Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Agent/Gen-Injector, and backing up


  • Please log in to reply
5 replies to this topic

#1 Lishy

Lishy

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 24 April 2012 - 03:38 PM

Hey guys. I got infected with Trojan.Agent/Gen-Injector and I was told to post the logs. I am planning to format, but I want to port some files onto my USB, and wish to know if it is safe to do so. Namely, RTF, PSD (photoshop), PDN (Paint.net files), image files, text files, .skp (sketchup), and .pk3 (A ZIP format which holds my Doom mod...)

I am in Linux Mint mode right now, running off of a live CD. So is it safe to place the files I want onto my external harddrive?


And BEFORE I format, how do I know this isn't a false alarm? Scanned on my alt comp which also has latest SAS and steam, and nothing detected.

edit: If I take a dll out of quarantine, and then reset, it seems avast's web shield gets turned off. It did not get turned off in resets where I did not take it out of quarantine. Consistently, SAS reports that same file as infected (hence I also put it back into quarantine..)

Sure this is a false alarm?


SUPERAntiSpyware Scan Log

http://www.superantispyware.com



Generated 04/24/2012 at 03:43 PM



Application Version : 5.0.1146



Core Rules Database Version : 8502

Trace Rules Database Version: 6314



Scan type : Complete Scan

Total Scan Time : 01:34:14



Operating System Information

Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)

UAC On - Limited User



Memory items scanned : 594

Memory threats detected : 1

Registry items scanned : 68107

Registry threats detected : 6

File items scanned : 313471

File threats detected : 16



Trojan.Agent/Gen-Injector

C:\PROGRAM FILES (X86)\ASUS\ATK PACKAGE\ATKGFNEX\GFNEXSRV.EXE

C:\PROGRAM FILES (X86)\ASUS\ATK PACKAGE\ATKGFNEX\GFNEXSRV.EXE

(x86) HKLM\System\ControlSet001\Services\ATKGFNEXSRV

(x86) HKLM\System\ControlSet001\Enum\Root\LEGACY_ATKGFNEXSRV

(x86) HKLM\System\ControlSet002\Services\ATKGFNEXSRV

(x86) HKLM\System\ControlSet002\Enum\Root\LEGACY_ATKGFNEXSRV

(x86) HKLM\System\CurrentControlSet\Services\ATKGFNEXSRV

(x86) HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ATKGFNEXSRV

C:\ESUPPORT\EDRIVER\SOFTWARE\CARDREADER\APBIN_32BIT\ADDFILTER.EXE

C:\HIGURASHI 6\DIRECTX\DSETUP.DLL

C:\PROGRAM FILES (X86)\CYBERLINK\LABELPRINT\OLRSUBMISSION\UNICOWS.DLL

C:\PROGRAM FILES (X86)\CYBERLINK\POWER2GO\OLRSUBMISSION\UNICOWS.DLL

C:\PROGRAM FILES (X86)\SYNCABLES\SYNCABLES DESKTOP\JRE\BIN\UNICOWS.DLL

C:\PROGRAM FILES (X86)\MICROSOFT SILVERLIGHT\4.0.50401.0\AGCP.EXE

C:\PROGRAM FILES (X86)\STEAM\GAMEOVERLAYUI.EXE

C:\WINDOWS\INSTALLER\{3C41721F-AF0F-4086-AA1C-4C7F29076228}\EVENTVIEWERSHORTCU_76E67E6157E04378993DB5E66098550F.EXE

C:\WINDOWS\INSTALLER\{3C41721F-AF0F-4086-AA1C-4C7F29076228}\ITADMINISTRATORTOO_76E67E6157E04378993DB5E66098550F.EXE

C:\WINDOWS\INSTALLER\{3C41721F-AF0F-4086-AA1C-4C7F29076228}\MANDGSHORTCUT_1CFB7726D7724CF49484D586CCA6C004.EXE

C:\WINDOWS\INSTALLER\{3C41721F-AF0F-4086-AA1C-4C7F29076228}\NEWSHORTCUT1_76E67E6157E04378993DB5E66098550F.EXE

C:\WINDOWS\INSTALLER\{3C41721F-AF0F-4086-AA1C-4C7F29076228}\NEWSHORTCUT1_EC2A9EA7A46E48B9A0FD04BC5EF9F6A5.EXE

C:\WINDOWS\INSTALLER\{B74D4E10-1033-0000-0000-000000000001}\NEWSHORTCUT2_B74D4E10103300000000000000000001.EXE

C:\Windows\Prefetch\GAMEOVERLAYUI.EXE-86F598D5.pf



Adware.Tracking Cookie

.macromedia.com [ C:\USERS\LISHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\6RTCCHPY.DEFAULT\COOKIES.SQLITE ]

Edited by Lishy, 24 April 2012 - 05:50 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 24 April 2012 - 08:15 PM

What did SAS say it will do with these?

An Infector woll continue to infect .exe files.


Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


You can submit these files for a second opinion.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.




As you are considering backing up data and reformatting,wgich I feel is the correct thing to do with this type of Malware... Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or adding to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external usb hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if its worth that risk.Again, do not back up any files with the following file extensions: exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

If you're not sure how to reformat or need help with reformatting, please review:These links include step-by-step instructions with screenshots:Vista users can refer to these instructions:Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufactures to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead..

If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.

Edited by boopme, 24 April 2012 - 08:18 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Lishy

Lishy
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 24 April 2012 - 09:12 PM

I will not back up any compressed files, exes, or inis, and I will be doing everything while in Linux mode (Importing onto my External HDD and Importing). Would you recommend such a procedure? And if there any scanner I can use whilst in Linux Mint 12 mode?

I'm strictly only backing up .Skp, .TXT, PSD, a single .Zip (which contains NO exe files), PDN, and image files. Is that ok?


SAS quarantined the files. I did not delete them yet however. |Though after re-scanning with SAS however, it did not detect anything further. It still detects the files as infected if I restore them however. And the avast business still has me worried.

But I do refuse to connect to the internet anymore on that PC. I don't trust it. Anyways, how do I work that virustotal stuff if I have the files quarantined and do not wish to connect online? Same with ESET.

I COULD in theory download them while running on a Linux Live CD, and do it like that. Could we accommodate for this method please?

Though, I really wish to format ASAP (As in, tonight...) if that's ok?

Edited by Lishy, 24 April 2012 - 09:14 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 24 April 2012 - 09:53 PM

Yes that backup is OK..
Dont fret the scans as you are formatting. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

Thanks for posting.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 Lishy

Lishy
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:09:44 AM

Posted 24 April 2012 - 10:47 PM

I have scanned with aswMBR and I have logs. However, I'm scanning again with SAS on safe mode.

But how do I upload one of the infected files from my quarantine to virustotal from Linux mode?

When I finish the SAS safe mode scan and learn how to scan the file on virustotal, I will post logs.

Edited by Lishy, 24 April 2012 - 10:47 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,914 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:44 AM

Posted 25 April 2012 - 12:58 PM

Ok, It appears you cannot get it out of quarantine.
See if when the SAS completes if you can grab it before you quarantine.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users