
fredzio

Members
  • Content Count

    7
  • Joined

  • Last visited

About fredzio

  • Rank
    Newbie
  1. A quick update for everyone who might be following this: experts from SAS responded quickly and prompted me to download a diagnostic tool. While the tool was running, Windows downloaded some updates in the background and began installing them / restarting the computer. At first notice I see that Norton AV came back alive (yay!), and is working again. The Win updates are still going: downloading / restarting, so I can't post much more on the virus, but am hopeful that things are looking up. Will keep you updated.
  2. Thank you for taking the time to help me. I've signed up at the URL provided, and included the following description / recap:
     Norton AV alerted me to the existence of a virus present on my system. SAS discovered (but could not remove): backdoor.agent.gen in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. Tried to remove it several times to no avail - it just reappears.
     Norton AV got corrupted - real time scan does not work, and virus defs are gone, and cannot be installed.
     So, in safe mode I went to the registry and changed the value of the above Shell string to: No Way Hackers
     Ran a scan and the above virus did not show again, but two others appeared in System Restore files. So, I stopped the system restore process (which, I assume, cleared restore points), and then restarted it.
     Ran another scan and found the following virus: Rootkit.0Access in C:\Windows\Assembly\Gac_Msil\Desktop.ini
     It does not go away using any of the available malware / spyware software. In fact SAS does not detect it anymore, but it is found using another malware prog. Hopefully you can help me remove it! I appreciate your help!
  3. Ran the DDS again, and the results are below:
     .
     DDS (Ver_2011-08-26.01) - NTFSx86
     Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20
     Run by Spywriter at 13:53:26 on 2011-12-21
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1469 [GMT -5:00]
     .
     AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
     .
     ============== Running Processes ===============
     .
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
     C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\explorer.exe
     svchost.exe
     C:\Program Files\Symantec AntiVirus\DefWatch.exe
     C:\WINDOWS\eHome\ehRecvr.exe
     C:\WINDOWS\eHome\ehSched.exe
     C:\Program Files\Common Files\LightScribe\LSSrvc.exe
     C:\WINDOWS\system32\nvsvc32.exe
     svchost.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\WINDOWS\system32\MsPMSPSv.exe
     C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\system32\dllhost.exe
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\Program Files\Common Files\Symantec Shared\ccApp.exe
     C:\PROGRA~1\SYMANT~1\VPTray.exe
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\AutoTask\AutoTask.exe
     C:\WINDOWS\system32\ctfmon.exe
     .
     ============== Pseudo HJT Report ===============
     .
     uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
     uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
     mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
     uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
     uWinlogon: Shell=c:\documents and settings\spywriter\local settings\application data\1cf6efbe\X
     BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
     mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
     mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
     mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
     mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
     mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
     mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
     mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
     mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
     mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
     mRun: [AutoTask] "c:\program files\autotask\AutoTask.exe" /STARTUP
     mRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [backupSoft] "\BackupSoft.exe" /STARTUP
     mRun: [nwiz] nwiz.exe /install
     StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
     IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
     IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     LSP: mswsock.dll
     DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1311873600413
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
     Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
     Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
     Notify: NavLogon - c:\windows\system32\NavLogon.dll
     SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll
     .
     ================= FIREFOX ===================
     .
     FF - ProfilePath - c:\documents and settings\spywriter\application data\mozilla\firefox\profiles\4qd8k0ov.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
     FF - component: c:\documents and settings\spywriter\application data\mozilla\firefox\profiles\4qd8k0ov.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\imtcp_xpcom.dll
     FF - component: c:\documents and settings\spywriter\application data\mozilla\firefox\profiles\4qd8k0ov.default\extensions\mozilla_cc@internetdownloadmanager.com\components\idmmzcc.dll
     FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
     .
     ---- FIREFOX POLICIES ----
     FF - user.js: capability.policy.policynames - allowclipboard
     FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.spywriter.com
     FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
     FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess
     ============= SERVICES / DRIVERS ===============
     .
     R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-9-8 101616]
     R1 SASDIFSV;SASDIFSV;c:\docume~1\spywri~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
     R1 SASKUTIL;SASKUTIL;c:\docume~1\spywri~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
     R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
     R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
     R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]
     R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]
     R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
     R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-16 106104]
     R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111216.002\naveng.sys [2011-12-16 86136]
     R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111216.002\navex15.sys [2011-12-16 1576312]
     S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]
     S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]
     S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
     S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-10-1 138112]
     S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-10-1 8320]
     S3 REFILERW;REFILERW;c:\windows\system32\drivers\REFILERW.SYS [2010-8-21 4224]
     S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2008-8-22 550272]
     S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]
     .
     =============== Created Last 30 ================
     .
     2011-12-21 18:01:32 0 ----a-w- c:\documents and settings\spywriter\ntuser.tmp
     2011-12-20 18:12:28 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
     2011-12-20 16:24:41 -------- d-sh--w- c:\documents and settings\spywriter\local settings\application data\1cf6efbe
     2011-12-09 00:17:24 -------- d-----w- c:\documents and settings\spywriter\local settings\application data\Thinstall
     2011-11-26 00:21:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     .
     ==================== Find3M ====================
     .
     2011-12-21 17:18:59 53248 ----a-w- c:\windows\system32\MsPMSPSv.exe
     2011-12-21 02:46:56 143427 ----a-w- c:\windows\system32\nvsvc32.exe
     .
     ============= FINISH: 13:54:12.98 ===============
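Added example, not part of fredzio's posts and not code from the DDS tool or SUPERAntiSpyware: a small Python triage script over constructed DDS-style lines shaped like the log above. It reads the uWinlogon/mWinlogon Shell line from the "Pseudo HJT Report" section and the entries of the "Created Last 30" section, and flags three things a responder would want to see before touching the registry: a Winlogon Shell value that is anything other than the stock explorer.exe (the persistence described in posts 2 and 5), a directory created with the hidden+system attribute pattern (d-sh--w-), and, cross-referencing the two, a Shell target that lives inside such a directory, which is exactly the combination the log above shows for the 1cf6efbe folder. The sample lines, DEFAULT_SHELL, the regexes and the Finding kinds are my assumptions, not DDS conventions beyond what the log itself displays.

```python
"""Triage helper for DDS-style log lines (added example; constructed input)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the DDS "Pseudo HJT Report" and
# "Created Last 30" sections; not the full log from the post.
SAMPLE_LOG = r"""
uWinlogon: Shell=c:\documents and settings\spywriter\local settings\application data\1cf6efbe\X
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
2011-12-20 18:12:28 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-20 16:24:41 -------- d-sh--w- c:\documents and settings\spywriter\local settings\application data\1cf6efbe
2011-11-26 00:21:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
"""

# The only value Winlogon\Shell should normally hold (assumption: stock XP install).
DEFAULT_SHELL = "explorer.exe"

# In DDS notation uWinlogon is the HKCU key, mWinlogon the HKLM key.
WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*Shell=(.*)$", re.I)
# <timestamp> <size or dashes> <8-char attribute field> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S{8})\s+(.*)$")


@dataclass
class Finding:
    kind: str    # winlogon_shell | hidden_system_dir | shell_in_hidden_dir
    detail: str


def parse_shell(line):
    """Return the Shell value from a DDS Winlogon line, or None for any other line."""
    m = WINLOGON_RE.match(line.strip())
    return m.group(1).strip() if m else None


def is_hidden_system_dir(attrs):
    """DDS attribute field: leading 'd' = directory, 's' = system, 'h' = hidden."""
    a = attrs.lower()
    return a[0] == "d" and "s" in a and "h" in a


def triage(log_text):
    """Scan DDS-style lines; return Findings in log order, then cross-reference findings."""
    findings, hidden_dirs, shell_value = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        shell = parse_shell(line)
        if shell is not None:
            shell_value = shell
            if shell.strip('"').lower() != DEFAULT_SHELL:
                findings.append(Finding("winlogon_shell", shell))
            continue
        m = CREATED_RE.match(line)
        if m and is_hidden_system_dir(m.group(3)):
            path = m.group(4).strip()
            hidden_dirs.append(path)
            findings.append(Finding("hidden_system_dir", path))
    # A replaced shell whose target sits inside a recently created hidden+system
    # directory under the user profile is the pattern visible in the log above.
    if shell_value:
        for d in hidden_dirs:
            if shell_value.lower().startswith(d.lower().rstrip("\\") + "\\"):
                findings.append(Finding("shell_in_hidden_dir", f"{shell_value} under {d}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the constructed sample it reports the non-default Shell, the hidden+system 1cf6efbe directory, and the cross-reference between them; the SUPERAntiSpyware.com directory (d-----w-) and ordinary files are not flagged. The cross-reference is the useful part: a Shell value pointing into a freshly created hidden directory under the profile is a stronger signal than either observation alone, and it is what to confirm from a clean boot before editing the registry value by hand as post 2 describes.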
  4. Just found that I am no longer able to connect to the internet using the infected computer, and the Norton antivirus was corrupted.
  5. Hi, I tried removing it several times and this trojan just keeps reappearing, even though SAS says that it was successfully removed: backdoor.agent.gen in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
     Tried to remove it manually from the registry, but it returns immediately. Tried to remove it in safe mode, but it just comes back after scan and "removal". I'm using Win XP SP2. Attached is a log created by DDS (dds.txt). Thank you in advance for your assistance.