Jump to content

Free help from tech experts
Welcome to Geeks to Go forums. Create an account now to gain access to all our features. Once registered and logged in, you will be able to create topics, post replies to existing topics, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. Best of all, registration and all assistance is 100% free! This message, and all ads will be removed once you have signed in.
Sign In Create Account

Backdoor.Agent and Trojan.Downloader


  • This topic is locked This topic is locked

#16
azarl

azarl

    GeekU Teacher

  • GeekU Moderator
  • 18,933 posts
Please try reinstalling an Anti-virus first now.
Only install one as more may cause conflicts and slow down your system drastically.

Good free ones are:


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe File not found
    SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
    DRV - (ssmdrv) -- C:\WINDOWS\System32\DRIVERS\ssmdrv.sys File not found
    DRV - (GGSAFERDriver) -- D:\Garena2\Garena\plugins\UI\safedrv.sys File not found
    DRV - (GarenaPEngine) -- C:\DOCUME~1\Synz\LOCALS~1\Temp\JYF2E9.tmp File not found
    DRV - (EagleNT) -- C:\WINDOWS\System32\drivers\EagleNT.sys File not found
    DRV - (catchme) -- C:\DOCUME~1\Synz\LOCALS~1\Temp\catchme.sys File not found
    DRV - (oreans32) -- C:\WINDOWS\system32\drivers\oreans32.sys ()
    IE - HKCU\..\URLSearchHook: {dd02a4eb-4afd-4d60-99d8-e67f964ca813} - C:\Program Files\PHPNukeEN\tbPHP1.dll File not found
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O2 - BHO: (PHPNukeEN Toolbar) - {dd02a4eb-4afd-4d60-99d8-e67f964ca813} - C:\Program Files\PHPNukeEN\tbPHP1.dll File not found
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O3 - HKLM\..\Toolbar: (PHPNukeEN Toolbar) - {dd02a4eb-4afd-4d60-99d8-e67f964ca813} - C:\Program Files\PHPNukeEN\tbPHP1.dll File not found
    O3 - HKCU\..\Toolbar\ShellBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O3 - HKCU\..\Toolbar\ShellBrowser: (PHPNukeEN Toolbar) - {DD02A4EB-4AFD-4D60-99D8-E67F964CA813} - C:\Program Files\PHPNukeEN\tbPHP1.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (PHPNukeEN Toolbar) - {DD02A4EB-4AFD-4D60-99D8-E67F964CA813} - C:\Program Files\PHPNukeEN\tbPHP1.dll File not found
    
    :Commands
    [purity]
    [emptytemp]
    
    [Reboot]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0

Similar Topics: Backdoor.Agent and Trojan.Downloader     x


#17
Mudz

Mudz

    Member

  • Member
  • PipPip
  • 31 posts
Installed Avira Free.

1) OTL.Txt:


All processes killed
========== OTL ==========
Service JavaQuickStarterService stopped successfully!
Service JavaQuickStarterService deleted successfully!
File C:\Program Files\Java\jre6\bin\jqs.exe File not found not found.
Service HidServ stopped successfully!
Service HidServ deleted successfully!
File C:\WINDOWS\System32\hidserv.dll File not found not found.
Service ssmdrv stopped successfully!
Service ssmdrv deleted successfully!
C:\WINDOWS\System32\DRIVERS\ssmdrv.sys moved successfully.
Service GGSAFERDriver stopped successfully!
Service GGSAFERDriver deleted successfully!
File D:\Garena2\Garena\plugins\UI\safedrv.sys File not found not found.
Service GarenaPEngine stopped successfully!
Service GarenaPEngine deleted successfully!
File C:\DOCUME~1\Synz\LOCALS~1\Temp\JYF2E9.tmp File not found not found.
Service EagleNT stopped successfully!
Service EagleNT deleted successfully!
File C:\WINDOWS\System32\drivers\EagleNT.sys File not found not found.
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\DOCUME~1\Synz\LOCALS~1\Temp\catchme.sys File not found not found.
Service oreans32 stopped successfully!
Service oreans32 deleted successfully!
C:\WINDOWS\system32\drivers\oreans32.sys moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{dd02a4eb-4afd-4d60-99d8-e67f964ca813} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{dd02a4eb-4afd-4d60-99d8-e67f964ca813} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{dd02a4eb-4afd-4d60-99d8-e67f964ca813}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{DD02A4EB-4AFD-4D60-99D8-E67F964CA813} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD02A4EB-4AFD-4D60-99D8-E67F964CA813}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{DD02A4EB-4AFD-4D60-99D8-E67F964CA813} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DD02A4EB-4AFD-4D60-99D8-E67F964CA813}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Synz
->Temp folder emptied: 76443 bytes
->Temporary Internet Files folder emptied: 15781012 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 156169528 bytes
->Flash cache emptied: 814 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 8265 bytes

