| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 71988 | 2006-08-24 20:40:00 | New computer is infected | anderson3250 (11038) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 480562 | 2006-08-24 20:40:00 | I just got a new laptop, and now it is infected with a trojan downloader, Agent.FBG . I tried looking online for a fix, but nothing has helped. AVG Free will delete the viruses, but on reboot they are back. I have tried Norton, AVG, Avast, A Squared, Adaware, and others. Anyone ever seen this before? And were you able to fix it? Thanks. | anderson3250 (11038) | ||
| 480563 | 2006-08-24 21:59:00 | Turn off system restore and run the antivirus program offline in safe mode. | EX-WESTY (221) | ||
| 480564 | 2006-08-24 23:45:00 | I tried doing that. I have been able to delete the detectable viruses, but there is one that is making them that doesnt show up with anything. The System restore didnt even have time to make a second screenshot of the system anyway. Thanks for the reply though. | anderson3250 (11038) | ||
| 480565 | 2006-08-25 00:29:00 | Hello anderson3250 Welcome to PressF1 :) What OS do you have?, I guess its Win XP home correct? Have you got a firewall installed? Do you know if the laptop has SP2 installed? |
stu161204 (123) | ||
| 480566 | 2006-08-25 01:09:00 | It has Win XP Media Center Edition with SP2 and I have been updating as well. I am using Norton, but I may change soon if its the weak link. | anderson3250 (11038) | ||
| 480567 | 2006-08-25 02:36:00 | I'd suggest you download and run Hijackthis (www.merijn.org), this program lists all visible startup processes so it should allow identification of how reinfection is taking place. There are a lot of resources available to help you understand the output, but if you want assistance going through it you can post or PM it. Malware naming is not consistent among AV vendors, so your problem probably has another name but we don't know what it is yet. |
silvero (11011) | ||
| 480568 | 2006-08-25 03:15:00 | I use Firefox and I started blocking Internet Explorer from connecting online when I noticed the infection. Here is the log: Logfile of HijackThis v1.99.1 Scan saved at 9:07:58 PM, on 8/24/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe c:\Program Files\Common Files\Symantec Shared\ccProxy.exe c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE C:\Program Files\Mozilla Firefox\firefox.exe c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\Josh\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ie.redirect.hp.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ie.redirect.hp.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ie.redirect.hp.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://support.cox.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe |
anderson3250 (11038) | ||
| 480569 | 2006-08-25 04:18:00 | OK your hijackthis log appears clean, the only issues being both NAV and AVG running at the same time, not advisable but probably nothing to do with this problem, you should also check that you are running the latest version of java runtime. Next: Could you look at the AVG log and find the full path and filename of the infected file(s) and advise? This may lead to the problem. Also, did NAV pick up on this problem at all? If so, please advise virus name and filename/path. |
silvero (11011) | ||
| 480570 | 2006-08-25 12:59:00 | Both of my scanners picked it up as Agent.FBG, but whatever is making the files reproduce is not being detected. The path is ~~~ C:\Documents and Settings\Josh\Local Settings\Temp ~~~ I tried manual deletion of the files. |
anderson3250 (11038) | ||
| 480571 | 2006-08-25 15:28:00 | OK you can try using a specialist file deletion program to kill your temp directories and see if this helps . Download Killbox ( . bleepingcomputer . com/spyware/KillBox . zip" target="_blank">download . bleepingcomputer . com), close all applications and run the program . Click on tools->delete temp files, you will get a dialog box with temp file locations and a drop-down box where you can select a user . For each user, make sure Temporary Internet Files, Temp Files and XP Prefetch are checked, if you want to clean the other stuff you can check the boxes also & press delete selected temp files . The All Users profile will only allow you to check XP prefetch, that's OK . After you are finished, you can have a look if you like to check that the nasties have in fact been deleted . Reboot and check with your AV program to see if you have a recurrence . If there is a recurrence exactly the same, I would next make sure there isn't a hidden registry entry or file causing the recurrence . Download Rootkit Revealer ( . sysinternals . com/Files/RootkitRevealer . zip" target="_blank">download . sysinternals . com), close all programs and run it . It is important to not use your computer while RR is running, otherwise there will be spurious entries . When it's finished press file->save to get a . txt of the log file . The log is not a list of nasties, but a list of discrepancies between what is visible and what is actually in your registry and on your hard drive, exposing anything hidden . If you post the log I'll help you to find out if there is anything in it that is causing this . |
silvero (11011) | ||
| 1 2 3 | |||||