
I think I may have MSIL/Spy.Agent.BP trojan help/advice needed.


17 replies to this topic

#1 netgadget


Posted 10 December 2014 - 06:07 PM

I have run Malwarebytes, SUPERAntiSpyware and the ESET online scanner. The only thing to detect anything is the online scanner. Symptoms I have experienced or have noticed: AVG search keeps coming up when I open a new tab in Firefox or IE. I don't typically run into too many problems, but I am worried now since I will be doing online banking. I can't find any information on how to remove what infections I might have. I do use AVG Free; I don't have a lot of money, so I can't just shell out money for software to remove said infections.

 

MSIL/Spy.Agent.BP trojan is the name of the trojan that was detected.

 

I use Windows 7 and Firefox. Please let me know any information or guidelines I need to follow to resolve this issue. Just to be clear, I have not had any issues besides the web hijacking. But I feel if I don't take care of this I will have more issues...

 

Thanks for any response.





#2 quietman7


Posted 10 December 2014 - 06:43 PM


AVG Security Toolbar and AVG Secure Search (created by the makers of AVG Anti-virus) are optional add-ons when installing their anti-virus product if you choose "Customized" install instead of "Express". Since most folks choose an Express install they usually are not aware these options are also being installed as they are pre-checked by default during installation. Some users have also reported that after AVG auto-updates, it will install the toolbar as a browser add-on without input from the user.

AVG Security Toolbar and AVG Secure Search are also commonly bundled as an option with other free software users may download and install. Many folks overlook that option since it is pre-checked by default and they unknowingly install it. For example, the toolbar is bundled with PDFCreator.

So even if you decline the option to use these add-ons when installing AVG anti-virus, you may still end up finding them on your system some point after an AVG update or by unknowingly downloading and installing another program where they have been bundled. This also explains how those who never used AVG anti-virus also sometimes find AVG Secure Search and the Security Toolbar installed. Be careful what you download and read everything during the installation.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:47 PM

Posted 10 December 2014 - 06:46 PM


After doing the above...continue as follows:

Please download and use the following tools (in the order listed) which will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants.

RKill created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer.
AdwCleaner created by Xplode.
Junkware Removal Tool created by thisisu.

1. Double-click on RKill to launch the tool. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. A log file will be created and saved to the root directory, C:\RKill.log. Copy and paste the contents of RKill.log in your next reply.

Important: Do not reboot your computer until you complete the next step.

2. Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will start to update its database...please wait until complete.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad (where the largest value of # represents the most recent report).
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.


Close all open programs and shut down any protection/security software to avoid potential conflicts.

3. Double-click on JRT.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.
.
4. As a final step, rescan again with Malwarebytes Anti-Malware and post the log. Refer to this topic for instructions on how to save/export a Scan log: How do I access and save logs from Malwarebytes Anti-Malware?

#4 netgadget

netgadget
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 10 December 2014 - 08:13 PM

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/10/2014 07:48:42 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * C:\Windows\System32\user32.dll : 1,008,640 : 10/03/2012 00:52 AM : 2c353b6ce0c8d03225caa2af33b68d79 [NoSig]
 +-> C:\Windows\SysWOW64\user32.dll : 833,024 : 10/03/2012 00:52 AM : 861c4346f9281dc0380de72c8d55d6be [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll : 1,008,640 : 07/13/2009 08:41 PM : 72d7b3ea16946e8f0cf7458150031cc6 [Pos Repl]
 +-> C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll : 1,008,128 : 11/20/2010 08:27 AM : fe70103391a64039a921dbfff9c7ab1b [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll : 833,024 : 07/13/2009 08:11 PM : e8b0ffc209e504cb7e79fc24e6c085f0 [Pos Repl]
 +-> C:\Windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll : 833,024 : 11/20/2010 07:08 AM : 5e0db2d8b2750543cd2ebb9ea8e6cdd3 [Pos Repl]

Checking HOSTS File:

 * No issues found.

Program finished at: 12/10/2014 07:50:07 PM
Execution time: 0 hours(s), 1 minute(s), and 24 seconds(s)
 

 

 

 

Next part: AdwCleaner.

 

# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\danny\AppData\Local\AVG SafeGuard toolbar

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v34.0.5 (x86 en-US)


-\\ Google Chrome v39.0.2171.95

[C:\Users\danny\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\danny\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

-\\ Chromium v

[C:\Users\danny\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\danny\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [1446 octets] - [12/09/2013 17:20:47]
AdwCleaner[R1].txt - [993 octets] - [28/09/2013 13:46:43]
AdwCleaner[R2].txt - [1533 octets] - [16/11/2013 20:05:01]
AdwCleaner[R3].txt - [6609 octets] - [09/12/2014 14:40:55]
AdwCleaner[R4].txt - [1645 octets] - [10/12/2014 19:59:21]
AdwCleaner[S0].txt - [1531 octets] - [12/09/2013 17:22:31]
AdwCleaner[S1].txt - [1058 octets] - [28/09/2013 13:57:23]
AdwCleaner[S2].txt - [1608 octets] - [16/11/2013 20:06:18]
AdwCleaner[S3].txt - [6591 octets] - [09/12/2014 14:44:20]
AdwCleaner[S4].txt - [1866 octets] - [10/12/2014 20:01:50]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1926 octets] ##########

 

I will post the next part after it finishes.
 



#5 netgadget

netgadget
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 10 December 2014 - 08:29 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 7 Ultimate x64
Ran by danny on Wed 12/10/2014 at 20:23:38.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-338778397-2151171062-2037590614-1001\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] C:\Windows\prefetch\TOOLBARUPDATER.EXE-DC4D487C.pf
Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 12/10/2014 at 20:27:27.02
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:47 PM

Posted 10 December 2014 - 08:35 PM

After a rescan with Malwarebytes do this.


Please perform a scan with Emsisoft Emergency Kit and save the file to your Desktop.
  • Extract the contents to C:\EEK as shown here.
  • Double click the desktop-shortcut (EmsisoftEmergencyKit.exe) icon to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator.
  • When the program opens select Emergency Kit Scanner.
  • If prompted to download the latest definition files, select Yes.
  • Once the update is complete click "Scan".
  • Enable "PUPs" detection (1) and click on "Full Scan" (2).
  • Be patient...this is a comprehensive scan and can take some time to complete.
  • If adware/malware was detected, check all the items and select Quarantine detected objects, then click OK.
  • When done, click on View Report (2).
  • Save the report to your Desktop and copy and paste the contents in your next reply.


#7 netgadget

netgadget
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 10 December 2014 - 08:47 PM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/10/2014
Scan Time: 8:30:10 PM
Logfile: frfrfrf.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.10.10
Rootkit Database: v2014.12.08.03
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: danny

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 384100
Time Elapsed: 16 min, 10 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

This is a normal threat scan.



#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:47 PM

Posted 10 December 2014 - 08:51 PM

this is a normal threat scan

And that is the recommended scan.

#9 netgadget

netgadget
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 11 December 2014 - 07:36 AM

Emsisoft Emergency Kit - Version 9.0
Last update: 12/10/2014 11:42:15 PM
User account: danny-PC\danny

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, E:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    12/10/2014 11:43:22 PM
Value: HKEY_USERS\S-1-5-21-338778397-2151171062-2037590614-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR     detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-338778397-2151171062-2037590614-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS     detected: Setting.DisableRegistryTools (A)
C:\Program Files\OBS\QSVHelper.exe     detected: Trojan.Generic.12236638 (B)

Scanned    514463
Found    3

Scan end:    12/11/2014 2:08:05 AM
Scan time:    2:24:43

C:\Program Files\OBS\QSVHelper.exe    Quarantined Trojan.Generic.12236638 (B)
Value: HKEY_USERS\S-1-5-21-338778397-2151171062-2037590614-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS    Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-338778397-2151171062-2037590614-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR    Quarantined Setting.DisableTaskMgr (A)

Quarantined    3
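The RKill log earlier in this thread showed Windows Defender switched off by a registry policy value, the Emsisoft log above found the Task Manager and Registry Editor lockout policies set, and JRT had to reset the IE start page in every user hive. As an added example (not code from the thread or from any of the tools it names), the following PowerShell script re-checks those same values read-only on a Windows machine, so you can confirm after the cleanup that nothing has re-applied them; it assumes an elevated PowerShell (2.0 or later) on Windows 7 or later.

```powershell
# Added example, not from the thread or from RKill/AdwCleaner/JRT/Emsisoft.
# Read-only audit of the settings those logs flagged. It reports; it changes nothing.
# Assumes an elevated PowerShell (2.0 or later) on Windows 7 or later.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
       Name = 'DisableAntiSpyware'
       Why  = 'Windows Defender disabled (RKill reported this value set to 1)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'
       Why  = 'Task Manager blocked (Emsisoft: Setting.DisableTaskMgr)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'
       Why  = 'Registry Editor blocked (Emsisoft: Setting.DisableRegistryTools)' }
)

foreach ($c in $checks) {
    # Missing key or missing value both mean "not set", which is the healthy state.
    $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    $value = $null
    if ($props -ne $null) { $value = $props.($c.Name) }

    if ($value -eq 1) {
        # On a home PC with no domain policy nobody sets these legitimately;
        # a 1 here after a cleanup means something re-applied it.
        'SUSPECT {0}\{1} = {2}   {3}' -f $c.Path, $c.Name, $value, $c.Why
    } elseif ($value -eq $null) {
        'OK      {0}\{1} not set' -f $c.Path, $c.Name
    } else {
        'OK      {0}\{1} = {2}' -f $c.Path, $c.Name, $value
    }
}

# Browser start page for the current user; the JRT log shows it was reset for
# every user hive. Anything other than a page you chose yourself is a hijack.
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
'IE Start Page: {0}' -f $ie.'Start Page'

# Windows Defender service state, the same check RKill prints under
# "Checking Windows Service Integrity". Win32_Service works on PowerShell 2.0.
Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'" |
    Select-Object Name, State, StartMode
```

A SUSPECT line is a reason to rerun the tools the thread walks through, not something to hand-edit; on a domain-joined machine these policies may be set by the administrator on purpose.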
 



#10 netgadget

netgadget
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 11 December 2014 - 07:37 AM

Sorry for the delay, I fell asleep. Thank you for your time and patience in helping me with this.


Edited by netgadget, 11 December 2014 - 07:38 AM.


#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:47 PM

Posted 11 December 2014 - 11:49 AM

How is your computer running now?

#12 netgadget

netgadget
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 11 December 2014 - 12:04 PM

Seems OK. I was just paranoid because I was going to start online banking and wanted to be sure I didn't catch anything. Anything else I should do? I haven't rebooted since that last program you had me run, but I was also wondering if I should stick with AVG or if there is something you prefer from your past experience?



#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:47 PM

Posted 11 December 2014 - 01:49 PM

I have been disappointed with AVG ever since they made a decision in April 2010 to partner with LimeWire and promote the use of peer-to-peer (P2P) file sharing, a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information.

Since the release of AVG 2011/2012/2013, there have been numerous complaints about issues and conflicts with other security tools like Malwarebytes' Anti-Malware. Read these related discussions:
Even MajorGeeks, a popular download hosting site, had issued a Statement on AVG Free 2011 and removed its Editor's Pick listing at that time.

There have been reports of issues with the computer starting properly on 64-bit Windows systems, for which AVG has had to release these fix instructions.

There have also been numerous reported problems with computers after using features like PC Analyzer and PC Tuneup which purport to fix registry errors in order to make the system more stable and various optimizing tools which can make changes to system settings. I do not recommend the routine use of registry cleaners/optimizers as they are extremely powerful applications that can damage the Windows registry by using aggressive cleaning routines. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from booting properly. For routine use, the benefits to your computer are negligible while the potential risks are great.

And finally there have been many user complaints about the lack of adequate AVG Customer Support in addressing issues related to the use of their product.

For these reasons, I no longer recommend AVG as a free alternative anti-virus solution.

My personal choice is ESET NOD32 Anti-Virus if choosing a paid for program as it leaves a small footprint...meaning it is not intrusive and does not utilize a lot of system resources. Emsisoft Anti-Malware is also a good choice if looking for a paid for program and so is Kaspersky Anti-virus. If you don't want to pay then I would recommend avast! Free Antivirus or Bitdefender Anti-virus Free Edition.

Keep in mind that you need both an anti-virus and an anti-malware solution for maximum protection. Anti-virus and anti-malware programs each perform different tasks as it relates to computer security and threat detection. Essentially, they look for and remove different types of malicious threats.

In simplistic terms, anti-virus programs generally scan for infectious malware, which includes viruses, worms, Trojans, rootkits and bots.
Anti-malware programs generally tend to focus more on spyware, adware, pop-up ads, browser hijackers and PUPs (potentially unwanted programs).

You may want to read:
Choosing an Anti-Virus Program
Supplementing your Anti-Virus Program with Anti-Malware Tools

#14 netgadget

netgadget
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 11 December 2014 - 02:42 PM

Thank you for your time, you've been a really great help. Going to try Bitdefender, just not too happy with AVG as of late lol. Thanks again for your efforts.


Edited by netgadget, 11 December 2014 - 02:52 PM.


#15 maggot7

maggot7

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:47 PM

Posted 11 December 2014 - 02:47 PM

I agree, quietman7, AVG has gone way down. av-comparatives.org is a great resource for information on antivirus programs.

 

I'm surprised you use NOD32 though, since it has such a high false positive rate.





