Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Trojan horse Agent3.ATLI?


  • This topic is locked This topic is locked
16 replies to this topic

#1 chrisj1225

chrisj1225

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 26 February 2012 - 07:17 PM

Hello Bleeping Computer!

For several weeks now my computer has been infested with viruses... I ran several virus scans and attempted to delete them, but they would not go away. My programs were all hidden, but are now visible thanks to the Unhide program.

I was informed by a computer specialist that my father knows to run the combofix program (sorry! I didn't know I wasn't supposed to use it before). After running it, I have saved the log if needed. I also rescanned my computer with AVG after running the combofix and saw that I still had many many Trojan Horse Agent3.ATLI's.

I will post my DDS log so you may take a look.

Thank you so much in advance! I will do anything and install any programs necessary in order to fix my PC :)

Also, from time to time I do get the BSOD

Attached Files


Edited by chrisj1225, 26 February 2012 - 11:35 PM.


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:07 PM

Posted 29 February 2012 - 06:46 AM

Hello chrisj1225,

Welcome to the forum and apologies for the delay.

Please update me on the current condition of your computer and the steps you have taken after posting the logs.

#3 chrisj1225

chrisj1225
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 03 March 2012 - 12:08 PM

Hello sorry I didn't get an email about a reply, so I too am responding very late.
I haven't really done much, I just browse the internet and I have scanned my computer with AVG only to find many trojans.
I did not install or delete any other programs.

The computer seems to be working well, except for a few missing programs such as AIM, skype, etc., and that there are still a few viruses.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:07 PM

Posted 03 March 2012 - 07:04 PM

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

  • Download aswMBR.exe ( 511KB ) to your desktop.
    • Double click the aswMBR.exe to run it.
    • If it asks to install Avast click "No".
    • Click the "Scan" button.
    • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • Please download TDSSKiller.zip and and extract it.
    • Run TDSSKiller.exe.
    • Click Start scan.
    • When it is finished the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Let the options as it is and click Continue
    • Let reboot if needed and tell me if the tool needed a reboot.
    • Click on Report and post the contents of the text file that will open.

      Note: By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder. The Log have a name like: TDSSKiller.Version_Date_Time_log.txt.


#5 chrisj1225

chrisj1225
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 03 March 2012 - 09:12 PM

Hello farbar :) Thanks for replying to my posts!

As I said before many of my programs are still in my computer, but are inaccessible since they were removed from my programs list and desktop. I had to uninstall and reinstall MBAM. Here is my log
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.04.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
AZ TECH :: CHRISJOO [administrator]

3/3/2012 8:45:33 PM
mbam-log-2012-03-03 (20-45-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207000
Time elapsed: 4 minute(s), 41 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 2396 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\AZ TECH\Downloads\DownloadManager_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

I just attached the aweMBR log.

The TDSSKiller asked me to reboot after it was finished.
This is what was showed when I pressed report.

21:07:28.0380 1748 TDSS rootkit removing tool 2.7.18.0 Mar 2 2012 09:40:07
21:07:28.0628 1748 ============================================================
21:07:28.0628 1748 Current date / time: 2012/03/03 21:07:28.0628
21:07:28.0628 1748 SystemInfo:
21:07:28.0628 1748
21:07:28.0628 1748 OS Version: 6.1.7601 ServicePack: 1.0
21:07:28.0628 1748 Product type: Workstation
21:07:28.0628 1748 ComputerName: CHRISJOO
21:07:28.0629 1748 UserName: AZ TECH
21:07:28.0629 1748 Windows directory: C:\Windows
21:07:28.0629 1748 System windows directory: C:\Windows
21:07:28.0629 1748 Running under WOW64
21:07:28.0629 1748 Processor architecture: Intel x64
21:07:28.0629 1748 Number of processors: 2
21:07:28.0629 1748 Page size: 0x1000
21:07:28.0629 1748 Boot type: Normal boot
21:07:28.0629 1748 ============================================================
21:07:31.0314 1748 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:07:31.0324 1748 \Device\Harddisk0\DR0:
21:07:31.0342 1748 MBR used
21:07:31.0342 1748 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
21:07:31.0342 1748 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x129E6800
21:07:31.0384 1748 Initialize success
21:07:31.0384 1748 ============================================================


I also just uploaded my TDSS Killer log

Attached Files



#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:07 PM

Posted 04 March 2012 - 06:01 AM

The system was still infected. There was a MBR bootkit TDSSKiller took care of.

