Old 08-06-2006, 11:20 PM   #8 (permalink)
pt49
Registered User
 
Join Date: Aug 2006
Location: Australia
Posts: 22
OS: XP


BL log

I ran Gmer, right-clicked on the file mssync2020 highlighted in red and deleted it. Then rebooted and ran Blacklight... the resulting log is below.

When I rebooted, AVG told me "Virus detected" ... Trojan Horse PSW.Agent.CCI. It could not be moved to the Virus Vault, nor healed or removed.

Blacklight Log:

08/07/06 14:52:05 [Info]: BlackLight Engine 1.0.42 initialized
08/07/06 14:52:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/07/06 14:52:10 [Note]: 7019 4
08/07/06 14:52:10 [Note]: 7005 0
08/07/06 14:52:16 [Note]: 7006 0
08/07/06 14:52:16 [Note]: 7011 2040
08/07/06 14:52:16 [Note]: 7026 0
08/07/06 14:52:17 [Note]: 7026 0
08/07/06 14:52:27 [Note]: FSRAW library version 1.7.1019
08/07/06 15:05:18 [Note]: 7007 0


~~~~~~~~~~~~~~~~~~~~~~~

After running Blacklight, I rebooted again and ran Gmer again. Still got the AVG virus detected alert.

Gmer Log:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-08-07 15:13:51
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [B2EE8230] vsdatant.sys

---- EOF - GMER 1.0.10 ----
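An added triage helper for the GMER output above (my code, not from the thread or from GMER itself): it parses the "Devices" section, splits IRP names that the forum extraction fused together on one line (e.g. IRP_MJ_CLOSEIRP_MJ_READ), groups the hooks by the module they resolve to, and reports any module hooking the TCP/IP stack that is not on an allow-list of drivers the analyst expects (here the firewall and antivirus drivers named in the log). The allow-list is an assumption, and the sample lines are constructed from the post's values.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of GMER's "Devices" section (values copied from
# the post above); line two shows IRP names fused by the forum extraction.
SAMPLE_LOG = r"""---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B2EE8230] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F7DAE85A] avgtdi.sys

---- EOF - GMER 1.0.10 ----
"""

# Device <driver object> <device object> <IRP major(s)> [<hook address>] <module>
DEVICE_RE = re.compile(
    r"^Device\s+(\S+)\s+(\S+)\s+(IRP_MJ_\S+)\s+\[([0-9A-Fa-f]+)\]\s+(\S+)$")
# Splits "IRP_MJ_CLOSEIRP_MJ_READ" back into two names; single names pass through.
IRP_RE = re.compile(r"IRP_MJ_[A-Z_]+?(?=IRP_MJ_|$)")


def parse_devices(text):
    """Return one record per (device object, IRP major) hook found in the log."""
    records = []
    for line in text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines and the EOF marker
        driver_obj, device, majors, addr, module = m.groups()
        for major in IRP_RE.findall(majors):
            records.append({"driver_object": driver_obj, "device": device,
                            "major": major, "address": addr.upper(),
                            "module": module.lower()})
    return records


def hooks_by_module(records):
    """Module -> set of (device, IRP major) pairs it hooks: the triage view."""
    by_module = defaultdict(set)
    for r in records:
        by_module[r["module"]].add((r["device"], r["major"]))
    return dict(by_module)


def unexpected_modules(records, known_modules):
    """Modules hooking the TCP/IP stack that are not on the analyst's allow-list."""
    known = {m.lower() for m in known_modules}
    return sorted({r["module"] for r in records} - known)
```

Any module that shows up in `unexpected_modules` with hooks on `\Device\Tcp` or `\Device\Udp` is the one to look up by hook address and file path before deciding anything about it.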