[DSTM]

Hi Guys,I have somehow picked up a Trogan,and Windows wont boot.
A Blue screen says, windows shut down, to prevent further damage.
I can get into safe mode.Any advice from this point,helpful.
The Trogan first disabled all security.
Somehow this Trogan got past Antivir Active guard.
Not sure what to do next.Thanks.

EDIT Windows XP Home sp3

This post has been edited by DSTM: 04 Jun 2009 - 09:04 AM

[BSchwarz]

Can you post the exact error message you're getting when you get the blue screen?

If it is gone too fast then while in safe mode in advanced options when right clicking my computer under startup uncheck automatically reboot on stop error. This will allow you to get the complete error code.

It would help to diagnose.

[DSTM]

Thanks for that. I will get what error messages I can find.

[DSTM]

Couldn't run Antivir or SuperAnti Spyware,as it said,these programs have been changed possibly by a Virus.
I managed to run MalwareBytes in safe mode and got a report.
Said something about Data Execution Protection- Application layer Gateway Service. I did see error codes and will try and find them.
This is the report if any help. Thanks.

Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 3

5/06/2009 2:15:40 AM
mbam-log-2009-06-05 (02-15-40).txt

Scan type: Quick Scan
Objects scanned: 77233
Time elapsed: 2 minute(s), 0 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\user\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.

[DSTM]

Blue Screen Message.

A problem has been detected and Windows has been shut down to prevent more damage to your Computer.
More Paragraphs............

Technical Information,
STOP:0X0000008E,
(0XC0000005, 0X8A6542B6, 0XB3DF81A0,0X00000000)
Physical Memory Dump Complete.

Run another Scan in Safe mode and 8 more Trogan agents found.

Most programs will not run as the should.

"Antivirus shows Error.C:\progra~\Avira\Antivi~\AVCONFIG.EXE
Cannot be found or has been modified or destroyed".
Thanks for any Help.

This post has been edited by DSTM: 04 Jun 2009 - 03:04 PM

[BSchwarz]

You are infected with Win32/Virut Trojan. Here is a link to the tolls you'll need to remove them.

AVG Virus Removal Tools

Scroll a little down the page and you'll see the 2 files you need to download. Instructions are fairly startighgt forward.

What you have is a nasty bugger, but, it's an older virus so the tolls work well to remove them.

One note your virus scanner must not be up to date with latest virus definition updates because this would have been caught.

[BSchwarz]

After reading up on this a bit more it seems the only real way to get rid of this is to format and reinstall Windows. This virus infects all .exe, .scr (screensavers), .htm and .html files. It is badly coded so after it is cleaned some exe files are corrupt and will not work.

If you have any of the above files types on external drives or on another partition then it is recommended you also format those drives or partitions during the OS install.

Do you happen to know how you caught it?

[DSTM]

It's a nasty one,and first I noticed, was Live messenger, started throwing up all different web Pages.I looked down at the Avira guard, and it was disabled.
Great you identified it, and thanks for the links to fix.
Much appreciated, BSchwarz.:)

[DSTM]

I feel as though I should take the Computer, to get it done, at a Computer Shop.
I dont feel confident doing this.
I suppose I can have a crack at it, reading Tutorials,and asking you Guys,if I get lost,wiping the Drives and reinstalling.
Have to do reinstalls sooner or later.
I have a second Drive full of Cdrive Program downloads,pictures and word,as a back up.
What is safe to pull off on a Flash Drive?
Pictures and Word documents,Videos,Music.
What would be safe to keep? Thanks.:)

[BSchwarz]

Any files on any drive with thses extensions would mean they are infected and the drive containing them formated.

Quote

.exe or .scr or .html/.htm

[DSTM]

Had Windows reinstalled,however on loading all the programs,and running a Scan,the Trogan reappeared,so I think the Computer Shop, may have not reinstalled windows on the right partition,or something.
Back to the Computer Shop,it's going.

This post has been edited by DSTM: 06 Jun 2009 - 09:49 PM

[DirtyPolo]

Is this the same computer shop that you had all the other problems with before Dougie?

[DSTM]

The same Shop,DirtyPolo.
I have had enough of their Techies.
I am attempting to do a format, and reinstall Windows,myself.
No other Shops close,that are worth using.
Might take me a while,and will update.:)

[BeeCeeBee]

Just started following this Dougie.

Once you have all of your files saved and excluded the ones that Bob gave you, there really is not much damage that you can do. As long as you still have the ability to communicate we will get you through this.

Just be sure that you have all your drivers. If you are using OEM recovery software that will restore factory settings you will most likely have all the factory installed drivers already on the disk.

[DSTM]

Thanks beeceebee. I have this spare Computer to communicate with.
Just Done a full scan of D Drive and the Trojan is now on that Hard drive.
I click deny access,with Avira,and nothing happens,also with Move to quarantine,nothing happens.The Avira notification is still on the screen.
I need advice urgently if possible on what to do.Thanks.
I cant see it on C Drive,now I have formatted and reinstalled windows.Not finished as yet,with drivers and programs.

[BeeCeeBee]

Have you actually done the reinstall Dougie or are you trying to get rid of the virus first?

[DSTM]

I followed instructions on UTUBE, and have done the basic reinstall.
Not finished all the updates, or new programs,yet.
Couldnt get on the net, at first, as I had to chase a realtek Driver,but thats sorted now.

I dont know if I just did the right thing.I turned the Computer off, and ripped out the D Drive.The IDE cable ,I think thats what it's called fell off the C Drive but can put everything back right I think.
Is there anything I have to change when I boot it up again.?
Will run another Scan on C Drive,when I blow it out and Boot up again.
Thanks again,Guys.:)

[BeeCeeBee]

Quote

Just Done a full scan of D Drive and the Trojan is now on that Hard drive.
I click deny access,with Avira,and nothing happens,also with Move to quarantine,nothing happens.The Avira notification is still on the screen.

Just a little confused as to what seems like some gaps in the process here. I assume you have 2 hard drives. This scan that you did, was this before or after the re installation of XP and did you format the second drive as well.

If you did, where are your backup files being kept?

[DSTM]

I'll try and explain.
Yes I had 2 Hard Drives.D Drive was where I copied files to,that I wished to keep.
But wasnt up to date.
The scan I did was just now after installation of XP.I scanned C Drive and it's clean.
C Drive is the one that had the Trojan to start with.
When I Realized from the Scan I did with the ISO I downloaded and burnt to CD,that so many .exe files were had code added to them,I copied my Movies,Pictures,Word Docs and Music to D Drive.And also Downloads and Installed Downloads folders as well.
I only scanned my picture Files multiple times and copied them back to C Drive documents.
I wouldnt take the risk of trying to save my music or word Documents with all my Tutorials in.So I have lost everything bar my Pictures.
To me thats a big Loss.Will burn everything to CD in future.A Lesson learnt.
Hope you can follow.

PS The cable was pulled so tight between the Hard Drives,the moment I touched the cable it fell off C Drive.
A few other cables are too tight so will see if I can reroute them now.

This post has been edited by DSTM: 07 Jun 2009 - 08:17 AM

[BSchwarz]

That is one nasty virus to get rid of. I have learned a lot about it in the last couple days. It is like the old win95 Chernobyl virus in that it is polymorphic. It copies it's loader to the files I listed before so if you miss one on next boot after install the virus will reactivate.

The shop you brought it too should have known this. They should should have wiped all drives and then done the install.