Agent3.BEFN virus removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by passito, Feb 3, 2012.

  1. passito

    passito Private E-2

    Hello,

    My mother's got her PC infected with a virus detected with AVG Free as "Agent3.BEFN", apparently located in the C:/windows...system32/netbt.sys file.

    It seems to block the internet connection (DHCP not activated or something?), either in wifi or with the LAN cable.

    So I've followed the procedure described in the "read & run me first", and scanned the computer with "SuperAntiSpyware". It detected something and I removed it, but it didn't fix the internet problem, and after the reboot I noticed that running programs like "cmd.exe" pops up an error window "Windows cannot open this file : cmd.exe. Choose a program to open the file..."

    I attached the log of SuperAntiSpyware, and I beg for your help to know what to do next and how to fix the .exe not running problem.
     

    Attached Files:

  2. passito

    passito Private E-2

    Oh and, sorry for the double post, but you may want to know that I didn't update the database of SuperAntiSpyware, because it requires internet ... which I don't have :)
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  4. passito

    passito Private E-2

    Hi again,

    I cannot follow the procedure after what I described in my first post, because as I said, .exe files won't run and a "choose how to open this file" box pops up when I try to launch them.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    To repair broken EXE file associations, download the correct registry fix to match the version of Windows you are running by clicking the appropriate blue link below.

    1. You can use Right-click and Save as ( or Save Target As ) option in your browser to download the patch.
    2. Save the patch file directly to your Desktop folder.
    3. Right-click the REG file and choose Merge. Alternately, you can open the Registry Editor and then use the Import option from the File menu to merge the REG file contents.
    4. Note that you need to be an administrator to apply these fixes.
     
    Last edited: Feb 4, 2012
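    For reference, this is the shape of the registry fix being described, added here as an illustration and not TimW's actual attachment; the keys and values are the Windows XP defaults for the .exe extension and the exefile class, and the HKEY_CURRENT_USER entry clears any per-user override that would keep the "choose a program" dialog appearing.

```reg
Windows Registry Editor Version 5.00

; Point the .exe extension back at the exefile class (Windows XP defaults).
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00

; "%1" is the program path; %* forwards its command-line arguments unchanged.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

; Remove any per-user "open with" choice that overrides the class above.
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
```

    Merging it needs administrator rights. A fix that has to be re-applied after every reboot means whatever reset the association is still active, so the malware removal has to finish before this repair will hold.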
  6. passito

    passito Private E-2

    Hello,

    So i've done all the tests and attached the log files to this post. It seems that a hidden sys file is still located in C:
     

    Attached Files:

  7. passito

    passito Private E-2

    Last log file here :)

    Oh and I tried to repair the broken EXE file association with your .reg file TimW, it works but every time I restart the computer I need to use the .reg file again, how do I fix the problem?
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please put ComboFix directly on your desktop, not here:
    Lancé depuis: E:\ComboFix.exe

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    File::
    c:\windows\system32\rydcs.dll
    C:\Documents and Settings\ed\Application Data\gkkg83a2dk3a5h0f.dat
    C:\Documents and Settings\ed\Local Settings\Application Data\546o4j6k6254
    C:\Documents and Settings\All Users\Application Data\546o4j6k625
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ywzhftsjv]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  9. passito

    passito Private E-2

    Hello,

    I've done the ComboFix scan, but when it said "outdated version" I had only two choices "Run with limited functionality" or "no (?)"

    In any case, here are the logs :)

    Thanks for your help
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member


    Please attach the new MGLogs so I can see if we still need to remove things.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    FYI to TimW: New ComboFix needs to be downloaded. You need to fix all of the Conficker infection as shown in the logs.

     
  12. passito

    passito Private E-2

    Hello,
    I took a long time, but I did run the last ComboFix version and scanned the PC with MGTools.

    Logs attached

    Thank you again for your helpful help :-D
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download a fresh copy of ComboFix to your desktop.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    NetSvc::
    ywzhftsjv
     
    Driver::
    ywzhftsjv
     
    File::
    C:\Documents and Settings\All Users\Application Data\546o4j6k6254
    c:\windows\system32\rydcs.dll
     
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ywzhftsjv]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Feb 16, 2012
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @TimW,

    I added the NetSvc entry to your fix.
     
