Request for Assistance removing Trojan.Agent and Hacktool.GCM


  • This topic is locked
3 replies to this topic

#1 Khrystalar

  • Members
  • 14 posts

Posted 06 July 2009 - 04:37 AM

Hi there. :thumbsup:

Hoping somebody can help - I've been working for about two weeks, now, trying to clear some particularly nasty Malware from my father's PC. I'm guessing that somehow, he managed to get himself a virus which has been secretly downloading and setting off other viruses, because the system was absolutely riddled with them - far too many to have all come from a single e-mail or suspicious program had my father clicked on something he shouldn't. Probably 30-40 individual, named viruses and hundreds of their associated components.

Having worked on this on-and-off for the past two weeks, I think I've managed to get rid of most of the threats. However, there are still two which keep coming back and I can't seem to get rid of: the file C:\Windows\System32\TCPCON.dll (identified by MalwareBytes as "Trojan.Agent") and also the file C:\Windows\System32\ADVOCR.dll (identified by AVG 8.5 as "Trojan - Hacktool.GCM"). The latter is, according to AVG, being called by the executable C:\Windows\System32\winlogon.exe - this tends to happen about 5 - 10 minutes after I log in. TCPCON.dll, on the other hand, seems to re-appear the moment I restart my system.

So far, in my efforts to clean this system, I've performed full scans with the following tools:

AVG Free Edition v8.5
MalwareBytes Anti-Malware v1.38
SuperAntiSpyware Free Edition v4.26.1006
ATF-Cleaner v3.0.0.2
Rootkit Revealer v1.7
HijackThis v2.0.2
RootRepeal (beta version)

As I said, these have allowed me to remove a huge amount of Malware, but these two Trojans still continue to elude me. Although both of their DLLs show up on the various scans, none of the above tools give me any clue as to why they keep coming back after I delete them. I'm far from being an expert (although my technical knowledge is reasonable) but there's nothing, now, in the logs from any of the tools that would suggest anything suspicious left on the system - except for the two DLLs themselves.

The one (possible) exception to this is the Rootkit Revealer log; this shows only two "problem" entries - a couple of registry paths (which show up on the scan because they "contain null characters") which don't seem to actually be there when I look using RegEdit. Rootkit Revealer is merely a scanner, though - there's no way (that I can find) of using it to FIX problems once you've discovered them.

Having used all of the above apps, I'm wondering whether this ComboFix tool I've heard so much about might be the next thing to try. However, mindful of the warnings here (and on just about every other site out there that recommends ComboFix to anyone) I'm unwilling to use it without having somebody to talk me through what to do.

If anybody is willing to help, I'd be most grateful. I can re-run scans from any of the above tools and post logs, or I can download others if there's something I should be using here and haven't thought to try, yet. FYI, this system is running Windows XP Home Edition.

Grateful thanks, in advance, for any assistance.

Best wishes,

--
Khrys.
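A defender's triage script added here, not from the thread or from any of the tools it names: it assumes PowerShell is available on the XP machine, reads only the Winlogon autostart locations the post points at (a DLL in System32 being loaded by winlogon.exe and returning after a reboot), and turns the Rootkit Revealer "contain null characters" finding into a heuristic: a key whose name holds an embedded null enumerates under a truncated name that the normal registry API then cannot open.

```powershell
# Added triage script, not from the thread. Read-only: it changes nothing.
$suspects = @('TCPCON.dll', 'ADVOCR.dll')   # file names taken from the post
$sys32    = Join-Path $env:SystemRoot 'System32'
$wlPath   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. Are the files present right now? Size and timestamp help spot a re-drop
#    after the next reboot (the post says TCPCON.dll returns at restart).
foreach ($name in $suspects) {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p -Force
        '{0}: present, {1} bytes, modified {2}' -f $name, $f.Length, $f.LastWriteTime
    } else {
        '{0}: not present' -f $name
    }
}

# 2. Winlogon values that name a program or DLL to run at logon.
Get-ItemProperty -Path "HKLM:\$wlPath" |
    Select-Object Userinit, Shell, UIHost, GinaDLL | Format-List

# 3. Winlogon\Notify subkeys: each DLLName value is loaded into winlogon.exe,
#    which matches the "called by winlogon.exe" observation in the post.
Get-ChildItem -Path "HKLM:\$wlPath\Notify" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DLLName
        '{0,-24} -> {1}' -f $_.PSChildName, $dll
    }

# 4. Hidden-key heuristic. Win32 registry calls stop at a null character, so a
#    subkey whose real name contains one lists under a truncated name that
#    cannot be opened. Any subkey that enumerates but fails to open deserves a
#    closer look with a tool that uses the native (NT) registry API.
function Test-SubkeysOpen([Microsoft.Win32.RegistryKey]$key) {
    foreach ($n in $key.GetSubKeyNames()) {
        $k = $null
        try { $k = $key.OpenSubKey($n) } catch { }
        if ($null -eq $k) {
            "Subkey '$n' under $($key.Name) enumerates but cannot be opened"
        } else {
            Test-SubkeysOpen $k   # recurse through the small Winlogon tree
            $k.Close()
        }
    }
}
$wl = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($wlPath)
Test-SubkeysOpen $wl
$wl.Close()
```

Run it before and after a reboot and compare the two outputs; a value or subkey that reappears alongside the DLL is the persistence mechanism the thread is looking for.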

#2 Zllio

  • Members
  • 1,107 posts

Posted 10 July 2009 - 07:36 AM

Hi Khrystalar,

Sorry it's taken us so long to respond. You've done almost everything you can do for this forum. You need to run through the Preparation Guide and start a new thread in HijackThis. In your first post there, make a reference to this thread. In that forum they will be able to help you track down the file that's causing this. It's probably a driver and it's most likely hidden, so using the tools in the HJT forum will allow them to help you find it. Before you start with the preparation guide, I'd like to ask you to install and run ATF Cleaner. Once you've gotten most of the malware out of your computer, it will help to keep it from spreading again if you can keep your temp and temporary internet files cleaned out. Run this now just before you start on the Preparation Guide and then run it regularly after you've been on the internet until someone in the other forum can help you. Once you start the Preparation Guide, please don't make any further changes to your computer, like adding and removing programs. Here are the instructions for ATF:

If you're running XP, please run ATF Cleaner according to the following instructions. If you're using Vista, right-click on the icon and select "Run as Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

#3 Khrystalar
  • Topic Starter
  • Members
  • 14 posts

Posted 13 July 2009 - 06:15 AM

Hi Zllio,

Just a note to say: I've taken all your advice, and started a new thread in the HijackThis forum with my DDS logs in it (http://www.bleepingcomputer.com/forums/topic241115.html, for information). Thanks very much for getting back to me. :thumbsup:

No need to apologise for the delay. I didn't realise that this forum moved so fast when I made my initial post; when I checked back and realised that I was now buried on page four barely an hour after creating the topic, I figured I'd probably have to wait a while for somebody to notice my cry for help. Keep up the good work! :flowers:

Please feel free to close this topic, then, at your convenience.

Thanks again! Best wishes,

--
Khrys.

#4 Orange Blossom
  • OBleepin Investigator
  • Moderator
  • 36,993 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 14 July 2009 - 10:10 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/241115/request-for-assistance-removing-trojanagent-and-hacktoolgcm/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript