please please help....

Assistance with AVG Anti-Malware, legacy ewido and AVG Anti-Spyware applications

Postby rahul19ie » Sat Jun 27, 2009 3:38 am

hello to all

getting the same Trojan Horse again & again :(
which disconnects online data flow

after cleaning up with AVG and restarting ... it gets ok
but some other day it again gets in...

Result shown as:

"C:\WINDOWS\system\LiveProfile.exe";"Virus identified Worm/Generic.ACNA";"Moved to Virus Vault"
"C:\WINDOWS\system32\windef.exe";"Trojan horse Generic_c.ASKI";"Moved to Virus Vault"
"C:\WINDOWS\system32\windef.exe:\winman.exe";"Trojan horse Generic_c.ASKI";"Moved to Virus Vault"
"C:\WINDOWS\Temp\LiveProfile.exe";"Virus identified Worm/Generic.ACNA";"Moved to Virus Vault"
"C:\WINDOWS\Temp\pagefile2.exe";"Trojan horse Generic_c.ASKI";"Moved to Virus Vault"
"C:\WINDOWS\Temp\pagefile2.exe:\winman.exe";"Trojan horse Generic_c.ASKI";"Moved to Virus Vault"
"C:\WINDOWS\Temp\WindowsLive.exe";"Trojan horse Generic_c.ASKI";"Moved to Virus Vault"
"C:\WINDOWS\Temp\winman.exe";"Trojan horse Generic_c.ASKI";"Moved to Virus Vault"
"C:\Documents and Settings\NetworkService\Application Data\WindowsLive.exe";"Trojan horse Generic_c.ASKI";"Moved to Virus Vault"
"C:\Documents and Settings\kk\Local Settings\Temp\LiveProfile.exe";"Virus identified Worm/Generic.ACNA";"Moved to Virus Vault"

Please please help...
rahul19ie
AVG Wannabee
 
Posts: 8
Joined: Sat Jun 27, 2009 3:20 am


Re: please please help....

Postby sc123 » Sun Jun 28, 2009 9:47 am

Try running a full scan in Windows' Safe Mode.

http://www.avg.com/faq.num-1145?srch=safe|mode#faq_1145
Regards,
SC123 - Founder, http://www.AVGForums.com
-------------------------------------------------------
Complete uninstall/reinstall method | Other tools to try | Search the forums!
sc123
Forum Administrator
 
Posts: 2095
Joined: Tue Jul 24, 2007 3:50 pm
Location: Virginia, USA

Re: please please help....

Postby rahul19ie » Tue Jun 30, 2009 8:33 am

many many thanks sc123 :)
Thanks for your most valuable reply

As I didn't have that much time there,
I had to go for quick scans without safe mode,
getting "no infection found"

but now when....
every time that happened, disconnecting/blocking online data a
couple of minutes after restart

I went for safe mode as you recommended :)

and found this result:-

(gosh...hoping this time, I'll not be disconnected by those nasty Trojans)

C:\Documents and Settings\kk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\kk\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\kk\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\kk\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\Program Files\GRETECH\GomPlayer\Dodge.dll Runtime packed fsg
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\autorun.inf Virus found Worm/AutoRun Object was moved to Virus Vault.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 121880
Found infections : 1
Found PUPs : 0
Healed infections : 1
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------


AVG IS THE BEST :D
rahul19ie
AVG Wannabee
 
Posts: 8
Joined: Sat Jun 27, 2009 3:20 am

Re: please please help....

Postby rahul19ie » Wed Jul 01, 2009 1:58 am

oh....my...

the problem still exists

so...
what should I do :(

please..
rahul19ie
AVG Wannabee
 
Posts: 8
Joined: Sat Jun 27, 2009 3:20 am

Re: please please help....

Postby sc123 » Thu Jul 02, 2009 9:33 am

Try running a full scan with MBAM: http://www.malwarebytes.org/mbam.php
Regards,
SC123 - Founder, http://www.AVGForums.com
-------------------------------------------------------
Complete uninstall/reinstall method | Other tools to try | Search the forums!
sc123
Forum Administrator
 
Posts: 2095
Joined: Tue Jul 24, 2007 3:50 pm
Location: Virginia, USA

Re: please please help....

Postby rahul19ie » Sat Jul 04, 2009 3:29 am

Hi again :)

so after scanning with Mbam

and then selecting "Remove all infections"

& then rebooting

got this Windows Error Message:
titled as "Data Execution Prevention"
To help protect your PC,
Windows has closed this program
Name: "Generic Host For win32 services"

and after the message was closed,
it again popped up & just couldn't be closed...

there I was so scared that I went for
Windows "System Restore" with a restore point just a day back
undoing Mbam changes
wasn't able to restore at previous points

Result shown by Mbam was

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus (Worm.Brontok) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus (Worm.Brontok) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\csrcs (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe csrcs.exe) Good: (Explorer.exe) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> No action taken.

Files Infected:
c:\RECYCLER\s-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\vcmgcd32.dl_ (Virus.Sality) -> No action taken

Please Please Help
rahul19ie
AVG Wannabee
 
Posts: 8
Joined: Sat Jun 27, 2009 3:20 am
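The MBAM results above list the registry persistence points this infection used (the Winlogon Shell value, the Run keys, Policies\Explorer\Run, the Security Center DisableNotify flags, NoFolderOptions) together with the "Good:" value for each. The PowerShell script below is an added example written for this thread, not code from the forum, from AVG or from Malwarebytes: it reads those same keys, reports any that still differ from the value the log calls good, and lists every Run-key entry so an unfamiliar name like csrcs, Bron-Spizaetus or Tok-Cirrhatus can be spotted by eye after a cleanup or a System Restore. It assumes PowerShell is installed on the machine (on Windows XP it was an optional download), that it is run from an elevated prompt, and it changes nothing.

```powershell
# Added example (not from the thread): read-only audit of the registry
# locations the MBAM log flagged, compared to the "Good:" values it listed.

# Each entry: registry path, value name, and the value the log called good.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name = 'Shell';                  Good = 'Explorer.exe' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoFolderOptions';        Good = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                            Name = 'AntiVirusDisableNotify'; Good = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                            Name = 'FirewallDisableNotify';  Good = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                            Name = 'UpdatesDisableNotify';   Good = 0 }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing NoFolderOptions / *DisableNotify value is the Windows default
        # and is fine; a missing Winlogon Shell value is not normal and is flagged.
        $actual = '<not set>'
        $ok = ($c.Name -ne 'Shell')
    } else {
        $actual = $item.($c.Name)
        $ok = ($actual -eq $c.Good)   # -eq is case-insensitive, so 'explorer.exe' passes
    }
    $status = if ($ok) { 'OK' } else { 'CHECK' }
    '{0,-6} {1}\{2} = {3} (expected {4})' -f $status, $c.Path, $c.Name, $actual, $c.Good
}

# Autostart locations from the log. Every value is listed rather than judged,
# because legitimate software also uses these keys; review the names by hand.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    # Drop the PSPath/PSParentPath/... bookkeeping properties so only real values remain.
    $props = Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS*
    foreach ($p in $props.PSObject.Properties) {
        '{0,-6} {1}\{2} = {3}' -f 'LIST', $k, $p.Name, $p.Value
    }
}
```

A line marked CHECK after a cleanup means the persistence entry survived or was re-created, which is the pattern this thread describes (the infection returning after each AVG scan and reboot); re-running the script after the boot-CD scan sc123 recommends below shows whether the entries are actually gone.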

Re: please please help....

Postby sc123 » Mon Jul 06, 2009 2:40 pm

You need to perform a low level scan of your system using a boot CD. I suggest the G DATA Boot CD, found here:

http://www.gdata-software.com/support/d ... tools.html

Download it and burn the image to a CD, then boot from it and allow it to update and run a complete scan. Hopefully that will remove the threats. You can also try the Avira Rescue CD which is a little easier to use:

http://www.free-av.com/en/products/12/a ... ystem.html
Regards,
SC123 - Founder, http://www.AVGForums.com
-------------------------------------------------------
Complete uninstall/reinstall method | Other tools to try | Search the forums!
sc123
Forum Administrator
 
Posts: 2095
Joined: Tue Jul 24, 2007 3:50 pm
Location: Virginia, USA

Re: please please help....

Postby rahul19ie » Tue Jul 07, 2009 2:52 am

Thank you Admin :)
I'll certainly give it a try
THANKS FOR THE VALUABLE SUPPORT
rahul19ie
AVG Wannabee
 
Posts: 8
Joined: Sat Jun 27, 2009 3:20 am
