Trojan.Agent/Gen.Siggen.Process-1

arfur
New Helpee

Posts: 22

Trojan.Agent/Gen.Siggen.Process-1 Sept 25, 2015 22:11:43 GMT -8

Quote

Post by arfur on Sept 25, 2015 22:11:43 GMT -8

Trojan.Agent/Gen.Siggen.Process-1 was identified by the free version of SAS, it was not found by NIS or the free MB. After the apparent removal a restart was required and I realized that SAS had been removed in the process. I was able to download a new SAS installation file but it is identified as damaged when trying to install so I can't recheck the system.

Win 8.1 with all essential updates

Thanks

dbrisen Malware Removalists Posts: 3,688	Trojan.Agent/Gen.Siggen.Process-1 Sept 27, 2015 21:59:13 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by dbrisen on Sept 27, 2015 21:59:13 GMT -8 Please follow the steps in this thread ( I think I am infected. What do I do? ). Once you have provided the logs required, I will assist you as best we can. Thank you.
	I will not provide malware removal by PM; please post in your thread on the Malware Removal board. My help is always free but if you would like to help encourage me or show your thanks -----> *DONATE*

arfur New Helpee Posts: 22	Trojan.Agent/Gen.Siggen.Process-1 Sept 28, 2015 16:45:50 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by arfur on Sept 28, 2015 16:45:50 GMT -8 Thanks, here they are wikisend.com/download/783338/Addition.txt Attachments: FRST.txt (67.63 KB)

dbrisen
Malware Removalists

Posts: 3,688

Trojan.Agent/Gen.Siggen.Process-1 Sept 29, 2015 22:56:06 GMT -8

Quote

Post by dbrisen on Sept 29, 2015 22:56:06 GMT -8

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1604086180-3738614888-1221955320-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SUPERAntiSpyware
HKU\S-1-5-21-1604086180-3738614888-1221955320-1001\...\MountPoints2: {662f7d00-18d7-11e5-833f-74d435b2e739} - "K:\AutoRun.exe"
HKU\S-1-5-21-1604086180-3738614888-1221955320-1004\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
C:\Windows\gdrv.sys
C:\Users\Athol\breezebrowser.dat
C:\Users\Athol\AppData\Local\Temp\vlc-2.2.1-win32.exe
C:\Users\New Admin\AppData\Local\Temp\6e7nzh32.dll
C:\Users\New Admin\AppData\Local\Temp\_is2D52.exe
2014-06-16 15:27 - 2014-06-16 15:27 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm
AlternateDataStreams: C:\ProgramData\TEMP:3EFB0FE0
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

arfur New Helpee Posts: 22	Trojan.Agent/Gen.Siggen.Process-1 Sept 29, 2015 23:54:20 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by arfur on Sept 29, 2015 23:54:20 GMT -8 Ran OK, log attached. Fixlog.txt (6.07 KB)

dbrisen
Malware Removalists

Posts: 3,688

Trojan.Agent/Gen.Siggen.Process-1 Sept 30, 2015 19:26:16 GMT -8

Quote

Post by dbrisen on Sept 30, 2015 19:26:16 GMT -8

Good: looks like a proxy issue was caught and corrected also ....

Read carefully

Download Adwcleaner from here to your desktop and run a scan.

You may have to right click adwcleaner.exe and choose "Run as Administrator" from the menu. (Click the Scan button to start the scanning).

It will create a log after it is finished scanning. If not (or if it just asks for you to uncheck what you don't wanted deleted), there is a LogFile button in the middle of the main window; click that and it will make the log file.

Once the report file is made, you can leave AdwCleaner running (but don't delete anything yet) or you can close it down (we can always get a fresh scan done before the deletions).

ONE SCAN ONLY, PLEASE

Attach or paste the log back here for review and further instructions. Thanks.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

arfur New Helpee Posts: 22	Trojan.Agent/Gen.Siggen.Process-1 Sept 30, 2015 21:37:37 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by arfur on Sept 30, 2015 21:37:37 GMT -8 ADWCleaner log file attached. The install file for SAS is now clean, allowing installation AdwCleanerS1.txt (1.52 KB)

dbrisen
Malware Removalists

Posts: 3,688

Trojan.Agent/Gen.Siggen.Process-1 Oct 2, 2015 21:12:45 GMT -8

Quote

Post by dbrisen on Oct 2, 2015 21:12:45 GMT -8

Sorry for the delay; I lost internet for a few days.

FIRST

Please run AdwCleaner again (if you don't have it running from the last scan) and

a) Click the Scan Button and wait for the scan to finish, (If Adwcleaner has been left open at the finish of the scan this is already done).

b) Make sure in your case all the items under each TAB are ticked / checked then.

c) Click the Clean Button and Adwcleaner will process all the items ticked / checked and then may ask for the system to be restarted.

d) It should create a new log afterwards (with S0 in the name).

e) Please attach or copy the log into your reply here.

SECOND

Malwarebytes' Anti-Malware
Please start Malwarebytes Anti-Malware from either the Start Menu shortcut or the desktop shortcut (if you have one).

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link

Once the program has loaded and updated, select "Scan Now >>" to start the scan.

The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.

Please click on the Save Results >> button and select the As text file from the dropdown list. I would suggest you save the file on your desktop (as we need the report attached here for review and it is easy to find on the desktop).

After you have saved the report file, return to the Potential Threats Detected page and click on Cancel. You can close MBAM after that.

Please attach the report file to a post here; I will review the file and script what needs to be removed.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

arfur
New Helpee

Posts: 22

Trojan.Agent/Gen.Siggen.Process-1 Oct 2, 2015 22:24:53 GMT -8

Quote

Post by arfur on Oct 2, 2015 22:24:53 GMT -8

AdwCleaner run, followed by a restart but I missed creating the log file. MB log is clean and attached. Should I rerun Adwcleaner to check?

MB results.txt (1.01 KB)

Bad luck about the interruption, fibre is on the way some time.

Thanks for the help (again!)

dbrisen Malware Removalists Posts: 3,688	Trojan.Agent/Gen.Siggen.Process-1 Oct 2, 2015 23:03:29 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by dbrisen on Oct 2, 2015 23:03:29 GMT -8 You should find the AdwCleaner log in the C:\Adwcleaner directory.
	I will not provide malware removal by PM; please post in your thread on the Malware Removal board. My help is always free but if you would like to help encourage me or show your thanks -----> *DONATE*

Trojan.Agent/Gen.Siggen.Process-1

Post by arfur on Sept 25, 2015 22:11:43 GMT -8

Post by dbrisen on Sept 27, 2015 21:59:13 GMT -8

Post by arfur on Sept 28, 2015 16:45:50 GMT -8

Post by dbrisen on Sept 29, 2015 22:56:06 GMT -8

Post by arfur on Sept 29, 2015 23:54:20 GMT -8

Post by dbrisen on Sept 30, 2015 19:26:16 GMT -8

Post by arfur on Sept 30, 2015 21:37:37 GMT -8

Post by dbrisen on Oct 2, 2015 21:12:45 GMT -8

Post by arfur on Oct 2, 2015 22:24:53 GMT -8

Post by dbrisen on Oct 2, 2015 23:03:29 GMT -8