
Trojan horse Agent CBX detected


5 replies to this topic

#1 Jove

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey

Posted 14 December 2009 - 07:01 PM

Someone gave me a CD with a copy of Photoshop on it, and I put the disc in the tray and ran it.

My scanner flashed a warning that it was on the CD, so I have it in the AVG Vault.

I discontinued running the CD, but today, when saving a Paint file, I noticed that I could not find it. I searched, and the search revealed that it was in My Docs, but I could not find it there. I sent it into my Docs folder from the search, and it was then there; however, another search then revealed two copies, and now three. I can only account for one.

Is it possible that it may have done some damage? It seems that the warning, and having it removed to the vault, should have prevented it from running. I did another full scan of disk C:
and found nothing, therefore I assume that if it detected it the first time there should be no further problem?? Right?

When you don't have to worry about your computer anymore, you can start
living again !

Success is a result, not a goal. . . . Flaubert



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,213 posts
  • Gender:Male
  • Location:NJ USA

Posted 14 December 2009 - 08:22 PM

That should be correct. C is the CD drive with the CD in it? In other words, scan the hard drive and the suspect CD. Is the removed file in the AVG quarantine?

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#3 Jove
  • Topic Starter

Posted 14 December 2009 - 09:51 PM

I think not.
Ref. AVG Virus Vault:
Infection Trojan horse Agent CBX D:A\Adobe Photoshop 7.0 KeyGen.exe

I think it might still be on the CD.

I've seen this same virus referencing Google Docs, seemingly within the same Photoshop association. I did not keep a record of it, so I can't tell you exactly where that was; however, if you would like, I can go back and search for it?

In regards to my original question: do you think that the scan warning and the placing of this in the vault (I don't recall whether this was placed there manually after I received the warning or whether it was done automatically by the program; BTW, is that ref. above the virus, or just information about what is still on the CD?) would have left it time to expose my PC to it?



#4 boopme

Posted 14 December 2009 - 10:49 PM

It looks to me as if they used a crack to get you the program: KeyGen.exe.
These are known great sources of malware. It is most likely on the CD, as it was packed with the software.
Good chance you are not infected if you did not install the app off the CD.


Please run this and MBAM.

Please download Rooter.exe and save to your desktop.
alternate download link
  • Double-click on Rooter.exe to start the tool. If using Vista, right-click and Run as Administrator...
  • Click the Scan button to begin.
  • Once the scan is complete, Notepad will open with a report named Rooter_#.txt (where # is the number assigned to the report).
  • A folder will be created at the %systemdrive% (usually, C:\Rooter$) where the log will be saved.
  • Rooter will automatically close. If it doesn't, just press the Close button.
  • Copy and paste the contents of Rooter_#.txt in your next reply.
Important: Before performing a scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Edited by boopme, 14 December 2009 - 10:50 PM.


#5 Jove
  • Topic Starter

Posted 15 December 2009 - 02:00 AM

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 11 Stepping 1, GenuineIntel
.
[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[SharedAccess] STOPPED (state:1) : Windows Firewall -> Disabled !
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.5.5 (en-US)
.
A:\ [Removable]
C:\ [Fixed-NTFS] .. ( Total:149 Go - Free:132 Go )
D:\ [CD_Rom]
E:\ [Fixed-NTFS] .. ( Total:37 Go - Free:31 Go )
.
Scan : 01:37.55
Path : C:\Documents and Settings\Jp\Desktop\Rooter.exe
User : Jp ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (448)
______ \??\C:\WINDOWS\system32\csrss.exe (508)
______ \??\C:\WINDOWS\system32\winlogon.exe (532)
______ C:\WINDOWS\system32\services.exe (576)
______ C:\WINDOWS\system32\lsass.exe (588)
______ C:\WINDOWS\system32\svchost.exe (732)
______ C:\WINDOWS\system32\svchost.exe (796)
______ C:\WINDOWS\System32\svchost.exe (852)
______ C:\WINDOWS\System32\svchost.exe (920)
______ C:\Program Files\AVG\AVG9\avgrsx.exe (948)
______ C:\WINDOWS\system32\spoolsv.exe (1020)
______ C:\Program Files\Comodo\Firewall\cmdagent.exe (1084)
______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (1172)
______ C:\WINDOWS\Explorer.EXE (1288)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1332)
______ C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (592)
______ C:\WINDOWS\system32\carpserv.exe (740)
______ C:\Program Files\Java\jre6\bin\jusched.exe (876)
______ C:\WINDOWS\System32\svchost.exe (1284)
______ C:\Program Files\AVG\AVG9\avgchsvx.exe (3112)
______ C:\Program Files\AVG\AVG9\avgwdsvc.exe (3784)
______ C:\Program Files\AVG\AVG9\avgnsx.exe (3952)
______ C:\Program Files\AVG\AVG9\avgtray.exe (668)
______ C:\Program Files\Internet Explorer\iexplore.exe (3904)
______ C:\Program Files\Internet Explorer\iexplore.exe (648)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3596)
______ C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (672)
______ C:\Documents and Settings\Jp\Desktop\Rooter.exe (3468)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:160038756864)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\Registration reminder 1.job
C:\WINDOWS\Tasks\Registration reminder 2.job
C:\WINDOWS\Tasks\Registration reminder 3.job
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 01:38.00
.
C:\Rooter$\Rooter_1.txt - (15/12/2009 | 01:38.00)

==============================================

Malwarebytes' Anti-Malware 1.42
Database version: 3363
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/15/2009 1:49:27 AM
mbam-log-2009-12-15 (01-49-27).txt

Scan type: Quick Scan
Objects scanned: 107385
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0




Boopme,

As always, thank you so very much!

Jove

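As an added triage example (not from the thread, and not code from Rooter or Malwarebytes), here is a small Python parser for the two report formats posted above: it flags the `-> Disabled !` service lines, processes running from user-writable paths (skipping the scanners themselves), `.job` scheduled tasks, and non-zero `Infected:` counters in the MBAM summary. The sample inputs are constructed in the same format; the `updater.exe` entry and the MBAM counts are invented for illustration.

```python
import re
# Constructed sample in the format of the Rooter report posted above (not the
# poster's full log): process list shortened, the Temp process is invented.
SAMPLE_ROOTER = r"""[wscsvc] STOPPED (state:1) : Security Center -> Disabled !
[SharedAccess] STOPPED (state:1) : Windows Firewall -> Disabled !
----------------------\\ Processes
______ C:\WINDOWS\system32\services.exe (576)
______ C:\Documents and Settings\Jp\Desktop\Rooter.exe (3468)
______ C:\DOCUME~1\Jp\LOCALS~1\Temp\updater.exe (3500)
----------------------\\ Scheduled Tasks
C:\WINDOWS\Tasks\Registration reminder 1.job
----------------------\\ Scan completed at 01:38.00
"""
# Constructed MBAM summary with non-zero counters, to show the aggregation.
SAMPLE_MBAM = "Memory Processes Infected: 0\nRegistry Keys Infected: 1\nFiles Infected: 2\n"

SERVICE_RE = re.compile(r"^\[(\w+)\] \w+ \(state:\d+\) : (.+?) -> (\w+) !")
PROC_RE = re.compile(r"^(?:______|Locked) (.+) \((\d+)\)$")
# Locations a dropped payload often runs from; the scanners themselves live there too.
USER_WRITABLE = re.compile(r"\\(Documents and Settings|DOCUME~1|Users)\\|\\Temp\\", re.I)
KNOWN_TOOLS = {"rooter.exe", "mbam.exe"}
MBAM_RE = re.compile(r"^(.+?) Infected: (\d+)$")

def parse_rooter(text):
    """Return disabled security services, processes in user-writable paths, .job tasks."""
    f = {"disabled_services": [], "user_path_processes": [], "tasks": []}
    section = None
    for line in text.splitlines():
        if line.startswith("----------------------"):
            section = line.rsplit("\\", 1)[-1].strip()  # e.g. "Processes"
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(3).lower() == "disabled":
            f["disabled_services"].append((m.group(1), m.group(2)))
        elif section == "Processes" and (m := PROC_RE.match(line)):
            path, pid = m.group(1), int(m.group(2))
            if USER_WRITABLE.search(path) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_TOOLS:
                f["user_path_processes"].append((path, pid))
        elif section == "Scheduled Tasks" and line.lower().endswith(".job"):
            f["tasks"].append(line)
    return f

def mbam_infected(text):
    """Sum the 'X Infected: N' counters of an MBAM log: (total, per-category)."""
    counts = {m.group(1): int(m.group(2)) for m in map(MBAM_RE.match, text.splitlines()) if m}
    return sum(counts.values()), counts

def needs_attention(rooter_text, mbam_text):
    f = parse_rooter(rooter_text)
    return bool(f["disabled_services"] or f["user_path_processes"]) or mbam_infected(mbam_text)[0] > 0
```

Run against the log actually posted in this thread, the only hits would be the two disabled services (Security Center and Windows Firewall) and the three Registration reminder tasks; the MBAM counters are all zero.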


#6 boopme

Posted 15 December 2009 - 08:29 PM

Ok, hook on another piece of squid and sit back and relax... you're welcome, Jove!