Total Files Cleaned = 164.00 mb


OTL by OldTimer - Version 3.2.15.2 log created on 10262010_201830

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#18
azarl

azarl

    GeekU Teacher

  • GeekU Moderator
  • 18,933 posts
Before we move on to the next stage, how does your system seem now?
Are you still experiencing any problems?
  • 0

#19
Mudz

Mudz

    Member

  • Member
  • PipPip
  • 31 posts
So far so good, thank you very much. Avira did however spot one virus: TR/Rootkit.Gen Trojan. Brief log:

Starting the file scan:

Begin scan in 'D:\System Volume Information\_restore{95724F8A-B5AC-445D-A5D3-1B38DA1009C7}\RP107\A0053689.exe'
D:\System Volume Information\_restore{95724F8A-B5AC-445D-A5D3-1B38DA1009C7}\RP107\A0053689.exe
[0] Archive type: RSRC
[DETECTION] Is the TR/Rootkit.Gen Trojan
--> Object
[DETECTION] Is the TR/Rootkit.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4ebf75a4.qua'.


End of the scan: Tuesday, October 26, 2010 21:16
Used time: 00:00 Minute(s)
  • 0

#20
azarl

azarl

    GeekU Teacher

  • GeekU Moderator
  • 18,933 posts
That's in the system restore and not a problem unless you do a restore. We'll clear those next anyway

Your logs are now clean - you are clear or seem to be. Please advise me if you still have any problems.

We'll move on to the cleanup now. There's quite A bit to do here, just take your time

Follow these steps to uninstall ComboFix and tools used in the removal of malware
  • Click START then RUN
  • Now type ComboFix /Uninstall in the run box and click OK. Note the space between the ComboFix and the /U, it needs to be there.
    Posted Image
OTL Cleanup
Run OTL and click the cleanup button. It will remove all the programmes we have used plus itself.

Create New System Restore Point and Clear Earlier Ones
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point.
Remove any bad ones
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and the display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done

Preventing re-infection
Now that your system is clear, there are a number of steps you can take to prevent re-infection

It is critical that you have both a firewall and anti virus to protect your system and to keep them updated.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Winpatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. Help file and tutorial can be found Here
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
MVPS Hosts File - Blocks known bad sites by adding them to your Hosts file thereby preventing you from accessing them
TFC (Temp File Cleaner)- Cleans an enormous amount of junk held in temporary files and disposes of any malware lurking there.
Anti Spyware Program - We recommend MalwareBytes Anti-Malware and SUPERAntiSpyware

Browsers
Consider using FIREFOX or OPERA, both are free to use and are more secure than IE. If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust). NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.


Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • Run Internet Explorer
  • Click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Updates
From time to time, software vendors introduce updates for their products. Sometimes these are to enhance the product, but often they are to repair an exploitable vulnerability. You may like to consider installing Secunia PSI. This is a free application (for home users) that sits in the system tray and alerts you when security updates are available, and where from. Secunia PSI can be downloaded from HERE
  • 0

#21
Mudz

Mudz

    Member

  • Member
  • PipPip
  • 31 posts
Thanks for your advices. I have followed almost all of them. Thanks once again.
  • 0

#22
azarl

azarl

    GeekU Teacher

  • GeekU Moderator
  • 18,933 posts
You're welcome
  • 0

#23
azarl

azarl

    GeekU Teacher

  • GeekU Moderator
  • 18,933 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :D

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured