Solved

Infected by "Trojan" (js/agent.ncu)

Posted on 2011-02-25
1,022 Views
Last Modified: 2013-11-22
How do I remove this trojan?
23 Comments
 
LVL 14

Expert Comment

by:athomsfere
ID: 34980026
I would start by running Malwarebytes in safe mode:

http://www.malwarebytes.org/

It's free and very good.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34980131
To my knowledge, there is only one variant of virus/infection that calls for the use of "Malwarebytes" in "Safe Mode" - and this is not it.

I have not personally repaired this (js/agent.ncu) variant, but I am looking for some reliable information.
0
 
LVL 14

Expert Comment

by:athomsfere
ID: 34980159
It is always good practice when dealing with malware to run in safe mode.
0
 
LVL 38

Accepted Solution

by:younghv
younghv earned 250 total points
ID: 34980178
The only references I can find to this are quite old and this should have been blocked by any reliable AV/Anti-spyware program.

What kind of security programs do you actually have installed?

The suggestion of "Malwarebytes" by athomsfere is a good start, but you should use this link:

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)

When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34980216
@athomsfere - that is not correct.
Many variants of malware DO NOT run their processes during a "Safe Mode" boot and the anti-malware applications cannot fix what they can't find.

Please review the information (specifically about Malwarebytes) in that site forum:
http://forums.malwarebytes.org/index.php?showtopic=17334&hl=

Also, if you are going to attempt to answer questions in these Zones, please join the conversation here (http://www.experts-exchange.com/Q_24860646.html) so as not to have 'off-line' conversations in the middle of a question.
0
 
LVL 9

Expert Comment

by:discgman
ID: 34980464
0
 
LVL 38

Expert Comment

by:younghv
ID: 34983469
With the caveat of "If all else fails, try combofix....", I will agree.

At this stage, that might be in the category of using a sledgehammer to crack an egg.

Because of the inherent potential for ComboFix to scramble critical OS files, it should never be recommended until we have exhausted the other (less dangerous) tools that are available.

If nothing else works, the risk is worthwhile (since the OS is broken anyway).
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 34984912
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 250 total points
ID: 34986735
Presumably you are running NOD32 from ESET. This virus has different names depending on the AV which finds it:

http://www.virustotal.com/file-scan/report.html?id=6f129b428eaa253d13eb8c8fbb5e99bc6b129f44be3464e2d7834a7936b4e28e-1298218267

What happens when you run a full scan with your av software after fully updating?  Eset should be able to remove this.

Can you access the internet? If so, try an online scan from eSet:

http://www.eset.com/online-scanner/run

Please post the scan log for review.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34986757
@phototropic -
Over the past couple of days, I'm seeing a lot of questions about some fairly old variants.
Not sure if they have morphed or if the basic updates and AV aren't in place.
Curious situation.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34987278
Just so long as we don't see more recommendations for old anti-malware apps.  In the last few weeks, I've seen experts instructing questioners to run SD Fix, CWS and Smitfraudfix!!!
0
 
LVL 2

Expert Comment

by:Robert Snow
ID: 34993960
Well, I see that you have internet, because you are here ;)

If you have an extra blank CD-R, CD-RW, flash drive, etc. you can go here http://www.freedrweb.com/livecd/how_it_works/ and it will show you how to boot from the cd/flash drive and allow you to scan the entire computer without booting windows, allowing you to access files that would be protected/invisible if you let windows load. AVG also has one that is similar.

I posted the help page instead of the download page because it will teach you how to create/use it, and it also has a download link.

If you do not have an extra flash drive or CD, you can still download this http://www.freedrweb.com/cureit/ and run it from within windows.
0
 

Author Comment

by:ImTenacious
ID: 34998624
Please note: The page that you are referring me to is in "Russian", given the fact that pirates live in Russia, and I have no recourse with someone located in RUSSIA!  I am not comfortable with loading an exe from someone that I do not know, nor do I have confidence in the someone that referred this RUSSIAN site.  More problems I do not need!  Please reserve your comments to your own close circle of friends (if you have any left).  Perhaps you copied the wrong link, and you would like to revise your comment, but below is the link that you first proposed.

Well, I see that you have internet, because you are here ;)

If you have an extra blank CD-R, CD-RW, flash drive, etc. you can go here http://www.freedrweb.com/livecd/how_it_works/ and it will show you how to boot from the cd/flash drive and allow you to scan the entire computer without booting windows, allowing you to access files that would be protected/invisible if you let windows load. AVG also has one that is similar.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34998703

English ('merican) version here.
http://www.freedrweb.com/cureit/?lng=en


ImTenacious - the Moderators are only a click of the "Request Attention" link (bottom right of your original question) away and can help you with ANY situation that needs extra help.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34998733
ImTenacious -
In my comment here (http:#a34980178) I referred you to the Malwarebytes download link.
Have you tried that yet?
It tends to be about the best 'generic' anti-malware tool and there are some truly excellent tutorials for most 'named' malware.

'phototropic' and I have been around this forum for many years and will be glad to help you work through this.

Thanks.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34998748
Heh!
OK - I posted that last comment and then saw that you closed the question while I was typing.

I will continue to monitor this question and respond with any further help you need. If my comment does not actually help you solve this, we can ask the Mods to re-open it and start fresh.

I do thank you for the points.
0
 

Author Comment

by:ImTenacious
ID: 34999264
Hello,

Yes, I did try "Malwarebytes" and initially was unsuccessful; however, with perseverance and the use of multiple virus scans, Malwarebytes, and ESET NOD32, I seem to have removed the strain. Only time will tell. I thank you for your help, and you are welcome for the points.

Regards

ImTenacious
0
 
LVL 38

Expert Comment

by:younghv
ID: 34999848
Thank you for clarifying that.
I am going to ask the Moderators to re-open this question and split the points with 'phototropic' - who did the ESET NOD32 recommendation.
0
 

Author Comment

by:ImTenacious
ID: 34999861
I gave the ESET NOD32 recommendation.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35001868
ImTenacious,

At the comment http:#a34986735 phototropic suggested updating and running your AV again (ESET).

That comment, plus mine about running Malwarebytes properly seemed to do the trick.

Apparently one of the Moderators agreed with me, since the closing has been changed.

I'm not concerned about splitting points with 'phototropic' - he is one of the very few Experts posting in the Virus & Malware Zones who consistently gets it right.

Thanks.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35005419
Sorry guys, I've been offline for 36 hours because my ISP is not up to the task...

@younghv,
Thanks for generously suggesting the points split.

@ImTenacious,
I'm glad your problem is now resolved.
Thanks for the points and grade.
0
