Locked files believed due to virus

View previous topic View next topic Go down

Locked files believed due to virus

Post by Lynangeel on 9th May 2009, 12:56 am

Hi, I am not sure now what is really on my computer but ones that were detected when noticed that virus scan showed locked files that are not able to scan was Win 32\Agent.ODG and Trojan Win 32.Vundo.Gen!G After running countless scans all my scans are saying there is no infections but I have 8 locked files and things still keep getting on. How can I get these unlocked to scan. It appears that they are also hidden for I can not find them to unlock manually.
Thanks

Lynangeel
Intermediate
Intermediate

Posts Posts : 91
Joined Joined : 2009-05-07
OS OS : XP
Points Points : 28533
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Locked files believed due to virus

Post by Belahzur on 9th May 2009, 1:00 am

Hello.
The agent.ODG comes with a rootkit, which might be responsible for locking the files (until the main driver is killed).
Then again, I know that Vundo.Gen comes with a rootkit too, also locks files.

We have to use this tool to find the driver because it's a random name and hard to track down without a scan.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

dds.txt

Post by Lynangeel on 20th May 2009, 11:53 pm

DDS (Ver_09-05-14.01) - NTFSx86
Run by user at 18:02:47.81 on Wed 05/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.439 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {2ed15f84-b61a-4836-8e59-a58a80fa79ee} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: 796525 Class: {e7f15ac4-e0a9-43f0-921b-70dfea621220} - c:\windows\system32\796525\796525.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [autochk] rundll32.exe c:\windows\system32\config\system~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\user\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\limewi~1.lnk - e:\limewire\LimeWire.exe
IE: &Search - [You must be registered and logged in to see this link.]
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - [You must be registered and logged in to see this link.]
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - [You must be registered and logged in to see this link.]
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} - [You must be registered and logged in to see this link.]
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\jolosemu.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-24 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-24 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-24 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-24 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-24 298776]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

=============== Created Last 30 ================

2009-05-07 09:34 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-07 09:34 2 ----h--- c:\windows\t55ft2692f44.dat
2009-05-07 09:33 --d----- c:\windows\system32\796525
2009-05-07 08:39 66,048 a------- c:\windows\system32\lds.exe
2009-05-06 21:54 24,064 a--sh--- c:\documents and settings\user\protect.dll
2009-05-06 21:54 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-05-06 18:57 --dsh--- c:\documents and settings\user\IECompatCache
2009-05-05 22:23 --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-05-04 23:23 --dsh--- c:\documents and settings\user\PrivacIE
2009-05-04 23:16 --dsh--- c:\documents and settings\user\IETldCache
2009-05-04 22:43 --d----- c:\windows\ie8updates
2009-05-04 22:43 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-04 22:40 -cd-h--- c:\windows\ie8
2009-05-04 21:51 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-04 21:51 --d----- c:\program files\SUPERAntiSpyware
2009-05-04 21:51 --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-05-04 21:44 --d----- c:\program files\common files\Wise Installation Wizard
2009-05-04 21:33 --d----- c:\docume~1\user\applic~1\DriverCure
2009-05-04 21:33 --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-05-04 21:33 --d----- c:\docume~1\alluse~1\applic~1\DriverCure
2009-05-04 21:21 --d----- c:\docume~1\user\applic~1\Desktopicon
2009-05-04 21:21 --d----- c:\program files\Unlocker
2009-05-04 17:30 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-04 17:30 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-04 17:30 --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-05-04 17:29 --d----- c:\program files\common files\Symantec Shared
2009-05-04 17:29 --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-05-04 17:29 --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-05-04 17:23 --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-05-04 17:09 --d----- c:\docume~1\user\applic~1\GetRightToGo
2009-05-01 10:30 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-26 23:37 383 ---sh--- c:\windows\system32\royalogo.exe
2009-04-26 23:36 1,406,518 ---sh--- c:\windows\system32\iguwudil.ini
2009-04-26 23:31 --d----- c:\docume~1\user\applic~1\pidle

==================== Find3M ====================

2009-05-04 14:49 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-04 14:49 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 14:49 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2008-05-12 10:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 18:05:10.18 ===============

Lynangeel
Intermediate
Intermediate

Posts Posts : 91
Joined Joined : 2009-05-07
OS OS : XP
Points Points : 28533
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Locked files believed due to virus

Post by Belahzur on 21st May 2009, 12:05 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum