
Author Topic: Trojan Horse Agent_r.ATS  (Read 33115 times)


paulf

    Topic Starter


    Rookie

    Re: Trojan Horse Agent_r.ATS
    « Reply #15 on: January 18, 2012, 07:03:43 PM »
    Super Dave:

    Sorry for the delay--been out of town and this is my home computer.  Here is the log-----------

    MiniToolBox by Farbar  Version: 18-01-2012
    Ran by PaulF (administrator) on 18-01-2012 at 20:58:39
    Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86)
    Boot Mode: Normal
    ***************************************************************************

    ========================= Flush DNS: ===================================

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    ProxyServer: 127.0.0.1:64929

    "Reset IE Proxy Settings": IE Proxy Settings were reset.
    Hosts file not detected in the default directory
    ========================= IP Configuration: ================================

    Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0) = Local Area Connection (Connected)
    Dell Wireless 1505 Draft 802.11n WLAN Mini-Card = Wireless Network Connection (Media disconnected)


    # ----------------------------------
    # IPv4 Configuration
    # ----------------------------------
    pushd interface ipv4

    reset
    set global icmpredirects=enabled


    popd
    # End of IPv4 configuration



    Windows IP Configuration

       Host Name . . . . . . . . . . . . : FinleyPC
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : home

    Wireless LAN adapter Wireless Network Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Dell Wireless 1505 Draft 802.11n WLAN Mini-Card
       Physical Address. . . . . . . . . : 00-24-2C-24-69-D2
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
       Physical Address. . . . . . . . . : 00-24-E8-13-E9-C5
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::c81d:dd17:4644:a2d7%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Wednesday, January 18, 2012 8:26:30 PM
       Lease Expires . . . . . . . . . . : Thursday, January 19, 2012 8:26:15 PM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 251667688
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-CC-7B-62-00-24-E8-13-E9-C5
       DNS Servers . . . . . . . . . . . : 192.168.1.1
                                           71.242.0.12
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 6:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : isatap.home
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 7:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1401:2f4d:3f57:fefd(Preferred)
       Link-local IPv6 Address . . . . . : fe80::1401:2f4d:3f57:fefd%10(Preferred)
       Default Gateway . . . . . . . . . : ::
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Local Area Connection* 12:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : isatap.{02E1564F-777F-40F5-809E-D959E16B6318}
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Server:  Wireless_Broadband_Router.home
    Address:  192.168.1.1

    Name:    google.com
    Addresses:  74.125.115.99
         74.125.115.103
         74.125.115.104
         74.125.115.105
         74.125.115.147
         74.125.115.106



    Pinging google.com [74.125.115.103] with 32 bytes of data:

    Request timed out.

    Reply from 74.125.115.103: bytes=32 time=28ms TTL=252



    Ping statistics for 74.125.115.103:

        Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),

    Approximate round trip times in milli-seconds:

        Minimum = 28ms, Maximum = 28ms, Average = 28ms

    Server:  Wireless_Broadband_Router.home
    Address:  192.168.1.1

    Name:    yahoo.com
    Addresses:  98.139.180.149
         209.191.122.70
         72.30.2.43
         98.137.149.56



    Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

    Reply from 209.191.122.70: bytes=32 time=60ms TTL=249

    Reply from 209.191.122.70: bytes=32 time=59ms TTL=249



    Ping statistics for 209.191.122.70:

        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

        Minimum = 59ms, Maximum = 60ms, Average = 59ms

    Server:  Wireless_Broadband_Router.home
    Address:  192.168.1.1

    Name:    bleepingcomputer.com
    Address:  208.43.87.2



    Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

    Reply from 208.43.87.2: Destination host unreachable.

    Reply from 208.43.87.2: Destination host unreachable.



    Ping statistics for 208.43.87.2:

        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),



    Pinging 127.0.0.1 with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



    Ping statistics for 127.0.0.1:

        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ===========================================================================
    Interface List
     12 ...00 24 2c 24 69 d2 ...... Dell Wireless 1505 Draft 802.11n WLAN Mini-Card
     11 ...00 24 e8 13 e9 c5 ...... Realtek RTL8168C(P)/8111C(P) Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
      1 ........................... Software Loopback Interface 1
     14 ...00 00 00 00 00 00 00 e0  isatap.home
     10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
     13 ...00 00 00 00 00 00 00 e0  isatap.{02E1564F-777F-40F5-809E-D959E16B6318}
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     20
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.1.0    255.255.255.0         On-link       192.168.1.2    276
          192.168.1.2  255.255.255.255         On-link       192.168.1.2    276
        192.168.1.255  255.255.255.255         On-link       192.168.1.2    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       192.168.1.2    276
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       192.168.1.2    276
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     10     18 ::/0                     On-link
      1    306 ::1/128                  On-link
     10     18 2001::/32                On-link
     10    266 2001:0:4137:9e76:1401:2f4d:3f57:fefd/128
                                        On-link
     11    276 fe80::/64                On-link
     10    266 fe80::/64                On-link
     10    266 fe80::1401:2f4d:3f57:fefd/128
                                        On-link
     11    276 fe80::c81d:dd17:4644:a2d7/128
                                        On-link
      1    306 ff00::/8                 On-link
     10    266 ff00::/8                 On-link
     11    276 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (01/18/2012 08:27:51 PM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (01/16/2012 00:33:27 PM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (01/16/2012 08:29:45 AM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (01/15/2012 11:24:15 PM) (Source: EventSystem) (User: )
    Description: 80070005EventSystem.EventSubscription{AA44355E-6911-4447-BA5D-6720480579AF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

    Error: (01/15/2012 00:31:22 PM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (01/13/2012 10:30:50 PM) (Source: EventSystem) (User: )
    Description: 80070005EventSystem.EventSubscription{AA44355E-6911-4447-BA5D-6720480579AF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

    Error: (01/13/2012 10:09:23 PM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (01/11/2012 09:28:19 PM) (Source: EventSystem) (User: )
    Description: 80070005EventSystem.EventSubscription{AA44355E-6911-4447-BA5D-6720480579AF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

    Error: (01/11/2012 08:22:22 PM) (Source: WinMgmt) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (01/09/2012 10:04:47 PM) (Source: EventSystem) (User: )
    Description: 80070005EventSystem.EventSubscription{AA44355E-6911-4447-BA5D-6720480579AF}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}


    System errors:
    =============
    Error: (01/18/2012 08:27:51 PM) (Source: Service Control Manager) (User: )
    Description: SQL Server EXPRESS%%126

    Error: (01/16/2012 00:33:28 PM) (Source: Service Control Manager) (User: )
    Description: SQL Server EXPRESS%%126

    Error: (01/16/2012 08:29:46 AM) (Source: Service Control Manager) (User: )
    Description: SQL Server EXPRESS%%126

    Error: (01/15/2012 00:31:22 PM) (Source: Service Control Manager) (User: )
    Description: SQL Server EXPRESS%%126

    Error: (01/13/2012 10:09:24 PM) (Source: Service Control Manager) (User: )
    Description: SQL Server EXPRESS%%126

    Error: (01/11/2012 08:22:22 PM) (Source: Service Control Manager) (User: )
    Description: SQL Server EXPRESS%%126

    Error: (01/09/2012 08:37:36 PM) (Source: Service Control Manager) (User: )
    Description: SQL Server EXPRESS%%126

    Error: (01/08/2012 01:58:33 PM) (Source: Service Control Manager) (User: )
    Description: SQL Server EXPRESS%%126

    Error: (01/08/2012 01:53:18 PM) (Source: Service Control Manager) (User: )
    Description: Network List ServiceNetwork Location Awareness%%1068

    Error: (01/08/2012 01:53:17 PM) (Source: Service Control Manager) (User: )
    Description: Network List ServiceNetwork Location Awareness%%1068


    Microsoft Office Sessions:
    =========================

    ========================= Memory info: ===================================

    Percentage of memory in use: 47%
    Total physical RAM: 3036.07 MB
    Available physical RAM: 1590.45 MB
    Total Pagefile: 6293.17 MB
    Available Pagefile: 4812.71 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1946.21 MB

    ========================= Partitions: =====================================

    1 Drive c: (OS) (Fixed) (Total:218.14 GB) (Free:152.96 GB) NTFS
    2 Drive d: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:10.24 GB) NTFS

    ========================= Users: ========================================

    User accounts for \\FINLEYPC

    Administrator            Guest                    PaulF                   


    **** End of log ****

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Trojan Horse Agent_r.ATS
    « Reply #16 on: January 19, 2012, 11:31:41 AM »
    Is this a laptop computer? If so, are you certain that the internet switch is not turned off? Did you reset the modem? Turn off the power supply to the modem for at least 30 secs. Did you try hardwiring the computer to the modem?
    Windows 8 and Windows 10 dual boot with two SSD's

    paulf

      Topic Starter


      Rookie

      Re: Trojan Horse Agent_r.ATS
      « Reply #17 on: January 23, 2012, 06:39:37 PM »
      No, it's a desktop and the internet works fine, but you asked me to download something in safe mode.  I couldn't get on the internet in safe mode.  In regular mode I'm connected.

      SuperDave

      Re: Trojan Horse Agent_r.ATS
      « Reply #18 on: January 23, 2012, 07:03:22 PM »
      Quote
      I couldn't get on the internet in safe mode.  In regular mode I'm connected
      Sorry. I misunderstood.

      Save these instructions so you can have access to them while in Safe Mode.

      Please click here to download AVP Tool by Kaspersky.
      • Save it to your desktop.
      • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      • Double click the setup file to run it.
      • Click Next to continue.
      • Accept the License agreement and click on next.
      • It will, by default, install it to your desktop folder. Click Next.
      • It will then open a box. There will be a tab that says Automatic scan.
      • Under Automatic scan make sure these are checked.
      • Hidden Startup Objects
      • System Memory
      • Disk Boot Sectors.
      • My Computer.
      • Also any other drives (Removable that you may have)
      Leave the rest of the settings as they appear as default.
      • Then click on Scan at the top right-hand corner.
      • It will automatically Neutralize any objects found.
      • If some objects are left un-neutralized, then click the button that says Neutralize all.
      • If it says it cannot be neutralized, then choose the delete option when prompted.
      • After that is done, click on the reports button at the bottom and save it to file; name it Kas.
      • Save it somewhere convenient like your desktop and post only the detected Virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.

      Note: This tool will self uninstall when you close it so please save the log before closing it.

      paulf

        Topic Starter


        Rookie

        Re: Trojan Horse Agent_r.ATS
        « Reply #19 on: January 30, 2012, 08:20:47 PM »
        Super Dave:

        I hope that I did this right---Here are the results:

        Status: Deleted   (events: 1)   
        1/30/2012 8:17:44 PM   Deleted   Trojan program Exploit.Java.CVE-2010-4452.a   C:\Documents and Settings\PaulF\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\23e20f57-532988f6   High   
        Status: Disinfected   (events: 3)   
        1/30/2012 8:15:17 PM   Disinfected   Trojan program Exploit.Java.CVE-2010-0840.en   C:\Documents and Settings\PaulF\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\77d810b7-41f56c4c   High   
        1/30/2012 8:15:17 PM   Disinfected   Trojan program Exploit.Java.CVE-2010-0840.en   C:\Documents and Settings\PaulF\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\77d810b7-41f56c4c/json/Parser.class   High   
        1/30/2012 10:10:44 PM   Disinfected   virus Virus.Win32.ZAccess.k   C:\Windows\System32\drivers\serial.sys   High   
        Status: Quarantined   (events: 1)   
        1/30/2012 9:14:09 PM   Quarantined   virus HEUR:Trojan.Script.Iframer   C:\Windows\$NtUninstallKB32527$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\36JG3ILT\afr[5].php   High   
        Status: Absent   (events: 2)   
        1/30/2012 10:13:10 PM   Not found   virus HEUR:Trojan.Script.Iframer   C:\Windows\$NtUninstallKB32527$\systemprofile\AppData\Local\Temporary Internet Files\Content.IE5\36JG3ILT\afr[5].php   High   
        1/30/2012 10:13:10 PM   Not found   virus HEUR:Trojan.Script.Iframer   C:\Windows\$NtUninstallKB32527$\systemprofile\Local Settings\Microsoft\Windows\Temporary Internet Files\Content.IE5\36JG3ILT\afr[5].php   High   

        SuperDave

        Re: Trojan Horse Agent_r.ATS
        « Reply #20 on: January 31, 2012, 11:54:21 AM »
        AVENGER

        • Download The Avenger by Swandog46 from here.
        • Unzip/extract it to a folder on your desktop.
        • Double click on avenger.exe to run The Avenger.
        • Click OK.
        • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
        • Click the Execute button.
        • You will be asked No script has been entered.  Do you want to execute a rootkit scan only?.
        • Click Yes.
        • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?.
        • Click Yes.
        • Your PC will now be rebooted.
        • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
        • Please post this log in your next reply.

        paulf

          Topic Starter


          Rookie

          Re: Trojan Horse Agent_r.ATS
          « Reply #21 on: February 05, 2012, 06:03:00 PM »
          Logfile of The Avenger Version 2.0, (c) by Swandog46
          http://swandog46.geekstogo.com

          Platform:  Windows Vista

          *******************

          Script file opened successfully.
          Script file read successfully.

          Backups directory opened successfully at C:\Avenger

          *******************

          Super Dave:
          Here is the Avenger result-----


          Beginning to process script file:

          Rootkit scan active.
          No rootkits found!


          Completed script processing.

          *******************

          Finished!  Terminate.

          SuperDave

          Re: Trojan Horse Agent_r.ATS
          « Reply #22 on: February 05, 2012, 07:06:20 PM »
          I'd like to scan your machine with ESET OnlineScan

          •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
          ESET OnlineScan
          •Click the button.
          •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
          •Check
          •Click the button.
          •Accept any security warnings from your browser.
          •Check
          •Push the Start button.
          •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          •When the scan completes, push
          •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
          •Push the button.
          •Push
          A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

          paulf

            Topic Starter


            Rookie

            Re: Trojan Horse Agent_r.ATS
            « Reply #23 on: February 06, 2012, 06:50:44 PM »
            Super Dave:

            I'm getting a little confused here.  I really do appreciate your time and effort in helping me, but where are we going?  I keep running all of these scans, but have we learned anything?  Originally, my AVG showed the Trojan Horse Agent_r.ATS that is whitelisted.  That's what I thought we were trying to eliminate.  Are you looking for something else? Or are you looking for a method of removing this?  Again, I don't want to seem ungrateful, but can you tell me if we are making progress?
            I'm going to run this last scan that you suggested....report to follow.

            Thanks,
             Paulf

            paulf

              Topic Starter


              Rookie

              Re: Trojan Horse Agent_r.ATS
              « Reply #24 on: February 06, 2012, 07:45:04 PM »
              Results of ESET scan---

              C:\Documents and Settings\PaulF\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\79b13923-4acf727b   a variant of Java/Exploit.CVE-2011-3544.B trojan   deleted - quarantined
              C:\Documents and Settings\PaulF\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\77d810b7-41f56c4c   multiple threats   deleted - quarantined
              C:\Documents and Settings\PaulF\AppData\Roaming\Mozilla\Firefox\Profiles\hsm0bft6.default\extensions\{ae3aeb1f-5d7c-43c0-ac66-c6e3b8100bcb}\chrome.manifest   Win32/TrojanDownloader.Tracur.F trojan   cleaned by deleting - quarantined
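
A triage sketch for the Kaspersky and ESET results posted above, added here as an example; it is not part of any poster's reply or of either vendor's tooling. It parses both report layouts, pulls CVE ids out of the detection names, and sorts findings by where the file lives. The bucket names, the `LOCATION_RULES` ordering and the function names are assumptions of this example.

```python
import re
from collections import Counter

# A subset of the report lines posted in this thread: Kaspersky AVP Tool first, then ESET OnlineScan.
SAMPLE_REPORT = r"""
Status: Deleted   (events: 1)
1/30/2012 8:17:44 PM   Deleted   Trojan program Exploit.Java.CVE-2010-4452.a   C:\Documents and Settings\PaulF\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\23e20f57-532988f6   High
Status: Disinfected   (events: 3)
1/30/2012 8:15:17 PM   Disinfected   Trojan program Exploit.Java.CVE-2010-0840.en   C:\Documents and Settings\PaulF\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\77d810b7-41f56c4c   High
1/30/2012 10:10:44 PM   Disinfected   virus Virus.Win32.ZAccess.k   C:\Windows\System32\drivers\serial.sys   High
Status: Quarantined   (events: 1)
1/30/2012 9:14:09 PM   Quarantined   virus HEUR:Trojan.Script.Iframer   C:\Windows\$NtUninstallKB32527$\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\36JG3ILT\afr[5].php   High
C:\Documents and Settings\PaulF\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\35\79b13923-4acf727b   a variant of Java/Exploit.CVE-2011-3544.B trojan   deleted - quarantined
C:\Documents and Settings\PaulF\AppData\Roaming\Mozilla\Firefox\Profiles\hsm0bft6.default\extensions\{ae3aeb1f-5d7c-43c0-ac66-c6e3b8100bcb}\chrome.manifest   Win32/TrojanDownloader.Tracur.F trojan   cleaned by deleting - quarantined
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Location buckets, most urgent first. The labels and their order are this
# example's assumption: a modified system driver needs follow-up that a
# cached applet does not.
LOCATION_RULES = [
    ("system driver", re.compile(r"\\windows\\system32\\drivers\\")),
    ("browser extension", re.compile(r"\\firefox\\profiles\\.*\\extensions\\")),
    ("java plug-in cache", re.compile(r"\\sun\\java\\deployment\\cache\\")),
    ("browser cache", re.compile(r"\\temporary internet files\\")),
]


def classify_location(path):
    """Return (priority, label) for a file path; unknown paths sort last."""
    lowered = path.lower()
    for priority, (label, pattern) in enumerate(LOCATION_RULES):
        if pattern.search(lowered):
            return priority, label
    return len(LOCATION_RULES), "other"


def parse_line(line):
    """Parse one report row in either layout; return None for headers and blanks."""
    # Columns are separated by tabs or runs of spaces; single spaces occur inside fields.
    fields = [f for f in re.split(r"\t+|\s{2,}", line.strip()) if f]
    idx = next((i for i, f in enumerate(fields) if PATH_RE.match(f)), None)
    if idx is None:
        return None  # e.g. "Status: Deleted   (events: 1)"
    if idx == 0:  # ESET layout: path, detection, action
        if len(fields) < 3:
            return None
        path, detection, action = fields[0], fields[1], fields[2]
    else:  # Kaspersky layout: time, action, detection, path, severity
        if idx < 2:
            return None
        action, detection, path = fields[idx - 2], fields[idx - 1], fields[idx]
    priority, location = classify_location(path)
    return {"path": path, "detection": detection, "action": action,
            "cves": CVE_RE.findall(detection),
            "location": location, "priority": priority}


def triage(report_text):
    """Parse every row and return findings ordered by location priority."""
    rows = (parse_line(line) for line in report_text.splitlines())
    return sorted((r for r in rows if r), key=lambda r: r["priority"])


def summarize(findings):
    """Collapse findings into the facts a responder acts on first."""
    return {
        "cves": sorted({c for f in findings for c in f["cves"]}),
        "locations": dict(Counter(f["location"] for f in findings)),
        "driver_hits": [f["path"] for f in findings if f["location"] == "system driver"],
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(f'{finding["location"]:<20} {finding["action"]:<35} {finding["detection"]}')
    print(summarize(triage(SAMPLE_REPORT)))
```

A cached exploit applet shows that it was downloaded, not that it ran; the CVE ids in the summary indicate which Java fixes to confirm are installed.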

              SuperDave

              Re: Trojan Horse Agent_r.ATS
              « Reply #25 on: February 07, 2012, 11:10:43 AM »
              Quote
              I really do appreciate your time and effort in helping me, but where are we going?  I keep running all of these scans, but have we learned anything?
              I'm trying to make sure your computer is clean.
              Quote
              Originally, my AVG showed the Trojan Horse Agent_r.ATS that is whitelisted.  That's what I thought we were trying to eliminate.  Are you looking for something else? Or are you looking for a method of removing this?  Again, I don't want to seem ungrateful, but can you tell me if we are making progress?
              In all the scans we've run that Trojan didn't pop up. I'm quite sure it's a false-positive from AVG.
              I asked you to run ComboFix from Safe Mode but you replied that you can't connect to the internet when in Safe Mode. ComboFix automatically disconnects your computer from the net when it's running. If you have the program on your desktop you should be able to run it.

              SuperDave

              Re: Trojan Horse Agent_r.ATS
              « Reply #26 on: February 07, 2012, 11:17:00 AM »
              I just thought of something else we can try. Please download, install and run a full scan with Microsoft Security Essentials. Please let me know if anything was found.

              Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
              Microsoft Security Essentials for Windows XP

              paulf

                Topic Starter


                Rookie

                Re: Trojan Horse Agent_r.ATS
                « Reply #27 on: February 08, 2012, 03:33:24 PM »
                I tried to install msessentials, but I got this message----


                Another windows installer is running

                But I have nothing else open

                SuperDave

                Re: Trojan Horse Agent_r.ATS
                « Reply #28 on: February 08, 2012, 04:31:58 PM »
                Please wait a bit then try it again. One of your other MS programs is using it for updates.

                paulf

                  Topic Starter


                  Rookie

                  Re: Trojan Horse Agent_r.ATS
                  « Reply #29 on: February 08, 2012, 07:11:13 PM »
                  Super Dave:

                  I tried several more times, but no luck.  However, I did not uninstall my AVG.  If I do that, can I get it back?

                  Thanks