Agent-JDF, AgentICP, Crypt-XF ruining my PC pls hlp!

Hello all

I can normally fix these sorts of problems using info already available on the net, but this time I’m completely at a loss. I am getting repeat infections that avast seems to pick up on, but not before it gets a chance to do nasty things; there’s something malicious going on without doubt.

My system: Ageing but normally very reliable Win2k SP4, Avast, Kerio firewall, spybot, brother scanner/printer, IIS5.0, Mysql, Thomson USB modem (Tiscali)

What’s happening: various things. Seemingly no problems when I’m not online, but when I connect it can take hours or just seconds before avast will inform me of an infection in a file, normally in the system32 folder, so I move it to the chest. Sometimes before this, sometimes after, svchost.exe will crash with a ‘memory at 0xffffffff could not be “read”’ error, then the PC is unusable till a reboot, as drag and drop and cut and paste stop working, and I cannot disconnect the modem without pulling the plug out. Sometimes other things happen too: the MySQL service will be set to ‘disabled’ without me knowing, and whenever I launch an app, Windows Installer will pop up saying it has to “configure Office 2003”. If I cancel this window, it will respond by saying MAPI32.DLL is missing or corrupted and I should reinstall Office.

What I’ve done so far: I searched the HD for rogue files and deleted some suspiciously named and dated DLLs, the most difficult being tuvvtrr.dll, which would only delete from a safe mode cmd prompt. I ran VundoFix and it removed some files from system32: gftjol.exe, nfenka.exe, wapa.exe, wfzc.exe. I checked IIS was locked down okay, so ran IISLockdown (twice: off then on again), and some DLLs had given themselves file permissions. OSE.EXE, gmer.exe, aof.exe also deleted. I checked JRE was up to date and reinstalled it.

I’ve run HijackThis, deleted some entries and now cannot find anything wrong in there, apart from “O23 Service: MySql… …c:/program.exe” which I have removed once but is now back again.

I’ve attached my hijack log. I’m out of ideas now. It’s like the firewall and antivirus software aren’t even there. I can’t stay offline all the time and I’ve some important stuff to finish for a deadline, this is driving me up the proverbial wall. There’s a huge hole in my defences but it’s so big I cannot find it. Up until the 22nd I have NEVER had so serious a problem as this. I guess I could re-install from scratch but cannot afford the downtime.

Any ideas anyone?

J
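One reason a HijackThis O23 line can end in something like “c:\program.exe” is a service whose ImagePath is unquoted and contains spaces (for example under C:\Program Files): Windows tries each space-delimited prefix in turn, so C:\Program.exe is looked up first. Whether that is what happened on the poster’s machine is an assumption; the script below is an added illustration, not code from the thread, and its service names and paths are constructed samples rather than values from the poster’s HijackThis log.

```python
r"""Audit Windows service ImagePath values for the unquoted-path ambiguity that
HijackThis surfaces as an O23 line ending in something like "c:\program.exe".

Added illustration, not code from the thread. Service names and paths below
are constructed samples, not values read from the poster's machine.
"""

# Constructed sample: service name -> ImagePath, as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "MySql": r"C:\Program Files\MySQL\bin\mysqld.exe MySql",
    "Spooler": r'"C:\WINNT\system32\spoolsv.exe"',
    "KPF4": r'"C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"',
    "BrLogger": r"C:\Program Files\Brother\Brmfrsmg.exe",
}


def resolution_candidates(image_path):
    r"""Executables Windows would try, in order, for this ImagePath.

    A quoted path has one candidate. For an unquoted path CreateProcess tries
    each prefix that ends at a space, appending ".exe" when the prefix has no
    extension, so "C:\Program Files\..." is first looked up as C:\Program.exe.
    Walking stops at the first prefix that already ends in .exe; anything after
    it is treated as service arguments.
    """
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        return [path[1:end] if end != -1 else path[1:]]
    words = path.split(" ")
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def is_ambiguous(image_path):
    """True when more than one executable location could be tried."""
    return len(resolution_candidates(image_path)) > 1


def quote_image_path(image_path):
    """Hardened form: wrap the executable in quotes, keep any arguments."""
    path = image_path.strip()
    if path.startswith('"') or not is_ambiguous(path):
        return path
    exe = resolution_candidates(path)[-1]
    if not path.startswith(exe):
        # ".exe" was appended by us because no real extension was found
        exe = exe[:-4]
    return '"%s"%s' % (exe, path[len(exe):])


def audit(services):
    """Map each ambiguous service to (candidates tried, suggested ImagePath)."""
    return {
        name: (resolution_candidates(p), quote_image_path(p))
        for name, p in services.items()
        if is_ambiguous(p)
    }


if __name__ == "__main__":
    for name, (cands, fixed) in audit(SAMPLE_SERVICES).items():
        print(name)
        for c in cands:
            print("  would try:", c)
        print("  suggested :", fixed)
```

Run against real registry data, the useful check is simply whether an ImagePath under Program Files is quoted; if a service keeps reverting to an ambiguous path after you fix it, that is worth investigating in its own right.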

Hello again

Okay, sorry, I think I panicked a bit unnecessarily over this one…

Forgot to mention I did a boot time scan which removed some stuff, but I think it was all just a problem with my firewall. My recommendation to all is, especially if other people use your PC, they may have set up filter rules that shouldn’t have been allowed, so ALL firewall rules should be periodically reset.

I have never heard this advice before, but what I did is completely reset the firewall. Disconnected the modem, uninstalled the firewall, reset the machine, searched the registry for any occurrence of ‘Kerio’, deleted them, moved the Kerio config file to another location just in case I need it later, then deleted the Kerio program folders manually. I was amazed how much litter was left on my machine after a supposed ‘uninstall’. Of course, if I hadn’t deleted or moved the kpf.cfg config file before reinstalling, it would have led to the same filter rules being reinstated and we’d have got nowhere.

After reinstalling Kerio KPF 4 everything seems okay now, and I’ve been able to block suspicious things from getting in (the attack I think came from 24.64.200.109 in Canada).

Fingers crossed all is well; it’s certainly been quiet for a good while now. If anything else happens I’ll post again.

Sorry for panicking and wasting your time, it’s all a learning curve you know.


Welcome to the forums, dietstripes.

I am glad to know you seem to have solved your problem. If you have other problems, please come back and let us know.