
Infected with Trojan horse Agent_r.QS


  • This topic is locked
4 replies to this topic

#1 GerrTim

  • Members
  • 3 posts

Posted 12 April 2010 - 05:50 PM

First, I would like to pre-thank anyone who might be of some assistance to me regarding this issue.

Now, I will begin by a history of what I have done to try to fix this, so that you might better understand.

I ran AVG 9.0 (fully updated) about a week ago and AVG found several viruses, which it removed and:

C:\WINDOWS\system32\svchost.exe(1224):\memory_001a0000 Object is inaccessible.
C:\WINDOWS\system32\svchost.exe(1224)
C:\WINDOWS\system32\wuauclt.exe(3160):\memory_00b0000 Object is inaccessible.
C:\WINDOWS\system32\wuauclt.exe(3160)
C:\WINDOWS\Explorer.EXE(3044):\memory_001a0000 Object is inaccessible.
C:\WINDOWS\Explorer.EXE(3044)


The three items that do not have the 'Object is inaccessible' were apparently removed. All three items were labeled "Trojan horse Agent_r.QS".

I then googled many different methods of removing these viruses and found very little information thereof, other than different programs to be run. I updated and ran Spybot Search & Destroy, Malwarebytes, and AdAware, and though they found several malware items, none of these programs, to my knowledge, even picked up these trojans, let alone removed them.

I later re-ran AVG, and, in addition to the other three, it picked up:

C:\WINDOWS\system32\crss.exe(740):\memory_00270000
C:\WINDOWS\system32\crss.exe(740)

Except they all had different numbers in the parentheses, I am assuming this has something to do with the memory?

I have not really noticed much difference in my computer's functionality except a definite slowing down. I also have noticed that my browser appears to be hijacked (click on a link, goes to some completely different website), though I am not sure if that has anything to do with the trojans. Please help! I would like to know how to defeat these buggers.
Thanks!

Here is the DDS.txt



DDS (Ver_10-03-17.01) - NTFSx86
Run by Tim Gerrells II at 10:42:15.06 on Mon 04/12/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.463 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Tim Gerrells II\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\apps\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {E1BACF55-35E1-4E47-9247-2D48660E5545} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\DISABLED_IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\DISABLED_ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\DISABLED_hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\DISABLED_HPWuSchd2.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\DISABLED_NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\DISABLED_qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\Disabled_iTunesHelper.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\DISABLED_realsched.exe" -osboot
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [VirtualDrive] "c:\program files\farstone\virtualdrive\VDTask.exe" /AutoRestore
mRun: [RAMDrive] "c:\program files\farstone\virtualdrive\vhd\RDTask.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [NPSStartup_DISABLED]
mRunOnce: [FsVdInstReboot_DISABLED] 1 (0x1)
mRunOnce: [FsVdUnReboot_DISABLED] 1 (0x1)
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\apps\office2000\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\apps\office~1\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\apps\office~1\office12\REFIEBAR.DLL
Trusted Zone: tenderfoot.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147159452421
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v4.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147159440234
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\timger~1\applic~1\mozilla\firefox\profiles\cihn2j08.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\acrobat 5.0\reader\browser\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-4-12 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-22 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-2-19 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-22 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-7 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2010-3-29 90240]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2010-3-29 14976]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2010-3-29 121856]
S3 TIAcxubt;D-Link WLAN USB Boot Device;c:\windows\system32\drivers\tiacxubt.sys --> c:\windows\system32\drivers\tiacxubt.sys [?]
S3 TIACXUSB;D-Link AirPlus DWL-120+ Wireless USB Adapter;c:\windows\system32\drivers\tiacxusb.sys --> c:\windows\system32\drivers\tiacxusb.sys [?]
S3 XDva092;XDva092;\??\c:\windows\system32\xdva092.sys --> c:\windows\system32\XDva092.sys [?]
S3 XDva098;XDva098;\??\c:\windows\system32\xdva098.sys --> c:\windows\system32\XDva098.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2010-04-12 16:42:08 0 d-----w- c:\temp\7.tmp
2010-04-12 16:00:16 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-12 08:46:49 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-04-12 08:46:41 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-04-12 08:35:40 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-12 08:34:50 0 d-----w- c:\program files\Lavasoft
2010-04-12 06:57:28 1033728 ----a-w- c:\windows\explorer.exe
2010-04-11 21:08:14 0 ----a-w- c:\documents and settings\tim gerrells ii\defogger_reenable
2010-04-11 02:26:33 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-08 05:19:00 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-08 05:19:00 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-04-08 05:19:00 43528 ------w- c:\windows\system32\drivers\PxHelp20.sys
2010-04-08 05:19:00 120056 ------w- c:\windows\system32\pxcpyi64.exe
2010-04-08 05:19:00 118520 ------w- c:\windows\system32\pxinsi64.exe
2010-04-08 05:18:59 129784 ------w- c:\windows\system32\pxafs.dll
2010-04-08 05:14:43 165376 ----a-w- c:\windows\system32\unrar.dll
2010-04-07 19:36:50 0 d-----w- c:\docume~1\timger~1\applic~1\Malwarebytes
2010-04-07 19:36:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-07 19:36:19 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-07 19:36:17 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-07 19:36:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-07 08:04:27 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-07 08:04:27 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-07 08:01:43 0 d--h--w- C:\$AVG
2010-04-07 07:55:01 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-03-29 06:02:03 90240 ----a-w- c:\windows\system32\drivers\sscebus.sys
2010-03-29 06:02:03 14976 ----a-w- c:\windows\system32\drivers\sscemdfl.sys
2010-03-29 06:02:03 121856 ----a-w- c:\windows\system32\drivers\sscemdm.sys
2010-03-29 06:02:03 12160 ----a-w- c:\windows\system32\drivers\sscewhnt.sys
2010-03-29 06:02:03 12160 ----a-w- c:\windows\system32\drivers\sscewh.sys
2010-03-29 06:02:03 12160 ----a-w- c:\windows\system32\drivers\sscecmnt.sys
2010-03-29 06:02:03 12160 ----a-w- c:\windows\system32\drivers\sscecm.sys
2010-03-29 06:01:59 0 d-----w- c:\windows\system32\Samsung_USB_Drivers
2010-03-29 06:01:45 0 d-----w- c:\docume~1\timger~1\applic~1\Samsung
2010-03-29 06:01:28 0 d-----w- c:\program files\MarkAny
2010-03-29 06:01:08 0 d-----w- c:\program files\Samsung

==================== Find3M ====================

2010-04-12 03:11:52 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2010-04-07 08:01:16 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-07 08:01:13 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-07 08:00:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2009-03-08 00:21:12 71977 -c--a-w- c:\program files\INSTALL.LOG
2007-09-07 17:37:31 28296636 -c--a-w- c:\program files\installer_portal_v337.exe
2006-12-11 18:09:36 8 -csh--r- c:\windows\system32\A19E960D1C.sys
2006-12-11 18:21:47 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-11-26 23:29:21 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112620081127\index.dat

============= FINISH: 10:44:08.90 ===============
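The detection lines and the DDS sections pasted above follow a fixed line format, so the first pass a responder makes over such a post (which processes had in-memory detections, which BHO entries are orphaned, which files carry hidden+system attributes) can be scripted. The following is an added example written for this thread; it is not part of DDS, AVG or the original post, and its only inputs are sample lines copied from the post and embedded inline so it runs offline.

```python
"""Triage helpers for the AVG detection lines and DDS log sections quoted in the
post above. Added example; not part of DDS, AVG or the original post."""
import re
from collections import defaultdict

# Constructed sample: the two rounds of AVG detections as pasted by the poster.
AVG_SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe(1224):\memory_001a0000 Object is inaccessible.
C:\WINDOWS\system32\svchost.exe(1224)
C:\WINDOWS\system32\wuauclt.exe(3160):\memory_00b0000 Object is inaccessible.
C:\WINDOWS\system32\wuauclt.exe(3160)
C:\WINDOWS\Explorer.EXE(3044):\memory_001a0000 Object is inaccessible.
C:\WINDOWS\Explorer.EXE(3044)
C:\WINDOWS\system32\crss.exe(740):\memory_00270000
C:\WINDOWS\system32\crss.exe(740)
"""

# Constructed sample: a few lines from the DDS "Pseudo HJT Report" and "Find3M" sections.
DDS_SAMPLE = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - No File
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\apps\spybot~1\SDHelper.dll
2010-04-12 08:35:40 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2009-03-08 00:21:12 71977 -c--a-w- c:\program files\INSTALL.LOG
2006-12-11 18:09:36 8 -csh--r- c:\windows\system32\A19E960D1C.sys
2006-12-11 18:21:47 2516 -csha-w- c:\windows\system32\KGyGaAvL.sys
"""

AVG_RE = re.compile(
    r"^(?P<path>.+?)\((?P<pid>\d+)\)"          # C:\...\svchost.exe(1224)
    r"(?::\\memory_(?P<addr>[0-9a-fA-F]+))?"   # optional :\memory_001a0000 region
    r"\s*(?P<status>.*)$"                      # e.g. "Object is inaccessible."
)
BHO_RE = re.compile(r"^BHO: (?:(?P<name>[^:]*): )?\{(?P<clsid>[^}]+)\} - (?P<target>.+)$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<size>\d+) "
    r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)


def parse_avg_detections(text):
    """Group AVG's per-process lines by (image path, pid).

    The number in parentheses is the process id, and ':\\memory_<hex>' names the
    in-process memory region the scanner flagged; 'Object is inaccessible' means
    that region could not be cleaned while the process was running."""
    groups = defaultdict(lambda: {"memory": [], "status": []})
    for line in text.splitlines():
        m = AVG_RE.match(line.strip())
        if not m:
            continue
        key = (m["path"], int(m["pid"]))
        if m["addr"]:
            groups[key]["memory"].append(m["addr"])
        if m["status"]:
            groups[key]["status"].append(m["status"])
    return dict(groups)


def orphaned_bhos(text):
    """CLSIDs of Browser Helper Objects whose DLL is gone ('No File')."""
    found = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if m and m["target"].strip() == "No File":
            found.append(m["clsid"])
    return found


def hidden_system_files(text):
    """Paths from DDS file listings carrying both the system and hidden attributes.
    Legitimate licensing/DRM files use these attributes too, so this is a review
    list for the responder, not a verdict."""
    return [m["path"] for m in (FILE_RE.match(l.strip()) for l in text.splitlines())
            if m and "s" in m["attrs"] and "h" in m["attrs"]]


def triage_summary(avg_text, dds_text):
    """One dictionary a responder can skim before asking for further logs."""
    detections = parse_avg_detections(avg_text)
    return {
        "processes_with_memory_detections": [k for k, v in detections.items() if v["memory"]],
        "orphaned_bho_clsids": orphaned_bhos(dds_text),
        "hidden_system_files": hidden_system_files(dds_text),
    }


if __name__ == "__main__":
    for key, value in triage_summary(AVG_SAMPLE, DDS_SAMPLE).items():
        print(key, value)
```

Run it as-is to see the three lists; feed `parse_avg_detections` the full text of an AVG history export, and the other two functions a whole DDS.txt, to apply the same triage to a new post. Entries with memory regions but no process-level removal line are the ones still live in memory and worth the follow-up rootkit scan a responder would request next.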



#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 16 April 2010 - 06:43 PM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
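The `/md5start` ... `/md5stop` block in the custom scan above tells OTL to report MD5 hashes of a fixed set of storage drivers and logon DLLs, so that a responder can compare them with known-good copies. The script below is an added example for this thread, not OTL's code or the Malware Response Team's tooling: it pulls the file names out of that scan text, hashes whichever of them exist in the directories you name, and compares each against a baseline of expected MD5s that you supply. The baseline and the fake driver files in `run_demo()` are constructed so the script runs offline.

```python
"""Baseline check for the files named between /md5start and /md5stop in the OTL
custom scan above. Added example; not part of OTL. Assumes you supply a baseline
of known-good MD5s; the fixture in run_demo() is constructed for offline use."""
import hashlib
import os
import tempfile

# The custom-scan text from the post, embedded so the parser can be exercised offline.
SCAN_TEXT = r"""
netsvcs
msconfig
activex
drivers32
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
"""


def md5_targets(scan_text):
    """Return the file names OTL would hash: the lines between /md5start and /md5stop."""
    names, inside = [], False
    for raw in scan_text.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            break
        elif inside and line:
            names.append(line)
    return names


def md5_file(path):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_files(search_dirs, names, baseline):
    """Hash each listed file found in search_dirs and compare it with the baseline.

    baseline maps lower-cased file name -> expected MD5 hex digest.
    Verdicts: ok, MISMATCH, no-baseline (present but unknown), absent."""
    verdicts = {}
    for name in names:
        path = next((os.path.join(d, name) for d in search_dirs
                     if os.path.isfile(os.path.join(d, name))), None)
        if path is None:
            verdicts[name] = "absent"      # not every listed driver exists on every machine
            continue
        expected = baseline.get(name.lower())
        if expected is None:
            verdicts[name] = "no-baseline"
        elif md5_file(path) == expected:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "MISMATCH"
    return verdicts


def run_demo():
    """Constructed fixture: fake driver files in a temp dir, a baseline recorded from
    their clean copies, then one file altered to simulate a patched driver."""
    drivers = os.path.join(tempfile.mkdtemp(prefix="md5demo_"), "drivers")
    os.makedirs(drivers)
    clean = {"atapi.sys": b"clean atapi", "nvstor.sys": b"clean nvstor", "AGP440.sys": b"clean agp440"}
    baseline = {}
    for name, data in clean.items():
        path = os.path.join(drivers, name)
        with open(path, "wb") as fh:
            fh.write(data)
        baseline[name.lower()] = md5_file(path)
    with open(os.path.join(drivers, "atapi.sys"), "ab") as fh:
        fh.write(b" PATCHED")               # the simulated tampering
    with open(os.path.join(drivers, "iaStor.sys"), "wb") as fh:
        fh.write(b"present but not in baseline")
    return check_files([drivers], md5_targets(SCAN_TEXT), baseline)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{verdict:12} {name}")
```

On a real machine point `search_dirs` at `%systemroot%\system32` and `%systemroot%\system32\drivers`, and build the baseline from a known-clean install of the same Windows version and service pack, since file versions legitimately differ across updates; a MISMATCH is a prompt to compare the file with a clean copy, not proof of infection on its own. MD5 is used here only because that is what the scan reports; a baseline you create fresh should record SHA-256 as well.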
 


#3 GerrTim

  • Topic Starter
  • Members
  • 3 posts

Posted 18 April 2010 - 02:26 PM

Hello etavares!!

Thank you so much for your help! However, I had to get my computer up and running for school/work, therefore I went ahead and just reinstalled Windows. AVG has been fully updated, and the viruses were removed. I do greatly appreciate your help, and figured I'd let ya know so that you might help others in need at this time.

I do have one question, if you don't mind, regarding something potentially wrong with my computer. The computer would not boot from a CD (I had to create a new folder for XP and then delete the old version). I checked the BIOS settings and noticed nothing wrong with that (boot order was CD-ROM first, Hard-drive second). I did not notice anything during start-up indicating a 'press any key to boot from CD'. If you have a moment, perhaps you might shed a little light?

Otherwise, thanks again for what you guys do here!!!

Take care, and happy hunting,

Tim

#4 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 19 April 2010 - 05:33 PM

Hello, GerrTim.

Did you reformat or only do a repair install? I will caution you that your logs show you were infected with a backdoor rootkit.


Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall



As for not booting from the CD when the BIOS is set up like that...that's a new one for me. This particular kind of malware does infect device drivers, but I haven't seen it not let you boot from a CD before. It could be hardware related:
http://www.computerhope.com/issues/ch000217.htm#056

You may want to post in our Windows XP forum (or hardware since that could be the BIOS as well).




etavares




#5 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts

Posted 24 April 2010 - 10:47 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. smile.gif

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.

