
internet security 2011 guide xp recovery console for laptop


1 reply to this topic

#1 jmnet


Posted 26 February 2011 - 10:47 AM

Dell Inspiron E1505
Windows XP Media Center version 2002
Service Pack 3

The laptop was/is infected with Internet Security 2011. Tried removing it with AVG Free 9, which found Trojan horse PSW.Agent.AJRW, but some of the items were inaccessible. Could not run Malwarebytes; I receive the following: "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item."
I renamed mbam.exe to mbam.com and it ran and reported that it cleaned some stuff (don't have the report). But then I kept getting AVG security notices, so the last thing I did was run AVG in safe mode, and now it appears I destroyed AVG because all the components are gone.

AVG 9.0 Anti-Virus command line scanner
Copyright © 1992 - 2010 AVG Technologies
Program version 9.0.870, engine 9.0.871
Virus Database: Version 271.1.1/3457 2011-02-21

C:\Program Files\AVG\AVG9\avgchsvx.exe Virus identified Win32/Agent.BS
C:\Program Files\AVG\AVG9\avgchsvx.exe (1016) Virus identified Win32/Agent.BS
C:\Program Files\AVG\AVG9\avgcsrvx.exe Virus identified Win32/Agent.BS
C:\Program Files\AVG\AVG9\avgcsrvx.exe (1736) Virus identified Win32/Agent.BS
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Locked file. Not tested.
C:\Documents and Settings\Linda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Linda\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Linda\Local Settings\Temp\1d6ca8ec-ed72-4b02-b248-4cdd0003e8db.tmp Locked file. Not tested.
C:\Documents and Settings\Linda\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\Linda\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\LocalService\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\AVG\AVG9\avgchsvx.exe Virus identified Win32/Agent.BS
C:\Program Files\AVG\AVG9\avgcsrvx.exe Virus identified Win32/Agent.BS
C:\Program Files\AVG\AVG9\avgnsx.exe Virus identified Win32/Agent.BS Object was moved to Virus Vault.
C:\Program Files\AVG\AVG9\avgrsx.exe Virus identified Win32/Agent.BS Object was moved to Virus Vault.
C:\Program Files\AVG\AVG9\avgwdsvc.exe Virus identified Win32/Agent.BS Object was moved to Virus Vault.
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE Locked file. Not tested.
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe Virus identified Win32/Agent.BS Object was moved to Virus Vault.
C:\Program Files\HijackThis\HijackThis.exe Locked file. Not tested.
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe Locked file. Not tested.
C:\Program Files\Malwarebytes' Anti-Malware\mbam.com.exe Locked file. Not tested.
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe Locked file. Not tested.
C:\Program Files\Malwarebytes' Anti-Malware\winkling.exe Locked file. Not tested.
C:\Program Files\Microsoft SQ Server\MISSAL$MICROSOFTSMLBIZ\Binn\sqlservr.exe Virus identified Win32/Agent.BS Object was moved to Virus Vault.
C:\Program Files\Windows Defender\MsMpEng.exe Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini Locked file. Not tested.
C:\WINDOWS\system32\BCMWLTRY.EXE Virus identified Win32/Agent.BS Object was moved to Virus Vault.
C:\WINDOWS\system32\config\DEFAULT Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SOFTWARE Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SYSTEM Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.
C:\WINDOWS\system32\drivers\vbma10fc.sys Locked file. Not tested.
C:\WINDOWS\system32\MRT.exe Locked file. Not tested.
C:\WINDOWS\system32\WLTRYSVC.EXE Virus identified Win32/Agent.BS Object was moved to Virus Vault.
D:\System Volume Information\ Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 396374
Found infections : 13
Found PUPs : 0
Healed infections : 13
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------



I found this site and found the remove Internet Security 2011 guide. But it calls for the XP Recovery Console and I do not have a restore disk for the laptop. So do I follow the Dell PC Restore (back up files, reset Windows to original condition, and then restore files)?


Update: Was worried about AVG so downloaded AVG 2011.

c:\windows\win32\lsass.exe (968) trojan horse psw.agent.ajrw
c:\windows\assembly\gac_msil\desktop.ini trojan horse psw.agent.ajrw
AVG will not remove them; I have to use forced removal, then it says they cannot be removed, do you want to delete, which I didn't try.

It also showed, under rootkit, c:\windows\system32\dla\tfsnifs.sys, which I googled and it is supposed to be a browser redirector.

After a reboot AVG 2011 is like version 9 was: there are no components anymore.

Edited by jmnet, 26 February 2011 - 01:15 PM.
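
A triage sketch for a scan log like the one in the post above, added here as an example and not part of the original post or of AVG's tooling: it separates detections with a recorded action from those without one, lists files the scanner could not open, and compares the result with the footer totals. The line formats are inferred from the log as posted; the sample is shortened and its footer counts are constructed.

```python
import re

# Sample in the format of the AVG 9 command-line log above: four detection
# lines and two locked-file lines as posted, footer counts constructed.
SAMPLE_LOG = r"""
C:\Program Files\AVG\AVG9\avgchsvx.exe Virus identified Win32/Agent.BS
C:\Program Files\AVG\AVG9\avgchsvx.exe (1016) Virus identified Win32/Agent.BS
C:\Program Files\AVG\AVG9\avgnsx.exe Virus identified Win32/Agent.BS Object was moved to Virus Vault.
C:\WINDOWS\system32\WLTRYSVC.EXE Virus identified Win32/Agent.BS Object was moved to Virus Vault.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
Found infections : 4
Healed infections : 4
"""

# "<path> [(pid)] Virus identified <name> [Object was moved to Virus Vault.]"
DETECTION = re.compile(
    r"^(?P<path>.+?)(?: \((?P<pid>\d+)\))? Virus identified (?P<name>\S+)"
    r"(?P<vault> Object was moved to Virus Vault\.)?\s*$")
LOCKED = re.compile(r"^(?P<path>.+?) Locked file\. Not tested\.\s*$")
FOOTER = re.compile(r"^(?P<key>Found|Healed) infections\s*:\s*(?P<n>\d+)\s*$")


def triage(log_text):
    """Bucket log lines into vaulted / no recorded action / locked, plus footer."""
    report = {"vaulted": [], "no_action": [], "locked": [], "footer": {}}
    for line in log_text.splitlines():
        line = line.strip()
        if m := DETECTION.match(line):
            # pid is set when the hit was in a running process, not just on disk
            entry = (m["path"], m["pid"], m["name"])
            report["vaulted" if m["vault"] else "no_action"].append(entry)
        elif m := LOCKED.match(line):
            report["locked"].append(m["path"])
        elif m := FOOTER.match(line):
            report["footer"][m["key"].lower()] = int(m["n"])
    # Heuristic (an assumption of this example): flag for manual review when
    # the footer reports more healed items than lines with a recorded action.
    report["healed_claim_unsupported"] = (
        report["footer"].get("healed", 0) > len(report["vaulted"]))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, pid, name in result["no_action"]:
        print(f"no action recorded: {path} pid={pid} {name}")
    print("locked, not scanned:", len(result["locked"]))
    print("review footer:", result["healed_claim_unsupported"])
```
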



 


#2 Blade


Posted 03 March 2011 - 08:55 PM

Hello.

Here are instructions for creating your own Recovery Console disk completely legally, and free!

Please download ARCDC from Artellos.com.
  • Double-click ARCDC.exe.
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft; please accept.
  • You will see a few DOS screens flash by; this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC.
Your ISO is located on your desktop.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM




