WiredWX Christian Hobby Weather Tools

Re: Trojan.Agent
Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

[image: AswMBR_Scan]

Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

[image: AswMBR_SaveLog]

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.

Re: Trojan.Agent

It is asking me if I want to download Avast Antivirus to get better detection results. Should I do it? Keep in mind that I was not able to disable Norton.

Thanks for your help so far.

Re: Trojan.Agent

musicabonita wrote:
It is asking me if I want to download Avast Antivirus to get better detection results. Should I do it?

That is normal.

Re: Trojan.Agent
Yeah I finally got something to work! Here is my log from the scan I ran on aswMBR:

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-03 22:13:37
-----------------------------
22:13:37.613 OS Version: Windows x64 6.1.7601 Service Pack 1
22:13:37.613 Number of processors: 2 586 0x2502
22:13:37.613 ComputerName: MUSICABONITA-PC UserName: musicabonita
22:13:40.716 Initialize success
17:25:08.256 AVAST engine defs: 12020401
17:26:21.946 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:26:21.946 Disk 0 Vendor: WDC_WD25 01.0 Size: 238475MB BusType: 3
17:26:21.946 Device \Driver\iaStor -> MajorFunction fffffa80034a65c4
17:26:21.946 Disk 0 MBR read successfully
17:26:21.956 Disk 0 MBR scan
17:26:21.966 Disk 0 Windows VISTA default MBR code
17:26:21.966 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13000 MB offset 2048
17:26:21.986 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 26626048
17:26:21.996 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 225373 MB offset 26830848
17:26:22.026 Service scanning
17:26:24.066 Modules scanning
17:26:24.066 Disk 0 trace - called modules:
17:26:24.076 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80034a65c4]<<
17:26:24.116 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80030b8060]
17:26:24.116 3 CLASSPNP.SYS[fffff88001dc443f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8002ed5050]
17:26:24.146 \Driver\iaStor[0xfffffa80033ed2f0] -> IRP_MJ_CREATE -> 0xfffffa80034a65c4
17:26:24.966 AVAST engine scan C:\Windows
17:26:30.056 AVAST engine scan C:\Windows\system32
17:28:41.657 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
17:28:45.807 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
17:30:16.347 AVAST engine scan C:\Windows\system32\drivers
17:30:31.147 AVAST engine scan C:\Users\musicabonita
17:43:27.268 AVAST engine scan C:\ProgramData
17:46:45.268 Scan finished successfully
17:47:35.108 Disk 0 MBR has been saved successfully to "C:\Users\musicabonita\Desktop\MBR.dat"
17:47:35.118 The log file has been saved successfully to "C:\Users\musicabonita\Desktop\aswMBR.txt"
17:47:44.688 Disk 0 MBR has been saved successfully to "C:\Users\musicabonita\Documents\MBR.dat"
17:47:44.718 The log file has been saved successfully to "C:\Users\musicabonita\Documents\aswMBR.txt"
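As an added example (not code from the thread or from aswMBR), a small Python triage script that pulls out of an aswMBR log of the format above the items a helper reviews before acting on "Rootkit" entries: the **INFECTED** detections and their tags, the >>UNKNOWN<< dispatch address and the IRP_MJ_* hooks pointing at it, and the MBR code and partition table. The sample log is constructed from lines of the log posted above.

```python
# Added example (not the thread's or aswMBR's code): pull out of an aswMBR log the
# items reviewed before acting on "Rootkit" entries: **INFECTED** files with their
# tag ([Drp] dropper / [Rtk] rootkit), >>UNKNOWN<< dispatch addresses that no loaded
# module owns plus the IRP_MJ_* hooks pointing at them, and the MBR code description
# and partition table. SAMPLE_LOG is constructed from lines of the log posted above.
import re

SAMPLE_LOG = """\
17:26:21.966 Disk 0 Windows VISTA default MBR code
17:26:21.966 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13000 MB offset 2048
17:26:21.986 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 26626048
17:26:21.996 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 225373 MB offset 26830848
17:26:24.076 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xfffffa80034a65c4]<<
17:26:24.146 \\Driver\\iaStor[0xfffffa80033ed2f0] -> IRP_MJ_CREATE -> 0xfffffa80034a65c4
17:28:41.657 File: C:\\Windows\\assembly\\GAC_32\\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
17:28:45.807 File: C:\\Windows\\assembly\\GAC_64\\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
"""

INFECTED_RE = re.compile(r"File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+) \[(?P<tag>\w+)\]")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-f]+)\]<<")
HOOK_RE = re.compile(r"(?P<drv>\\Driver\\\S+?)\[0x[0-9a-f]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<target>0x[0-9a-f]+)")
MBR_RE = re.compile(r"Disk \d+ (?P<code>.+ MBR code)")
PART_RE = re.compile(r"Partition (?P<num>\d+) (?P<flag>[0-9A-F]{2}) (?:\(A\) )?(?P<type>[0-9A-F]{2}) "
                     r"(?P<desc>.+?) (?P<size>\d+) MB offset (?P<off>\d+)")

def parse_aswmbr(text):
    """Walk the log line by line; each regex fires only on the line kind it describes."""
    t = {"infected": [], "unknown": set(), "hooks": [], "partitions": [], "mbr_code": ""}
    for line in text.splitlines():
        if m := INFECTED_RE.search(line):
            t["infected"].append((m["path"], m["name"], m["tag"]))
        elif m := UNKNOWN_RE.search(line):
            t["unknown"].add(m["addr"])
        elif m := HOOK_RE.search(line):
            t["hooks"].append((m["drv"], m["irp"], m["target"]))
        elif m := MBR_RE.search(line):
            t["mbr_code"] = m["code"]
        elif m := PART_RE.search(line):  # (num, bootable, type, description, size MB, offset)
            t["partitions"].append((int(m["num"]), m["flag"] == "80", m["type"],
                                    m["desc"], int(m["size"]), int(m["off"])))
    return t

def summarize(t):
    """Cross-reference: an IRP_MJ_* hook whose target is an >>UNKNOWN<< address is the
    strongest sign of a disk-stack hook; [Rtk]-tagged detections corroborate it."""
    hooked = [h for h in t["hooks"] if h[2] in t["unknown"]]
    default_mbr = t["mbr_code"].endswith("default MBR code")
    return {
        "infected": len(t["infected"]),
        "rootkit_tagged": sum(1 for i in t["infected"] if i[2] == "Rtk"),
        "irp_hooks_to_unknown": len(hooked),
        "default_mbr_code": default_mbr,
        "bootable_partitions": [p[0] for p in t["partitions"] if p[1]],
        "needs_review": bool(hooked) or not default_mbr,
    }

if __name__ == "__main__":
    for key, value in summarize(parse_aswmbr(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the posted log the summary flags one IRP_MJ_CREATE hook landing on the unknown address and one [Rtk]-tagged detection, which is exactly why the helper asks to see the log before any entry is acted on.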


Re: Trojan.Agent

Download BlueScreenView to your desktop.
BlueScreenView
Unzip the downloaded file and double click on BlueScreenView.exe to run the program.
When scanning is done, go to EDIT - Select All.
Go to FILE - Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.
*******************************************************
Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications.html) for a tutorial regarding how to do so if you are unsure.

  • Close any open windows and double click PCHelpForum.exe to run it.

    You will see the following image:

[image: NSIS_disclaimer_ENG]

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

[image: NSIS_extraction]

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

[image: RcAuto1]

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: Whatnext]

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Re: Trojan.Agent
So keeping in mind that I am not able to disable my antivirus, you still want me to download and run combofix?

Re: Trojan.Agent
musicabonita wrote:
So keeping in mind that I am not able to disable my antivirus, you still want me to download and run combofix?

Yes, please.

Re: Trojan.Agent

Okay, this is what I got from BlueScreenView:
020312-45318-01.dmp 2/3/2012 6:15:30 PM IRQL_NOT_LESS_OR_EQUAL 0x0000000a 00000180`00000408 00000000`00000002 00000000`00000001 fffff800`0309ed5b ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\020312-45318-01.dmp 2 15 7601 277,336
020312-45692-01.dmp 2/3/2012 5:52:58 PM KMODE_EXCEPTION_NOT_HANDLED 0x0000001e ffffffff`c0000005 fffff800`03065f6b 00000000`00000000 00000000`7efa0000 ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\020312-45692-01.dmp 2 15 7601 277,392
020312-60543-01.dmp 2/3/2012 6:30:41 AM KMODE_EXCEPTION_NOT_HANDLED 0x0000001e ffffffff`c0000005 fffff800`030b8f6b 00000000`00000000 00000000`7efa0000 ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\020312-60543-01.dmp 2 15 7601 277,392
020312-91712-01.dmp 2/3/2012 6:05:04 AM KMODE_EXCEPTION_NOT_HANDLED 0x0000001e ffffffff`c0000005 fffff800`03064f6b 00000000`00000000 00000000`7efa0000 ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\020312-91712-01.dmp 2 15 7601 277,392
013012-41106-01.dmp 1/30/2012 8:21:55 PM KMODE_EXCEPTION_NOT_HANDLED 0x0000001e ffffffff`c0000005 fffff800`03375a9a 00000000`00000001 00000000`00000018 ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\013012-41106-01.dmp 2 15 7601 277,392
013012-45521-01.dmp 1/30/2012 7:10:36 PM SYSTEM_THREAD_EXCEPTION_NOT_HANDLED 0x1000007e ffffffff`c000001d fffffa80`06f0b012 fffff880`0858ca68 fffff880`0858c2c0 volsnap.sys volsnap.sys+2df4 x64 C:\Windows\Minidump\013012-45521-01.dmp 2 15 7601 277,392
013012-47783-01.dmp 1/30/2012 6:42:06 PM IRQL_NOT_LESS_OR_EQUAL 0x0000000a fffff8a0`032620e1 00000000`00000002 00000000`00000001 fffff800`030faab5 ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\013012-47783-01.dmp 2 15 7601 277,392
013012-48251-01.dmp 1/30/2012 5:01:33 PM KMODE_EXCEPTION_NOT_HANDLED 0x0000001e ffffffff`c0000005 fffff800`0305ef6b 00000000`00000000 00000000`7efa0000 ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\013012-48251-01.dmp 2 15 7601 277,392
012912-41231-01.dmp 1/29/2012 11:33:17 PM DRIVER_CORRUPTED_EXPOOL 0x000000c5 00000000`00000008 00000000`00000002 00000000`00000000 fffff800`031c8a9b ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\012912-41231-01.dmp 2 15 7601 277,392
012912-29983-01.dmp 1/29/2012 8:49:42 PM KMODE_EXCEPTION_NOT_HANDLED 0x0000001e ffffffff`c0000005 fffff800`03079f6b 00000000`00000000 00000000`7efa0000 ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\012912-29983-01.dmp 2 15 7601 277,336
012912-38235-01.dmp 1/29/2012 8:33:29 PM KMODE_EXCEPTION_NOT_HANDLED 0x0000001e ffffffff`c0000005 fffff800`0307af6b 00000000`00000000 00000000`7efa0000 ntoskrnl.exe ntoskrnl.exe+7cc40 NT Kernel & System Microsoft® Windows® Operating System Microsoft Corporation 6.1.7601.17640 (win7sp1_gdr.110622-1506) x64 ntoskrnl.exe+7cc40 C:\Windows\Minidump\012912-38235-01.dmp 2 15 7601 277,336

I'm about to do combofix again.

Re: Trojan.Agent

I did ComboFix and changed the name and everything. It ran and then all of a sudden I got the BSOD, and when I restarted the computer in safe mode I couldn't find the txt file. Now what?

Re: Trojan.Agent
Please do this even if you don't have your OS disk. Please let me know what happens.

1/ Click the Start button.

2/ From the Start Menu, Click All programs followed by Accessories.

3/ In the Accessories menu, Right Click on the Command Prompt option.

4/ From the drop down menu that appears, Click on the Run as administrator option.

5/ If you have the User Account Control (UAC) enabled you will be asked for authorisation prior to the command prompt opening. You may simply need to press the Continue button if you are the administrator or insert the administrator password etc.

6/ In the Command Prompt window, type: sfc /scannow and then press Enter.

7/ A message will appear stating that the system scan will begin.

8/ Be patient because the scan may take some time.

9/ If any files require replacing SFC will replace them. You may be asked to insert your Vista DVD for this process to continue.

10/ If everything is okay you should, after the scan, see the following message: "Windows Resource Protection did not find any integrity violations."

11/ After the scan has completed, Close the command prompt window.

Re: Trojan.Agent
Is there anything that I need to copy and paste back to you...some kind of report or anything or do I just need to tell you what happens with the scan?

Re: Trojan.Agent

Just tell me if it asks for the OS disk.

Re: Trojan.Agent
Okay I will try this today. Thanks

Re: Trojan.Agent
It didn't ask for an OS disk and it said nothing had been violated (or something to that effect).

Re: Trojan.Agent

1. Open the Start Menu.

2. Click on the Computer button.

3. Right click on your hard drive and click on Properties.

4. Click on the Tools tab.

5. Click on Check Now under the Error checking section. (See circled in red below)

[image: check-disk-chkdsk-properties]

6. Click on Continue in the UAC prompt.

7. Make sure both options are checked. (See screenshot below)
NOTE: The Automatically fix file system errors box will be checked by default.

8. Click on the Start button.

[image: check-disk-chkdsk-check-now]

9. You will get a pop-up window saying, "Windows can't check this disk while it's in use". (See screenshot below)

10. Click on the Schedule disk check button for chkdsk to run the next time you restart your computer.

[image: check-disk-chkdsk-schedule]

11. Restart your computer.
******************************************************
AVENGER

  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Click the Execute button.
  • You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.

Re: Trojan.Agent

I'll try this tomorrow. Based on what you've seen so far... do you think there is still a chance that my computer can be saved?

Re: Trojan.Agent

musicabonita wrote:
Based on what you've seen so far... do you think there is still a chance that my computer can be saved?

It's difficult to say. I'm still trying to determine why you're getting the BSODs. Most BSODs are caused by defective software or hardware.

Re: Trojan.Agent

I tried to do the scan and it said it couldn't do it while the disk was in use.

I appreciate all of your help so far but honestly, I just think I need to wipe out my hard drive. Thank you so much for trying to figure out what is wrong but I don't think anything can be done. The cause of the issue still hasn't been determined so I don't think I have any other choice.

In your opinion, will this get rid of any viruses, trojans or issues I may have?

Re: Trojan.Agent

musicabonita wrote:
In your opinion, will this get rid of any viruses, trojans or issues I may have?

If you do a complete reformat it will clean your hard drive. Sorry that it had to come to this. Good luck.

Re: Trojan.Agent

Thanks so much for all your help. I have one more question please. I am trying to reformat my drive using the CD-ROM. I put the System CD in and pushed F12 like the instructions that came with the CD (from Acer) said. For some reason when I push F12 as the computer is restarting (with the CD in the drive), it just starts up as normal.

My CD-ROM drive is crappy. Is it possible to reformat my drive using an external CD-ROM drive instead of the internal one? Will that work the same way or is it a bad idea?

Re: Trojan.Agent

musicabonita wrote:
My CD-ROM drive is crappy. Is it possible to reformat my drive using an external CD-ROM drive instead of the internal one? Will that work the same way or is it a bad idea?

That should work but you may have to change your boot order in BIOS to accommodate the external drive.

If you do not know how to set your computer to boot from CD, follow the steps here.

More issues
Hi,
This might be out of the realm of this thread but I will ask anyway. Now I am having a new problem. I finally got the computer to boot to CD and I went through the entire process of reinstalling Windows. Everything went okay until I had to do the "restart your computer to begin setup" or whatever it says.

When it restarted, everything looked normal and it went to a black screen and said setup is about to begin (I'm paraphrasing). Suddenly I get an error message saying that "to install windows, click ok to restart the computer and then restart the installation". Then the computer restarts but I wind up getting the same error message.

Any ideas on how to fix this? Should I start another thread for this issue? Thanks.

Re: Trojan.Agent

I forgot to say that I used the Acer eRecovery discs to reinstall Windows. I was under the impression that doing a reinstall of Windows would wipe my hard drive. Am I misinformed on that? Do I have to clean the hard drive and then reinstall Windows? I can't get a clear understanding of that.

Edit: Also based on the research I've done, it seems like there are some changes that can be made in BIOS to help fix the problem. However, any of the changes they suggest, I can't find those settings (voltage, plug and play, etc.). It seems my options in BIOS are very limited.

Re: Trojan.Agent

musicabonita wrote:
Do I have to clean the hard drive and then reinstall Windows? I can't get a clear understanding of that.

The Recovery disks will take your computer back to the day you purchased it.
musicabonita wrote:
Also based on the research I've done, it seems like there are some changes that can be made in BIOS to help fix the problem.

I seriously doubt you can fix that in the BIOS. Your best bet would be to try to get the Recovery to work. Then, if you're still having problems, we can try to fix that.

Re: Trojan.Agent

Dave, I appreciate your help and patience so much. After about a month of trying to work on this issue and getting nowhere, I just decided to get a new computer. I will still try and fix the problem but I have a business and I can't be hindered from it any longer.

Thanks a bunch!

Re: Trojan.Agent

musicabonita wrote:
Dave, I appreciate your help and patience so much. After about a month of trying to work on this issue and getting nowhere, I just decided to get a new computer. I will still try and fix the problem but I have a business and I can't be hindered from it any longer.

Thanks a bunch!


Sorry it had to come to this. Good luck.
