Solved

How do I best find all Trojan.Agent/Gen-Nullo[Short]?

Posted on 2010-09-16
31
1,855 Views
Last Modified: 2013-12-06
How do I best find all Trojan.Agent/Gen-Nullo[Short]?

SuperAntiSpyware (free edition) has found 18 pieces of Trojan.Agent/Gen-Nullo[Short],
and Eset Smart Security has found these two:

Win32/PSW.Agent.NISPYNT tr
WIN32/PSW.LdPinch.KNRLSYV trojan

It all started when I purchased The Webmaster's Ultimate Reseller Package 2010 yesterday:

www.webresell.net?hop=idickson

I first found a link to the webresell-site at www.quackit.com (which seemed to be a non-scam site).

Please also see my other related question with ID: 264 769 74.

I have to avoid a reinstall because I have a lot of translation jobs I must finish by tomorrow and the next few days. Is there any small chance, for instance if I use Combofix after SuperAntiSpyware has deleted the 18 Trojans, that I can avoid a reinstall? And be not 100 % but quite sure no infections are left?

Now, my cursor is very slow when I type so probably there's a keylogger installed on my laptop, and also the whole system is very sluggish.
0
Comment
Question by:hermesalpha
31 Comments
 
LVL 3

Expert Comment

by:EichhornH
ID: 33691039
i always delete trojans / spyware / viruses with Malwarebytes' Anti-Malware. It works together with other anti-malware utilities. Database updates released daily.
To be sure that all trojans etc. are terminated, perform a second scan after you restart your computer after the first scan.
0
 
LVL 2

Expert Comment

by:puevigi
ID: 33691071
I use Malwarebytes then run Superantispyware.com and between the two it seems to get just about everything.
0
 

Author Comment

by:hermesalpha
ID: 33691111
Malwarebytes has worked fine earlier but this time it didn't find anything whereas SuperAntiSpyware found 18 Trojans!

SuperAntiSpyware has completed the scan now and quarantined the 18 Trojans and asks me to restart the laptop. The problem is if the keylogger is still present on my system, when I reboot I can't enter any site without username and password. As soon as I do that I risk that the keylogger finds out my passwords and usernames.

Or should I restart and immediately use other tools after reboot, for example Combofix?
0
 
LVL 8

Assisted Solution

by:moonie42
moonie42 earned 170 total points
ID: 33691219
Malwarebytes is an excellent application that I've had great success with. Another one to try is SuperAntiSpyware, that's done a great job as well. ComboFix is another great one. If you are not considering performing a System Restore to a previous date, you should turn off System Restore, then reboot in safe mode to run the tools.
0
 

Author Comment

by:hermesalpha
ID: 33691315
Earlier when I tried to do a system restore, it has never been possible for some reason. How can I check now that it's possible to do?

What would I lose if I do a system restore? Favorites in IE8 and Firefox? Or program installations?
0
 

Author Comment

by:hermesalpha
ID: 33691321
If I do a system restore, can I be 100 % sure the Trojans and infections are gone?
0
 

Author Comment

by:hermesalpha
ID: 33691338
I checked now and it was not turned off, it says "monitoring" for all four partitions I have.
Disk space to use: Max (for C: on system restore)
0
 

Author Comment

by:hermesalpha
ID: 33691348
I downloaded the infected software late this night. So if I can do a system restore just one day earlier, wouldn't that be enough? I would lose almost nothing on that.
0
 

Author Comment

by:hermesalpha
ID: 33691386
When doing a system restore, will I lose anything I've saved on my Desktop?
0
 

Author Comment

by:hermesalpha
ID: 33691518
Something positive actually has happened: The cursor is very fast again when I type and the laptop is not sluggish at all. Just like before! Maybe SuperAntiSpyware fixed everything after all.
0
 
LVL 26

Accepted Solution

by:
Thomas Zucker-Scharff earned 200 total points
ID: 33691682
In terms of System Restore you should read the articles below (1 by me, another by rpggamergirl). They describe both SR and how to use it. Use SR before disabling it (since that erases all SR points), then once your system is stable and you are certain you no longer have an infection, follow the instructions to disable SR then reenable it so it deletes all restore points that may be infected. Note that when you do a System Restore you may lose anything done since the last restore point.

