
Trojan Detected Need Removal Assistance


12 replies to this topic

#1 Timewellwasted

Posted 18 July 2009 - 05:27 PM

Hello, I hope this is the correct way to post.
I ran a scan for viruses/spyware today with Spyware Terminator, a program I have used for many years now. The results this time were different! It states "Agent 119428 Trojan Detected by ClamAV". The path it gives is C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe, and when I told it to remove it, it suggested I use the software's uninstall instead! Well, to my knowledge Trojans don't come with uninstall programs!! Besides being a bit amusing, I thought that it was a poorly designed piece of software if that is what it has to say for removing a trojan.
So I am here to ask for some help with this. Is it truly a Trojan? The file says it was installed over a year ago, 05/15/2008 to be exact. But I'm no expert, so I'll look forward to a reply.


#2 Computer Pro

Posted 18 July 2009 - 05:34 PM

Hello and welcome to Bleeping Computer

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Select the Immediate Notification bullet. Then press Submit.



Lets take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 Timewellwasted

Posted 18 July 2009 - 09:04 PM

Hello again, thank you for the assistance, but we have a problem. I downloaded the Malwarebytes software, renamed the file, updated, etc. I then ran it, twice. Both times it froze at the same file, named c:\windows\installer\15f3f74.msi. The first time it had scanned for 44 minutes 22 seconds and the second time 45 minutes 22 seconds; both times it had "frozen" on the same file. The first time I waited probably 20 minutes to see if it would restart or what would happen. When I finally decided it wasn't going to do anything, I tried to click Pause Scan, thinking maybe when I un-paused it the program might restart where it left off. It never responded to Pause Scan. I then had a heck of a time getting the program to close in any manner; I finally was able to close it on the third attempt, via an "End it now" prompt that popped up during an attempt to shut down the computer. The second time, it is still in the Not Responding frozen state.
I do have Spybot SD installed but I disabled the Tea Timer, and shut down the Spybot S&D completely on both attempts.
Is there another program you want me to try or some other action?
P.S.
I still have not received an e-mail notice from the first reply you sent, I had turned it on before you had sent the reply. Sometimes my e-mail is extremely delayed so I will just recheck here for any reply. Thanks.

EDIT: I GOT IT TO WORK!!
It took over an hour and a half on this try but it finished!
Here is the log:
Malwarebytes' Anti-Malware 1.39
Database version: 2461
Windows 5.1.2600 Service Pack 2

7/18/2009 11:12:09 PM
mbam-log-2009-07-18 (23-12-09).txt

Scan type: Full Scan (C:\|)
Objects scanned: 166750
Time elapsed: 1 hour(s), 40 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Appears it found nothing? I'll await your opinion thank you.

Edited by Timewellwasted, 18 July 2009 - 11:15 PM.


#4 Computer Pro

Posted 19 July 2009 - 09:16 AM

Ok,

Please run ATF and SAS:
Credits to Boopme

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Edition

Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
Computer Pro

#5 Timewellwasted

Posted 19 July 2009 - 12:06 PM

Ok, I have a question on the SuperAntispyware options you want me to make sure are checked. When I get to the page with all of those options, there are already nine things with checks on them, and the three things you mentioned are all un-checked (by default). So do you wish for me to un-check everything and then add these three?
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
I know this creates a delay by asking but I'd rather be certain of your intent than to do it incorrectly.
Thanks.

Edited by Timewellwasted, 19 July 2009 - 12:07 PM.


#6 Computer Pro

Posted 19 July 2009 - 09:03 PM

Yes, that is correct. Uncheck everything else except the three.
Computer Pro

#7 Timewellwasted

Posted 19 July 2009 - 09:45 PM

Ok, did both and the Super log is:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/19/2009 at 09:28 PM

Application Version : 4.26.1006

Core Rules Database Version : 4004
Trace Rules Database Version: 1944

Scan type : Complete Scan
Total Scan Time : 03:25:33

Memory items scanned : 211
Memory threats detected : 0
Registry items scanned : 4713
Registry threats detected : 0
File items scanned : 66941
File threats detected : 0

Let me know what you think about the likelihood that this may have been a False Positive on the part of Spyware Terminator, or what the next step would be.
Thanks.

#8 Computer Pro

Posted 19 July 2009 - 10:43 PM

Yes, from the second scan it is looking to be a False Positive. And I did a little research and some people have had the same question over the past few weeks from different sites. They have run virus total scans on the file, and yes it appears to be a false positive. But, just to be sure:

Let's submit the file to Virus Total so that it will scan it with multiple scanners to see if it is a False Positive.

To submit a file to Virus Total:

-Go to Virus Total
-Click the Browse button and then browse to the file's location. Once there, click the file and then press open.
-Then click Send File
-Please wait for the scanner to finish processing the file.
-Once done, please copy and paste the results on this page into your next post.
Computer Pro

#9 Timewellwasted

Posted 19 July 2009 - 11:10 PM

Ok Thank you.
File has already been analysed:
MD5: a93aee1928a9d7ce3e16d24ec7380f89
First received: 2009.02.12 02:28:35 UTC
Date: 2009.07.19 23:54:55 UTC [<1D]
Results: 1/41
Permalink: analisis/944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f-1248047695
It looks like the only software to say it is a problem is the same one I used...

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.19 -
AhnLab-V3 5.0.0.2 2009.07.19 -
AntiVir 7.9.0.222 2009.07.20 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.20 -
Avast 4.8.1335.0 2009.07.19 -
AVG 8.5.0.387 2009.07.19 -
BitDefender 7.2 2009.07.20 -
CAT-QuickHeal 10.00 2009.07.17 -
ClamAV 0.94.1 2009.07.19 Trojan.Agent-119428
Comodo 1707 2009.07.20 -
DrWeb 5.0.0.12182 2009.07.19 -
eSafe 7.0.17.0 2009.07.19 -
eTrust-Vet 31.6.6623 2009.07.18 -
F-Prot 4.4.4.56 2009.07.20 -
F-Secure 8.0.14470.0 2009.07.19 -
Fortinet 3.120.0.0 2009.07.19 -
GData 19 2009.07.20 -
Ikarus T3.1.1.64.0 2009.07.19 -
Jiangmin 11.0.800 2009.07.19 -
K7AntiVirus 7.10.796 2009.07.18 -
Kaspersky 7.0.0.125 2009.07.20 -
McAfee 5681 2009.07.19 -
McAfee+
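The reasoning in this exchange is that a detection from one engine out of many is weak evidence. As an added example (not part of this thread, and not code from any of the tools mentioned), the script below does the two things a defender wants before acting on such a verdict: it computes a flagged file's MD5 and SHA-256 locally, so the file can be looked up by hash rather than uploaded, and it parses an engine-by-engine result table in the format pasted above to count how many engines agree. The sample table is the one from this post, including its truncated final "McAfee+" row, which the parser records as unparseable rather than counting; the "single-engine hit" threshold of ten engines is an assumption chosen for this example.

```python
# Added example (not from the thread): hash a flagged file locally and
# summarise a pasted multi-engine result table before trusting one verdict.
import hashlib
import re
from dataclasses import dataclass, field

# One table row: engine, version, signature date, result ("-" = nothing found).
ROW = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
                 r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$")


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of an in-memory buffer (the values used to look a file up by hash)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def file_hashes(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, read in chunks so large files need little RAM."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


@dataclass
class Triage:
    engines: int = 0                                   # rows parsed completely
    detections: dict = field(default_factory=dict)     # engine -> detection label
    skipped: list = field(default_factory=list)        # malformed or truncated rows

    @property
    def ratio(self) -> str:
        return f"{len(self.detections)}/{self.engines}"

    @property
    def verdict(self) -> str:
        n = len(self.detections)
        if n == 0:
            return "no engine flags the file"
        if n == 1 and self.engines >= 10:   # assumed threshold for "many engines"
            return f"only {next(iter(self.detections))} flags it: single-engine hit, likely false positive"
        return "several engines agree: treat as a real detection"


def parse_results(table: str) -> Triage:
    """Parse a pasted engine table; rows that do not parse are kept in .skipped."""
    triage = Triage()
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):   # blank or header line
            continue
        m = ROW.match(line)
        if m is None:
            triage.skipped.append(line)
            continue
        triage.engines += 1
        if m["result"] != "-":
            triage.detections[m["engine"]] = m["result"]
    return triage


# Sample input: the rows pasted in the post above, including the truncated
# final "McAfee+" row exactly as it appears there.
SAMPLE_TABLE = """\
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.19 -
AhnLab-V3 5.0.0.2 2009.07.19 -
AntiVir 7.9.0.222 2009.07.20 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.20 -
Avast 4.8.1335.0 2009.07.19 -
AVG 8.5.0.387 2009.07.19 -
BitDefender 7.2 2009.07.20 -
CAT-QuickHeal 10.00 2009.07.17 -
ClamAV 0.94.1 2009.07.19 Trojan.Agent-119428
Comodo 1707 2009.07.20 -
DrWeb 5.0.0.12182 2009.07.19 -
eSafe 7.0.17.0 2009.07.19 -
eTrust-Vet 31.6.6623 2009.07.18 -
F-Prot 4.4.4.56 2009.07.20 -
F-Secure 8.0.14470.0 2009.07.19 -
Fortinet 3.120.0.0 2009.07.19 -
GData 19 2009.07.20 -
Ikarus T3.1.1.64.0 2009.07.19 -
Jiangmin 11.0.800 2009.07.19 -
K7AntiVirus 7.10.796 2009.07.18 -
Kaspersky 7.0.0.125 2009.07.20 -
McAfee 5681 2009.07.19 -
McAfee+
"""

if __name__ == "__main__":
    t = parse_results(SAMPLE_TABLE)
    print(t.ratio, "->", t.verdict)   # 1/23 -> only ClamAV flags it: single-engine hit, ...
    print("skipped rows:", t.skipped)
```

Run `file_hashes(path)` against the flagged file to get the MD5 that the result page reports; if the hash is already known to the service, the file need not be uploaded at all, which matters when the flagged file could contain private data.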

#10 Timewellwasted

Posted 19 July 2009 - 11:10 PM

So, is the verdict in? A False Positive?
By the way, thanks for the help! Even if it is a False Positive, I had no luck finding any info on it myself, and knowing it is false for certain is just as important to me!

Edited by Timewellwasted, 19 July 2009 - 11:14 PM.


#11 Computer Pro

Posted 19 July 2009 - 11:28 PM

Yes, since ClamAV is the only one that detects it as a trojan, and since ClamAV was the one that flagged it as the False Positive, I can say yes, it is a false positive. And given the scanners that we have run, which find just about anything if you had an infection, your machine is good to go for now.
Computer Pro

#12 Timewellwasted

Posted 19 July 2009 - 11:49 PM

Sounds great for now! Thank you for the help!

#13 Computer Pro

Posted 20 July 2009 - 12:03 AM

You're welcome
Computer Pro
