updates. Your computer will be more vulnerable unless you install updates regularly. We recommend that you allow Automatic Updates to download and install any high-priority updates for your computer automatically.

Memory

Status
What You Need to Know

Total RAM: 480 MB

Slot 1: 256 MB DRAM DIMM

Slot 2: 256 MB DRAM DIMM
RAM controls how many things your computer can do at once. Increasing your RAM is almost always the lowest cost, highest impact improvement you can make to the performance of your computer.
Recommendations:

You have 480MB of RAM. We suggest at least 512MB of RAM for your operating system. We recommend that you add at least 32MB of RAM. Since you do not have an empty memory slot available, you may need to upgrade existing memory as well as purchase additional RAM so you can reach the recommended amount.

Hard Drives
Recommendations:

Your C drive is 56 percent free (28.80 GB / 51.59 GB). Make sure you maintain at least 30 percent free capacity of your hard drive to ensure that you have sufficient storage space, but also to allow proper system performance.

Status
What You Need to Know

Drive 1: C:

Capacity: 51.59 GB

Available: 28.80 GB

Used (44%) Free (56%)


Drive 2: H:

Capacity: 149.05 GB

Available: 123.87 GB

Used (17%) Free (83%)

Extra hard drive space is important because it determines how much room you have to store applications and files, but also because free space is used by the operating system to enable your computer to run properly.

Drive Fragmentation
The Directory and File structure inside your computer relies heavily on the ability to quickly read and write data onto your machine. Frequent defragmentation scans will help keep your computer running smoothly and reduce the risk of corrupted files.

Recommendations:

Your hard drive is 23% fragmented. We recommend keeping it below 10% fragmented. Use the built-in Windows defrag utility or a good third-party program to defragment your drive and improve performance.

Status
What You Need to Know

Fragmentation: 23%
Fragmentation is a normal process caused by your operating system as it breaks up files to better fit them on the available space of your hard disk. As your hard disk becomes more fragmented, overall system performance is degraded.

Web Browsing (Internet Explorer)

Status
What You Need to Know

Recoverable Space

IE Cache 0 bytes
IE Cookies 0 bytes
IE History 0 bytes
Windows Temp 8.00 KB
Total: 8.00 KB
Your operating system regularly collects unnecessary files that can be removed to recover hard disk space and help speed up system performance.
Recommendations:

You have 8.00 KB of hard disk space that is currently being used by unnecessary files. We recommend that you use a good file removal program to automatically find and remove unnecessary files.

Exposed URLs: 0
Internet Explorer keeps a record of the web sites you visit. These can be found by anyone who has access to your computer. This poses a potential risk to your privacy and security as well as taking up space and eventually slowing down your computer.
Recommendations:

You have 0 exposed Web addresses. We recommend that you regularly delete exposed Web addresses using a good program that can erase the records of your Internet activity.

Windows Messenger Service
Recommendations:

Windows Messenger Service is disabled. Make sure you continue to keep it disabled to avoid unwanted notices from being displayed on your computer.

Status
What You Need to Know

Windows Messenger Service: Inactive
Windows Messenger Service allows your computer to display alert-type notices and has no relation to instant message, chat programs. It is generally not needed by home users, but it is often exploited to display advertisements, even when you are not using the Internet.


#2 suebaby41

Posted 28 November 2009 - 08:22 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments, so I always request that HijackThis logs be posted as a reply to the thread. I do not think that you are attaching anything scary, but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

Posted 06 December 2009 - 10:16 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



