Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

A Challenging Issue With A New Virus? Downloader.agent.ggt


  • Please log in to reply
2 replies to this topic

#1 whiteknight247

whiteknight247

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 03 February 2008 - 01:36 AM

Well, to start with I'll let you know about the virus that won't go away... when scanned with AVG it shows a result that never gets deleted called Downloader.Agent.ggt which is located in [1036] VM_13140000 , although when originally scanned the first number [1036] was different I think, but while I've been trying to seed it out through memory dumps and adjusting the paging file size i think it may have moved.

I'm not very smart with computer technical info such as what that location means, but I believe it's in my memory and repopulates when I try deleting it. I tried deleting it with AVG, it repopulated even before I scanned again. I tried the "Delete on Re-boot" but that didn't work. Tried deleting in safe mode, no go.

When I don't go after it such as with scans, safe-mode rebooting, etc., it decides to gather up some friends and I get more viruses/alerts from AVG scans, which are actually deleted with AVG and don't return. At least, not till I ignore the Downloader.Agent.ggt again. I understand that there are false-positives which pretend to be viruses, but this one is causing serious issues...

For one, now when I click & drag files in an explorer window, I get one of those blue-screen crashes in regards to memory, but the computer restarts before I can read the whole thing. I could take a picture with a camera of the screen if you think that info might help. So I can move files around as long as I don't move them from folder-to-folder, and if i use the cut & paste method there are no issues. This leads me to believe that the area this virus is in is the memory part that's allocated for the moving of files function of windows (moving files by clicking and dragging from one folder to another), which is why windows cannot use that part of the memory because the virus is sitting there instead of memory space.

The other issue I'm concerned about is the fact that "iexplore.exe" starts replicating 3-4 times when I connect to the internet (wireless connection to my home's router). I do not use internet explorer EVER anymore, so there are no windows open for these processes, I only use firefox now for a browser. When I CTRL+ALT+DEL and end these tasks, they keep repopulating. If I do it fast enough, then I can get rid of all of them, but in replace I'm getting more svchost.exe processes opening up which I think are just a different name for whatever's opening up. Usually one of the svchost.exe processes starts going up to over 150MB of memory. I can end that task, but then the iexplore.exe issue comes right back. These processes with the name "iexplore.exe" usually take up either around 10MB or around 20MB of memory.

Why am I trying to get rid of those iexplore.exe processes? Because when connected with firefox browser, nothing displays as if I'm not connected. I just get a status of the page as "Done" and a white browser page. But after ending all these iexplore.exe processes, I can hit refresh and boom, I have internet again. So these must be messing up my connection, which is pissing me off.

I noticed that in the intro to this FORUM it said not to post Hijack info, so let me know what you need and I'll post. Thanks for your help guys, this is a new virus, as the only topics I find on the internet are in forign languages and are posted within the last few months, so its relatively new.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,263 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:40 PM

Posted 03 February 2008 - 08:29 PM

I get one of those blue-screen crashes in regards to memory, but the computer restarts before I can read the whole thing.

The symptoms you describe could be malware related or they could be due to hardware or overheating problems caused by a failed processor fan, bad memory (RAM), failing power supply, underpowered power supply, CPU overheating, motherboard, video card, faulty drivers, BIOS and firmware problems, dirty hardware, etc. If the computer is overheating, it usually begins to restart on a more regular basis.

However, some rootkits can also trigger BSODs, shutdowns and error messages so download and scan with AVG Anti-Rootkit.

If your not finding any malware then its sounds like the latter problem.

In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You should be able to see the error by looking in the Event Log. Read "How To Use the Event Viewer Applet". You can then gather more information doing a search of the Event ID number at:
"EventID.Net"
"MonitorWare EventID Database"
"Windows Security Log Events".
"Events and Errors Message Center".

An alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD).

