Solved

Infected by "Trojan" (js/agent.ncu)

Posted on 2011-02-25
Last Modified: 2013-11-22
How do I remove this trojan?
Question by:ImTenacious
23 Comments
 
LVL 14

Expert Comment

by:athomsfere
ID: 34980026
I would start by running Malwarebytes in safe mode:

http://www.malwarebytes.org/

It's free and very good.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34980131
To my knowledge, there is only one variant of virus/infection that calls for the use of "Malwarebytes" in "Safe Mode" - and this is not it.

I have not personally repaired this (js/agent.ncu) variant, but I am looking for some reliable information.
0
 
LVL 14

Expert Comment

by:athomsfere
ID: 34980159
It is always good practice when dealing with malware to run in safe mode.
0
 
LVL 38

Accepted Solution

by:younghv
younghv earned 1000 total points
ID: 34980178
The only references I can find to this are quite old and this should have been blocked by any reliable AV/Anti-spyware program.

What kind of security programs do you actually have installed?

The suggestion of "Malwarebytes" by athomsfere is a good start, but you should use this link:

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)

When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34980216
@athomsfere - that is not correct.
Many variants of malware DO NOT run their processes during a "Safe Mode" boot and the anti-malware applications cannot fix what they can't find.

Please review the information (specifically about Malwarebytes) in that site forum:
http://forums.malwarebytes.org/index.php?showtopic=17334&hl=

Also, if you are going to attempt to answer questions in these Zones, please join the conversation here (http://www.experts-exchange.com/Q_24860646.html) so as not to have 'off-line' conversations in the middle of a question.
0
 
LVL 9

Expert Comment

by:discgman
ID: 34980464
0
 
LVL 38

Expert Comment

by:younghv
ID: 34983469
With the caveat of "If all else fails, try combofix....", I will agree.

At this stage, that might be in the category of using a sledgehammer to crack an egg.

Because of the inherent potential for ComboFix to scramble critical OS files, it should never be recommended until we have exhausted the other (less dangerous) tools that are available.

If nothing else works, the risk is worthwhile (since the OS is broken anyway).
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 34984912
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 1000 total points
ID: 34986735
Presumably you are running NOD32 from ESET.  This virus has different names depending on the AV which finds it:

http://www.virustotal.com/file-scan/report.html?id=6f129b428eaa253d13eb8c8fbb5e99bc6b129f44be3464e2d7834a7936b4e28e-1298218267

What happens when you run a full scan with your AV software after fully updating?  ESET should be able to remove this.

Can you access the internet? If so, try an online scan from ESET:

http://www.eset.com/online-scanner/run

Please post the scan log for review.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34986757
@phototropic -
Over the past couple of days, I'm seeing a lot of questions about some fairly old variants.
Not sure if they have morphed or if the basic updates and AV aren't in place.
Curious situation.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34987278
Just so long as we don't see more recommendations for old anti-malware apps.  In the last few weeks, I've seen experts instructing questioners to run SD Fix, CWS and Smitfraudfix!!!
0
 
LVL 2

Expert Comment

by:Robert Snow
ID: 34993960
Well, I see that you have internet, because you are here ;)

If you have an extra blank CD-R, CD-RW, flash drive, etc. you can go here http://www.freedrweb.com/livecd/how_it_works/ and it will show you how to boot from the cd/flash drive and allow you to scan the entire computer without booting windows, allowing you to access files that would be protected/invisible if you let windows load. AVG also has one that is similar.

I posted the help page instead of the download page because it will teach you how to create/use it, and it also has a download link.

If you do not have an extra flash drive or CD, you can still download this http://www.freedrweb.com/cureit/ and run it from within windows.
0
 

Author Comment

by:ImTenacious
ID: 34998624
Please note: The page that you are referring me to is in "Russian", given the fact that pirates live in Russia, and I have no recourse with someone located in RUSSIA!  I am not comfortable with loading an exe from someone that I do not know, nor do I have confidence in the someone that referred this RUSSIAN site.  More problems I do not need!  Please reserve your comments to your own close circle of friends (if you have any left).  Perhaps you copied the wrong link, and you would like to revise your comment, but below is the link that you first proposed.

Well, I see that you have internet, because you are here ;)

If you have an extra blank CD-R, CD-RW, flash drive, etc. you can go here http://www.freedrweb.com/livecd/how_it_works/ and it will show you how to boot from the cd/flash drive and allow you to scan the entire computer without booting windows, allowing you to access files that would be protected/invisible if you let windows load. AVG also has one that is similar.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34998703

English ('merican) version here.
http://www.freedrweb.com/cureit/?lng=en


ImTenacious - the Moderators are only a click of the "Request Attention" link (bottom right of your original question) away and can help you with ANY situation that needs extra help.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34998733
ImTenacious -
In my comment here (http:#a34980178) I referred you to the Malwarebytes download link.
Have you tried that yet?
It tends to be about the best 'generic' anti-malware tool and there are some truly excellent tutorials for most 'named' malware.

'phototropic' and I have been around this forum for many years and will be glad to help you work through this.

Thanks.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34998748
Heh!
OK - I posted that last comment and then saw that you closed the question while I was typing.

I will continue to monitor this question and respond with any further help you need. If my comment does not actually help you solve this, we can ask the Mods to re-open it and start fresh.

I do thank you for the points.
0
 

Author Comment

by:ImTenacious
ID: 34999264
Hello,

Yes, I did try "Malwarebytes" and initially was unsuccessful; however, with perseverance and the use of multiple virus scans, Malwarebytes, and ESET NOD32, I seem to have removed the strain; only time will tell.  I thank you for your help, and you are welcome for the points.

Regards

ImTenacious
0
 
LVL 38

Expert Comment

by:younghv
ID: 34999848
Thank you for clarifying that.
I am going to ask the Moderators to re-open this question and split the points with 'phototropic' - who did the ESET NOD32 recommendation.
0
 

Author Comment

by:ImTenacious
ID: 34999861
I gave the ESET NOD32 recommendation.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35001868
ImTenacious,

At the comment http:#a34986735 phototropic suggested updating and running your AV again (ESET).

That comment, plus mine about running Malwarebytes properly seemed to do the trick.

Apparently one of the Moderators agreed with me, since the closing has been changed.

I'm not concerned about splitting points with 'phototropic' - he is one of the very few Experts posting in the Virus & Malware Zones who consistently gets it right.

Thanks.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35005419
Sorry guys, I've been offline for 36 hours because my ISP is not up to the task...

@younghv,
Thanks for generously suggesting the points split.

@ImTenacious,
I'm glad your problem is now resolved.
Thanks for the points and grade.
0
