
Recurring Trojan.Agent (Regedit32)


Dave__

After quarantining and deleting the following items (MAM Premium, database v2014.08.27.02 under Win7 x64):

* Backdoor.Agent (C:\Users\[user]\AppData\Roaming\rundll32.exe)
* Trojan.Agent (C:\Users\[user]\AppData\Roaming\svchost.exe)
* Trojan.Agent.VXGen (C:\Users\[user]\AppData\Local\Temp\C91D.tmp.exe)

then rebooting (and quarantine/delete), MAM keeps detecting:

Trojan.Agent (Registry Value) HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Regedit32

Does anyone know how to eliminate this residual trojan item? The Farbar Recovery Scan Tool logs have been uploaded - TIA.

Dave.
 

FRST.txt

Addition.txt


Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

Please run a Threat Scan with Malwarebytes

Start Malwarebytes 2.0..........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log

Then.......

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller <--- use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button and post the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM


Many thanks for the prompt response. Apologies - the database had been updated since posting and some further MAM scans had been run prior to reading your message:

1) MAM Scan - detected & quarantined 2 items (log attached)
Trojan.Crypt.NKN - C:\Users\David\AppData\Local\Temp\BEDF.tmp.exe & C:\Users\David\AppData\Local\Temp\D32C.tmp.exe

2) Reboot & MAM Scan - 'Scan completed successfully No malicious items were detected'
3) Reboot & MAM Scan - 'Scan completed successfully No malicious items were detected'
4) MAM Delete 2 off Trojan.Crypt.NKN items, MAM scan - 'Scan completed successfully No malicious items were detected'

After reading your message ..

5) Create restore point
6) Run Rogue Killer x64 - scan and report only (report attached)

Regards,

Dave.

2 items quarantined mbam-log-2014-08-27 (17-05-48).xml

RKreport_SCN_08272014_174756.log


Please save and post MB logs as .txt files:
https://www.dhnet.ufl.edu/wp-content/uploads/2014/04/exportmbam.png

===============================

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
 

[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1767895964-3237041072-2646721714-1000\Software\Microsoft\Windows\CurrentVersion\Run | zazuolubiza : C:\Users\David\zazuolubiza.exe -> FOUND
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1767895964-3237041072-2646721714-1000\Software\Microsoft\Windows\CurrentVersion\Run | zazuolubiza : C:\Users\David\zazuolubiza.exe -> FOUND


Now click Delete on the right hand column under Options

 

Delete this file if found:

C:\Users\David\zazuolubiza.exe

Re-scan with FRST and Make sure the Addition Box is checked.
Post or attach the 2 logs FRST(64).txt and Addition.txt

MrC

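The Regedit32 value in the first post and the zazuolubiza entries above are both Run-key persistence, one under the 32-bit WOW6432Node view of HKLM and one under a specific user SID in HKEY_USERS. Added here as an example (not from the thread or from any of the tools it uses) is a PowerShell audit that walks those Run keys in both views and in every loaded user hive and flags entries whose executable is unsigned or lives outside the Windows and Program Files folders; the trusted-folder list and the REVIEW/ok labels are this example's own choices.

```powershell
# Added example, not from the thread: audit Run autostart keys in both registry views
# (the Regedit32 entry lived under WOW6432Node) and in every loaded user hive (the
# zazuolubiza entry lived under HKEY_USERS\S-1-5-21-...), flagging entries whose
# executable is unsigned or sits outside the normal system/program folders.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# One Run key per loaded user profile hive (SIDs of the form S-1-5-21-...)
$runKeys += @(Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" })

# Folders a legitimate autostart normally points into (this example's own list)
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath([string]$command) {
    # Extract the executable from a Run value: "C:\dir\a.exe" /x  or  C:\dir\a.exe /x
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $command.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }   # skip provider metadata
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath "$($p.Value)"))
        $inTrusted = @($trustedRoots | Where-Object { $exe -like "$_*" }).Count -gt 0
        # Hidden/system files are still found by an exact path, so no -Force is needed
        $sigStatus = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'FileMissing' }
        # The location rule catches lookalikes such as AppData\Roaming\svchost.exe;
        # the signature rule catches altered binaries even inside trusted folders.
        # On Windows 7, catalog-signed Microsoft binaries report NotSigned, so treat
        # REVIEW as a prompt to look, not as a verdict.
        $flag = if (-not $inTrusted -or $sigStatus -ne 'Valid') { 'REVIEW' } else { 'ok' }
        '{0,-6} {1}\{2} -> {3} [{4}]' -f $flag, $key, $p.Name, $exe, $sigStatus
    }
}
```

Run it from an elevated PowerShell so the HKEY_USERS hives of other logged-on accounts are readable.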

Thanks, again ...

 

Please save and post MB logs as .txt files
- Uploaded

Run RogueKiller again and click Scan
When the scan completes > click on the Registry tab
Put a check next to all of these and uncheck the rest: (if found)
[suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1767895964-3237041072-2646721714-1000\Software\Microsoft\Windows\CurrentVersion\Run | zazuolubiza : C:\Users\David\zazuolubiza.exe -> FOUND
[suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1767895964-3237041072-2646721714-1000\Software\Microsoft\Windows\CurrentVersion\Run | zazuolubiza : C:\Users\David\zazuolubiza.exe -> FOUND
Now click Delete on the right hand column under Options

- both ticked for deletion, first entry then showed 'DELETED', second 'ERROR[2]'

Delete this file if found: C:\Users\David\zazuolubiza.exe
- not found

Re-scan with FRST and Make sure the Addition Box is checked.
Post or attach the 2 logs FRST(64).txt and Addition.txt

- Uploaded

2 items quarantined mbam-log-2014-08-27 (17-05-48).txt

FRST#2.txt

Addition#2.txt


Please upload this file to VirusTotal for a free scan.
Let me know the results...just copy back the URL.

C:\Windows\SysWOW64\csrss.exe

============================

Make sure you have created a restore point and.....
Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    =======================

    Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
    Run FRST.exe/FRST64.exe and click Fix only once and wait
    The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

    =======================

    Make sure you have created that system restore point before you continue!

    Please read the directions carefully so you don't end up deleting something that is good!!

    If in doubt about an entry....please ask or choose Skip!!!!

    Don't Delete anything unless instructed to!

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    If a suspicious object is detected, the default action will be Skip, click on Continue

    Please note that TDSSKiller can be run in safe mode if needed.

    Please download the latest version of TDSSKiller from HERE and save it to your Desktop.
    • Double-click on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)

    • Put a checkmark beside loaded modules.

    • A reboot will be needed to apply the changes. Do it.
    • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
    • Then click on Change parameters in TDSSKiller.
    • Check all boxes then click OK.

    • Click the Start Scan button.

    • The scan should take no longer than 2 minutes.
    • If a suspicious object is detected, the default action will be Skip, click on Continue.


      Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

      If in doubt about an entry....please ask or choose Skip
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
      Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.


      Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
    • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
    • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

    Here's a summary of what to do if you would like to print it out:

    If in doubt about an entry....please ask or choose Skip

    Don't Delete anything unless instructed to!

    If a suspicious object is detected, the default action will be Skip, click on Continue

    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
    Skip and click on Continue

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

    ~~~~~~~~~~~~~~~~~~~~

    You can attach the logs if they're too long:

    Bottom right corner of this page.

    New window that comes up.

    Then...........

    Please download and run ComboFix.

    The most important things to remember when running it are to disable all your malware programs and run ComboFix from your desktop.

    Please visit this webpage for download links, and instructions for running ComboFix

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

    Please make sure you click download buttons that look similar to this, not "sponsored ad links":


    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Information on disabling your malware programs can be found Here.

    Make sure you run ComboFix from your desktop.

    Give it at least 30-45 minutes to finish if needed.

    Please include the C:\ComboFix.txt in your next reply for further review.

    ---------->NOTE<----------

    If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

    MrC
     

Please upload this file to VirusTotal for a free scan.
Let me know the results...just copy back the URL.
C:\Windows\SysWOW64\csrss.exe

- https://www.virustotal.com/en/file/c5f6626c7dd9f15b64e6634a5e1779fd392e9444b1288d1fd0a29c1e83632b5c/analysis/1409166928/

FYI - 3 copies:
csrss.exe            108,158  27/08/2014    12:25   rhs   C:\Windows\System32\
csrss.exe            108,158  27/08/2014    12:25   rhs   C:\Windows\SysWOW64\
csrss.exe              7,680  14/07/2009    02:39     a   C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\
 

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
Run FRST.exe/FRST64.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

- uploaded
 

QUERY ... TDSSKiller reported 'No threats found', so nothing to remove - do I still need to run ComboFix?

Regards,

Dave.
 

Fixlog.txt


Infected copy of c:\windows\System32\csrss.exe was found and disinfected

Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe

 

ComboFix replaced the infected csrss.exe in System32, but not in C:\Windows\SysWOW64\csrss.exe

-----------------------------------------------------

Please do this:

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff.247fixes.com/SystemLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    csrss.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC


Can you rename this file to csrss.exe.old

 

C:\Windows\SysWOW64\csrss.exe

==================================

Please run a free online scan with the ESET Online Scanner (it may take a while to run)
Note: You will need to use Internet Explorer for this scan.
First please Disable any Antivirus you have active, as shown in This Topic

Note: Don't forget to re-enable it after the scan.
http://www.eset.eu/online-scanner
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked
Click Advanced settings and select the following:
 

Click Start
Wait for the scan to finish
If threats were found:
Click on "list of threats found"
Click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
Put a checkmark in "Uninstall application on close"
Click on finish
Post back the log.....MrC


Can you rename this file to csrss.exe.old
C:\Windows\SysWOW64\csrss.exe

- Apparently not? Can't locate SysWOW64\csrss.exe, e.g., in Win Explorer - also, Cmd DIR finds only 2 versions of csrss.exe on system:

C:\>dir csrss.exe /s

Directory of C:\Windows\System32
14/07/2009  02:39             7,680 csrss.exe
               1 File(s)          7,680 bytes

Directory of C:\Windows\winsxs\amd64_microsoft-window.1.7600.16385_none_b4d8d57efdc6b4f3
14/07/2009  02:39             7,680 csrss.exe
               1 File(s)          7,680 bytes

     Total Files Listed:
               2 File(s)         15,360 bytes

But Karen's Directory Printer says:

108,158 csrss.exe C:27/08/2014 12:25 C:\Windows\SysWOW64\ RHSA---X EC354A3477E1543905B0C2B769CDDB66 [MD5#]
108,158 csrss.exe C:27/08/2014 12:25 C:\Windows\System32\ RHSA---X EC354A3477E1543905B0C2B769CDDB66 [MD5#]

Please run a free online scan with the ESET Online Scanner (it may take a while to run)...
If threats were found:...
Click on "export to text file" and save it as ESET SCAN and save to the desktop
Put a checkmark in "Uninstall application on close"
Click on finish

- File uploaded
- No finish option offered: only free trial or purchase = still installed?
 

Dave.

ESET scan.txt

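The dir /s above found only two copies because dir omits hidden and system files unless /a is given, while the two 108,158-byte copies that Karen's Directory Printer listed carried the R, H and S attributes. Added here as an example (not from the thread or from any of the tools in it) is a PowerShell check that lists every csrss.exe under the Windows folder, hidden ones included, and compares each against the WinSxS component-store copy, which in this thread was the clean 7,680-byte original; it assumes PowerShell 4 or later (for Get-FileHash) and that the WinSxS copy is itself intact.

```powershell
# Added example, not from the thread: list every csrss.exe under the Windows folder,
# including hidden/system copies that a plain "dir /s" skips, and compare each one
# with the WinSxS component-store copy (the clean reference in this thread).
# Assumes PowerShell 4 or later and an intact WinSxS copy.
$root = $env:SystemRoot

function Get-CsrssCopies {
    # -Force makes Get-ChildItem return hidden and system files as well
    $copies = Get-ChildItem -Path $root -Filter 'csrss.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }
    # Component-store path pattern taken from the thread's logs (amd64 build of Windows 7)
    $ref = $copies |
        Where-Object { $_.FullName -like "$root\winsxs\amd64_microsoft-windows-csrss_*\csrss.exe" } |
        Select-Object -First 1
    $refHash = if ($ref) { (Get-FileHash -LiteralPath $ref.FullName -Algorithm SHA256).Hash } else { $null }

    foreach ($f in $copies) {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        # A hash match with the component store is the strongest signal. Catalog-signed
        # Microsoft binaries can report NotSigned on Windows 7, so the signature status
        # is a secondary check there, not a verdict on its own.
        $verdict = if ($refHash -and $hash -eq $refHash) { 'matches WinSxS copy' }
                   elseif ($sig.Status -eq 'Valid') { 'signed but differs from WinSxS copy (check version)' }
                   else { 'UNSIGNED or ALTERED - investigate' }
        [pscustomobject]@{
            Path       = $f.FullName
            Bytes      = $f.Length
            Attributes = $f.Attributes.ToString()   # e.g. "ReadOnly, Hidden, System"
            Modified   = $f.LastWriteTime
            SHA256     = $hash
            Signature  = $sig.Status
            Verdict    = $verdict
        }
    }
}

Get-CsrssCopies | Format-Table -AutoSize -Wrap
```

Run it elevated; a copy whose size, timestamp or hash differs from the WinSxS original while carrying the hidden and system attributes is the pattern seen in this thread.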

C:\Windows\System32\csrss.exe a variant of Win32/Injector.BKUC trojan
- https://www.virustotal.com/en/file/c5f6626c7dd9f15b64e6634a5e1779fd392e9444b1288d1fd0a29c1e83632b5c/analysis/1409251028/
- Detection ratio:     28 / 55
- Analysis date:     2014-08-28 18:37:08 UTC

C:\Windows\SysWOW64\csrss.exe a variant of Win32/Injector.BKUC trojan
- https://www.virustotal.com/en/file/c5f6626c7dd9f15b64e6634a5e1779fd392e9444b1288d1fd0a29c1e83632b5c/analysis/1409251028/
- Detection ratio:     28 / 55
- Analysis date:     2014-08-28 18:37:08 UTC ( 2 minutes ago )
 

Dave.


Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.

Run FRST.exe/FRST64.exe and click Fix only once and wait

The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Reboot and run another scan with SystemLook for csrss.exe as before.

Post or attach the logs.

MrC


C:\Windows\SysWOW64\csrss.exe
- is now C:\Windows\SysWOW64\csrss.exe.old (Windows automatically renamed its counterpart to C:\Windows\System32\csrss.exe.old)

Also tried: C:\Windows\System32>sfc /scannow
- But "Windows Resource Protection did not find any integrity violations."
 

Dave.


That's no good, because you need that file....rename it back to csrss.exe
Rename: C:\Windows\System32\csrss.exe.old to C:\Windows\System32\csrss.exe

I'm not sure if this file is needed for the operating system to work correctly or else I would delete it.

C:\Windows\SysWOW64\csrss.exe

See if you can end up with:
C:\Windows\System32\csrss.exe
C:\Windows\SysWOW64\csrss.exe.old


If not, we'll try and use ComboFix to do it, MrC


Give this a try:

Download OTL to your desktop.

Run OTL by double clicking on the icon

  • Under the Custom Scans/Fixes box at the bottom, paste in bold:

    :Files

    C:\Windows\SysWOW64\csrss.exe|C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\csrss.exe /replace

  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    MrC


This topic is now closed to further replies.