To change the recovery settings and Disable Automatic Rebooting, go to Start > Run and type: sysdm.cpl
Click Ok or just press WINKEY + Pause/Break keys to bring up System Properties.
  • Go to the Advanced tab and under "Startup and Recovery", click on the "Settings" button and go to "System failure".
  • Make sure "Write an event to the system log" is checked and that "Automatically restart" is UNchecked.
  • Click "OK" and reboot for the changes to take effect.
Doing this won't cure your problem but instead of crashing and restarting you will get a blue diagnostic screen with an error code and other information that will allow you to better trace your problem. You can use Google to search the error code or use the links below to investigate and troubleshoot or post the info back here so someone can helpful figure out whats wrong.

"Extract troubleshooting info from Windows XP BSOD error messages".
"How to Find BSOD Error Messages".
"Events and Errors Message Center".
"Windows XP Professional Error Messages".
"Troubleshooting Windows Stop Messages".

I'm getting more svchost.exe processes opening up which I think are just a different name for whatever's opening up.


Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe running at the same time in Task manager in order to optimise the running of the various services.

svchost.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process ID's (PID's) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PID's must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time. To investigate these processes, see How to determine what services are running under a Svchost.exe process.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file like svchost.exe. However, it then places itself in a different location on your computer. In XP, the legitimate Svchost.exe file is located in your C:\WINDOWS\system32\ folder.

Other legitimate copies can be found in the following folders:
C:\I386
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it is scvhost.exe], then your dealing with a Trojan.

There are several ways to investigate svchost.exe and related processes.

You can download and use Proces Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

Note: Process Explorer shows two panes by default: the upper pane is always a process list and the bottom pane either shows the list of DLLs loaded into the process selected in the upper pane, or the list of operating system resource handles (files, Registry keys, synchronization objects) the process has open. In the menu at the top select View > Lower Pane View to change between DLLs and Handles.

If you have XP Pro, you can use Tasklist /SVC to view the list of services processes that are running in Svchost. The /SVC switch shows the list of active services in each process.

Go to Start > Run and type: cmd
press Ok
At the command prompt type: tasklist /svc >c:\taskList.txt
press Enter

Go to Start > Run and type: C:\taskList.txt
press Ok to view the list of processes

For help and syntax information, type the following command, and then press ENTER:
tasklist /?
Also see Syntax options and Tasklist Syntax.

You can also use the WMI command-line utility to view and list processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type:
WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
press Enter.

You can also use (type):
WMIC /OUTPUT:C:\ProcessList.txt path win32_process get Caption,Processid,Commandline
press Enter.

Go to Start > Run and type: C:\ProcessList.txt
press Ok to view the details of all the processes.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 whiteknight247

whiteknight247
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:40 PM

Posted 07 February 2008 - 03:19 AM

Thank you very much for the information on investigating my running processes, I will start doing that very soon although there is a lot to look at including some random processes that open when I connect to the internet (such as files with random numbers with an exe extention. example: 104993.exe, temp.exe, agent.exe or njeigj.tmp ... not actual processes but examples of what they look like).

So what is this Downloader.Agent.ggt? It's worrying me that I cannot remove this apparent infection that keeps coming up with the AVG AntiVirus program. I've scanned with the AVG Anti-Rootkit before and removed some spyware, but recent scans show nothing else, but I think this Downloader.Agent.ggt might be disguised as something else, so that's what I'm trying to find out.

I just realized a NEW problem: :flowers:

Sometimes at startup if I start windows with my wireless internet activated, cmd.exe is active and takes up 100% of my CPU. A few times there were multiple cmd.exe processes running but no windows open for it. I just end the cmd.exe tasks and windows resumed "normal" working status. And now when I type "cmd" in the Run utility under the Start Menu, I recieve an error message:
16 bit MS-DOS Subsystem(Error window title)
(the following was in the error's text box)
C:\WINDOWS\system32\cmd.com
The NTVDM CPU has encountered an illegal instruction.
CS.0de0 IP:00b8 OP:63 69 66 79 20 Choose 'Close' to terminate the application


So I cannot access the cmd prompt now... I'm getting more worried. I will investigate the cause of all my processes and report my findings with these 8+ svchost.exe processes and 2+ iexplore.exe processes. Thanks again for your time, it's very much appreciated.
:thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users