
trojan.32 agent infection


13 replies to this topic

#1 tumtumm

Posted 07 January 2012 - 12:06 AM

Hello, I have an HP Pavilion running Windows Vista Home Edition 64-bit with an AMD Phenom X4 9150e quad-core processor
(if you need more info let me know; for now, on to the irritating infection).
Currently running MBAM (free, as backup, not realtime protection) / IMF (free, as main, with realtime) / Advanced SystemCare 5 (paid) / Norton Security Suite (as AV/FW, paid).
When running a quick/full scan with MBAM (Malwarebytes Anti-Malware) and IMF (IObit Malware Fighter) I get:

imf = Name|Type|Description|ID|
Trojan.Win32/Agent, FILE, C:\Windows\svchost.exe, 1018291

mbam= Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 1560 -> No action taken.
and
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

Norton does not detect this; it says my system is clean.
Problems with the computer consist of IE not fully working (starts downloading, then freezes or crashes, whether a new file or updates for the anti-malware programs), and internet connectivity "limited" errors (occasionally over the last 72 hrs (as of this post) during daytime hours).
I have clicked the quarantine/repair/delete actions and was asked to restart, but upon rescan after reboot it would still be present as if I did nothing (tried x 5).

Please help, and thank you in advance.


#2 Broni (BC Advisor)

Posted 07 January 2012 - 01:19 AM

Welcome aboard

Re-run MBAM, FIX all issues and post new log.

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click DONATE

 


#3 tumtumm (Topic Starter)

Posted 08 January 2012 - 02:12 AM

Sorry for the delay; I am getting major "network limited access" errors = no internet access at all during those times (sorry for spelling). Here's the new log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.02

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Amy :: AMYS-PC [administrator]

1/8/2012 2:02:13 AM
mbam-log-2012-01-08 (02-08-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 210347
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 220 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)

They say "No action taken" because I get stuck in a restart loop after cleaning them and lose internet access. This is the log post-recleaning, as you asked me to.

Edited by tumtumm, 08 January 2012 - 02:30 AM.


#4 Broni (BC Advisor)

Posted 08 January 2012 - 11:39 AM

I'm not sure what to tell you.
Maybe we can wait until your internet connection is fixed?



#5 tumtumm (Topic Starter)

Posted 08 January 2012 - 08:28 PM

I think the trojan may be interfering; if not that one, then maybe there is another one. Modem = okay with another comp. Router okay with another comp. Cables okay with another comp. All network/internet settings are as they should be.

The trojan svchost is: image name: svchost.exe*32; user: SYSTEM; image path name: c:\windows\svchost.exe; description: winrscmde; command line: ~netsvcs
Found in Task Manager: unable to end the process when clicking End Process / End Process Tree.

IMF and MBAM both flag this as malware.

But I think my machine may have a second one hidden somewhere.
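As an added, defender-side example (not code from this thread, from Malwarebytes or from IObit): a small Python triage script that pulls the detection lines out of an MBAM log in the format quoted above, lists the paths whose entry ended in "No action taken", and checks a process calling itself svchost.exe against what the genuine one looks like on this Vista x64 layout. The expected directories, the file description "Host Process for Windows Services" and the "-k <group>" command line are assumptions stated in the code, not facts taken from the thread.

```python
import re
# Added example (not the thread's or any vendor's code). Assumption: on the Vista x64
# layout in the thread, a genuine svchost.exe lives only in System32 or SysWOW64, has the
# file description "Host Process for Windows Services" and is started with "-k <group>".
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# One MBAM detection line looks like: "<path> (<name>) [-> <pid>] -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\)"
                          r"(?: -> (?P<pid>\d+))? -> (?P<action>.+?)\.?$")

def parse_mbam_detections(log_text):
    """Return (path, detection name, pid or None, action) for each detection line."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            pid = int(m.group("pid")) if m.group("pid") else None
            found.append((m.group("path"), m.group("name"), pid, m.group("action")))
    return found

def unresolved_paths(log_text):
    """Paths whose detection ended in 'No action taken': flagged, but nothing was cleaned."""
    return sorted({d[0] for d in parse_mbam_detections(log_text)
                   if d[3].lower() == "no action taken"})

def svchost_masquerade_reasons(path, description="", command_line="", is_wow64=False):
    """Why a process named svchost.exe does not look genuine; an empty list means plausible."""
    directory, _, name = path.lower().rpartition("\\")
    if name != "svchost.exe":
        return []
    reasons = []
    if directory not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"image runs from {directory}, not System32 or SysWOW64")
    if is_wow64 and directory != r"c:\windows\syswow64":
        reasons.append("32-bit image (Task Manager shows '*32') outside SysWOW64")
    if description and "host process for windows services" not in description.lower():
        reasons.append(f"file description {description!r} is not the genuine one")
    if command_line and "-k" not in command_line.split():
        reasons.append(f"command line {command_line!r} lacks '-k <service group>'")
    return reasons

# Constructed sample in the MBAM log format quoted in the thread.
SAMPLE_LOG = """Memory Processes Detected: 1
C:\\Windows\\svchost.exe (Trojan.Agent) -> 1560 -> No action taken.
Files Detected: 1
C:\\Windows\\svchost.exe (Trojan.Agent) -> No action taken.
"""
if __name__ == "__main__":
    for p in unresolved_paths(SAMPLE_LOG):  # details as shown in the thread's Task Manager view
        print(p, svchost_masquerade_reasons(p, "winrscmde", "~netsvcs", is_wow64=True))
```

Run on the thread's own details, the script reports all four mismatches for the flagged file, while a svchost.exe from System32 with the expected description and a "-k netsvcs" command line produces no reasons.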

#6 Broni (BC Advisor)

Posted 08 January 2012 - 08:31 PM

First of all, you have to re-run MBAM and fix all issues so the log doesn't show "No action taken".



#7 tumtumm (Topic Starter)

Posted 08 January 2012 - 10:14 PM

Okay, ran the scan as requested:
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.02

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Amy :: AMYS-PC [administrator]

1/8/2012 9:51:45 PM
mbam-log-2012-01-08 (21-51-45).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 209748
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 864 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

Here are the scan results post scan, fix and reboot:
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.02

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Amy :: AMYS-PC [administrator]

1/8/2012 10:06:14 PM
mbam-log-2012-01-08 (22-11-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 210541
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 1136 -> No action taken.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> No action taken.

(end)

#8 Broni (BC Advisor)

Posted 08 January 2012 - 10:31 PM

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



#9 tumtumm (Topic Starter)

Posted 08 January 2012 - 10:47 PM

do i need to turn my Antivirus/antimalware off to run the scan?

#10 Broni (BC Advisor)

Posted 08 January 2012 - 10:59 PM

No.



#11 tumtumm (Topic Starter)

Posted 08 January 2012 - 11:17 PM

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-08 22:45:41
-----------------------------
22:45:41.605 OS Version: Windows x64 6.0.6002 Service Pack 2
22:45:41.606 Number of processors: 4 586 0x203
22:45:41.606 ComputerName: AMYS-PC UserName: Amy
22:45:44.430 Initialize success
22:51:50.607 AVAST engine defs: 12010801
23:00:02.248 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005f
23:00:02.254 Disk 0 Vendor: SAMSUNG_ 1AA0 Size: 476940MB BusType: 3
23:00:02.260 Device \Driver\nvstor64 -> MajorFunction fffffa80065d95c4
23:00:02.267 Disk 0 MBR read successfully
23:00:02.273 Disk 0 MBR scan
23:00:02.287 Disk 0 unknown MBR code
23:00:02.294 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 463461 MB offset 63
23:00:02.332 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 13476 MB offset 949168395
23:00:02.348 Service scanning
23:00:09.890 Modules scanning
23:00:09.891 Disk 0 trace - called modules:
23:00:09.893 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys >>UNKNOWN [0xfffffa80065d95c4]<<
23:00:09.894 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ee3790]
23:00:09.897 3 CLASSPNP.SYS[fffffa60007bcc33] -> nt!IofCallDriver -> [0xfffffa8004c20bc0]
23:00:09.898 5 acpi.sys[fffffa60008f9fde] -> nt!IofCallDriver -> \Device\0000005f[0xfffffa8003d49060]
23:00:09.899 \Driver\nvstor64[0xfffffa80064ec060] -> IRP_MJ_CREATE -> 0xfffffa80065d95c4
23:00:12.481 AVAST engine scan C:\Windows
23:00:17.531 AVAST engine scan C:\Windows\system32
23:04:22.895 AVAST engine scan C:\Windows\system32\drivers
23:05:00.188 AVAST engine scan C:\Users\Amy
23:13:32.530 AVAST engine scan C:\ProgramData
23:15:08.543 Scan finished successfully
23:16:03.174 Disk 0 MBR has been saved successfully to "C:\Users\Amy\Desktop\MBR.dat"
23:16:03.182 The log file has been saved successfully to "C:\Users\Amy\Desktop\aswMBR.txt"

#12 Broni (BC Advisor)

Posted 08 January 2012 - 11:21 PM

You may need more advanced help.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.



#13 tumtumm (Topic Starter)

Posted 08 January 2012 - 11:26 PM

Okay, will post in the new location. Can I get this one closed then please, and thank you.

#14 Broni (BC Advisor)

Posted 08 January 2012 - 11:29 PM

We don't close topics.
