Help with Trojan:win32/AgentBypass.gen!G

[Jo-Diaz02]

Hello again chemist. The PC is a dell dimension and my dumb sister was using it during a thunder storm on the morning of wednesday. Later that same day I tried to turn it on but the power light just stayed still and orange in color instead of the usually green light. It happened before with the same conditions, I think the greater problem here is leteing her near my PC, LOL! :-) And thanks for the reply, I have read the post you mention but it says that there are no spaces left, or so I understood. Do you know how often are they receiving applications (I hope I'm using the correct word here)?

[chemist]

Sorry, JoDiaz02. Just keep looking in, it will soon change.

[Jo-Diaz02]

Hello chemist, I was wondering, should I remove the ATF cleaner from my dektop as well as the reports from the scanners and combofix?

[chemist]

Hello again, Jo-Diaz02.

Quote:

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

I might keep ATF-Cleaner to periodically clean out temp folders and caches.

[Jo-Diaz02]

Hello and good day, chemist! I have noticed something wierd with my external Hard Drive. It was seemingly clean when we were working with my USB devices and my PC, the external Hard drive was not used since then and today I heard my sister complaining of some slow performance on my PC so I decided to scan it using the Kaspersky On'line scenner link you provided earlier(thanks by the way) and the scan found that my PC is indeed clean but my external HDD is infected somehow!

Here is the log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, August 1, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, August 01, 2009 17:51:24
Records in database: 2570668
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 109963
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:49:26


File name / Threat name / Threats count
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP297\A0072467.inf Infected: P2P-Worm.Win32.Palevo.hns 1
E:\RECYCLER32\dmgr.exe Infected: P2P-Worm.Win32.Palevo.ann 1
E:\autorun.inf Infected: P2P-Worm.Win32.Palevo.hns 1

The selected area was scanned.

Is there anything else we can try to get rid of this infection?

[chemist]

Hello again, Jo-Diaz02. Your external drive, E:, was clean 2 weeks ago when you ran Kaspersky the first time.

Quote:

but my external HDD is infected somehow!

I think you already know how:

Quote:

My older brother says that he downloaded a keygen

Quote:

my dumb sister was using it during a thunder storm

Quote:

I think the greater problem here is leteing her near my PC, LOL! :-)

Quote:

today I heard my sister complaining of some slow performance on my PC

Someone is not practicing safe internet surfing/downloading habits. Notice it is a P2P worm. Has someone installed any P2P software on your machine?

------------------------------------------------------

Ensure your external hard drive is connected for the rest of these fixes.

System Volume Information is your System Restore cache. We need to flush that cache on your external E: drive.

• Go to Start >> Run then copy/paste SYSDM.CPL into the Run box and click 'OK'.
• Select the 'System Restore Tab'.
• Left-click your E: drive then click 'Settings'.
• Tick on the checkbox - 'Turn off System Restore on this drive'
• Click 'Apply'.
• Then untick the same checkbox and click 'OK'.

This will flush out older, possibly infected System Restore Points and create one fresh, clean System Restore Point.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"E:\RECYCLER32\dmgr.exe"
"E:\autorun.inf"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------

Download Flash_Disinfector.exe and Save it to your Desktop.

• Close any open browsers.
• Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
• The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up all those drives.
• Wait until it has finished scanning and then exit the program.
• Reboot your computer when done.

------------------------------------------------------

If you want, you can run Kaspersky again, but this time configure it to only scan your E: drive, so it won't take so long.

------------------------------------------------------

[Jo-Diaz02]

Hello again, chemist! You might be right about un'safe net surfing... but as far as I know there are no P2P programs installed because I´m the only administrator of this PC and I think any program needs my authorization to install,I think. Can it be possible that the PC catch that kind of malware by opening a link pasted in a forum dedicated to download music? I think my sister did tried to down load a song a few days back.I did paste the comand you supplied on the run box and selected the System Restore.Then I selected the external hard drive and clicked settings. After I check the "Turn off system restore on this drive" box the only buttons present at the window, are OK and Cancel. As you posted that I am to click on apply and it is not present, I want to ask you waht should I do then? Shoul I click on OK and then re-open the settings andun-check the box, click OK again?

[chemist]

Hello again, Jo-Diaz02.

Quote:

Can it be possible that the PC catch that kind of malware by opening a link pasted in a forum dedicated to download music?

Yes, I believe so.

Quote:

Shoul I click on OK and then re-open the settings andun-check the box, click OK again?

Yes, sorry about that. Click on 'OK'.

[Jo-Diaz02]

Hello, chemist. I did it and it says "Succesfully deleted" press any key to cont. Now I will down load the flash disinfector and will reply as soon as I can. Good day!

