
Thread: Avira Antivir detected TR\Spy.Agent.azob.2

  1. #1 (Junior Member, joined Sep 2009, 3 posts)

    Avira Antivir detected TR\Spy.Agent.azob.2

    Hi all,

    first of all, I'm running Windows XP Pro SP2 on a Pentium 4 and, as mentioned, I have Avira's Antivir, the free edition, installed. I don't have any other protection (should probably work on that, thinking about getting Comodo's firewall). Yesterday morning an update for the Java virtual machine popped up and I accepted, and since then Antivir keeps on sending infection messages, most of them on startup, saying:

    C:\WINDOWS\system32\ms32clod.exe
    Is the TR/Spy.Agent.azob.2 Trojan

    I have been denying access every time. I've successfully deleted all the files in the C:\Archivos de Programa\Java folder (yeah, it's in Spanish :S, it just says Program Files) using Unlocker to get access to them. I tried deleting the ms32clod.dll file as well, but when I rebooted it was back. It is just a guess, but I think at least explorer.exe, taskmgr.exe, firefox.exe and Belkinwcui.exe (the process of my WiFi module) have already been infected. I say so because Antivir pops up a message every time I activate any of these processes. I tried entering safe mode but it doesn't seem to be available; I even powered down my computer while running to force safe mode, but it didn't work.

    Apart from that, I had been having many problems with several messenger programs (Windows Live Messenger, MSN Messenger 7, even Windows Messenger); they would crash directly after logging in, but I don't think that has much to do with this actual problem ...

    I was recommended to scan my computer with RootRepeal, but I don't get much of what it says on the report. I can see that there is activity from unknown sources in the registry keys, but I don't know what to do about it. I'm posting the report in case it is of any help.

    ROOTREPEAL © AD, 2007-2009
    ==================================================
    Scan Start Time: 2009/08/31 23:56
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP2
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xAAD67000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7D69000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xA846C000 Size: 49152 File Visible: No Signed: -
    Status: -

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "<unknown>" at address 0xf7f5c246

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0xf7f5c23c

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "<unknown>" at address 0xf7f5c24b

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "<unknown>" at address 0xf7f5c255

    #: 098 Function Name: NtLoadKey
    Status: Hooked by "<unknown>" at address 0xf7f5c25a

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0xf7f5c228

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0xf7f5c22d

    #: 193 Function Name: NtReplaceKey
    Status: Hooked by "<unknown>" at address 0xf7f5c264

    #: 204 Function Name: NtRestoreKey
    Status: Hooked by "<unknown>" at address 0xf7f5c25f

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "<unknown>" at address 0xf7f5c250

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0xf7f5c237

    ==EOF==


    Thanks in advance for your attention and I hope I can learn something from this experience.

    EDIT: I downloaded HijackThis and did the scan and saved the report, and here it is:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:56:15, on 01/09/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
    C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Belkin\F5D9050\Belkinwcui.exe
    C:\Archivos de programa\Unlocker\UnlockerAssistant.exe
    C:\Archivos de programa\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Archivos de programa\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\mazawer\Escritorio\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [F5D9050] C:\Archivos de programa\Belkin\F5D9050\Belkinwcui.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Archivos de programa\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1247066789670
    O17 - HKLM\System\CCS\Services\Tcpip\..\{33D5B743-C14B-4512-85EF-268E45F6F797}: NameServer = 62.14.2.1,62.151.2.8
    O20 - AppInit_DLLs: ms32clod.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Archivos de programa\Java\jre6\bin\jqs.exe (file missing)

    --
    End of file - 3392 bytes
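
What a responder would actually pull out of the two logs above, as an added example that is not part of the original post or of either tool: cross-check each SSDT hook address against the driver list RootRepeal printed (none of the listed drivers covers 0xf7f5c2xx, so the hooking module is not in the visible list), measure how tightly the hook addresses cluster (a few dozen bytes apart means one module installed them all), and pull the O20 AppInit_DLLs entry and any O23 service whose binary is missing out of the HijackThis log. The embedded logs are a constructed subset of the posted output, and the regexes and function names are mine, not RootRepeal's or HijackThis's.

```python
import re

# Constructed sample: a subset of the RootRepeal and HijackThis output
# posted in the thread, embedded so this runs offline. The parsing rules
# below are my own; they are not RootRepeal or HijackThis functionality.
ROOTREPEAL_LOG = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAD67000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA846C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7f5c246

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7f5c228

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7f5c237
"""

HJT_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Archivos de programa\Avira\AntiVir Desktop\avgnt.exe" /min
O20 - AppInit_DLLs: ms32clod.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Archivos de programa\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Archivos de programa\Java\jre6\bin\jqs.exe (file missing)
"""

DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\s+Image Path: .*?\s+"
    r"Address: (?P<base>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)")
HOOK_RE = re.compile(
    r"#: \d+ Function Name: (?P<fn>\w+)\s+"
    r'Status: Hooked by "(?P<by>[^"]*)" at address (?P<addr>0x[0-9A-Fa-f]+)')
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$", re.M)
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$", re.M)


def parse_drivers(text):
    """(name, start, end) for each loaded driver RootRepeal listed."""
    out = []
    for m in DRIVER_RE.finditer(text):
        base = int(m["base"], 16)
        out.append((m["name"], base, base + int(m["size"])))
    return out


def parse_ssdt_hooks(text):
    """(function, hooking module, hook address) for each hooked SSDT entry."""
    return [(m["fn"], m["by"], int(m["addr"], 16)) for m in HOOK_RE.finditer(text)]


def owning_driver(addr, drivers):
    """Name of the listed driver whose image range contains addr, else None."""
    for name, start, end in drivers:
        if start <= addr < end:
            return name
    return None


def hook_address_span(hooks):
    """Distance between the lowest and highest hook address; a small span
    means one module installed all of the hooks."""
    addrs = [a for _, _, a in hooks]
    return max(addrs) - min(addrs) if addrs else 0


def analyse_rootrepeal(text):
    """Flag every hook whose address falls inside no listed driver image."""
    drivers = parse_drivers(text)
    hooks = parse_ssdt_hooks(text)
    findings = []
    for fn, by, addr in hooks:
        if owning_driver(addr, drivers) is None:
            findings.append(("ssdt_hook_unlisted_owner", fn, hex(addr), by))
    return findings, hook_address_span(hooks)


def triage_hjt(text):
    """Flag AppInit_DLLs entries (loaded into every process that links
    user32.dll) and services whose binary is gone."""
    findings = []
    for m in O20_RE.finditer(text):
        for dll in re.split(r"[,\s]+", m["dlls"].strip()):
            if dll:
                findings.append(("appinit_dll", dll))
    for m in O23_RE.finditer(text):
        if m["path"].endswith("(file missing)"):
            findings.append(("service_file_missing", m["svc"]))
    return findings


if __name__ == "__main__":
    rr_findings, span = analyse_rootrepeal(ROOTREPEAL_LOG)
    for f in rr_findings:
        print(*f)
    print(f"hook addresses lie within {span} bytes of each other")
    for f in triage_hjt(HJT_LOG):
        print(*f)
```

Run against the posted logs, every hook lands at an address no visible driver owns, all of them within 0x1e bytes of each other, and the one O20 entry is ms32clod.dll. AppInit_DLLs (the value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows) is loaded by user32.dll into every process that links it, which is consistent with Avira alerting each time explorer.exe, taskmgr.exe or firefox.exe starts rather than those binaries themselves being modified; and while the SSDT hooks on NtOpenProcess, NtTerminateProcess and the registry functions are in place, deleting the DLL or the registry value from the running system is unlikely to stick, which is what the "it was back after reboot" behaviour looks like from the outside.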

  2. #2 (Junior Member, joined Sep 2009, 3 posts)

    bump ...

  3. #3 (Junior Member, joined Sep 2009, 3 posts)

    problem solved, thread to be closed
