
Serial.sys infected with trojan horse Agent_r.ASB


  • This topic is locked
24 replies to this topic

#16 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:57 AM

Posted 24 November 2011 - 07:54 AM

Delete them. Keep them in the recycle bin. If all is well in a week or so flush them.
===

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#17 strangedays

strangedays
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:57 PM

Posted 24 November 2011 - 10:59 AM

Thanks. Do you have any ideas on how to remove that trojan from serial.sys?
I'm guessing it's a pretty important file if it is protected like that.

#18 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:57 AM

Posted 24 November 2011 - 01:44 PM

That file is normally needed by the operating system.

Look at the properties of the file and find out if it's from Microsoft.
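The provenance check suggested above, scripted as an added example (not part of this thread or of any tool mentioned in it): it reads the version resource, checks the Authenticode signature and computes a SHA-256 so the file can be compared with a known-good copy. It assumes PowerShell is available and uses the driver path quoted later in the thread as the default.

```powershell
# Added example: report the provenance evidence for a driver file.
# Default path is the one quoted in this thread; any other path works.
param([string]$Path = 'C:\WINDOWS\system32\drivers\serial.sys')

if (-not (Test-Path $Path)) { throw "File not found: $Path" }

$item = Get-Item $Path -Force        # -Force also returns hidden/system files
$sig  = Get-AuthenticodeSignature $Path
$vi   = $item.VersionInfo            # version resource (CompanyName etc.)

Write-Host ("File:        {0}" -f $item.FullName)
Write-Host ("Size:        {0} bytes" -f $item.Length)
Write-Host ("Attributes:  {0}" -f $item.Attributes)
Write-Host ("Company:     {0}" -f $vi.CompanyName)
Write-Host ("Description: {0}" -f $vi.FileDescription)
Write-Host ("Version:     {0}" -f $vi.FileVersion)

# Status 'Valid' means the signature chain verified on this machine.
# Inbox drivers on older Windows are often signed via a catalog rather than
# an embedded signature, so 'NotSigned' alone is not proof of tampering;
# the hash below lets you compare against a clean copy from install media.
Write-Host ("Signature:   {0}" -f $sig.Status)
if ($sig.SignerCertificate) {
    Write-Host ("Signer:      {0}" -f $sig.SignerCertificate.Subject)
}

# SHA-256 via .NET so this also runs on PowerShell 2.0 (no Get-FileHash there)
$sha = [System.Security.Cryptography.SHA256]::Create()
$fs  = [System.IO.File]::OpenRead($item.FullName)
try     { $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
finally { $fs.Close() }
Write-Host ("SHA-256:     {0}" -f $hash)

# Defender-side verdict: flag for review when neither the version resource
# nor a valid signature ties the file to Microsoft.
$looksMicrosoft = ($vi.CompanyName -match 'Microsoft') -or
                  ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft')
if ($looksMicrosoft) {
    Write-Host 'Verdict: metadata consistent with a Microsoft driver'
} else {
    Write-Host 'Verdict: no Microsoft provenance found; compare the hash with a known-good copy'
}
```

A file whose Summary tab is empty, as reported later in this thread, will show blank Company and Description here, which is the same signal the script treats as "no provenance found".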

#19 strangedays

strangedays
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:57 PM

Posted 24 November 2011 - 01:57 PM

As far as I can see it doesn't mention Microsoft anywhere in the properties.
Just says it's a System file and opens with "Unknown application".

#20 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:57 AM

Posted 24 November 2011 - 02:15 PM

What are the attributes of the file?

#21 strangedays

strangedays
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:57 PM

Posted 24 November 2011 - 02:29 PM

Under General Tab in Properties

Location: C:\WINDOWS\system32\drivers

Size: 63.3 KB

Size on disk: 64.0 KB

Created on: Wednesday, July 16, 2003, 8:38:10 AM

Modified: Tuesday, August 03, 2004, 10:15:52 PM

Accessed: Today, November 24, 2011, 10:53:37 AM

"Read-only" and "Hidden" are both unchecked.
The only other tab is the Summary tab which has info.
AVG gave a threat pop up when I checked the properties - "Ignore Threat" was the only option so I clicked it.

#22 strangedays

strangedays
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:57 PM

Posted 24 November 2011 - 02:30 PM

Correction: Summary tab has NO info.

#23 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:57 AM

Posted 25 November 2011 - 08:00 AM

I think it's OK as long as you're not using the serial port for anything; VERY few PCs have anything hooked up to the serial port anymore. In years gone by, they were like early USB ports: you could hook up a mouse, or a camera, some small handheld scanners used serial ports, etc...

#24 strangedays

strangedays
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:10:57 PM

Posted 25 November 2011 - 09:26 AM

Ah yes, I see the serial port on the back of my computer. I never use that thing. I was mostly concerned that it was doing something nefarious in the background, like logging bank passwords or something like that. But if you think it's not likely to do any harm then maybe it's better to leave it be.

If that's true, I guess we're done here. I'll implement those prevention tips in the link you gave and will probably be replacing this computer in a year or two anyway.

Just one last thing... I feel guilty for taking so much of your time. Is there somewhere I can offer a donation? I don't have much, but maybe enough to buy you a couple cups of coffee.

#25 nasdaq

nasdaq

  • Malware Response Team
  • 40,730 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:57 AM

Posted 25 November 2011 - 10:08 AM

Glad we could help.

Thanks for your offer, it's appreciated, but we are good.

Regards.
