Trojan Horse Agent Not Removed using AVG Free


  • This topic is locked
6 replies to this topic

#1 bonzo98

bonzo98

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:47 PM

Posted 20 August 2012 - 05:52 PM

Not getting any help on the AVG forum so I thought I would try here....

After a full scan using AVG Free 2012.0.2197, virus db ver 5209, I get the following results (AVG will not remove them):

"";"C:\Windows\explorer.exe (1932)";"Trojan horse Generic_r.BAT";"Deleted"
"";"C:\Windows\explorer.exe (1932):\memory_03ac0000";"Trojan horse Agent_r.BLB";"Infected"
"";"C:\Windows\explorer.exe (1932):\memory_03ab0000";"Trojan horse Generic_r.BAT";"Infected"


I'm running Windows 7 SP1 and am using no other anti-virus software. I installed and ran Spybot to see if that would help, no luck.

I have run the scan a few times and notice that the first item continually shows up in the scan results, even though it says "deleted". The other two items have consistently indicated "Infected".

As instructed on the AVG forum I ran a scan using a program called GMER. After the scan was complete a message came up stating "Warning GMER has found system modification caused by ROOTKIT activity".

I have not noticed anything unusual with my computer.............yet. Where do I go from here? Any help would be much appreciated!
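As an added example (not from the original post and not AVG's own code), here is a small Python parser for the three AVG result lines quoted above. It shows what the object names encode: a " (pid)" suffix means the scanned object was a running process, and ":\memory_<hex>" a region inside that process's memory. All three hits sit inside explorer.exe rather than in files on disk, so the "Deleted" action applied to the process object removes nothing from disk. The sample input is constructed from the post; the Detection fields and the function names are this example's own.

```python
import csv
import ntpath
import re
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional

# Constructed sample input: the three AVG result lines quoted in the post above.
AVG_RESULTS = r'''"";"C:\Windows\explorer.exe (1932)";"Trojan horse Generic_r.BAT";"Deleted"
"";"C:\Windows\explorer.exe (1932):\memory_03ac0000";"Trojan horse Agent_r.BLB";"Infected"
"";"C:\Windows\explorer.exe (1932):\memory_03ab0000";"Trojan horse Generic_r.BAT";"Infected"
'''

# AVG names a scanned object as "<path>", "<path> (<pid>)" for a running process,
# or "<path> (<pid>):\memory_<hex>" for a region inside that process's memory.
OBJECT_RE = re.compile(
    r'^(?P<path>.+?)'
    r'(?: \((?P<pid>\d+)\))?'
    r'(?::\\memory_(?P<addr>[0-9a-fA-F]+))?$'
)


@dataclass
class Detection:
    path: str                   # file backing the object (e.g. C:\Windows\explorer.exe)
    pid: Optional[int]          # set when the object is a running process
    memory_addr: Optional[int]  # set when the object is a region of process memory
    threat: str
    status: str                 # AVG's result column: Infected, Deleted, ...

    @property
    def in_process(self) -> bool:
        """True when the hit is inside a live process rather than a file on disk."""
        return self.pid is not None


def parse_avg_results(text: str) -> List[Detection]:
    """Parse AVG's semicolon-separated, double-quoted result lines."""
    found: List[Detection] = []
    for row in csv.reader(StringIO(text), delimiter=';', quotechar='"'):
        if len(row) < 4:          # blank line or truncated row
            continue
        _, obj, threat, status = row[:4]
        m = OBJECT_RE.match(obj)
        if not m:
            continue
        found.append(Detection(
            path=m['path'],
            pid=int(m['pid']) if m['pid'] else None,
            memory_addr=int(m['addr'], 16) if m['addr'] else None,
            threat=threat,
            status=status,
        ))
    return found


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Group hits by process so injected code stands out from on-disk files."""
    injected: Dict[str, List[str]] = {}
    disk_files: List[str] = []
    for d in dets:
        if d.in_process:
            key = f"{ntpath.basename(d.path)} ({d.pid})"
            injected.setdefault(key, []).append(d.threat)
        else:
            disk_files.append(d.path)
    return {"injected_processes": injected, "disk_files": disk_files}


def memory_only_actions(dets: List[Detection]) -> List[Detection]:
    """Hits where AVG reported an action, but the object was a process, not a file.

    Such an action touches only the running copy; whatever wrote the code into
    the process is not removed, which is consistent with the hit coming back
    on the next scan as the post describes.
    """
    return [d for d in dets if d.in_process and d.status.lower() != 'infected']


if __name__ == '__main__':
    hits = parse_avg_results(AVG_RESULTS)
    print(summarize(hits))
    for d in memory_only_actions(hits):
        print(f"{d.status}: {d.threat} in {ntpath.basename(d.path)} pid {d.pid} (no file removed)")
```

Run it on a full AVG result export (same quoting and field order) to list which hits are in-process and which are on-disk files; only the latter are something a file-based cleanup can actually remove.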


#2 TechTeen

TechTeen

  • Members
  • 8 posts
  • OFFLINE
  • Local time:10:47 PM

Posted 20 August 2012 - 06:28 PM

Turn off your PC. Turn it back on. After the BIOS [PC Logo] screen, repeatedly tap F8 until a list of options appears. Select "Safe Mode with Networking." Once loaded, log in as usual and open up your preferred Internet browser. Next, download Trojan Remover (it's a free 30 day trial but trust me, it works!) and install it. Start a full scan with this software, it'll detect the Trojan and remove it. Worked for me when every other software wasn't.

If it reappears, just reply here or research how to use HijackThis then apply that method along with Trojan Remover.

Thanks

#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:47 PM

Posted 20 August 2012 - 07:19 PM

Hello, if the above Trojan Remover fails then please do this.

Please download TDSSKiller.zip and extract it.
  • Run TDSSKiller.exe.
  • Click on Change Parameters
  • Put a check in the box of Detect TDLFS file system
  • Click Start scan.
  • When it is finished the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue
  • Let reboot if needed and tell me if the tool needed a reboot.
  • Click on Report and post the contents of the text file that will open.

    Note: By default, the utility writes the log to the root folder of the system disk (usually the disk with the installed operating system, C:\). The log has a name like: TDSSKiller.Version_Date_Time_log.txt.


>>>

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.


EDIT: If you are untrained in using HijackThis then you should never run it.
IMPORTANT NOTE: HijackThis is an advanced enumerator (similar in some respects to a registry editor) that is used to display certain areas of the Windows registry where the majority of malware reside. HijackThis will scan these areas of your system and then create a log to help diagnose the presence of undetected malware in known hiding places. However, since HijackThis only scans certain areas of your system/registry, a log may not always show all the malware on your system and other investigative tools need to be used. Most of the log entries are required to run a computer and removing essential ones can potentially cause serious damage such as loss of Internet connectivity or problems with your operating system which could prevent it from starting. Using HijackThis requires advanced knowledge about the Windows Operating System and relies on trained experts to interpret the log entries and investigate them in order to determine what needs to be fixed.

And just because you "fixed" something with HijackThis, that does not mean you have a clean system. There are specific files and folders which must be deleted afterwards. HijackThis does not delete them. Further, removing entries in HijackThis before the problem is properly identified can make the malware undetectable to other detection and removal tools. Full system scanning tools like SUPERAntiSpyware, Malwarebytes' Anti-Malware, Spybot S&D and SpySweeper will remove the registry entries as well as the related files, which results in a more complete removal process. HijackThis should only be used to clean up the entries left behind, after you have properly removed the malware.

Since HijackThis is a powerful tool that requires advanced knowledge about the Operating System and can cause system damage if incorrect instructions are given, only designated trained experts are allowed to help people with using HijackThis. If you do not have advanced knowledge about computers or training in the use of this tool, you should NOT fix anything using HijackThis without consulting an expert as to what to fix.

Edited by boopme, 20 August 2012 - 07:26 PM.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 bonzo98

bonzo98
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:47 PM

Posted 21 August 2012 - 06:53 PM

Ran Trojan Remover and TDSSKiller, neither found anything.

Ran ESET OnlineScan with the following results:


C:\Users\pat\AppData\Local\{fe575bb5-89ae-3187-b7c7-f8b4fb537f71}\n Win32/Sirefef.EV trojan cleaned by deleting (after the next restart) - quarantined
C:\Users\pat\AppData\Local\{fe575bb5-89ae-3187-b7c7-f8b4fb537f71}\U\80000000.@ a variant of Win32/Sirefef.FA trojan cleaned by deleting - quarantined
C:\Users\pat\AppData\Local\{fe575bb5-89ae-3187-b7c7-f8b4fb537f71}\U\800000cb.@ probably a variant of Win32/Agent.TEO trojan cleaned by deleting - quarantined
C:\Users\pat\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\5240f7a5-6110c0c1 multiple threats deleted - quarantined
Operating memory multiple threats

It quarantined/deleted 4 of the 5 found threats. The Operating memory line was highlighted in red.
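An added example (not from the original post and not ESET's own code) that checks a user profile for the folder layout the ESET log above shows: a GUID-named folder directly under AppData\Local containing a file named n and a U subfolder holding <8 hex digits>.@ files. GUID-named folders under AppData\Local are ordinary on Windows, so only folders with those marker files are reported. The directory tree is constructed in a temporary folder from the paths in the log; the function names, the placeholder file contents and the benign {11111111-...} folder are assumptions of this example.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Folder name of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, as in the ESET log.
GUID_DIR_RE = re.compile(r'^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$', re.I)
# Payload file name inside the U subfolder, e.g. 80000000.@ or 800000cb.@
PAYLOAD_FILE_RE = re.compile(r'^[0-9a-f]{8}\.@$', re.I)


def inspect_guid_dir(d: Path) -> Dict[str, object]:
    """Check one {GUID} folder for the two markers ESET flagged: a file 'n'
    and a 'U' subfolder holding <8 hex digits>.@ files."""
    has_n = (d / 'n').is_file()
    u_dir = d / 'U'
    payloads: List[str] = []
    if u_dir.is_dir():
        payloads = sorted(p.name for p in u_dir.iterdir()
                          if p.is_file() and PAYLOAD_FILE_RE.match(p.name))
    return {
        "dir": str(d),
        "has_n": has_n,
        "payloads": payloads,
        "suspicious": has_n or bool(payloads),
    }


def scan_local_appdata(local_appdata: Path) -> List[Dict[str, object]]:
    """Return every GUID-named folder directly under AppData\\Local that shows
    the marker files. A GUID folder on its own is common and is not reported."""
    hits: List[Dict[str, object]] = []
    if not local_appdata.is_dir():
        return hits
    for child in sorted(local_appdata.iterdir()):
        if child.is_dir() and GUID_DIR_RE.match(child.name):
            info = inspect_guid_dir(child)
            if info["suspicious"]:
                hits.append(info)
    return hits


def build_demo_tree(base: Path) -> Path:
    """Constructed test data: recreate the paths from the ESET log above, plus a
    benign GUID folder with none of the markers, inside a throwaway directory."""
    local = base / 'Users' / 'pat' / 'AppData' / 'Local'
    bad = local / '{fe575bb5-89ae-3187-b7c7-f8b4fb537f71}'
    (bad / 'U').mkdir(parents=True)
    (bad / 'n').write_bytes(b'\x00' * 16)           # placeholder content
    (bad / 'U' / '80000000.@').write_bytes(b'MZ')   # placeholder content
    (bad / 'U' / '800000cb.@').write_bytes(b'MZ')   # placeholder content
    # Assumed benign folder: GUID name, but no 'n' file and no 'U' payloads.
    (local / '{11111111-2222-3333-4444-555555555555}' / 'cache').mkdir(parents=True)
    return local


def demo() -> List[Dict[str, object]]:
    """Run the scan against the constructed tree and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_local_appdata(build_demo_tree(Path(tmp)))


if __name__ == '__main__':
    results = demo()
    if 'LOCALAPPDATA' in os.environ:   # on Windows, also look at the real profile
        results += scan_local_appdata(Path(os.environ['LOCALAPPDATA']))
    for hit in results:
        print(hit)
```

The check only confirms whether the on-disk layout ESET reported is still present; it says nothing about the "Operating memory" hit, which is why a clean result here does not by itself mean the machine is clean.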

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:47 PM

Posted 21 August 2012 - 07:51 PM

You have a Rootkit that we cannot remove here.

We need a deeper look. Please go here: Preparation Guide, do steps 6-9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

Include this link back to this topic, thanks.

http://www.bleepingcomputer.com/forums/topic465939.html/page__pid__2814069#entry2814069

Let me know if that went well.

#6 bonzo98

bonzo98
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:47 PM

Posted 22 August 2012 - 08:15 AM

I went ahead and posted DDS log and GMER log per your instructions, have not heard anything yet.

However, I went ahead and rescanned using AVG Free on two separate occasions since running the ESET Scan and both times the results came back with no infections. Is AVG missing something?

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:47 PM

Posted 22 August 2012 - 09:44 PM

Thank you....

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.

The current wait time is 1 - 3 days and ALL logs are answered.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic.



