Trojan agen/gen-cdesc.(149) & Trojan Win32.Sirefef.a

[ChrisB]

Post an earlier problem with Trojan agen/gen-cdesc.(149) and got AVZ and HijackThis to work after running Kaspersky bootable cd which removed Trojan Win32.Sirefef.a.
These trojans were preventing various programs to work and making them unaccessible. My system is in a mess and I am not quite sure if I am clean of trojans.
I have uploaded the logs.

Thank you

[AndreyKa]

Run AVZ. Choose from the menu "File" => "Custom scripts", copy/paste code below and run it:

Код:

begin
 ExecuteRepair(6);
 RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
 DeleteFile('C:\Documents and Settings\Christine Blackmore\Start Menu\Programs\Startup\is-3CHD0.lnk');
 DeleteFile('C:\Documents and Settings\Christine Blackmore\Start Menu\Programs\Startup\is-UD3NM.lnk');
 DeleteFile('C:\Documents and Settings\Christine Blackmore\Start Menu\Programs\Startup\is-5JADE.lnk');
 DeleteFile('C:\Documents and Settings\Christine Blackmore\Start Menu\Programs\Startup\is-5UT0G.lnk');
 DeleteFile('C:\Documents and Settings\Christine Blackmore\Start Menu\Programs\Startup\is-UMI96.lnk');
 FSResetSecurity('C:\Program Files\hijackThis\HijackThis1991.exe\HijackThis1991.exe..exe');
 FSResetSecurity('C:\Program Files\Internet Explorer\iexplore.exe');
 FSResetSecurity('C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe');
 FSResetSecurity('C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe');
 FSResetSecurity('C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE');
end.

Do you have any problem?

Remove virusinfo_cure.zip file from your #1 message.

[ChrisB]

Run script OK but I think the trojan has made a mess of the operation of windows.
Problems: Tried to check windows firewall but a message "Cannot start the windows firewall/internet connection sharing (ICS) service."
Tried to install Kaspersky internt security but windows just shuts down.
Can any body help.
I have uploaded new log files.

Thank you

[Numb]

Hello.
execute the script:

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\Tasks\A78034C191D3AFC1.job','');
QuarantineFile('C:\WINDOWS\Installer\14b01f.msi','');
QuarantineFile('C:\Program Files\Common Files\Windows Live\.cache\64559f901c992c7\fssclient_x86.msi','');
QuarantineFile('C:\Program Files\Common Files\Windows Live\.cache\4bd9a4dc1c971e0\fssclient_x86.msi','');
 QuarantineFile('c:\docume~1\christ~1\applic~1\slowbe~1\Ooze sect five.exe','');
 DeleteFile('c:\docume~1\christ~1\applic~1\slowbe~1\Ooze sect five.exe');
 BC_DeleteFile('c:\docume~1\christ~1\applic~1\slowbe~1\Ooze sect five.exe');
DeleteFile('C:\WINDOWS\Installer\14b01f.msi');
DeleteFile('C:\Program Files\Common Files\Windows Live\.cache\64559f901c992c7\fssclient_x86.msi');
DeleteFile('C:\Program Files\Common Files\Windows Live\.cache\4bd9a4dc1c971e0\fssclient_x86.msi');
DeleteFile('C:\WINDOWS\Tasks\A78034C191D3AFC1.job');
BC_DeleteFile('C:\WINDOWS\Tasks\A78034C191D3AFC1.job');
BC_DeleteFile('C:\WINDOWS\Installer\14b01f.msi');
BC_DeleteFile('C:\Program Files\Common Files\Windows Live\.cache\64559f901c992c7\fssclient_x86.msi');
BC_DeleteFile('C:\Program Files\Common Files\Windows Live\.cache\4bd9a4dc1c971e0\fssclient_x86.msi');
BC_ImportquarantineList;
BC_Activate;
ExecuteSysClean;
RebootWindows(true);
end.

After restart, upload quarantine via the link http://virusinfo.info/upload_virus_eng.php?tid=56877 as it's described in the app.3 of the rules and make new logs.

[ChrisB]

Run script, uploaded quarentine flie and have made new log files.

[Numb]

I see nothing harmful in your logs. Your system seems to be clean. If you have problems with your system's work, could you describe them here, please?

[ChrisB]

Still have problems: Tried to check windows firewall but a message "Cannot start the windows firewall/internet connection sharing (ICS) service."
Tried to install Kaspersky internt security 2009 on CD but windows just shuts down.
Install Kaspersky internwt security 2010 trialware but did not install properly not all services are working and when I trie to up date I can not get a full update.
When windows starts windows finds new hardware scsi adapter but I can not find the drivers. I intalled new Nvidia graphic drivers to see if that would cure hardware problem but did not solve the problem.

[Numb]

about the first problem: open the command line and execute the command:

Код:

sc query sharedaccess

Copy results here if it's possible. And make also this log.

[ChrisB]

Ran "sc query sharedaccess" but could not see what was in the command window it appeared to quickly.
I have ran GMER and have uploaded log file number 18.

[Numb]

My fault - I should have explained more correctly. What you should do is to run cmd.exe command. The console interface will appear - a black window with the command line. You should type sc query sharedaccess command there and press "enter". Then you will be able to see the results and copy them and insert them in your post here.
As for Gmer log - it adds nothing new - there is nothing harmful or even suspicious there.

[ChrisB]

Here is the results-

SERVICE_NAME: sharedaccess
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1068 (0x42c)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

[Numb]

Ok. It seems that this service is stopped. To start it again and to make it to start automatically, run one by one the follow commands:

Код:

sc start sharedaccess
sc config sharedaccess start= auto

After that try to check windows firewall again.

[ChrisB]

Ran "sc start sharedaccess" result "StartService FAILED 1068:"
Ran "sc config sharedaccess start= auto result "changeServiceConfig SUCCESS"

firewall still has the message "Cannot start the windows firewall/internet connection sharing (ICS) service."

[drongo]

Execute this script in avz or avptool:

Код:

begin
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.

Computer will reboot.Then:
Right-click My Computer > Manage > Services and Applications >
Services. In the right-hand pane, scroll down to right-click on the
Internet Connection Firewall and select Properties. Click the
Dependencies Tab. Make sure that all of the listed system
components/services are shown as started in the Services list.
Also, you can try this: http://support.microsoft.com/default...tMeFixItMyself
Personally, i did disable windows firewall, because don't like it

[ChrisB]

Tried the above solutions but did not work.
I have now reinstalled windows and everything is OK and runs faster and better.

Thank you all for your help in removing the trojan and trying to solve windows problems.

ChrisB