Trojan.Agent in hosts file. Keeps returning.


  • This topic is locked
5 replies to this topic

#1 JayBiggS

JayBiggS

  • Members
  • 7 posts

Posted 14 October 2016 - 03:28 PM

My computer has been getting blue screen freezing when watching twitch.tv or youtube livestreams in full screen, and I believe it has happened while playing a game as well. So I ran some tests to see what was the cause. I am still not sure. However MBAR discovered a Trojan.Agent infection of my hosts file. I remove it using MBAR and it doesn't show up again for a while. I also replaced my hosts.txt a number of times.

 



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 October 2016 - 09:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Execute this first.
Hosts: Hosts file not detected in the default directory
 

I am still not sure. However MBAR discovered a Trojan.Agent infection of my hosts file. I remove it using MBAR and it doesn't show up again for a while. I also replaced my hosts.txt a number of times.

Delete the hosts.txt you have modified.

The fix will replace the file. Please note that the default file HOSTS has no extension.

DO NOT restart the computer just now.
===


Run this fix.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
Hosts:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll => No File
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll => No File
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} -  No File
FF Plugin: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\JayBiggS\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-13]
CHR Extension: (Chrome Media Router) - C:\Users\JayBiggS\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-13]
S4 NvStreamNetworkSvc; "C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe" [X]
S3 clwvd7; \SystemRoot\system32\DRIVERS\clwvd7.sys [X]
C:\Users\JayBiggS\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\JayBiggS\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
AlternateDataStreams: C:\Users\JayBiggS:Heroes & Generals [38]
HKU\S-1-5-21-1227910878-2051567460-1705188098-1001\Software\Classes\regfile: regedit.exe "%1" <===== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know if the problem persists.

Edited by nasdaq, 16 October 2016 - 09:58 AM.


#3 JayBiggS

JayBiggS
  • Topic Starter

  • Members
  • 7 posts

Posted 16 October 2016 - 02:57 PM

Fixlog.txt:

Spoiler


I ran MBAR and it detected the trojan again. I allowed MBAR to try and remove it again. Here is the scan log from that: 
Spoiler



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 October 2016 - 08:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CloseProcesses:

C:\Windows\hosts

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If the file is not deleted please continue.

Ensure that you can see all the files.
Unhide files/folders Windows.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>

Check if the file is in the C:\Windows folder.

If it is, please boot in Safe Mode and delete it.

Restart the computer normally.

Keep me posted.
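
A read-only check that covers both points raised above (the real HOSTS file has no extension and lives under System32\drivers\etc; a stray copy may sit directly in C:\Windows), added here as an example and not part of the thread, FRST or MBAR. It reports whether the real file is present, flags misnamed or misplaced copies, and lists every active mapping so a hijacked entry is visible before any removal tool runs. It assumes PowerShell 3.0 or later and read access to %SystemRoot%.

```powershell
# Added example, not from the thread or from FRST/MBAR. Read-only audit of the
# Windows hosts file. Assumes PowerShell 3.0+ and read access to %SystemRoot%.

$etc     = Join-Path $env:SystemRoot 'System32\drivers\etc'
$default = Join-Path $etc 'hosts'             # the real file has no extension

# 1. Is the real hosts file where Windows (and FRST) expect it?
if (Test-Path -LiteralPath $default -PathType Leaf) {
    $h = Get-Item -LiteralPath $default -Force
    Write-Host ("OK       {0} ({1} bytes, attributes: {2})" -f $default, $h.Length, $h.Attributes)
} else {
    Write-Host "MISSING  $default  (this is what 'Hosts file not detected' means)"
}

# 2. Misnamed or misplaced copies. Windows never reads these, but they are
#    what keeps getting "replaced" or flagged instead of the real file.
$strays = @(
    (Join-Path $etc 'hosts.txt'),             # Notepad's default extension
    (Join-Path $env:SystemRoot 'hosts'),      # the stray copy in C:\Windows
    (Join-Path $env:SystemRoot 'hosts.txt')
)
foreach ($p in $strays) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $s = Get-Item -LiteralPath $p -Force
        $hidden = ($s.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        Write-Host ("STRAY    {0} (hidden: {1}, {2} bytes)" -f $p, $hidden, $s.Length)
    }
}

# 3. Active mappings in the real file. Since Vista the stock file is comments
#    only, so every active line was added by someone. Loopback/0.0.0.0 entries
#    are usually ad-blocking lists; a mapping to any other address, or a
#    blocked security-vendor or update domain, is the classic hosts hijack.
if (Test-Path -LiteralPath $default -PathType Leaf) {
    Get-Content -LiteralPath $default | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()        # strip comments and whitespace
        if (-not $line) { return }               # skip blank/comment-only lines
        $f     = $line -split '\s+'
        $ip    = $f[0]
        $names = if ($f.Count -gt 1) { $f[1..($f.Count - 1)] -join ' ' } else { '' }
        $tag   = if ($ip -in '127.0.0.1', '::1', '0.0.0.0') { 'BLOCK   ' } else { 'REDIRECT' }
        Write-Host ("{0} {1,-15} {2}" -f $tag, $ip, $names)
    }
}
```

A STRAY line explains why a scanner keeps finding "the hosts file" after it was supposedly replaced; a REDIRECT line is the entry to review first.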

#5 JayBiggS

JayBiggS
  • Topic Starter

  • Members
  • 7 posts

Posted 17 October 2016 - 02:29 PM

Fixlog.txt:

Spoiler

 

I enabled show hidden files and could not find the hosts folder in c:\windows; however, I looked before and couldn't find it then either.

MBAR Log:

Spoiler

 

Is there anything else I can do to prevent it from coming back?

 

Thanks Nasdaq



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,576 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 October 2016 - 08:28 AM

To learn more about how to protect yourself while on the Internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



