  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1869
  • Last Modified:

How do I best find all Trojan.Agent/Gen-Nullo[Short]?

SuperAntiSpyware (free edition) has found 18 pieces of Trojan.Agent/Gen-Nullo[Short],
and Eset Smart Security has found these two:

Win32/PSW.Agent.NISPYNT tr
WIN32/PSW.LdPinch.KNRLSYV trojan

It all started when I purchased The Webmaster's Ultimate Reseller Package 2010 yesterday:

www.webresell.net?hop=idickson

I first found a link to the webresell-site at www.quackit.com (which seemed to be a non-scam site).

Please also see my other related question with ID: 264 769 74.

I have to avoid a reinstall because I have a lot of translation jobs I must finish by tomorrow and the next few days. Is there any small chance, for instance if I use ComboFix after SuperAntiSpyware has deleted the 18 Trojans, that I can avoid a reinstall? And be not 100 % but quite sure no infections are left?

Now, my cursor is very slow when I type so probably there's a keylogger installed on my laptop, and also the whole system is very sluggish.
0
Asked by: hermesalpha
3 Solutions
 
EichhornHCommented:
I always delete trojans / spyware / viruses with Malwarebytes' Anti-Malware. It works together with other anti-malware utilities. Database updates are released daily.
To be sure that all trojans etc. are terminated, perform a second scan after you restart your computer after the first scan.
0
 
puevigiCommented:
I use Malwarebytes then run Superantispyware.com and between the two it seems to get just about everything.
0
 
hermesalphaAuthor Commented:
Malwarebytes has worked fine earlier but this time it didn't find anything, whereas SuperAntiSpyware found 18 Trojans!

SuperAntiSpyware has completed the scan now and quarantined the 18 Trojans and asks me to restart the laptop. The problem is if the keylogger is still present on my system, when I reboot I can't enter any site without username and password. As soon as I do that I risk that the keylogger finds out my passwords and usernames.

Or should I restart and immediately use other tools after reboot, for example Combofix?
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
moonie42Commented:
Malwarebytes is an excellent application that I've had great success with. Another one to try is SuperAntiSpyware, that's done a great job as well. ComboFix is another great one. If you are not considering performing a System Restore to a previous date, you should turn off System Restore, then reboot in safe mode to run the tools.
0
 
hermesalphaAuthor Commented:
Earlier when I tried to do a system restore, it has never been possible for some reason. How can I check now whether it's possible to do?

What would I lose if I do a system restore? Favorites in IE8 and Firefox? Or program installations?
0
 
hermesalphaAuthor Commented:
If I do a system restore, can I be 100 % sure the Trojans and infections are gone?
0
 
hermesalphaAuthor Commented:
I checked now and it was not turned off, it says "monitoring" for all four partitions I have.
Disk space to use: Max (for C: on system restore)
0
 
hermesalphaAuthor Commented:
I downloaded the infected software late this night. So if I can do a system restore to just one day earlier, wouldn't that be enough? I would lose almost nothing with that.
0
 
hermesalphaAuthor Commented:
When doing a system restore, will I lose anything I've saved on my Desktop?
0
 
hermesalphaAuthor Commented:
Something positive actually has happened: the cursor is very fast again when I type and the laptop is not sluggish at all. Just like before! Maybe SuperAntiSpyware fixed everything after all.
0
 
Thomas Zucker-ScharffSystems AnalystCommented:
In terms of System Restore you should read the articles below (one by me, another by rpggamergirl). They describe both SR and how to use it. Use SR before disabling it (since that erases all SR points); then, once your system is stable and you are certain you no longer have an infection, follow the instructions to disable SR and then re-enable it so it deletes all restore points that may be infected. Note that when you do a System Restore you may lose anything done since the last restore point.

******** You should use DriveImageXML to create a complete backup which you can access after the restore is done (just in case you need something).*********

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/A_2209-Removing-protected-System-Restore-files-if-they-have-been-infected.html

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1934-Viruses-in-the-System-Volume-Information-System-Restore.html
0
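The restore-point procedure described in the post above (pick a point that predates the infection, and only after a clean verdict disable and re-enable System Restore to purge every stored point), written out as an added Windows PowerShell example. This is not the poster's code and not part of the linked articles; it assumes an elevated session on a client Windows version that ships the System Restore cmdlets, and the drive letter and the restore-point description are placeholders.

```powershell
# Added example: inspect System Restore before relying on it, then purge old
# restore points once the system is known clean. Requires an elevated
# Windows PowerShell session; the drive letter is an assumption.
$SystemDrive = 'C:\'

# 1. List existing restore points so you can pick one that predates the
#    infection (in the thread's case the download happened the night before).
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 2. Restore to the chosen point (uncomment after picking a SequenceNumber).
#    The machine reboots as part of the restore, so save work first.
# Restore-Computer -RestorePoint 42 -Confirm

# 3. Only after scans come back clean: disabling System Restore deletes every
#    restore point on the drive, including any that still hold malware, and
#    re-enabling it starts with an empty set of points.
Disable-ComputerRestore -Drive $SystemDrive
Enable-ComputerRestore  -Drive $SystemDrive

# 4. Take a fresh, known-good restore point on the clean system.
Checkpoint-Computer -Description 'Clean after malware removal' `
                    -RestorePointType 'MODIFY_SETTINGS'
```

Steps 3 and 4 are deliberately last: running them before the scans are clean throws away the one restore point that could still roll the machine back to before the infection.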
 
puevigiCommented:
I have not yet run into a reason to doubt the reliability of running MBAM and SAS after. I use a System Restore in cases where I note functionality issues.
0
 
ybbkrishnaCommented:
restore
http://www.experts-exchange.com/Q_26479054.html

0
 
hermesalphaAuthor Commented:
ybbkrishna, what is the meaning with your comment? I don't understand at all what you mean.
0
 
hermesalphaAuthor Commented:
tzucker, I have shut down my laptop. Is there any risk if I log on now and turn off the SR, then log out again to reboot into safe mode and scan from there?

When I logged out last time the laptop seemed like back in perfect condition again: the cursor was quick and alert, the earlier sluggishness of the system was gone.

Or should I boot now into safe mode and from there turn off SR and then scan with Malwarebytes and SuperAntiSpyware and last ComboFix? And finally, can I choose whether or not to do a SR?

Considering that last time I logged out the laptop seemed to be back in perfect condition again, could it be a good idea to only scan with Malwarebytes, SuperAntiSpyware and ComboFix and then not do a SR?
0
 
hermesalphaAuthor Commented:
tzucker,

I got it now. I'll try to follow your advice and remove the infections (except from restore points), then do a system restore, then turn off system restore and finally turn it on again. Is that the right procedure?

The first step (while still having done nothing with sy
0
 
hermesalphaAuthor Commented:
(while still having done nothing with system restore), is that to boot into safe mode (system restore is on) and scan with various tools: Malwarebytes, SuperAntiSpyware, ComboFix?
0
 
hermesalphaAuthor Commented:
How good are the chances of succeeding with this method using system restore?

I have to take a final decision soon whether to try it, or to reinstall everything (which I really want to avoid as I have a lot of customized settings in Windows XP I would have to redo, and a lot of software to reinstall, licenses to activate for CAT-tools, etc. etc.).

If the chances are high to succeed with system restore I will go for that, if there are often problems with system restore I might go for reinstall after all.

Can I be 100 % sure the virus and Trojans are gone following this method with system restore? And then make an image of the clean system?
0
 
hermesalphaAuthor Commented:
If there is a keylogger installed with the virus, does it only register for example the first 50 inputs I do on a website? Can I avoid the keylogger getting my login details by copying and pasting the login details? What about if it's automatically filled in?
0
 
Joe_BrandCommented:
I would run ComboFix in safe mode, also SDFix. Between those two and MBAM you should get clean.
I would also check msconfig and run HijackThis to get a better idea where something may be hiding. It would be helpful if you posted the HijackThis log.
After you run any of these programs and they ask you to reboot, I would shut down and pull the power plug. Press the power button for about 10 seconds. That will remove all power from the system and erase any uglies that may have remained resident in memory from returning.
Good luck.
0
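The "check msconfig and HijackThis to see where something may be hiding" advice above amounts to reviewing autostart locations. As an added example that is not part of this thread or of either tool, the Windows PowerShell script below enumerates the Run and RunOnce registry keys that both tools report, hashes the executable each entry points to, and flags entries whose binary is missing or that launch from user-writable folders. It is read-only. It assumes PowerShell 4 or later (for Get-FileHash) and an elevated session; the helper name Resolve-CommandPath and the path patterns in the final filter are this example's own choices.

```powershell
# Added example (not from the thread): enumerate common autostart locations
# and hash the referenced executables so entries can be compared against a
# clean machine or a vendor hash. Nothing is modified.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell adds to every registry item; not real values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-CommandPath {
    # Hypothetical helper: extract the executable path from a command line
    # such as  "C:\Program Files\Foo\bar.exe" /silent  or  C:\x\y.exe -q
    param([string]$CommandLine)
    $trimmed = $CommandLine.Trim()
    if ($trimmed.StartsWith('"')) {
        $end = $trimmed.IndexOf('"', 1)
        if ($end -gt 1) { return $trimmed.Substring(1, $end - 1) }
        return $trimmed.TrimStart('"')
    }
    $first = $trimmed.Split(' ')[0]
    # Unquoted paths may contain spaces; try the whole string before giving up.
    if (Test-Path -LiteralPath $first)   { return $first }
    if (Test-Path -LiteralPath $trimmed) { return $trimmed }
    return [Environment]::ExpandEnvironmentVariables($first)
}

$entries = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = $props.PSObject.Properties |
             Where-Object { $_.Name -notin $ProviderProps } |
             Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $cmd  = [string]$props.$name
        $path = Resolve-CommandPath $cmd
        $hash = if (Test-Path -LiteralPath $path) {
                    (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                } else { 'FILE NOT FOUND' }
        [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; SHA256 = $hash }
    }
}

# Full inventory first, then the subset that deserves a second look:
# missing binaries (stale or hidden loaders) and anything launched from
# Temp, AppData or a Downloads folder, where installers and droppers land.
$entries | Format-Table -AutoSize
$entries | Where-Object {
    $_.SHA256 -eq 'FILE NOT FOUND' -or
    $_.Command -match '\\Temp\\|\\AppData\\|\\Users\\[^\\]+\\Downloads'
} | Format-List
```

A flagged entry is a lead, not a verdict: compare the SHA256 with the same file on a known-clean install or with the vendor's published hash before deciding anything, and extend the key list (services, scheduled tasks, Winlogon) the same way if the Run keys look clean.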
 
hermesalphaAuthor Commented:
The laptop was like new, back in the same condition as before, when I'd run these six tools (not in safe mode though, because I don't know how to switch off Eset Smart Security in safe mode: ComboFix keeps telling me Eset is turned on when in safe mode, can I use msconfig and choose Services/Disable all?): ComboFix, Malwarebytes, SuperAntiSpyware, RootAlyzer, TDSS Killer, HijackThis (should I post the log file here?).

That is, until just recently: I had been translating in my CAT-tool SDL Trados for two hours, then logged in to my e-mail account and that's when things began to go bad again. Now the cursor is slower than usual again (probably a keylogger) and the CPU runs to 100 % every 20 seconds.

However, when I logged in to my e-mail account a few minutes ago I had received a reply from Chris Scott:

Hello hermesalpha,

I've done Microsoft Forefront scans of those files and found absolutely nothing.

I also checked out seanbluestone.com and found nothing. I don't have Eset. Maybe you can send me the scan logs?

Could it be possible that your malware is coming from another source? Did you download anything else recently?

Chris
Webresell.net

This is my reply that I just returned to him:

Hi Chris,

I think there has to be one of two things that must have happened:

1. The files were infected (which might not be the case now that you tell me the results of your scans)
2. Something happened during the download at the download location

I am absolutely sure it came from no other location; I was working on a translation at the same time as I downloaded all the zip files from the Thank you page. The first zip files went fine, no problems.

Then, with ebooks.zip, after 99 % had been downloaded the CPU ran up to 100 % constantly and after a while Eset Smart Security told me ebooks.zip contained several threats (which perhaps were being transferred to my computer when I accepted the download and maybe are not in the zip files themselves).

Exactly the same thing with scripts.zip as with ebooks.zip.

Stock Photos.zip was completely downloaded without Eset stopping it, but the CPU ran up to 100 % in the middle of the download, and it took a very long time at 99 % before it actually completed. I still don't have scripts.zip and ebooks.zip; it is impossible for me to download them. I wonder if you could e-mail these to me, using VPN? Or upload them to a server I have access to? Or use the service www.sendthisfile.com?

Regarding this infection I have now (right now my CPU is going up and down every 20 seconds and the cursor has started to be slow again, so probably there is a keylogger on my computer), what should I do? I am 100 % certain my computer was infected when I downloaded from the Thank you page. Can you give me some ideas about what possibly could have happened?

Regards,

hermesalpha

So my questions now are:

1. How can I scan with all six tools in safe mode? Should I do that and afterwards do a system restore and finally turn off and turn on system restore to delete any infections in system restore?

2. After step 1 above, should I do as Joe Brand suggests (after each scan and reboot): pull the power plug and press the power button for 10 seconds? Joe Brand, do you mean I should not answer Yes when asked to reboot but instead first pull the power plug and then press the power button for 10 seconds?
What about ComboFix? Because ComboFix automatically reboots and then finishes everything with a logfile.

3. In the event that Chris Scott and the people behind Webresell.net are not the ones that have caused this infection, who else could it have been? I was working on a translation job at the same time as I downloaded the many zip files from the Thank you page. Is it possible that the people at the hotel here in China are the ones who have something to do with this? Many people here don't like Westerners (I live in the old area of Guangzhou) and I've experienced many peculiarities with my internet connection: when I can't connect for some reason I phone the reception and within 5-10 minutes (or immediately) I can connect again. The local police here wanted to have better control of which web sites the hotel guests visited, so each hotel guest now has a login userid and password (this was not the case earlier when I lived here). For example, what do they do after I've called the reception and told them I can't connect?

Actually, now as I write this my cursor is back to normal again, not the delayed mode like a few minutes ago, and the CPU has stopped running up to 100 % every 20 seconds.

I post the ComboFix log and HijackThis log here, but the scans were not made in safe mode.
hijackthis.log
Combofixlog.txt
0
 
hermesalphaAuthor Commented:
If I send the scan logs to Chris Scott, is there any risk with doing this?

I mean, if he were the person behind the infection and already has a degree of control over my computer via the planted virus, would I give him more control if I sent him the ComboFix and HijackThis scan logs?
0
 
hermesalphaAuthor Commented:
Is this problem related to the infection?:

I logged in to My account at SDL Trados (https://oos.sdl.com/asp/products/ssl/account/default.asp).
That worked fine.

I then chose "Submit your technical query" because I needed support with my CAT-tool. Whereupon I received this error message (I have never received this error message before and I have always been able to submit my technical queries without problems):

"Caught exception: Access denied!".
0
 
hermesalphaAuthor Commented:
Can the virus have survived? The CPU still goes up and down every 20 seconds like before! I used White Canyon's WipeDrive and chose the most secure alternative: wipe with confirmation three times.
Then I reinstalled the whole Windows XP.

Is it really possible the virus is still there?
0
 
hermesalphaAuthor Commented:
What is going on!!!? The same thing as before, CPU running up to 100 % every 20 seconds. How can the virus have survived!? Or is it someone here at the hotel in China who can do something?
0
 
hermesalphaAuthor Commented:
And I can't access this website: http://www.proz.com/
0
 
hermesalphaAuthor Commented:
The cursor and the laptop are very quick, but I really wonder, as the CPU follows exactly the same pattern as when I had the virus before the reinstallation this morning: running up to 100 % every 20 seconds.
0
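The recurring symptom in this thread is a CPU spike on a fixed cadence that survives a wipe and reinstall, and the later posts show it was attributable to a specific process. As an added example that is not part of the thread, the Windows PowerShell script below records total CPU once a second for a minute, prints the interval between spikes so a periodic pattern (the "every 20 seconds" here) shows up as a regular gap, and then lists which processes consumed the most CPU time during the window, so the load can be attributed to a binary instead of guessed at. The 60-second window, the 80 % threshold and the English counter name are assumptions; run it elevated so all processes are visible.

```powershell
# Added example (not from the thread): measure a periodic CPU spike and
# attribute it to a process. Window length and threshold are assumptions;
# the counter path is the English name and is localized on other locales.
$Seconds   = 60
$Threshold = 80

# Snapshot per-process CPU time before sampling so the delta over the window
# can be computed afterwards (processes that exit mid-window are missed).
$before = @{}
Get-Process | ForEach-Object {
    try { $before[$_.Id] = $_.TotalProcessorTime } catch { }
}

$samples = Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                       -SampleInterval 1 -MaxSamples $Seconds

# Timestamps at which total CPU crossed the threshold. Regular gaps between
# them (e.g. ~20 s) point to a timer-driven task rather than user activity.
$spikes = @($samples |
            Where-Object { $_.CounterSamples[0].CookedValue -ge $Threshold } |
            ForEach-Object { $_.Timestamp })
"Spikes: $($spikes.Count) of $Seconds samples at or above $Threshold %"
for ($i = 1; $i -lt $spikes.Count; $i++) {
    '  +{0,6:N1}s  {1:HH:mm:ss}' -f ($spikes[$i] - $spikes[$i - 1]).TotalSeconds, $spikes[$i]
}

# Attribution: CPU seconds consumed per process during the window, with the
# image path so the binary can be hashed and checked (compare the thread's
# finding of a dropper in a vendor's self-update executable).
Get-Process | ForEach-Object {
    try { $now = $_.TotalProcessorTime } catch { return }
    $prev = if ($before.ContainsKey($_.Id)) { $before[$_.Id] } else { [TimeSpan]::Zero }
    [pscustomobject]@{
        Name   = $_.Name
        Id     = $_.Id
        CpuSec = [math]::Round(($now - $prev).TotalSeconds, 2)
        Path   = $_.Path
    }
} | Sort-Object CpuSec -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

If the top consumer is a process whose path you do not recognise, hash that file and compare it with a clean copy before deciding it is the cause; a legitimate updater and a malicious one can both show the same periodic profile.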
 
hermesalphaAuthor Commented:
OK, I think it's time to leave China!

Just reinstalled the whole operating system, then installed new software again. Installed the Chinese IM software QQ (the international version that is in English). And now I got the explanation for why the laptop immediately was behaving a bit strange: a Trojan.Dropper in C:\Program Files\Tencent\QQIntl\Bin\Selfupdate.exe (the QQ installation!).
0
 
phototropicCommented:
@Joe_Brand

SDFix has not been updated for many months - it is no longer a viable antimalware tool.
0
 
hermesalphaAuthor Commented:
Thanks, I got detailed suggestions on how to deal with my laptop's infections.
0
