tivia Posted July 29, 2010 ID:292231
When I start up my PC, my AntiVir Guard shows the TR/agent2 otor trojan. I deny access and that goes away. Then I get a rundll error loading c:\windows\dmsimg.dll: the specified module could not be found. I have run my AntiVir Guard and Malwarebytes, but I know they will not solve this problem. Any ideas would be most helpful.
tivia Posted August 3, 2010 Author ID:294855
Any ideas, guys?
Maniac Posted August 4, 2010 ID:295296
Hello tivia! Welcome to Malwarebytes' Anti-Malware Forums!
My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:
- The process of cleaning your system may take some time, so please be patient.
- Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
- Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
- Instructions that I give are for your system only!
- If you don't know or can't understand something, please ask.
- Do not install or uninstall any software or hardware while we work on this.
- Keep me informed about any changes.
In short, this means that your system is infected.
Please follow these instructions and post all logs if you can:
http://forums.malwarebytes.org/index.php?showtopic=9573
tivia Posted August 6, 2010 Author ID:296617
Thank you, I'll get on it now.
tivia Posted August 6, 2010 Author ID:296655
www.malwarebytes.org
Database version: 4397
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
06/08/2010 11:12:25
mbam-log-2010-08-06 (11-12-25).txt
Scan type: Quick scan
Objects scanned: 198065
Time elapsed: 31 minute(s), 49 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
tivia Posted August 6, 2010 Author ID:296657
I will run my Avira AntiVir next.
tivia Posted August 6, 2010 Author ID:296704
Avira AntiVir Personal
Report file date: 06 August 2010 12:01
Scanning for 2682432 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : YAROM
Version information:
BUILD.DAT : 9.0.0.422 21701 Bytes 3/9/2010 10:29:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/20/2009 08:54:45
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 10:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 11:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 10:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 08:54:41
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 08:54:41
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 21:01:47
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 17:41:01
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 22:47:43
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 20:02:58
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 13:26:36
VBASE007.VDF : 7.10.9.165 4840960 Bytes 7/23/2010 13:08:03
VBASE008.VDF : 7.10.9.166 2048 Bytes 7/23/2010 13:08:03
VBASE009.VDF : 7.10.9.167 2048 Bytes 7/23/2010 13:08:03
VBASE010.VDF : 7.10.9.168 2048 Bytes 7/23/2010 13:08:03
VBASE011.VDF : 7.10.9.169 2048 Bytes 7/23/2010 13:08:03
VBASE012.VDF : 7.10.9.170 2048 Bytes 7/23/2010 13:08:03
VBASE013.VDF : 7.10.9.198 157696 Bytes 7/26/2010 06:29:04
VBASE014.VDF : 7.10.9.255 997888 Bytes 7/29/2010 08:31:21
VBASE015.VDF : 7.10.10.28 139264 Bytes 8/2/2010 15:00:31
VBASE016.VDF : 7.10.10.52 127488 Bytes 8/3/2010 19:02:49
VBASE017.VDF : 7.10.10.84 137728 Bytes 8/6/2010 11:00:20
VBASE018.VDF : 7.10.10.85 1536 Bytes 8/6/2010 11:00:21
VBASE019.VDF : 7.10.10.86 1536 Bytes 8/6/2010 11:00:21
VBASE020.VDF : 7.10.10.87 1536 Bytes 8/6/2010 11:00:21
VBASE021.VDF : 7.10.10.88 1536 Bytes 8/6/2010 11:00:21
VBASE022.VDF : 7.10.10.89 1536 Bytes 8/6/2010 11:00:21
VBASE023.VDF : 7.10.10.90 1536 Bytes 8/6/2010 11:00:21
VBASE024.VDF : 7.10.10.91 1536 Bytes 8/6/2010 11:00:21
VBASE025.VDF : 7.10.10.92 1536 Bytes 8/6/2010 11:00:21
VBASE026.VDF : 7.10.10.93 1536 Bytes 8/6/2010 11:00:21
VBASE027.VDF : 7.10.10.94 1536 Bytes 8/6/2010 11:00:22
VBASE028.VDF : 7.10.10.95 1536 Bytes 8/6/2010 11:00:22
VBASE029.VDF : 7.10.10.96 1536 Bytes 8/6/2010 11:00:22
VBASE030.VDF : 7.10.10.97 1536 Bytes 8/6/2010 11:00:22
VBASE031.VDF : 7.10.10.99 9728 Bytes 8/6/2010 11:00:22
Engineversion : 8.2.4.32
AEVDF.DLL : 8.1.2.1 106868 Bytes 7/30/2010 08:31:37
AESCRIPT.DLL : 8.1.3.42 1364347 Bytes 7/30/2010 08:31:36
AESCN.DLL : 8.1.6.1 127347 Bytes 5/13/2010 06:22:52
AESBX.DLL : 8.1.3.1 254324 Bytes 4/24/2010 09:25:46
AERDL.DLL : 8.1.8.2 614772 Bytes 7/20/2010 15:01:47
AEPACK.DLL : 8.2.3.3 471414 Bytes 7/30/2010 08:31:34
AEOFFICE.DLL : 8.1.1.8 201081 Bytes 7/21/2010 17:09:49
AEHEUR.DLL : 8.1.2.10 2830711 Bytes 7/30/2010 08:31:32
AEHELP.DLL : 8.1.13.2 242039 Bytes 7/20/2010 15:00:35
AEGEN.DLL : 8.1.3.18 393589 Bytes 7/30/2010 08:31:27
AEEMU.DLL : 8.1.2.0 393588 Bytes 4/24/2010 09:25:43
AECORE.DLL : 8.1.16.2 192887 Bytes 7/20/2010 15:00:23
AEBB.DLL : 8.1.1.0 53618 Bytes 4/24/2010 09:25:42
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 08:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/8/2009 20:33:01
AVREP.DLL : 8.0.0.7 159784 Bytes 2/17/2010 18:24:30
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 10:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 4/28/2009 07:39:53
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 10:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 15:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 08:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 10:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 6/10/2009 06:06:59
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/20/2009 08:54:37
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: 06 August 2010 12:01
Starting search for hidden objects.