******** You should use DriveImageXML to create a complete backup which you can access after the restore is done (just in case you need something).*********

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_2209-Removing-protected-System-Restore-files-if-they-have-been-infected.html

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1934-Viruses-in-the-System-Volume-Information-System-Restore.html
0
 
LVL 2

Expert Comment

by:puevigi
ID: 33691969
I have not yet run into a reason to doubt the reliability of running MBAM and SAS after. I use a System restore in cases where I note functionality issues.
0
 

Expert Comment

by:ybbkrishna
ID: 33695724
restore
http://www.experts-exchange.com/Q_26479054.html

0
 

Author Comment

by:hermesalpha
ID: 33698070
ybbkrishna, what is the meaning with your comment? I don't understand at all what you mean.
0
 

Author Comment

by:hermesalpha
ID: 33698095
tzucker, I have shut down my laptop, is there any risk if I log on now and turn off the SR, then log out again to reboot into safe mode and scan from there?

When I logged out last time the laptop seemed like back in perfect condition again: the cursor was quick and alert, the earlier sluggishness of the system was gone.

Or should I boot now into safe mode and from there turn off SR and then scan with Malwarebytes and SuperAntiSpyware and last ComboFix? And finally, can I choose whether or not to do a SR?

Considering that last time I logged out the laptop seemed to be back in perfect condition again, could it be a good idea to only scan with Malwarebytes, SuperAntiSpyware and ComboFix and then not do a SR?
0
 

Author Comment

by:hermesalpha
ID: 33699129
tzucker,

I got it now, I'll try and follow your advice and remove the infections (except from restore points), then do a system restore and then turn off system restore and finally turn it on again. Is that the right procedure?

The first step (while still having done nothing with sy
0
 

Author Comment

by:hermesalpha
ID: 33699135
(while still having done nothing with system restore), is that to boot into safe mode (system restore is on) and scan with various tools?: Malwarebytes, Superantispyware, Combofix?
0
 

Author Comment

by:hermesalpha
ID: 33699145
How good are the chances of succeeding with this method with system restore?

I have to take a final decision soon whether to try it, or to reinstall everything (which I really want to avoid as I have a lot of customized settings in Windows XP I would have to redo, and a lot of software to reinstall, licenses to activate for CAT-tools, etc. etc.).

If the chances are high to succeed with system restore I will go for that, if there are often problems with system restore I might go for reinstall after all.

Can I be 100 % sure the virus and Trojans are gone following this method with system restore? And then make an image of the clean system?
0
 

Author Comment

by:hermesalpha
ID: 33700051
If there is a keylogger installed with the virus, does it only register for example the first 50 inputs I do on a website? Can I avoid the keylogger getting my login details by copying and pasting the login details? What about if it's automatically filled in?
0
 
LVL 1

Assisted Solution

by:Joe_Brand
Joe_Brand earned 130 total points
ID: 33703182
I would run the combofix in safe mode, also SDFix. Between those two and Mbam you should get clean.
I would also check the msconfig and run HijackThis to get a better idea where something may be hiding. It would be helpful if you posted the HijackThis log.
After you run any of these programs and they ask you to reboot, I would shut down and pull the power plug. Press the power button for about 10 seconds. That will remove all power from the system and prevent any uglies that may have remained resident in memory from returning.
Good luck.
0
 

Author Comment

by:hermesalpha
ID: 33706667
The laptop was like new, back in the same condition as before, after I ran these six tools (not in safe mode though, because I don't know how to switch off Eset Smart Security in safe mode: ComboFix keeps telling me Eset is turned on when in safe mode, can I use msconfig and choose Services/Disable all?): Combofix, Malwarebytes, SuperAntiSpyware, RootAlyzer, TDSSKiller, HijackThis (should I post the log file here?).

That is, until just recently: I had begun to translate in my CAT-tool SDL Trados for two hours, then logged in to my e-mail account and that's when things began to go bad again: now, the cursor is slower than usual again (probably a keylogger) and CPU running to 100 % every 20 seconds.

However, when I logged in to my e-mail account a few minutes ago I had received a reply from Chris Scott:

Hello hermesalpha,

I've done Microsoft Forefront scans of those files and found absolutely nothing.

I also checked out seanbluestone.com and found nothing. I don't have Eset. Maybe you can send me the scan logs?

Could it be possible that your malware is coming from another source? Did you download anything else recently?

Chris
Webresell.net

This is my reply that I just returned to him:

Hi Chris,

I think there has to be one of two things that must have happened:

1. The files were infected (which might not be the case now that you tell me the results of your scans)
2. Something happened during the download at the download location

I am absolutely sure it came from no other location, I was working on a translation at the same time as I downloaded all the zip files from the Thank you page. The first zip files went fine, no problems.

Then, with ebooks.zip, after 99 % had been downloaded the CPU ran up to 100 % constantly and after a while Eset Smart Security told me ebooks.zip contained several threats (which perhaps were being transferred to my computer when I accepted the download and maybe are not in the zip files themselves).

