
trojan.agent infection



Hello,

I need help removing a trojan.agent infection from a Windows Vista PC.

I have run Malwarebytes several times in SAFE MODE, because I cannot run in Normal mode at this time.

It finds the infection, removes it, and asks to restart the PC.

The PC restarts in normal mode, and it still appears to be infected, cannot access wi-fi, etc.

I cannot post .log files at this time, since I cannot get to USB drive while in safe mode to copy log files.

Suggestions on how to proceed?

Thank you.


Hello randomid! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.

For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close Notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 12-11-2012

Ran by SYSTEM at 15-11-2012 17:13:00

Running from F:\

Windows Vista Home Premium (X86) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [NvSvc] VSVCSTART [x]

HKLM\...\Run: [NvCplDaemon] VSTARTUP [x]

HKLM\...\Run: [NvMediaCenter] IT [x]

HKLM\...\Run: [Apoint] T.EXE [x]

HKLM\...\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" [468264 2007-12-19] (CyberLink Corp.)

HKLM\...\Run: [QlbCtrl] S\QLBCTRL.EXE /START [x]

HKLM\...\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe [554320 2007-09-04] ( Hewlett-Packard Development Company, L.P.)

HKLM\...\Run: [uCam_Menu] K\YOUCAM\1.0" [x]

HKLM\...\Run: [hpqSRMon] [x]

HKLM\...\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [x]

HKLM\...\Run: [hpWirelessAssistant] .EXE [x]

HKLM\...\Run: [WAWifiMessage] T\WIFIMSG.EXE [x]

HKLM\...\Run: [symantec PIF AlertEng] G.DLL" [x]

HKLM\...\Run: [ALUAlert] OTIFY.EXE [x]

HKLM\...\Run: [HotSync] C.EXE" -ALLUSERS [x]

HKLM\...\Run: [blspcloader] ET TOOLS\BLSLOADER.EXE [x]

HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [417792 2009-11-10] (Apple Inc.)

HKLM\...\Run: [mcui_exe] KEY [x]

HKLM\...\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-02-18] (Hewlett-Packard)

HKLM\...\Run: [] [x]

HKLM\...\Run: [APSDaemon] .EXE" [x]

HKLM\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)

HKLM\...\Run: [Adobe ARM] FILES\ADOBE\ARM\1.0\ADOBEARM.EXE" [x]

HKLM\...\Run: [sunJavaUpdateSched] FILES\JAVA\JAVA UPDATE\JUSCHED.EXE" [x]

HKLM\...\Run: [iTunesHelper] ESHELPER.EXE" [x]

HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1783136 2007-10-01] (Hewlett-Packard)

HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1783136 2007-10-01] (Hewlett-Packard)

HKU\Margie\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [455968 2007-08-23] (Hewlett-Packard Company)

HKU\Mcx1\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun [1783136 2007-10-01] (Hewlett-Packard)

HKU\Mcx1\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)

HKU\Mcx1\...\Winlogon: [shell] C:\Windows\eHome\McrMgr.exe [173056 2009-04-10] (Microsoft Corporation)

HKU\Steve\...\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [455968 2007-08-23] (Hewlett-Packard Company)

HKU\Steve\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)

HKU\Steve\...\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background [x]

HKU\Steve\...\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet [4670704 2007-08-30] (Yahoo! Inc.)

HKU\Steve\...\Run: [Google Update] "C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-01-22] (Google Inc.)

HKU\Steve\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)

HKU\Steve\...\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart [16052192 2012-10-25] (Google)

HKU\Steve\...\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17418928 2012-07-13] (Skype Technologies S.A.)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [460872 2012-01-13] (Malwarebytes Corporation)

HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1081416 2012-01-13] (Malwarebytes Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.2

AppInit_DLLs: PGPmapih.dll

Lsa: [Notification Packages] scecli PGPpwflt

Startup: C:\Users\All Users\Start Menu\Programs\Startup\DataViz Inc Messenger.lnk

ShortcutTarget: DataViz Inc Messenger.lnk -> C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe (DataViz, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

ShortcutTarget: HotSync Manager.lnk -> C:\Program Files\Palm\Hotsync.exe (PalmSource, Inc)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)

Startup: C:\Users\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk

ShortcutTarget: PGPtray.exe.lnk -> C:\Windows\Installer\{A3CCAB46-A06E-4F47-96FC-886733BE9708}\Icon6560581611.exe ()

Startup: C:\Users\Steve\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)

Startup: C:\Users\Steve\Start Menu\Programs\Startup\PowerReg Scheduler.exe ()

==================== Services (Whitelisted) ===================

3 Com4Qlb; "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe" [110592 2007-03-05] (Hewlett-Packard Development Company, L.P.)

2 LiveUpdate Notice Service; "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll" [537992 2008-04-10] (Symantec Corporation)

2 McAfee SiteAdvisor Service; "C:\Program Files\McAfee\SiteAdvisor\McSACore.exe" [95200 2012-01-13] (McAfee, Inc.)

3 McComponentHostService; "C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe" [227232 2010-01-15] (McAfee, Inc.)

2 McMPFSvc; "C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

2 mcmscsvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

2 McNaiAnn; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

2 McNASvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

3 McODS; "C:\Program Files\McAfee\VirusScan\mcods.exe" [362008 2012-08-23] (McAfee, Inc.)

2 McProxy; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [214904 2011-01-27] (McAfee, Inc.)

2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166288 2012-03-20] (McAfee, Inc.)

2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [161632 2012-03-20] (McAfee, Inc.)

2 mfevtp; "C:\Windows\system32\mfevtps.exe" [151880 2012-03-20] (McAfee, Inc.)

2 PGPserv; C:\Windows\system32\PGPserv.exe [103992 2008-05-21] (PGP Corporation)

2 QPCapSvc; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [271760 2007-12-19] ()

2 QPSched; "C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [112016 2007-12-19] ()

2 RichVideo; "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" [272024 2007-01-09] ()

2 WebClient; C:\Windows\System32\svchost.exe -k LocalService [21504 2008-01-20] (Microsoft Corporation)

3 WLSetupSvc; "C:\Program Files\Windows Live\installer\WLSetupSvc.exe" [266240 2007-10-25] (Microsoft Corporation)

2 Automatic LiveUpdate Scheduler; "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [x]

2 HP Health Check Service; "c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe" [x]

3 LiveUpdate; "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" [x]

2 LiveUpdate Notice Ex; "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]

==================== Drivers (Whitelisted) ====================

3 cfwids; C:\Windows\System32\drivers\cfwids.sys [57600 2012-02-22] (McAfee, Inc.)

3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [61704 2011-03-18] (FTDI Ltd.)

3 HdAudAddService; C:\Windows\System32\drivers\CHDART.sys [183352 2007-10-01] (Conexant Systems Inc.)

3 HpqRemHid; C:\Windows\System32\DRIVERS\HpqRemHid.sys [7168 2007-07-11] (Hewlett-Packard Development Company, L.P.)

3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [121544 2012-02-22] (McAfee, Inc.)

3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180848 2012-02-22] (McAfee, Inc.)

3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59456 2012-02-22] (McAfee, Inc.)

3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [340920 2012-02-22] (McAfee, Inc.)

0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [464304 2012-02-22] (McAfee, Inc.)

1 mfenlfk; C:\Windows\System32\DRIVERS\mfenlfk.sys [64912 2012-02-22] (McAfee, Inc.)

3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87656 2012-02-22] (McAfee, Inc.)

1 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [169608 2012-02-22] (McAfee, Inc.)

3 PalmUSBD; C:\Windows\System32\drivers\PalmUSBD.sys [16640 2007-12-04] (PalmSource, Inc.)

1 eabfiltr; [x]

3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]

3 mfeavfk01; [x]

3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]

3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

3 SymIMMP; C:\Windows\System32\DRIVERS\SymIM.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2012-11-15 17:12 - 2012-11-15 17:12 - 00000000 ____D C:\FRST

2012-11-15 03:46 - 2012-11-15 03:46 - 00000000 ____D C:\Windows\ERDNT

2012-11-15 03:44 - 2012-11-15 03:46 - 00000000 ____D C:\Qoobox

2012-11-15 03:44 - 2012-11-15 03:45 - 00000000 ___SD C:\32788R22FWJFW

2012-11-15 03:41 - 2012-11-15 03:41 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-15 03:41 - 2012-11-15 03:41 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-15 03:41 - 2011-12-10 13:24 - 00020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-11-14 16:33 - 2012-11-15 03:41 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-11-03 13:48 - 2012-11-03 13:53 - 00000094 ____A C:\Users\Steve\Desktop\Money.txt.txt

2012-10-22 17:30 - 2012-08-21 10:01 - 00026840 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys

2012-10-22 17:25 - 2012-10-22 17:30 - 00000000 ____D C:\Users\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

2012-10-22 17:25 - 2012-10-22 17:30 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1

2012-10-22 17:25 - 2012-10-22 17:30 - 00000000 ____D C:\Program Files\iTunes

2012-10-22 17:25 - 2012-10-22 17:25 - 00000000 ____D C:\Program Files\iPod

2012-10-20 06:52 - 2012-10-20 06:53 - 09536008 ____A ( ) C:\Users\Steve\Downloads\YouCam.exe

==================== One Month Modified Files and Folders ========

2012-11-15 17:12 - 2012-11-15 17:12 - 00000000 ____D C:\FRST

2012-11-15 14:58 - 2010-06-19 08:05 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-11-15 14:57 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-11-15 14:57 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

2012-11-15 14:57 - 2006-11-02 04:47 - 00003216 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

2012-11-15 05:25 - 2012-04-25 18:15 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

2012-11-15 05:25 - 2011-08-18 11:33 - 00000000 ____D C:\Users\All Users\McAfee Security Scan

2012-11-15 05:25 - 2011-08-18 11:33 - 00000000 ____D C:\Users\All Users\Application Data\McAfee Security Scan

2012-11-15 05:25 - 2010-06-18 03:36 - 00000000 ____D C:\users\Margie

2012-11-15 05:25 - 2008-08-30 16:15 - 00000000 ____D C:\users\Mcx1

2012-11-15 05:25 - 2008-05-19 18:01 - 00000000 ____D C:\Users\Steve\Local Settings\QuickPlay

2012-11-15 05:25 - 2008-05-19 18:01 - 00000000 ____D C:\Users\Steve\Local Settings\Application Data\QuickPlay

2012-11-15 05:25 - 2008-05-19 18:01 - 00000000 ____D C:\Users\Steve\AppData\Local\QuickPlay

2012-11-15 05:25 - 2008-05-19 17:47 - 00000000 ____D C:\users\Steve

2012-11-15 05:25 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\spool

2012-11-15 05:25 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\System32\Msdtc

2012-11-15 05:25 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\registration

2012-11-15 05:25 - 2006-11-02 02:22 - 50069504 ____A C:\Windows\System32\config\software_previous

2012-11-15 05:25 - 2006-11-02 02:22 - 23592960 ____A C:\Windows\System32\config\system_previous

2012-11-15 05:21 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous

2012-11-15 05:21 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous

2012-11-15 04:44 - 2010-01-22 20:14 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1071920978-3488033429-3191911494-1000UA.job

2012-11-15 04:42 - 2006-11-02 02:33 - 00690960 ____A C:\Windows\System32\PerfStringBackup.INI

2012-11-15 04:40 - 2008-03-09 06:54 - 00000218 ____A C:\Users\Public\Documents\hpqp.ini

2012-11-15 04:40 - 2008-03-09 06:54 - 00000218 ____A C:\Users\All Users\Documents\hpqp.ini

2012-11-15 03:46 - 2012-11-15 03:46 - 00000000 ____D C:\Windows\ERDNT

2012-11-15 03:46 - 2012-11-15 03:44 - 00000000 ____D C:\Qoobox

2012-11-15 03:45 - 2012-11-15 03:44 - 00000000 ___SD C:\32788R22FWJFW

2012-11-15 03:42 - 2012-07-24 11:22 - 02136664 ____A (Kaspersky Lab ZAO) C:\Users\Steve\Desktop\k.exe

2012-11-15 03:41 - 2012-11-15 03:41 - 00000906 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-15 03:41 - 2012-11-15 03:41 - 00000906 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-15 03:41 - 2012-11-14 16:33 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware

2012-11-15 03:40 - 2012-08-10 20:41 - 00000000 ____D C:\Users\Steve\Downloads\tdsskiller

2012-11-15 03:19 - 2006-11-02 02:22 - 37486592 ____A C:\Windows\System32\config\components_previous

2012-11-15 03:19 - 2006-11-02 02:22 - 00524288 ____A C:\Windows\System32\config\default_previous

2012-11-15 01:55 - 2012-06-27 15:02 - 00000000 ____D C:\Users\Steve\Application Data\Skype

2012-11-15 01:55 - 2012-06-27 15:02 - 00000000 ____D C:\Users\Steve\AppData\Roaming\Skype

2012-11-13 18:49 - 2008-01-20 18:47 - 00272534 ____A C:\Windows\PFRO.log

2012-11-13 14:57 - 2008-03-09 06:37 - 01129639 ____A C:\Windows\WindowsUpdate.log

2012-11-09 21:12 - 2010-06-19 08:05 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-11-09 00:43 - 2010-01-22 20:14 - 00000856 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1071920978-3488033429-3191911494-1000Core.job

2012-11-07 18:03 - 2009-05-03 02:18 - 00000000 ___HD C:\Users\Steve\Downloads\New Folder

2012-11-07 00:47 - 2010-10-29 18:00 - 00002042 ____A C:\Users\Steve\Desktop\Google Chrome.lnk

2012-11-05 06:58 - 2008-08-30 16:18 - 00005632 ____A C:\Users\Steve\Local Settings\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-11-05 06:58 - 2008-08-30 16:18 - 00005632 ____A C:\Users\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-11-05 06:58 - 2008-08-30 16:18 - 00005632 ____A C:\Users\Steve\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

2012-11-03 13:53 - 2012-11-03 13:48 - 00000094 ____A C:\Users\Steve\Desktop\Money.txt.txt

2012-10-31 13:15 - 2012-04-29 14:09 - 00000000 ___SD C:\Users\Steve\Google Drive

2012-10-29 16:01 - 2011-04-04 13:36 - 00000000 ___HD C:\Users\Steve\Application Data\HpUpdate

2012-10-29 16:01 - 2011-04-04 13:36 - 00000000 ___HD C:\Users\Steve\AppData\Roaming\HpUpdate

2012-10-28 18:05 - 2008-05-19 18:16 - 00000000 ____D C:\Program Files\Mozilla Firefox

2012-10-22 17:38 - 2006-11-02 05:01 - 00032650 ____A C:\Windows\Tasks\SCHEDLGU.TXT

2012-10-22 17:30 - 2012-10-22 17:25 - 00000000 ____D C:\Users\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

2012-10-22 17:30 - 2012-10-22 17:25 - 00000000 ____D C:\Users\All Users\188F1432-103A-4ffb-80F1-36B633C5C9E1

2012-10-22 17:30 - 2012-10-22 17:25 - 00000000 ____D C:\Program Files\iTunes

2012-10-22 17:25 - 2012-10-22 17:25 - 00000000 ____D C:\Program Files\iPod

2012-10-22 17:25 - 2010-03-14 04:42 - 00000000 ____D C:\Program Files\Common Files\Apple

2012-10-20 06:53 - 2012-10-20 06:52 - 09536008 ____A ( ) C:\Users\Steve\Downloads\YouCam.exe

2012-10-20 06:51 - 2008-05-25 05:20 - 00000000 ____D C:\Users\Steve\My Documents\Youcam

2012-10-20 06:51 - 2008-05-25 05:20 - 00000000 ____D C:\Users\Steve\Documents\Youcam

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888

C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\L

C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888\U

ZeroAccess:

C:\$Recycle.Bin\S-1-5-21-1071920978-3488033429-3191911494-1000\$ff24043d55f85ce9a20a8337d9b4b888

C:\$Recycle.Bin\S-1-5-21-1071920978-3488033429-3191911494-1000\$ff24043d55f85ce9a20a8337d9b4b888\L

C:\$Recycle.Bin\S-1-5-21-1071920978-3488033429-3191911494-1000\$ff24043d55f85ce9a20a8337d9b4b888\U

ZeroAccess:

C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888

ZeroAccess:

C:\Users\Steve\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}

C:\Users\Steve\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L

C:\Users\Steve\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-25 21:00:29

Restore point made on: 2012-10-26 21:01:54

Restore point made on: 2012-10-27 21:00:23

Restore point made on: 2012-10-28 19:17:54

Restore point made on: 2012-10-29 21:00:26

Restore point made on: 2012-10-30 21:00:38

Restore point made on: 2012-10-31 21:00:41

Restore point made on: 2012-11-01 21:00:35

Restore point made on: 2012-11-02 21:00:26

Restore point made on: 2012-11-03 21:00:26

Restore point made on: 2012-11-04 22:00:32

Restore point made on: 2012-11-05 22:00:22

Restore point made on: 2012-11-06 22:00:21

Restore point made on: 2012-11-07 22:00:23

Restore point made on: 2012-11-08 22:00:22

Restore point made on: 2012-11-09 22:00:27

Restore point made on: 2012-11-10 22:09:16

Restore point made on: 2012-11-11 22:00:23

Restore point made on: 2012-11-12 22:00:22

==================== Memory info ===========================

Percentage of memory in use: 17%

Total physical RAM: 3006.31 MB

Available physical RAM: 2471.71 MB

Total Pagefile: 2727.81 MB

Available Pagefile: 2540.05 MB

Total Virtual: 2047.88 MB

Available Virtual: 1975.51 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:221.12 GB) (Free:108.66 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

2 Drive d: (HP_RECOVERY) (Fixed) (Total:11.77 GB) (Free:1.98 GB) NTFS ==>[system with boot components (obtained from reading drive)]

4 Drive f: (SBUCHHOLZ) (Removable) (Total:3.81 GB) (Free:1.04 GB) FAT32

5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt

-------- ---------- ------- ------- --- ---

Disk 0 Online 233 GB 1528 KB

Disk 1 Online 3908 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 221 GB 32 KB

Partition 2 Primary 12 GB 221 GB

=========================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 C NTFS Partition 221 GB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D HP_RECOVERY NTFS Partition 12 GB Healthy

=========================================================

Partitions of Disk 1:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 3907 MB 32 KB

=========================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 F SBUCHHOLZ FAT32 Removable 3907 MB Healthy

=========================================================

Last Boot: 2012-11-15 04:45

==================== End Of Log ============================


BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste). Save it on the flash drive as fixlist.txt

C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888

C:\Users\Steve\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}

C:\$Recycle.Bin\S-1-5-21-1071920978-3488033429-3191911494-1000\$ff24043d55f85ce9a20a8337d9b4b888

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


Here are the results from running Farbar FRST:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 12-11-2012

Ran by SYSTEM at 2012-11-16 17:07:11 Run:1

Running from F:\

==============================================

C:\$Recycle.Bin\S-1-5-18\$ff24043d55f85ce9a20a8337d9b4b888 moved successfully.

C:\Users\Steve\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.

C:\$Recycle.Bin\S-1-5-21-1071920978-3488033429-3191911494-1000\$ff24043d55f85ce9a20a8337d9b4b888 moved successfully.

==== End of Fixlog ====


Okay, please boot in Normal mode instead of Safe mode. Then:

Please download Malwarebytes Anti-Rootkit from here.

  1. Unzip the contents to a folder in a convenient location.
  2. Open the folder where the contents were unzipped and run mbar.exe (right-click and select Run as administrator for Vista and Windows 7).
  3. Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  4. Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  5. Wait while the system shuts down and the cleanup process is performed.
  6. Please post the two logs produced.


I attempted to run the mbar.exe from Normal mode as the instructions indicated.

I could not because it was "not an installed service."

I ran it in Safe Mode, and it did not find anything and returned the message "No cleanup is required."

Normal mode now hangs after a re-start.

I still cannot access the internet/wi-fi from that PC.

Any suggestions on a next step?


Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Before I read your last reply/post, I tried a System Restore point, because I figured I had nothing to lose at that point.

It restored Normal Mode, and Wi-Fi/internet is back!

I re-installed MalwareBytes in Normal mode, and ran updates.

I ran MalwareBytes and here is the log from the first run:

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.17.02

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Steve :: HP-DV2815NR [administrator]

11/17/2012 7:06:59 AM

mbam-log-2012-11-17 (07-06-59).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 259838

Time elapsed: 41 minute(s), 4 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 3

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rundll32 (Trojan.Agent) -> Data: C:\Users\Steve\userinit.exe -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|svchost (Trojan.Agent) -> Data: C:\Users\Steve\AppData\Roaming\Microsoft\svchost.exe -> Quarantined and deleted successfully.

HKCU\Software\Microsoft|adver_id (Malware.Trace) -> Data: 0 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

c:\users\steve\appdata\local\temp\msimg32.dll (Trojan.Ransom) -> Quarantined and deleted successfully.

(end)

Restarted per instructions to clear threats and here is the result from the second run:

Malwarebytes Anti-Malware 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.17.02

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Steve :: HP-DV2815NR [administrator]

11/17/2012 7:57:49 AM

mbam-log-2012-11-17 (07-57-49).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 259585

Time elapsed: 37 minute(s), 27 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

So do I need to do anything else, or am I all clear now?

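The two Trojan.Agent hits in the log above share one pattern: Run values pointing at files named like Windows system binaries (userinit.exe, svchost.exe) but stored in the user profile rather than under C:\Windows. The check below, an added example that is not part of this thread or of Malwarebytes, parses such log lines and audits an exported set of Run values for that masquerading pattern; the sample Run values and log line are constructed from the report above.

```python
import re
from pathlib import PureWindowsPath

# Windows system binaries whose names malware often borrows; the two Run values
# in the log above were named after userinit.exe and svchost.exe.
SYSTEM_BINARY_NAMES = {"userinit.exe", "svchost.exe", "rundll32.exe",
                       "explorer.exe", "winlogon.exe", "lsass.exe"}

# One 'Registry Values Detected' line from a Malwarebytes 1.x log.
MBAM_VALUE_RE = re.compile(
    r"^(?P<key>HK\w+\\[^|]+)\|(?P<value>\S+) \((?P<threat>[^)]+)\) -> "
    r"Data: (?P<data>.+?) -> (?P<action>.+)$")

def parse_registry_value_line(line):
    """Return key, value name, threat, data and action from a log line, or None."""
    m = MBAM_VALUE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_masquerading(command):
    """True when an autorun entry points at a file named like a Windows system
    binary but stored outside the C:\\Windows tree (e.g. in a user profile)."""
    path = PureWindowsPath(command.strip('"'))
    if path.name.lower() not in SYSTEM_BINARY_NAMES:
        return False
    parts = [part.lower() for part in path.parts]
    in_windows_dir = len(parts) >= 3 and parts[0] == "c:\\" and parts[1] == "windows"
    return not in_windows_dir

def audit_run_values(run_values):
    """run_values maps Run value names to their command data, as exported from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. Returns flagged names."""
    return sorted(name for name, data in run_values.items() if is_masquerading(data))

# Constructed sample: the two Run values reported in the log above plus a
# legitimate system binary that must not be flagged.
SAMPLE_RUN_VALUES = {
    "rundll32": r"C:\Users\Steve\userinit.exe",
    "svchost": r"C:\Users\Steve\AppData\Roaming\Microsoft\svchost.exe",
    "Userinit": r"C:\Windows\System32\userinit.exe",
}

# Constructed from the first log line of the report above.
SAMPLE_LOG_LINE = (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|rundll32 "
                   r"(Trojan.Agent) -> Data: C:\Users\Steve\userinit.exe "
                   r"-> Quarantined and deleted successfully.")

if __name__ == "__main__":
    print(audit_run_values(SAMPLE_RUN_VALUES))          # ['rundll32', 'svchost']
    print(parse_registry_value_line(SAMPLE_LOG_LINE)["data"])
```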

Yes, everything appears to be fine, and back to normal.

Thank you for your help.

I scanned multiple times with Malwarebytes Anti-Malware, and the reports are all clear:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000

www.malwarebytes.org

Database version: v2012.11.18.01

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Steve :: HP-DV2815NR [administrator]

Protection: Enabled

11/18/2012 11:14:07 PM

mbam-log-2012-11-18 (23-14-07).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 254494

Time elapsed: 13 minute(s), 21 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

Is there anything else I need to check/scan?


Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


I attempted to follow the instructions in the previous post, but I was not able to complete the steps and post a log.

I started Internet Explorer, and followed the instructions, but it did NOT get to the "allow ActiveX control to install" step.

It stopped after I clicked "Start" in the window at this site.

Any more suggestions?


I rebooted into Safe Mode, and went to the link for ESET online scanner, and same result as before.

It did NOT get to the "allow ActiveX control to install" step.

It stopped after I clicked "Start" in the window at this site.

The PC is running Windows Vista, if that makes a difference.

Any other scan methods to try?

Thanks.


Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named)

Click the cog in the upper right


Select down to and including your main drive; once done, select the Automatic scan tab and press Start Scan


Allow AVP to delete all infections found

Once it has finished select report tab (last tab)

Select Detected threats report from the left and press the Save button

Save it to your desktop and post it in your next reply.



Hi,

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317
