Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojans - Psw.agent.fkd And Dropper.small.29.e


  • Please log in to reply
3 replies to this topic

#1 Azar

Azar

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:55 AM

Posted 12 May 2007 - 12:03 AM

Earlier today I contracted a couple trojans that really debilitated my computer. AVG Free identified them as "Trojan horse PSW.Agent.FKD" (in the file win15.tmp.exe) and "Trojan horse Dropper.Small.29.E" (in the file xc29[1].exe). My first bit of confusion came when AVG detected the viruses and I told it to "Heal," but obviously this didn't work. The files did show up in the virus vault, but not in the locations it said they were supposed to be. Nevertheless, I cleaned out those locations with the command prompt, but the problems still exist.

These trojans are doing two basic things: the first is creating a few pop-up advertisements every so often, warning me about viruses and trying to get me to download antivirus programs. It's even opened up an Adobe Acrobat window a couple times that I've closed. But the much, much bigger problem is that it seems to disable explorer.exe. When I start up Windows, the programs that I originally had running do not run. The taskbar does not show up, and neither do the icons on my desktop. My only temporary solution has been to use the task manager to add the explorer.exe task and quickly use the start menu to open up what program I need before the trojan kills it again. It'll typically stay open from 3-15 seconds.

I've run AVG again, as I said, and that didn't help. I ran Ad-Aware, and that didn't do any good. I ran Panda's Free Online Scan, which identified something like 26 problems. I've done this twice, actually, but have been out of the room both times the scan finished, and when I returned, it and IE have been closed. I don't understand why this happens, but I don't see how the scan can be helpful if the trojan (or something) is able to close it like this.

I'm running Windows XP Home SP2. I first tried system restoring, then safe mode, then finally reinstalling Windows from the CD (I believe I did the "repair" option) and none of these methods seem to have worked.

I'm unfamiliar with HiJackthis, but I can learn--anything that'll fix the problem. If you guys can give me some advice, I'd really, really appreciate it. I checked out this thread (it's how I found the site) and it seemed like a related problem, but not as severe. The thought of trying to back up my files without the use of explorer, and then wiping the Harddrive, is not a nice one.

BC AdBot (Login to Remove)

 


#2 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:11:55 AM

Posted 12 May 2007 - 02:07 AM

Posted Image to BC!


Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Download and scan with SUPERAntiSpyware Free for Home Users

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Udates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE

After that, download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method.

Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

#3 Azar

Azar
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:55 AM

Posted 12 May 2007 - 11:08 PM

Thanks so much, man. That did the trick perfectly. I didn't even have to get to DrWeb-CureIt, but I ran it just to be sure. SuperAntiSpyware was fantastic. Your help was much appreciated. =)

#4 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:11:55 AM

Posted 13 May 2007 - 02:29 AM

My pleasure :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users