Dropper.agent.dgo


19 replies to this topic

#1 mobileschu
  • Members
  • 9 posts

Posted 17 January 2008 - 11:55 AM

My first post. I'm really frustrated trying to clean these things off my laptop. My ewido detected some "Dropper.Agent.dgo" files as well as one trace of "Downloader.Agent.eyv". I've searched around trying to figure out how to remove them; all that has come up were forums like this and the use of a program called HijackThis that I'm going to download now.

If you can help me, just reply with what info you need from me. I don't know how these forums work. Also I did run an AVG scan that came up with a few other things; I can include those if you'd like too.

{Moved to more appropriate forum~boopme}

Edited by boopme, 17 January 2008 - 12:46 PM.


#2 usasma
    Still visually handicapped (avatar is memory developed by my Dad
  • BSOD Kernel Dump Expert
  • 25,090 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 17 January 2008 - 12:12 PM

The virus experts usually hang out in this forum: http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/

Posting a HiJackThis logfile will necessitate that you read the pinned topics in this forum before posting: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,912 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 January 2008 - 07:51 PM

Hello and welcome
Please Run this Online scan .... Panda ActiveScan?

Now download Atribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or the Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 January 2008 - 11:04 PM

When done with the above, please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 mobileschu
  • Topic Starter
  • Members
  • 9 posts

Posted 19 January 2008 - 11:22 AM

OK, wow, my email notification didn't work; I didn't realize I had replies, heh. OK, so shortly after I made my first post I found the "preparation guide" link on what to do. I went ahead and followed all those instructions, downloads, installs, and scans. Some of the problems seem to be away, but I'm not too sure if they are actually gone or just lying dormant somewhere on my drive, as this seems to keep reappearing. I am getting started on the rest of your instructions as we speak. I want to say thanks to you for helping me fix this.

I'm not too sure if you need this now since I still have a few more instructions to follow, but here is my HijackThis log from before, "after the scans"... I can always do another later:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:16 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

{Removed HJT Log~~boopme}

Edited by boopme, 19 January 2008 - 11:44 AM.


#6 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,912 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 January 2008 - 11:42 AM

No, we don't want that yet. We will wait for the other scan logs.

NOTE: I have edited out the HJT log to prevent this topic from being moved, as we have a procedure to keep all HJT logs in a different forum.

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 72,912 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 January 2008 - 10:49 PM

Please post these back

SUPERAntiSpyware ...
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

VundoFix....
After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.

#8 mobileschu
  • Topic Starter
  • Members
  • 9 posts

Posted 20 January 2008 - 11:32 AM

I'm getting these two notifications when I restart as well:

Windows cannot find 'C:\WINDOWS\system32\jkklm.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Could not load or run 'C:\WINDOWS\system32\jkklm.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

On to the fun stuff: I ran Panda ActiveScan and after a few hours of running I got an error that said something about a buffer overload. I couldn't record the message word for word because it also caused my Windows Explorer to crash hard. I did run the ATF Cleaner, SUPERAntiSpyware, and the VundoFix. Here are the logs.

SUPERAntiSpyware

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/20/2008 at 07:39 AM

Application Version : 3.9.1008

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Complete Scan
Total Scan Time : 01:17:02

Memory items scanned : 186
Memory threats detected : 2
Registry items scanned : 5940
Registry threats detected : 21
File items scanned : 28516
File threats detected : 9

Trojan.Mezzia/Resident
C:\WINDOWS\SYSTEM32\WINCCF32.DLL
C:\WINDOWS\SYSTEM32\WINCCF32.DLL

Trojan.Unclassifed/AffiliateBundle
C:\WINDOWS\SYSTEM32\EFCYXXY.DLL
C:\WINDOWS\SYSTEM32\EFCYXXY.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91262C60-DD10-46FA-A09B-AE14902ECA11}
HKCR\CLSID\{91262C60-DD10-46FA-A09B-AE14902ECA11}
HKCR\CLSID\{91262C60-DD10-46FA-A09B-AE14902ECA11}\InprocServer32
HKCR\CLSID\{91262C60-DD10-46FA-A09B-AE14902ECA11}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{91262C60-DD10-46FA-A09B-AE14902ECA11}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\efcyxxy
C:\WINDOWS\SYSTEM32\JKKIJHG.DLL
C:\WINDOWS\SYSTEM32\JKKJKKK.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{7CF3E9AE-F499-4FF7-9990-F803DC50BCC1}
HKCR\CLSID\{7CF3E9AE-F499-4FF7-9990-F803DC50BCC1}
HKCR\CLSID\{7CF3E9AE-F499-4FF7-9990-F803DC50BCC1}\InprocServer32
HKCR\CLSID\{7CF3E9AE-F499-4FF7-9990-F803DC50BCC1}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKLM.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7CF3E9AE-F499-4FF7-9990-F803DC50BCC1}

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST

Trojan.Downloader-Gen/DDC
C:\DOCUMENTS AND SETTINGS\YOURE bleepING STUPID\LOCAL SETTINGS\TEMP\JYOJDOUT.EXE

Adware.OuterInfo-Installer
C:\DOCUMENTS AND SETTINGS\YOURE bleepING STUPID\LOCAL SETTINGS\TEMP\WINDE.EXE

Malware.WinAntiSpyware-Installer
C:\WINDOWS\SYSTEM32\DRVLACR.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\MLKKJ.INI2



VundoFix


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 7:58:58 AM 1/20/2008

Listing files found while scanning....

No infected files were found.

Edited by mobileschu, 20 January 2008 - 11:38 AM.


#9 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 January 2008 - 11:45 AM

The "Cannot find...", "Could not run..." or "Error loading..." message is usually related to a program (or malware) that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan or the uninstall of a program. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up.

When Windows loads, it looks for any files associated with registry entries for programs that are set to run at startup. If the file was removed but not the registry entry, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
Open Windows Explorer and check the root of Drive C for any temporary files. Also look for any newly created folders. Let me know what you find.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. That's probably how you came to be infected in the first place. Please follow these steps to remove older version Java components and update:
  • Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE)6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "English".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

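As an added example (not part of the thread, and not code from Autoruns, SUPERAntiSpyware or any other tool mentioned here), the following PowerShell script automates the check quietman7 describes above: it walks the classic Run/RunOnce keys and the Winlogon Notify subkeys, extracts the file each entry points to, and reports entries whose file no longer exists on disk, which is what produces the "Could not load or run 'C:\WINDOWS\system32\jkklm.exe' specified in the registry" message in post #8. It assumes a current Windows with PowerShell (the XP machine in this thread would use Autoruns as the post says), an elevated session, and that these few locations are enough for the demonstration; Autoruns covers many more. Relative file names are resolved against System32 as an approximation of the real search path. The script only reports; deleting an entry is left to the operator after review, as in the post.

```powershell
# Added example, not from the thread. Reports autostart registry entries whose target file
# is missing on disk (the "orphaned" entries behind "Windows cannot find ...jkklm.exe").
# Assumptions: elevated PowerShell on the affected machine; only Run/RunOnce and the
# Winlogon Notify subkeys are checked (Autoruns covers far more). Report only, no deletion.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-TargetPath {
    # Extract the file path from a Run value such as
    #   "C:\Program Files\App\app.exe" /silent   or   C:\WINDOWS\system32\jkklm.exe
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted command: keep everything up to and including the first .exe/.dll/.cmd/.bat token
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|cmd|bat))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Resolve-Relative {
    # A bare file name is looked up in System32; an approximation of the loader's search path.
    param([string]$Path)
    if ([IO.Path]::IsPathRooted($Path)) { return $Path }
    return (Join-Path $env:SystemRoot "System32\$Path")
}

function Find-OrphanedAutoruns {
    $orphans = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ...: provider metadata, not values
            $raw = [string]$p.Value
            $target = Get-TargetPath -Command $raw
            # rundll32 loads the DLL named in its first argument ("rundll32 x.dll,Entry"): check that DLL
            if ($target -match '(?i)rundll32(\.exe)?$') {
                $rest = $raw -replace '(?i)^.*?rundll32(\.exe)?\s*', ''
                $target = Get-TargetPath -Command (($rest -split ',')[0])
            }
            if (-not $target) { continue }
            $target = Resolve-Relative -Path $target
            if (-not (Test-Path -LiteralPath $target)) {
                $orphans += [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $target; Raw = $raw }
            }
        }
    }
    # Winlogon Notify packages are DLLs loaded at logon (the scan log above lists one, "efcyxxy");
    # each subkey carries a DllName value, often unqualified and therefore relative to System32.
    if (Test-Path $notifyKey) {
        foreach ($sub in Get-ChildItem -Path $notifyKey) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DllName
            if (-not $dll) { continue }
            $target = Resolve-Relative -Path ([string]$dll)
            if (-not (Test-Path -LiteralPath $target)) {
                $orphans += [pscustomobject]@{ Key = $sub.PSPath; Name = 'DllName'; Target = $target; Raw = [string]$dll }
            }
        }
    }
    return $orphans
}

Find-OrphanedAutoruns | Format-Table -AutoSize
```

Each reported row names the key, the value and the missing file, so it can be matched against the error message. Once an entry is confirmed orphaned, `Remove-ItemProperty -Path <Key> -Name <Name>` removes a Run value and `Remove-Item` removes a Notify subkey; rebooting then confirms the message is gone, which is the post's last step.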

#10 mobileschu
  • Topic Starter
  • Members
  • 9 posts

Posted 20 January 2008 - 08:24 PM

New Java is installed, registries are deleted. I checked the root and found 2 tmp files and one newly created folder.

temp files are:
CONFIG.tmp - 3KB - 8/10/2004 5:00 AM
mcrh.tmp - 1 KB - 1/17/2008 5:57 AM

created folder:
ActiveScan - 1/19/2008 - 109 MB - 62 files

#11 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 January 2008 - 08:02 AM

Submit the temp files for analysis.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

Did you use Panda's online virus scanner? It creates a folder called ActiveScan.

#12 mobileschu
  • Topic Starter
  • Members
  • 9 posts

Posted 21 January 2008 - 08:10 AM

I did use Panda's scanner, but as it finished it caused Windows Explorer to crash from "buffer overload", so I wasn't able to do anything with the results that it found.

By the way, my computer seems to be running a whole lot better now.

I'll submit those files and post my results in a few.

#13 mobileschu
  • Topic Starter
  • Members
  • 9 posts

Posted 21 January 2008 - 08:36 AM

File: CONFIG.TMP
Status: OK
MD5: 01c47c2eced034ef6f8c1552a97cff00
Packers detected: -
Bit9 reports: No threat detected (more info)

File: mcrh.tmp
Status: OK
MD5: c479d66aa1dd8feb786e71d0f0d58ab3
Packers detected: -
Bit9 reports: File not found

The CONFIG file, I noticed, was created with the computer and hasn't been modified for a while, so I think it's safe to assume it's OK. The mcrh.tmp turned up safe too, but I'm still a little concerned with it. Being that it's a temp file anyway, is it safe to delete it? I don't want to assume so, but I found this info online while searching for what it might be:

Name: Xyhur.w32.
Action: Opens and listens ports 1251 and 1252. Creates files
mcrh.tmp (deletes them later), in system TEMP directory, creates dll sndw_766362.dat. Registers it as BHO.
Technical details: Does not relocate, stays wherever it has been downloaded to. Registers itself in autostartup key [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Window\CurrentVersion\ Runonce] "[*%FileName%]" = "[%original location%\%FileName%] r rerun".


Could it just be leftovers from a previous malware infection?

Other than that, my computer state seems to be back to normal now, as I previously stated. Any other tests or scans I need to do? Or is it safe to assume that the infections have been resolved?

#14 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 January 2008 - 09:51 AM

Malware removal can often result in remnants left behind after the cleaning process. Dropper.agent.dgo is one type of malware that can add numerous temp files on your system. mcrh.tmp appears to be one such file so you can get rid of it.

Download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program and reboot normally.


#15 mobileschu
  • Topic Starter
  • Members
  • 9 posts

Posted 21 January 2008 - 10:21 AM

OK, done.