Please copy and paste instead of attaching.

  • Please run and post aswMBR.exe once more.
  • Please download unhide.exe to your desktop and run it. No need to post any report.
  • Please go to start => Run => Copy and paste the bold line in the run-box and click OK:

    "C:\Qoobox\Add-Remove Programs.txt"

    A text file opens up, copy and paste the content to your reply.


#7 chrisj1225

chrisj1225
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 04 March 2012 - 10:57 AM

Ohh okay sorry about that!

Here is my aswMBR log:
aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-04 10:41:46
-----------------------------
10:41:46.323 OS Version: Windows x64 6.1.7601 Service Pack 1
10:41:46.323 Number of processors: 2 586 0x170A
10:41:46.324 ComputerName: CHRISJOO UserName: AZ TECH
10:41:47.828 Initialize success
10:42:14.403 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
10:42:14.406 Disk 0 Vendor: SAMSUNG_HM160HI HH100-08 Size: 152627MB BusType: 11
10:42:14.464 Disk 0 MBR read successfully
10:42:14.469 Disk 0 MBR scan
10:42:14.473 Disk 0 Windows 7 default MBR code
10:42:14.490 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
10:42:14.504 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 152525 MB offset 206848
10:42:14.533 Disk 0 scanning C:\Windows\system32\drivers
10:42:19.570 Service scanning
10:42:32.067 Modules scanning
10:42:32.080 Disk 0 trace - called modules:
10:42:32.103 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
10:42:32.110 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c37700]
10:42:32.117 3 CLASSPNP.SYS[fffff8800197043f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80046d51f0]
10:42:32.460 Scan finished successfully
10:42:45.358 Disk 0 MBR has been saved successfully to "C:\Users\AZ TECH\Desktop\MBR.dat"
10:42:45.367 The log file has been saved successfully to "C:\Users\AZ TECH\Desktop\aswMBR log 2.txt"

I ran unhide.exe and many of my programs were still missing from my programs list in the start menu, but I found all of them in My Computer --> Local Disk --> Program Files (x86) again :)

And finally, this is my list of programs.

2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.5
AIM 7
Apple Application Support
Apple Software Update
Ashampoo Burning Studio 6 FREE
Citrix Authentication Manager
Citrix Receiver
Citrix Receiver (HDX Flash Redirection)
Citrix Receiver Inside
Citrix Receiver(Aero)
Citrix Receiver(DV)
Citrix Receiver(USB)
Curse Client
Dropbox
Google Chrome
Google Update Helper
GunBound Thor's Hammer version 471
Haansoft Hangul 2007
Java Auto Updater
Java™ 6 Update 27
K-Lite Mega Codec Pack 7.1.0
League of Legends
Malwarebytes Anti-Malware version 1.60.0.1800
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 10.0.2 (x86 en-US)
Nexon Game Manager
Online Plug-in
ooVoo
Pando Media Booster
QuickTime
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.54.02
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Self-service Plug-in
Skype™ 5.5
Steam
SuddenAttack
System Requirements Lab CYRI
The KMPlayer (remove only)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Ventrilo Client
Visual Studio 2008 x64 Redistributables
World of Warcraft
μTorrent

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:07 PM

Posted 04 March 2012 - 11:12 AM

The rootkit infection is definitely taken care off.

Good news you have found your programs. You can make shortcut for the programs on your start menu and/or on the desktop to run them from there.

I would like to have full check up of the system to make sure the system is clean and there is no leftover.

  • Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
    • Look for "Java Platform, Standard Edition".
    • Click the "Download JRE" button to the right.
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • From the list, select your OS and Platform (32-bit or 64-bit).
    • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java versions.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
    • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    • When the Java Setup - Welcome window opens, click the Install > button.
    • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
    • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
    To disable the JQS service if you don't want to use it:
    • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
    • Click Ok and reboot your computer.
  • To Clear the Java Runtime Environment (JRE) cache, do this:
    • Click Start > Settings > Control Panel.
    • Double-click the Java icon.
      -The Java Control Panel appears.
    • Click "Settings" under Temporary Internet Files.
      -The Temporary Files Settings dialog box appears.
    • Click "Delete Files".
      -The Delete Temporary Files dialog box appears.
      -There are three options on this window to clear the cache.
    • Make sure all the options are checked.
    • Click "OK" on Delete Temporary Files window.
      -Note: This deletes all the Downloaded Applications and Applets from the cache.
    • Click "OK" on Temporary Files Settings window.
    • Close the Java Control Panel.
    You can also view these instructions along with screenshots here.
  • ESET Online Scanner:

    Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

    Vista users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

    • Please go here then click on: Posted Image

      Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
      All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

    • Select the option YES, I accept the Terms of Use then click on: Posted Image
    • When prompted allow the Add-On/Active X to install.
    • Make sure that the option Remove found threats and the option Scan archives are checked.
    • Now click on Advanced Settings and select the following:
    • Enable Anti-Stealth Technology
    • Now click on: Posted Image
    • The virus signature database... will begin to download. Be patient this may take some time depending on the speed of your Internet Connection.
    • When completed the Online Scan will begin automatically.
    • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
    • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
    • Now click on: Posted Image
    • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    • Copy and paste that log as a reply to this topic.
    Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


#9 chrisj1225

chrisj1225
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 04 March 2012 - 01:37 PM

I did all that you asked and ESET online scanner found and cleaned 7 items.
Here is the ESET log:
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=7ab2bf2130bd2743964d5ebf7e8b84ae
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-04 05:44:57
# local_time=2012-03-04 12:44:57 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1024 16777215 100 0 11992464 11992464 0 0
# compatibility_mode=5893 16776574 100 94 14981786 82422596 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=152359
# found=7
# cleaned=7
# scan_time=3951
C:\TDSSKiller_Quarantine\03.03.2012_20.58.29\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\03.03.2012_20.58.29\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.X trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\03.03.2012_20.58.29\mbr0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\03.03.2012_20.58.29\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\03.03.2012_20.58.29\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AWO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\03.03.2012_20.58.29\mbr0000\tdlfs0000\tsk0008.dta Win64/Olmarik.Z trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M3HEM7R6\nutrition[1].htm JS/Agent.NEG trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:07 PM

Posted 04 March 2012 - 02:16 PM

It looks good now and the system seems clean. :thumbup2:

How is the system running?

#11 chrisj1225

chrisj1225
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 04 March 2012 - 08:57 PM

Really?!

The system seems to be running smoothly... no BSOD's or anything. No problems yet! So is my system 100% clean? should I run another scan just in case?

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:07 PM

Posted 05 March 2012 - 12:18 PM

To me it looks all good. ESET only found one leftover in the a temporary folder, the rest were already removed by TDSSKiler. They could not harm any more.

After this you may run any scan if you wanted.:)

  • It is important to uninstall ComboFix.

    If you don't have ComboFix you can download a fresh one.

    Disable your antivirus temporarily, rename ComboFix to Uninstall and double-click to run it.

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.
  • You may delete any tool or log we used from your computer.
Recommendations:
  • I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
  • I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
  • Download and install it.
  • Update it manually by clicking on Updates in the left pane and then Check for Updates.
  • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
  • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.
Happy surfing.:)

#13 chrisj1225

chrisj1225
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 05 March 2012 - 03:18 PM

Thanks so much farbar!

I installed the two programs that you told me to, but I was not successful in uninstalling my combofix. I renamed it Uninstall and ran it, but it got to a certain stage where it said that my combofix was expired and I would have to run it in reduced functionality mode. Should I continue? or did I do something wrong here

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,711 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:07 PM

Posted 05 March 2012 - 03:45 PM

You are most welcome.:)

It doesn't matter, ComboFix doesn't need to be updated when you uninstall it. So let it run until your get notified that it is uninstalled.

#15 chrisj1225

chrisj1225
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 05 March 2012 - 09:28 PM

Hmm I ran combofix again named Uninstall and then I saw it create a new restore point etc, but it still did not uninstall itself. It rebooted my system and produced a log for me




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users