Infected system. ARGH

By w0nd
Aug 31, 2007
  1. Hello

    I just joined because my system was badly infected.

    I had my system infected with a virus where the symptom was my PF usage: the memory usage kept going up for no reason. I had no process in Task Manager that was actually eating up so much memory, so it must have been a virus.

    At one point it went up to 2GB. But I followed the amazing virus removal instructions and, I believe, successfully removed the virus, since memory usage seems normal at under 400MB. But... I still would like to post my logs just in case there is anything else I'm missing.

    And the AVG Anti-Rootkit program detected something, but the instructions said to post the result before doing anything with it. The returned result was:


    Is this bad?

    AVG Anti-Spyware didn't find any threat.
    The ComboFix and HijackThis logs I'm not sure how to read.

    I hope I followed the instructions correctly.
    Would really appreciate help on this :(
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    It appears you're running more than one antivirus programme, AhnLab and AVG. This is not recommended; it will slow your system down and can cause serious conflicts.

    I suggest you uninstall one antivirus programme. Since I know very little about AhnLab, maybe this is the one you should uninstall.

    Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with (if there).


    Close control panel.

    Have AVG Antirootkit fix the c:\windows\system32\drivers\aggsu995.sys entry.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon, which will open a new window titled "open Script File".
    Navigate to the file you have just downloaded, click on it and press Open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT and Combofix log.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of w0nd only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  3. w0nd

    w0nd TS Rookie Topic Starter

    Thank you for replying, Howard!

    Oh, and the Naver toolbar is something I use, so I didn't remove it,
    and I got rid of AhnLab antivirus. Would you recommend using AVG antivirus with ZoneAlarm for the firewall?

    And the Avenger log might look weird because the zip file didn't work several times, so I deleted the files in the script myself. Then I tried downloading The Avenger again one last time and it worked... so the log says file not found.

    The fresh logs are attached.

    I tried removing c:\windows\system32\drivers\aggsu995.sys with Anti-Rootkit, but after reboot, I ran Anti-Rootkit again and there was another one in the same folder with a different name. So I did the entire step again, but another one is still there. Different name, of course. Is this serious?

    Thanks for your assistance!
  4. howard_hopkinso

    Yes, I think this may well be serious.

    Can you give details of the file found by AVG Antirootkit?

    Have HJT fix all O16 DPF: entries apart from the Microsoft entry.

    Are you absolutely sure the Naver toolbar is safe?

    Yes, I would recommend AVG and ZoneAlarm.

    Go HERE and follow the instructions for removing Symantec/Norton.

    Post a fresh HJT log as well as the AVG Antirootkit results.

    Regards Howard :)
  5. w0nd

    Thank you for so much help.

    Yup, the Naver toolbar is safe.

    I ran Anti-Rootkit, and the result was:


    I think it changes to a different name every time the computer boots.

    And HijackThis got a bunch of O18s which I didn't have in previous logs.

    Oh, and I always have constant intrusion attempts. Luckily ZoneAlarm is blocking all of them, but in about an hour
    I had almost 4000 access attempts, all of them on port 59783. Is this normal? Does the rootkit have anything to do with this?

    Thank you!
  6. howard_hopkinso

    I seriously suggest you get rid of that Naver toolbar or whatever it's called. I have my doubts as to its safety, though I can't find any real or conclusive info on it.

    Fix all O18 Protocol: entries.

    I can find no info on the files that AVG Antirootkit is finding. This worries me greatly.

    If AVG Antirootkit continues to find randomly named files, I'd seriously consider doing a reformat and reinstall.

    Legit processes don't normally generate random file names.

    Regards Howard :)
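Howard's heuristic (legitimate software does not normally generate random driver names) combined with w0nd's observation (the name changes every boot) gives a simple defensive check: snapshot the drivers folder on consecutive boots, diff the two listings, and flag any churned name that looks random. This is an added Python example, not part of the thread or of any tool it mentions; the two file lists are constructed (only aggsu995.sys comes from the thread) and the name pattern is an assumed heuristic that should be tuned against a known-good baseline.

```python
import os
import re

# Constructed snapshots of the C:\Windows\System32\drivers listing, as taken
# on two consecutive boots. aggsu995.sys is the name from the thread; the
# other names are made up for the example (usbvideo.sys stands in for a
# legitimate driver added between boots, e.g. by a device install).
BOOT_1 = ["afd.sys", "aggsu995.sys", "mrxsmb10.sys", "ntfs.sys", "tcpip.sys"]
BOOT_2 = ["afd.sys", "mrxsmb10.sys", "ntfs.sys", "qtxeb312.sys",
          "tcpip.sys", "usbvideo.sys"]

# Assumed heuristic for "random-looking" driver names, modelled on
# aggsu995.sys: a short run of letters followed by a block of digits.
# mrxsmb10.sys does not match because its digit block is too short.
RANDOM_NAME = re.compile(r"^[a-z]{3,6}\d{3,4}\.sys$")


def snapshot(drivers_dir: str) -> list[str]:
    """Live snapshot: lower-cased .sys file names in a drivers directory."""
    return sorted(n.lower() for n in os.listdir(drivers_dir)
                  if n.lower().endswith(".sys"))


def looks_random(name: str) -> bool:
    """True if the driver file name matches the random-name heuristic."""
    return RANDOM_NAME.match(name.lower()) is not None


def churned_drivers(before: list[str], after: list[str]) -> list[str]:
    """Driver names present in only one of the two boot snapshots."""
    return sorted(set(before) ^ set(after))


def suspicious_drivers(before: list[str], after: list[str]) -> list[str]:
    """Churned drivers whose names also look random: the pattern w0nd saw."""
    return [n for n in churned_drivers(before, after) if looks_random(n)]


if __name__ == "__main__":
    # Replace the constructed lists with snapshot(r"C:\Windows\System32\drivers")
    # taken on two boots to run this against a real machine.
    print("changed between boots:", churned_drivers(BOOT_1, BOOT_2))
    print("random-looking and changed:", suspicious_drivers(BOOT_1, BOOT_2))
```

A churned name that also carries a valid vendor signature is most likely a legitimate update; a churned, unsigned, random-looking name in the drivers folder is the case worth treating as Howard did.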
  7. w0nd

    Hmm... OK. Formatting it is then. Argh.

    Thanks for all the help, Howard! Really appreciate it.