  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1072

Infected by "Trojan" (js/agent.ncu)

How do I remove this trojan?
0
ImTenacious
Asked:
2 Solutions
 
athomsfereCommented:
I would start by running Malwarebytes in safe mode:

http://www.malwarebytes.org/

It's free and very good.
0
 
younghvCommented:
To my knowledge, there is only one variant of virus/infection that calls for the use of "Malwarebytes" in "Safe Mode" - and this is not it.

I have not personally repaired this (js/agent.ncu) variant, but I am looking for some reliable information.
0
 
athomsfereCommented:
It is always good practice when dealing with malware to run in safe mode.
0

 
younghvCommented:
The only references I can find to this are quite old and this should have been blocked by any reliable AV/Anti-spyware program.

What kind of security programs do you actually have installed?

The suggestion of "Malwarebytes" by athomsfere is a good start, but you should use this link:

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)

When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
younghvCommented:
@athomsfere - that is not correct.
Many variants of malware DO NOT run their processes during a "Safe Mode" boot and the anti-malware applications cannot fix what they can't find.

Please review the information (specifically about Malwarebytes) in that site forum:
http://forums.malwarebytes.org/index.php?showtopic=17334&hl=

Also, if you are going to attempt to answer questions in these Zones, please join the conversation here (http://www.experts-exchange.com/Q_24860646.html) so as not to have 'off-line' conversations in the middle of a question.
0
 
discgmanCommented:
0
 
younghvCommented:
With the caveat of "If all else fails, try combofix....", I will agree.

At this stage, that might be in the category of using a sledgehammer to crack an egg.

Because of the inherent potential for ComboFix to scramble critical OS files, it should never be recommended until we have exhausted the other (less dangerous) tools that are available.

If nothing else works, the risk is worthwhile (since the OS is broken anyway).
0
 
Sudeep SharmaTechnical DesignerCommented:
0
 
phototropicCommented:
Presumably you are running NOD32 from ESET.  This virus has different names depending on the AV which finds it:

http://www.virustotal.com/file-scan/report.html?id=6f129b428eaa253d13eb8c8fbb5e99bc6b129f44be3464e2d7834a7936b4e28e-1298218267

What happens when you run a full scan with your AV software after fully updating?  ESET should be able to remove this.

Can you access the internet? If so, try an online scan from ESET:

http://www.eset.com/online-scanner/run

Please post the scan log for review.
0
 
younghvCommented:
@phototropic -
Over the past couple of days, I'm seeing a lot of questions about some fairly old variants.
Not sure if they have morphed or if the basic updates and AV aren't in place.
Curious situation.
0
 
phototropicCommented:
Just so long as we don't see more recommendations for old anti-malware apps.  In the last few weeks, I've seen experts instructing questioners to run SD Fix, CWS and Smitfraudfix!!!
0
 
Robert SnowCommented:
Well, I see that you have internet, because you are here ;)

If you have an extra blank CD-R, CD-RW, flash drive, etc. you can go here http://www.freedrweb.com/livecd/how_it_works/ and it will show you how to boot from the CD/flash drive and allow you to scan the entire computer without booting Windows, allowing you to access files that would be protected/invisible if you let Windows load. AVG also has one that is similar.

I posted the help page instead of the download page because it will teach you how to create/use it, and it also has a download link.

If you do not have an extra flash drive or CD, you can still download this http://www.freedrweb.com/cureit/ and run it from within Windows.
0
 
ImTenaciousAuthor Commented:
Please note: The page that you are referring me to is in "Russian", given the fact that pirates live in Russia, and I have no recourse with someone located in RUSSIA!  I am not comfortable with loading an exe from someone that I do not know, nor do I have confidence in the someone that referred this RUSSIAN site.  More problems I do not need!  Please reserve your comments to your own close circle of friends (if you have any left).  Perhaps you copied the wrong link, and you would like to revise your comment, but below is the link that you first proposed.

Well, I see that you have internet, because you are here ;)

If you have an extra blank CD-R, CD-RW, flash drive, etc. you can go here http://www.freedrweb.com/livecd/how_it_works/ and it will show you how to boot from the cd/flash drive and allow you to scan the entire computer without booting windows, allowing you to access files that would be protected/invisible if you let windows load. AVG also has one that is similar.
0
 
younghvCommented:

English ('merican) version here.
http://www.freedrweb.com/cureit/?lng=en


ImTenacious - the Moderators are only a click of the "Request Attention" link (bottom right of your original question) away and can help you with ANY situation that needs extra help.
0
 
younghvCommented:
ImTenacious -
In my comment here (http:#a34980178) I referred you to the Malwarebytes download link.
Have you tried that yet?
It tends to be about the best 'generic' anti-malware tool and there are some truly excellent tutorials for most 'named' malware.

'phototropic' and I have been around this forum for many years and will be glad to help you work through this.

Thanks.
0
 
younghvCommented:
Heh!
OK - I posted that last comment and then saw that you closed the question while I was typing.

I will continue to monitor this question and respond with any further help you need. If my comment does not actually help you solve this, we can ask the Mods to re-open it and start fresh.

I do thank you for the points.
0
 
ImTenaciousAuthor Commented:
Hello,

Yes, I did try "Malwarebytes" and initially was unsuccessful; however, with perseverance and the use of multiple virus scans, Malwarebytes, and ESET NOD32, I seem to have removed the strain. Only time will tell.  I thank you for your help, and you are welcome for the points.

Regards

ImTenacious
0
 
younghvCommented:
Thank you for clarifying that.
I am going to ask the Moderators to re-open this question and split the points with 'phototropic' - who did the ESET NOD32 recommendation.
0
 
ImTenaciousAuthor Commented:
I gave the ESET NOD32 recommendation.
0
 
younghvCommented:
ImTenacious,

At the comment http:#a34986735 phototropic suggested updating and running your AV again (ESET).

That comment, plus mine about running Malwarebytes properly seemed to do the trick.

Apparently one of the Moderators agreed with me, since the closing has been changed.

I'm not concerned about splitting points with 'phototropic' - he is one of the very few Experts posting in the Virus & Malware Zones who consistently gets it right.

Thanks.
0
 
phototropicCommented:
Sorry guys, I've been offline for 36 hours because my ISP is not up to the task...

@younghv,
Thanks for generously suggesting the points split.

@ImTenacious,
I'm glad your problem is now resolved.
Thanks for the points and grade.
0
Question has a verified solution.