[Jo-Diaz02]

Hello, Chemist. I ran the flash disinfector and reboot as you said, but I repeated the process with an another Flash Drive inserted. When the PC was re'starting, I saw a light blue colored screen and said the drive G is ¨dirty¨ I ran Kaspersky Online scan again for the G drive(1G flash memory) and another for the external HD. They are posted below.

The new report for the External Hard drive:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, August 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, August 02, 2009 22:11:49
Records in database: 2575765
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
E:\

Scan statistics:
Files scanned: 4918
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:15:04


File name / Threat name / Threats count
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0076606.exe Infected: P2P-Worm.Win32.Palevo.ann 1
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP328\A0076607.inf Infected: P2P-Worm.Win32.Palevo.hns 1

The selected area was scanned.


The report for the 1GB Flash memory is:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, August 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, August 02, 2009 22:11:49
Records in database: 2575765
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
G:\

Scan statistics:
Files scanned: 705
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:02:10


File name / Threat name / Threats count
G:\RECYCLER32\dmgr.exe Infected: P2P-Worm.Win32.Palevo.ann 1

The selected area was scanned.


What should I do?

[chemist]

Hello again, Jo-Diaz02. System Volume Information is really nothing to worry about, like I said it is only System Restore's cache. As long as you don't restore to that point, it can do no harm. However, when you turned System Restore off and on again, it should have removed all previous restore points. I don't know what happened. Let's try it again:

Ensure your E: drive is connected.

• Go to Start >> Run then copy/paste SYSDM.CPL into the Run box and click 'OK'.
• Select the 'System Restore Tab'.
• Left-click your E: drive then click 'Settings'.
• Tick on the checkbox - 'Turn off System Restore on this drive'
• Click 'OK'.
• Then untick the same checkbox and click 'OK'.

This will flush out older, possibly infected System Restore Points and create one fresh, clean System Restore Point.

------------------------------------------------------

Ensure your G: drive is inserted.

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c rd /s/q "G:\RECYCLER32"

A DOS window will open and close again, this is normal.

------------------------------------------------------

Please scan those drives again with Kaspersky.

------------------------------------------------------

[Jo-Diaz02]

Hello chemist, I don´t know exactly what happened either but I an tell you exactly what I did. I deleted the restore cache in the external HD, I ran Flash disinfector with drives E(external HD) and H:,F(the 4GB flash memory), executed the fix.batch and seeing the 4GB flash memory was clean, I unplugged it and plugged the 1 GB one but left the external HD plugged. Then I scanned the two drives (E and G) with the Kasperky On line scanner. Now I unplugged the 1 GB flash memory and plugged the 4 GB one to scan it again with fear that the flash memory(drive H:,F) had been infected and my fears came true! The scan showed a new infection in a previously clean flash memory. I suppose that the USB devices are getting the infections from the usb ports since the PC appears clean in the scan the last time I ran it ( yesterday, in the same scan that detected the infections in my external Hard drive). I beleive that every time I plug a device in the USB ports, it will get infected, I don't know, Am I carrect, chemist? If so, I should run a scan on all devices that had been plugged to the USB ports during the time from the detection of the infction untill now, Right? I will wait for your guidance on this, Thanks in advance!

[chemist]

Run Flash_Disinfector.exe again, and as many times as needed to cover all your drives.

Scan your computer and all drives again with Kaspersky.

------------------------------------------------------

[Jo-Diaz02]

Hello, Chemist! Sorry for my delay, it was due to an accident with my cable connection, the cable got damaged and I had to wait until today for the cable guy to come, sorry. Anyways, I did as you said but when I tried to run an online scan with Kaspersky, I get a message stating that it ¨failed to update, close the Kaspersky on-line scanner window and re-open it. You must be online to use the scan. ERROE: key expired" What can I do? Thanks in advance, have a nice weekend!

[chemist]

Hello again, Jo-Diaz02. Usually, if you try Kaspersky again, it will work. If not, try one of these...

Ensure your external and/or USB drives are inserted during the scan.

Go here to run an online scannner from ESET and Save the file to your Desktop.

• If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it.
• Turn off the real-time scanner of any existing antivirus program while performing the online scan.
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the ActiveX control to install.
• Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish.
• Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Copy/paste that log as a reply to this topic and also let me know how things are now.

------------------------------------------------------

If you have trouble with your computer blocking the ActiveX, go here and temporarily turn the feature off:

http://www.windowsreference.com/inte...the-publisher/

Remember to turn it back on after the scan!

------------------------------------------------------
------------------------------------------------------

Ensure your external and/or USB drives are inserted during the scan.

Perform an online scan with Panda ActiveScan

• Click on Scan Your PC Now
• A "pop up" window will appear, or a new tab will open.
• Click on Register
• Choose the option you like most, but we recommend the Free Registration.
• Click on Register
• Enter your e-mail address, and create a password.
• Select "I do not want to receive any type of information" (unless you want to receive such information)
• Click on Send
• Confirm registration, and continue by entering your user name and password, then click on Enter
• Select Full Scan, then Click on Scan Now
• Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
• If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
• Please ignore the offer to buy the program. Click on Export to
  
• Export the log and Save it to your Desktop.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Please post the contents of that log in your next reply.

**Note**
To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

------------------------------------------------------

[Jo-Diaz02]

Hello, chemist.I´m taking a little time to post because I´m awaiting the response from the people at sun microsystems about the problem with the Kaspersky online scanner. It´s my concern because I wrote to kaspersky and they told me it could have been a recent Java update that coincides with the first time I experienced the problem. But I will post as soon as I get word from them. Have a nice weekend!

[Jo-Diaz02]

Hello chemist,good day! Sorry for the late post, I was waiting for a response from sun microsystems about the problem with the Kaspersky online scan but even though they are still to respond, I tried it again and it worked but it was in another language. Then I had to wait for a fe days checking many times each day until the window opened in english. Then I scanned my PC, external HDD, Cam and flash drives with both, the kaspersky scanner and Panda active scan. The camera and one flash memory were cleaned using the active scan. But Panda active scan don't detect the virus in my other USB devices. Only the Kaspersky online scan recognize them, and it says there is a worm in the DVDFab program folder. It seems as if their virus database was updated with the definitions for this worm recently since the scan had not found the worm earlier and all of these USB devices had not being in use since they were cleaned until a few days back when I noticed the location of the worm was the same file in all the devices.

The report for the external HDD is below:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, August 20, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, August 20, 2009 21:53:08
Records in database: 2667216
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Folder:
E:\

Scan statistics:
Objects scanned: 4914
Threats found: 1
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 00:15:38


File name / Threat / Threats count
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP337\A0077614.exe Infected: Trojan.Win32.Agent.cucn 1
E:\Recycled\De1\DVDFabPlatinum.exe Infected: Trojan.Win32.Agent.cucn 1
E:\Jo'Diaz\DVDFab Platinum 4\DVDFabPlatinum.exe Infected: Trojan.Win32.Agent.cucn 1

Selected area has been scanned.

The report for the PC is :

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, August 21, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, August 21, 2009 08:59:45
Records in database: 2669597
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 111264
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:51:59


File name / Threat / Threats count
C:\Documents and Settings\Jorge Díaz\My Documents\DVDFab Platinum 4\DVDFabPlatinum.exe Infected: Trojan.Win32.Agent.cucn 1

Selected area has been scanned.


And the report for the flash memory:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 19, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 19, 2009 23:17:50
Records in database: 2664005
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - Folder:
H:\

Scan statistics:
Objects scanned: 395
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 00:01:16


File name / Threat / Threats count
H:\Documents\DVDFab Platinum 4\DVDFabPlatinum.exe Infected: Trojan.Win32.Agent.cucn 1

Selected area has been scanned.


That DVD fab was copied from a laptop of a neighbor, and he said his copy was legal so I copied the folder to my flash drive, then to my pc and when I needed to back up my files to start the disinfection(remember when we started this thread? that's when I backed it up) it got to my external HDD. Should I delete the DVDFabplatinum? Or is there a way to clean it? Thanks in advance! And I know it's friday and I don't want to be bothersome, ther's no hurry. Enjoy your weekend and then reply when ever you can :-) thanks again!

[chemist]

Hello again, Jo-Diaz02. Those must be deleted. I would just delete all the DVDFab Platinum 4 folders.

If you delete that executable, the rest of the files won't be of any use.

Also delete this file:

E:\Recycled\De1\DVDFabPlatinum.exe

------------------------------------------------------

System Volume Information is where Windows keeps old system restore points. You have System Restore enabled on your E: drive. We need to flush that cache.

• Go to Start >> Run then copy/paste SYSDM.CPL into the Run box and click 'OK'.
• Select the 'System Restore Tab'.
• Left-click your E: drive then click 'Settings'.
• Tick on the checkbox - 'Turn off System Restore on this drive'
• Click 'OK'.
• Then untick the same checkbox and click 'OK'.

This will flush out older, possibly infected System Restore Points and create one fresh, clean System Restore Point.

------------------------------------------------------

[chemist]

Still with us, Jo-Diaz02? Can we mark this thread as resolved?

[Jo-Diaz02]

Hey chemist sorry for my delay:-). I did as you said, thanks. I would like to download some files but I want to know what you think. Should I download the files and then scan them to be sure that they are ok? or should I just keep away from thos downloads?