'86671' objects were checked, '0' hidden objects were found.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wltuser.exe' - '1' Module(s) have been scanned
Scan process 'SCServer.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'ycommon.exe' - '1' Module(s) have been scanned
Scan process 'hposts08.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'hpoevm08.exe' - '1' Module(s) have been scanned
Scan process 'hpotdd01.exe' - '1' Module(s) have been scanned
Scan process 'hpohmr08.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'BTHelpNotifier.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'PIFSvc.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'atiptaxx.exe' - '1' Module(s) have been scanned
Scan process 'Vaderetro_oe.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'DetectorApp.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'soundman.exe' - '1' Module(s) have been scanned
Scan process 'CLSched.exe' - '1' Module(s) have been scanned
Scan process 'USBDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PAStiSvc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'McciCMService.exe' - '1' Module(s) have been scanned
Scan process 'PIFSvc.exe' - '1' Module(s) have been scanned
Scan process 'CLMLServer.exe' - '1' Module(s) have been scanned
Scan process 'CLCapSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
59 processes with 59 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
 [INFO] No virus was found!
Master boot sector HD1
 [INFO] No virus was found!
Master boot sector HD2
 [INFO] No virus was found!
Master boot sector HD3
 [INFO] No virus was found!
Master boot sector HD4
 [INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
 [INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '70' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\hiberfil.sys
 [WARNING] The file could not be opened!
 [NOTE] This file is a Windows system file.
 [NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
 [WARNING] The file could not be opened!
 [NOTE] This file is a Windows system file.
 [NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\MORAY\Application Data\Nius\effao.exe
 [DETECTION] Is the TR/Spy.99840.100 Trojan
C:\Documents and Settings\MORAY\Local Settings\Temporary Internet Files\Content.IE5\COUKRY72\107abecb5edfc9ae958277ee420b429028973012711[1].js
 [DETECTION] Contains recognition pattern of the JS/FakeAlert.B Java script virus
C:\System Volume Information\_restore{1E827FEA-C1CA-4779-8180-5FD4C976D44A}\RP327\A0058883.exe
 [DETECTION] Is the TR/Agent2.ctqc Trojan
C:\System Volume Information\_restore{1E827FEA-C1CA-4779-8180-5FD4C976D44A}\RP333\A0060593.exe
 [DETECTION] Is the TR/Agent2.ctor Trojan
Beginning disinfection:
C:\Documents and Settings\MORAY\Application Data\Nius\effao.exe
 [DETECTION] Is the TR/Spy.99840.100 Trojan
 [NOTE] The file was moved to '4cc1fcfb.qua'!
C:\Documents and Settings\MORAY\Local Settings\Temporary Internet Files\Content.IE5\COUKRY72\107abecb5edfc9ae958277ee420b429028973012711[1].js
 [DETECTION] Contains recognition pattern of the JS/FakeAlert.B Java script virus
 [NOTE] The file was moved to '4c92fcc6.qua'!
C:\System Volume Information\_restore{1E827FEA-C1CA-4779-8180-5FD4C976D44A}\RP327\A0058883.exe
 [DETECTION] Is the TR/Agent2.ctqc Trojan
 [NOTE] The file was moved to '4c8bfcc6.qua'!
C:\System Volume Information\_restore{1E827FEA-C1CA-4779-8180-5FD4C976D44A}\RP333\A0060593.exe
 [DETECTION] Is the TR/Agent2.ctor Trojan
 [NOTE] The file was moved to '4d572c97.qua'!
End of the scan: 06 August 2010 13:14
Used time: 1:07:49 Hour(s)
The scan has been done completely.
 11126 Scanned directories
 256216 Files were scanned
 4 Viruses and/or unwanted programs were found
 0 Files were classified as suspicious
 0 files were deleted
 0 Viruses and unwanted programs were repaired
 4 Files were moved to quarantine
 0 Files were renamed
 2 Files cannot be scanned
 256210 Files not concerned
 6923 Archives were scanned
 2 Warnings
 6 Notes
 86671 Objects were scanned with rootkit scan
 0 Hidden objects were found
tivia Posted August 6, 2010 Author ID:296725
Hope this is of use to you. Thanks again, Borislav.
Maniac Posted August 6, 2010 ID:296754
Did you see my post? I want every single log from here:
http://forums.malwarebytes.org/index.php?showtopic=9573
tivia Posted August 9, 2010 Author ID:298198
I will have this all done by the 10th, thank you.
Staff screen317 Posted August 17, 2010 ID:301304
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!