Trojan horse Agent_r.BCA

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by orloc, Mar 6, 2012.

  1. orloc

    orloc Private E-2

    Hello,

    I've not been able to find any advice specific to this Trojan (i.e. the BCA part), so forgive me if I start a new thread on the subject.

    Does anyone recognise it and can advise me how to get rid of it?

    I'm currently working through the READ ME FIRST thread, but not without difficulty as the Trojan has, of course, knocked me off the internet. :(

    The location of the Trojan is: c:windows/system32/drivers/ipsec.sys. Would it be a very bad idea to go into Safe Mode and delete it?

    Thanks in advance for all or any help in getting rid of this thing.
     
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, orloc!

    Most likely you are dealing with a ZeroAccess rootkit.
    Keep going through the instructions in the Read and Run Me First thread and attach all your logs if you are still having trouble connecting to the internet.

    If it really is infected, then no, but that is not going to fix your internet problem so you may as well leave it alone for now.

    I will be able to help you further once you have attached logs for me to review :)
     
  3. orloc

    orloc Private E-2

    Thanks thisisu,

    I'm working on generating the logs which I'll do over the weekend, hopefully to post the results early next week.
     
  4. thisisu

    thisisu Malware Consultant

    Ok, no problem.
     
  5. orloc

    orloc Private E-2

    Hi,

    I've now tried to run the programs but for each one I get the message,

    "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

    Presumably this is the virus stopping me running the programs? I also tried in Safe Mode but to no effect.

    Please advise on what I can now do, thank you.
     
  6. thisisu

    thisisu Malware Consultant

    Download FixExec.exe to your desktop.
    Double click on the downloaded file to run the fix.
    When the program has finished, it will generate a log on the desktop called FixExec.txt.
    Post the log in your next reply.

    NOTE: If for any reason you're not able to execute FixExec.exe rename it to FixExec.com, FixExec.pif or FixExec.scr.
     
  7. orloc

    orloc Private E-2

    Here is the log from FixExec. I hope it helps.
     

  8. thisisu

    thisisu Malware Consultant

    Retry opening the specified programs from the Read and Run Me.

    Were you able to install SUPERAntiSpyware and MBAM successfully?

    Give me an idea of what programs will open, and which ones do not.
     
  9. orloc

    orloc Private E-2

    I've downloaded the programs from the Read and Run Me, but none of them install/run.

    Apart from these, I've not found any other programs on the computer which won't work.
     
  10. thisisu

    thisisu Malware Consultant

    Hi,

    Let me know if this one runs or not:

    I want you to read and follow these instructions: TDSSKiller - How to run
     
  11. orloc

    orloc Private E-2

    Hi,

    I've managed to run tdsskiller, even though from my desktop it wouldn't let me extract the executable file from the zipped folder. I had to go back to my usb stick and unzip on that, and copy over the executable. Anyway, I ran it and attach the log.
     

  12. thisisu

    thisisu Malware Consultant

    Ok that looks good. Now follow these steps:

    Download and transfer avg_remover_stf_x86_2012_1796.exe to the computer with the issue.
    Now run avg_remover_stf_x86_2012_1796.exe by double-clicking it.

    Please download RogueKiller to your desktop.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When it is finished, there will be a log on your desktop called: RKreport[1].txt
    Attach RKreport[1].txt to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      ipsec.sys
      netbt.sys
      svchost.exe
      tcpip.sys
      /md5stop
      %windir%\$ntuninstallkb*. /30
      %windir%\system32\drivers\*.sys /lockedfiles
      %windir%\*.* /mp
      %windir%\*.* /rp
      %windir%\*.* /sl
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ipsec /s
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  13. orloc

    orloc Private E-2

    Hi,

    Here are the logs as requested.

    Happy Birthday, by the way. I'll understand if I don't get a response today.:-D
     

  14. thisisu

    thisisu Malware Consultant

    Thank you :)

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :processes
    killallprocesses
    :otl
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\winss.dll -- (zumbus)
    NetSvcs: zumbus - %systemroot%\system32\winss.dll File not found
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\buslogic.dll -- (WmHidLo)
    NetSvcs: WmHidLo - %systemroot%\system32\buslogic.dll File not found
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\UWProSys.dll -- (Spsmqvsm)
    NetSvcs: Spsmqvsm - %systemroot%\system32\UWProSys.dll File not found
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\LHidKe.dll -- (RAPIProtocol)
    NetSvcs: RAPIProtocol - %systemroot%\system32\LHidKe.dll File not found
    SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
    SRV - File not found [Auto | Stopped] -- %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dlles\pchsvc.dll -- (helpsvc)
    SRV - File not found [Auto | Stopped] -- %systemroot%\system32\zBackupAssistService.dll -- (dpc_srv_webcast)
    NetSvcs: dpc_srv_webcast - %systemroot%\system32\zBackupAssistService.dll File not found
    SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (TosIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc8xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (symc810)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_u3)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (sym_hi)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Sparrow)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Simbad)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1280)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1240)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql12160)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Ql10wnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ql1080)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2hib)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (perc2)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (mraid35x)
    DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (IntelIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (ini910u)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (i2omp)
    DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (hpn)
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\fetnd5.sys -- (FETNDIS)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dpti2o)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (dac960nt)
    DRV - File not found [Kernel | Disabled | Unknown] --  -- (dac2w2k)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Cpqarray)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (CmdIde)
    DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (cd20xrnt)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Atdisk)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3550)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc3350p)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (asc)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (amsint)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (AliIde)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78xx)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (aic78u2)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Aha154x)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (adpu160m)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (abp480n5)
    DRV - File not found [Kernel | Disabled | Stopped] --  -- (Abiosdsk)
    [2012/03/02 17:01:42 | 000,000,000 | -HS- | M] () -- C:\WINDOWS\System32\dds_trash_log.cmd
    @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Darryl\My Documents\cc_20091102_131859_backuptoregistry.reg:SummaryInformation
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
    :files
    rd /s/q C:\WINDOWS\$NtUninstallKB31743$ /c
    xcacls.exe C:\WINDOWS\$NtUninstallKB31743$ /p Administrators:f SYSTEM:f /y /c
    fsutil reparsepoint delete C:\WINDOWS\$NtUninstallKB31743$ /c
    rd /s/q C:\WINDOWS\$NtUninstallKB31743$ /c
    c:\windows\system32\drivers\ipsec.sys|C:\WINDOWS\system32\dllcache\ipsec.sys /replace
    ipconfig /flushdns /c
    netsh int ip reset resetlog.txt /c
    netsh winsock reset /c
    :reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec]
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "Tag"=dword:00000005
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
      52,00,49,00,56,00,45,00,52,00,53,00,5c,00,69,00,70,00,73,00,65,00,63,00,2e,\
      00,73,00,79,00,73,00,00,00
    "DisplayName"="IPSEC driver"
    "Group"="PNP_TDI"
    "Description"="IPSEC driver"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec\Security]
    "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
      20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
      00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
      00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec\Enum]
    "0"="Root\\LEGACY_IPSEC\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001
    :commands
    [emptyjava]
    [emptyflash]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
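The `:otl` section of the fix above is built from OTL report lines that name services and drivers whose binaries no longer exist, NetSvcs entries pointing at the same missing DLLs, and alternate data streams. As an added example (not from this thread, and not OTL's own code), a small Python parser that sorts such lines into those buckets; the sample lines are constructed here in OTL's line format from the entries in that script, plus one healthy entry for contrast.

```python
import re

# Constructed sample in OTL's report-line format, modelled on the entries the
# fix script above targets (service and driver names are taken from that script).
SAMPLE_OTL = """\
SRV - File not found [Auto | Stopped] -- %systemroot%\\system32\\winss.dll -- (zumbus)
NetSvcs: zumbus - %systemroot%\\system32\\winss.dll File not found
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\\System32\\hidserv.dll -- (HidServ)
DRV - File not found [Kernel | Disabled | Stopped] --  -- (ultra)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\\DRIVERS\\fetnd5.sys -- (FETNDIS)
@Alternate Data Stream - 118 bytes -> C:\\Documents and Settings\\All Users\\Application Data\\TEMP:0B4227B4
SRV - [2012/01/01 10:00:00 | 000,010,240 | ---- | M] (Microsoft Corporation) -- C:\\WINDOWS\\system32\\svchost.exe -- (Dnscache)
"""

# "SRV - File not found [Auto | Stopped] -- <path> -- (<name>)"; the path may be empty.
ORPHAN_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<flags>[^\]]*)\] -- (?P<path>.*?) -- \((?P<name>[^)]+)\)$")
# "NetSvcs: <name> - <path> File not found": the service is also hooked into the netsvcs group.
NETSVCS_RE = re.compile(r"^NetSvcs: (?P<name>\S+) - (?P<path>.*?) File not found$")
# "@Alternate Data Stream - <n> bytes -> <file>:<stream>"
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<target>.+)$")


def triage(report_text):
    """Sort OTL report lines into the buckets a reviewer acts on."""
    out = {"orphaned_services": [], "orphaned_drivers": [], "ads": [],
           "netsvcs_hooked": [], "auto_start_orphans": [], "present": 0}
    netsvcs_names = set()
    for raw in report_text.splitlines():
        line = raw.strip()
        m = ORPHAN_RE.match(line)
        if m:
            flags = [f.strip() for f in m["flags"].split("|")]
            entry = {"name": m["name"], "path": m["path"], "start": flags[-2]}
            bucket = "orphaned_services" if m["kind"] == "SRV" else "orphaned_drivers"
            out[bucket].append(entry)
            if entry["start"] == "Auto":          # starts at boot, but its file is gone
                out["auto_start_orphans"].append(entry["name"])
            continue
        m = NETSVCS_RE.match(line)
        if m:
            netsvcs_names.add(m["name"])
            continue
        m = ADS_RE.match(line)
        if m:
            target, _, stream = m["target"].rpartition(":")
            out["ads"].append({"size": int(m["size"]), "file": target, "stream": stream})
            continue
        if line.startswith(("SRV - [", "DRV - [")):
            out["present"] += 1                   # entry whose file exists on disk
    # An orphaned SRV entry that is also listed under NetSvcs is the pairing the fix removes.
    out["netsvcs_hooked"] = [s["name"] for s in out["orphaned_services"] if s["name"] in netsvcs_names]
    return out


if __name__ == "__main__":
    for key, val in triage(SAMPLE_OTL).items():
        print(key, val)
```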
  15. orloc

    orloc Private E-2

    Here are the OTL and MGTools logs.
     

  16. thisisu

    thisisu Malware Consultant

    Plug in your ethernet cable to test the internet.
    Let me know if it works.

    I will review the rest of your logs later today.
     
  17. orloc

    orloc Private E-2

    Hi,

    I'm pleased to say the internet does now work.

    Is it secure? Is the computer now free of viruses and malware?

    Thanks very much for your help.
     
  18. thisisu

    thisisu Malware Consultant

    You're welcome and yes the malware is gone.

    Here are the last steps ;)

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • J2SE Runtime Environment 5.0 Update 10
    • J2SE Runtime Environment 5.0 Update 11
    • J2SE Runtime Environment 5.0 Update 6
    • J2SE Runtime Environment 5.0 Update 7
    • Java(TM) 6 Update 29
    • Java(TM) SE Runtime Environment 6 Update 1

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Now install the current version of Sun Java from: jre-7u3-windows-i586.exe

    _____

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  19. orloc

    orloc Private E-2

    I've downloaded Disable/Remove Windows Messenger, but am denied access. The message reads,

    "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

    I hope this doesn't mean there's still a problem??
     
  20. thisisu

    thisisu Malware Consultant

    Not a malware related problem. There is something goofy with your Windows where it doesn't think you are an administrator.
    Try running that DisableMessenger.exe directly from the root of C:\.
    You are double-clicking it to open, correct?
     
  21. orloc

    orloc Private E-2

    I've managed to run it from the root of C:\ as you suggested. It seemed to work ok, and I've restarted the computer.

    But now the Sun Java link only produces "Unauthorized Request" which says I must have cookies and javascript enabled. I've checked and I do have these enabled.

    Any suggestions?
     
  22. thisisu

    thisisu Malware Consultant

  23. orloc

    orloc Private E-2

    Sorry, but I still can't get the Sun Java link to work. I tried resetting IE8.
     
  24. thisisu

    thisisu Malware Consultant

    No need to apologize.

    Try this link instead: http://www.oracle.com/technetwork/java/javase/downloads/jre-7u3-download-1501631.html

    Then find:
    Code:
     Windows x86 (32-bit) Offline	19.38 MB  	jre-7u3-windows-i586.exe (http://download.oracle.com/otn-pub/java/jdk/7u3-b05/jre-7u3-windows-i586.exe)
    You will have to "Accept" the license agreement in order to download it so make sure you bubble in Accept.
     
  25. orloc

    orloc Private E-2

    Thanks, that worked.

    I'm just going through the last steps now. Everything seems ok. I assume I can now trust my computer again for passwords, online shopping etc?

    It just remains for me to say again a big thank you. Without your help I think I'd have been buying a new computer!

    :)
     
  26. thisisu

    thisisu Malware Consultant

    You're welcome. Yes, the computer is safe to use again. :)
     