Exactly the same thing with scripts.zip as with ebooks.zip.

Stock Photos.zip: Was completely downloaded without Eset stopping it, but the CPU ran up to 100 % in the middle of the download, and it took a very long time at 99 % before it actually was completed. I still haven't got scripts.zip and ebooks.zip, impossible for me to download. Wonder if you could e-mail these to me, using VPN? Or upload them on a server I have access to? Or use the service www.sendthisfile.com?

Regarding this infection I have now (now, my CPU is going up and down every 20 seconds and the cursor has started to be slow again so probably there is a keylogger in my computer), what should I do? I am 100 % certain my computer was infected when I downloaded from the Thank you page. Can you give me some ideas about what possibly could have happened?

Regards,

hermesalpha

So my questions now are:

1. How can I scan with all six tools in safe mode? Should I do that and afterwards do a system restore and finally turn off and turn on system restore to delete any infections in system restore?

2. After step 1 above, should I do as Joe Brand suggests (after each scan and reboot)?: pull the power plug and press the power button for 10 seconds. Joe Brand, do you mean I should not answer Yes when asked to reboot but instead first pull the power plug and then press the power button for 10 seconds?
What about Combofix? Because Combofix automatically reboots and then finishes everything with a logfile.

3. In the event that Chris Scott and the people behind Webresell.net are not the ones that have caused this infection, who else could it have been? I was working on a translation job at the same time as I downloaded the many zip files from the Thank you page. Is it possible that the people at the hotel here in China are the ones who have something to do with this? Many people here don't like Westerners (I live in the old area of Guangzhou) and I've experienced many peculiarities with my internet connection; when I can't connect for some reason I phone the reception and within 5-10 minutes (or immediately) I can connect again. The local police here wanted to have better control of which web sites the hotel guests visited so each hotel guest now has a login userid and password (this was not the case earlier when I lived here). For example, what do they do after I've called the reception and told them I can't connect?

Actually, now as I write this my cursor is back to normal again, not the delayed mode of a few minutes ago, and the CPU has stopped running up to 100 % every 20 seconds.

I post the Combofix log and Hijackthis log here, but the scans were not made in safe mode.
hijackthis.log
Combofixlog.txt
0
 

Author Comment

by:hermesalpha
ID: 33706711
If I send the scan logs to Chris Scott, is there any risk with doing this?

I mean, if he would be the person behind the infection and already has a degree of control over my computer via the planted virus, would I give him more control if I send him the Combofix and Hijackthis scan logs?
0
 

Author Comment

by:hermesalpha
ID: 33706727
Is this problem related to the infection?:

I logged in to My account at SDL Trados (https://oos.sdl.com/asp/products/ssl/account/default.asp).
That worked fine.

I then chose "Submit your technical query" because I needed support with my CAT-tool. Whereupon I received this error message (I have never received this error message before and I have always been able to submit my technical queries without problems):

"Caught exception: Access denied!".
0
 

Author Comment

by:hermesalpha
ID: 33710595
Can the virus have survived? Still the CPU goes up and down every 20 seconds like before! I used White Canyon's WipeDrive and chose the most secure alternative: wipe with confirmation three times.
Then I reinstalled the whole Windows XP.

Is it really possible the virus still is there?
0
 

Author Comment

by:hermesalpha
ID: 33711066
What is going on!!!? The same thing as before, CPU running up to 100 % every 20 seconds. How can the virus have survived!? Or is it someone here at the hotel in China who can do something?
0
 

Author Comment

by:hermesalpha
ID: 33711120
And I can't access this website: http://www.proz.com/
0
 

Author Comment

by:hermesalpha
ID: 33711198
The cursor and the laptop are very quick, but I really wonder why the CPU follows exactly the same pattern as when I had the virus before the reinstallation this morning: running up to 100 % every 20 seconds.
0
 

Author Comment

by:hermesalpha
ID: 33711670
Ok, I think it's time to leave China!:

Just reinstalled the whole operating system, then installed new software again. Installed the Chinese IM software QQ (the international version that is in English). And now I got the explanation why the laptop immediately was behaving a bit strange: a Trojan.Dropper in C:\Program Files\Tencent\QQIntl\Bin\Selfupdate.exe (the QQ installation!).
0
 
LVL 23

Expert Comment

by:phototropic
ID: 33796406
@Joe_Brand

SDFix has not been updated for many months - it is no longer a viable antimalware tool.
0
 

Author Closing Comment

by:hermesalpha
ID: 33936898
Thanks, I got detailed suggestions on how to deal with my laptop's infections.
0