
trojan-keylogger.win32.agent


5 replies to this topic

#1 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 18 June 2009 - 06:47 AM

Hello,

I have a friend who was getting a (false) alert on her XP computer, saying she is infected with trojan-keylogger.win32.agent and should send them money for software to remove. Obviously we know this is a scam, but I cannot figure out how to remove it. So, I killed the hard drive with Killdisk and performed a clean install. Well, here it is two weeks later and she is getting the bogus notice again. Does anyone know how to remove this specific infection?

The only thing I can find on the web is advice to reformat. I don't wish to do that again if I can help it. Plus I don't like to think I am being defeated!

Any specific knowledge out there?

Thanks!

PS: I do have access to HJT school forums here at bleeping computer, even though I have been inactive in my studies lately. Just thought I would mention it in case there were removal instructions in those hidden forums.
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!



#2 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 18 June 2009 - 07:28 AM

Hi Albert Frankenstein,

You can try MBAM first. Instructions:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 Albert Frankenstein

Albert Frankenstein
  • Topic Starter

  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 18 June 2009 - 07:33 AM

Thanks. I considered running MBAM, but I saw in some threads that this had been tried and did not remove the infection. Nonetheless, I will pass this info along to her and have her download and run it. I will give an update when I know more. Thanks again.


#4 Guest_superbird_*

Guest_superbird_*

  • Guests

Posted 18 June 2009 - 07:34 AM

I don't know if it can. With the log from MBAM I can tell you more about what's needed. Right now I don't have that info, so that's why I'm giving you the instructions for MBAM. :thumbsup:

Ok, I'll look forward to your reply.

#5 Albert Frankenstein

Albert Frankenstein
  • Topic Starter

  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 07 July 2009 - 08:40 AM

I am still waiting for a reply from her. Please hang in there with me! Thanks.


#6 Albert Frankenstein

Albert Frankenstein
  • Topic Starter

  • Members
  • 2,707 posts
  • Gender:Female
  • Location:Michigan, USA

Posted 08 July 2009 - 04:36 AM

She ran the program, said she told it to remove what it found, and she thinks the malware is gone. At least for the time being. I will certainly keep you posted on that. But here are the two reports she said it generated:

Malwarebytes' Anti-Malware 1.38
Database version: 2386
Windows 5.1.2600 Service Pack

7/7/2009 11:21:10 AM
mbam-log-2009-07-07 (11-18-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 109865
Time elapsed: 18 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
C:\Documents and Settings\Sandra\XP Deluxe Protector\xpdeluxe.exe (Rogue.Installer) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\wininetapp.wininet (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{b330243e-09e$-402f 8721-00067 'gad} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4b86e9-df-4de3-4cda-83b5-116l3e bob} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{9B92be2f eb8f-49ct9-a 11 c-c24c1 ef734d5} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a4dea7 8-4bea-9463-7ff2864 3b1} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca795b$88-4beO-9463-7ff2i 543bI} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4dca795-b588-4beO-9483-7ff21 543b1} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\wininetapp.wininet.1 (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XP Deluxe Protector (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run~tect (Rogue.Installer) -> No action taken.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> No action taken.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
c:\documents and settings\Sandra\XP Deluxe Protector (Rogue.DeluxeProtector) -> No action taken.

Files Infected:
C:\Documents and Settings\Sandra\XP Deluxe Protector\xpdeluxe.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\system32\MObostex32.d4( (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\Sandra\local settings\temporary internet files\Content.IE5\8LYZCPZ\x eiuxe[f }.exe (Rogue.Installer) -> No action taken.
c:\documents and settings\Sandra\local settings\temporary internet files\Content.IE5\9123Di 7i\ehostcx32 fl.dUt (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\Sandra\Start Menu\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> No action taken.
c:\documents and settings\Sandra\Desktop\XP Deluxe Protector.LNK (Rogue.DeluxeProtector) -> No action taken.
c:\documents and settings\Sandra\Local Settings\Temp\defender32.exe (Trojan.Downloader) -> No action taken.
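The MBAM log in the post above shows the two registry tricks this rogue uses to stay quiet: it sets the Security Center's AntiVirusDisableNotify, FirewallDisableNotify and UpdatesDisableNotify data items to 1 (MBAM reports them as "Bad: (1) Good: (0)", Disabled.SecurityCenter) and it hides the Security Center applets scui.cpl and wscui.cpl by listing them under HKCU\Control Panel\don't load (Hijack.SecurityCenter). The script below is an added example, not code from the thread or from Malwarebytes; it audits exactly those values on the machine and, with -Fix, puts them back to the defaults the log calls "Good". It assumes Windows PowerShell is available on the affected PC and that it is run from an administrator session.

```powershell
# Added example: audit the Security Center settings flagged in the MBAM log
# above (Disabled.SecurityCenter / Hijack.SecurityCenter) and optionally
# restore them. Not part of the thread or of Malwarebytes' own tooling.
# Assumes an elevated Windows PowerShell session on the affected machine.
param([switch]$Fix)

# Registry data items MBAM reported as "Bad: (1) Good: (0)".
# 0 = notifications enabled (the default), 1 = the rogue's silenced state.
$securityCenterChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Good = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Good = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Good = 0 }
)

# Any value named under "don't load" hides that Control Panel applet.
# scui.cpl / wscui.cpl are the Security Center applets the log showed as hijacked.
$dontLoadPath  = "HKCU:\Control Panel\don't load"
$hiddenApplets = @('scui.cpl', 'wscui.cpl')

$findings = @()

foreach ($check in $securityCenterChecks) {
    $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # value absent: Windows uses its default
    $current = $item.($check.Name)
    if ($current -ne $check.Good) {
        # Report in the same shape MBAM used so it can be compared with the log.
        $findings += "$($check.Path)\$($check.Name) -> Bad: ($current) Good: ($($check.Good))"
        if ($Fix) {
            Set-ItemProperty -Path $check.Path -Name $check.Name -Value $check.Good -Type DWord
        }
    }
}

foreach ($applet in $hiddenApplets) {
    $item = Get-ItemProperty -Path $dontLoadPath -Name $applet -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $findings += "$dontLoadPath\$applet -> present (applet hidden)"
        if ($Fix) { Remove-ItemProperty -Path $dontLoadPath -Name $applet }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Security Center notification settings look normal.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    if ($Fix) { Write-Output 'Settings restored. Re-run the scanner to confirm the rogue itself is gone.' }
    else      { Write-Output 'Run again with -Fix to restore the defaults.' }
}
```

Restoring these values only undoes the symptom: the dropper (defender32.exe in the log) and the XP Deluxe Protector executable will flip them back on the next run, which is why the removal plus the reboot MBAM asks for comes first and this audit is the check afterwards. The same three Security Center values reappearing after a clean scan is a quick sign that something is still running.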




