
Trojan.Agent.ENM



Malwarebytes is reporting some files appearing in a backup program's folder as Trojan.Agent.ENM.

The backup program vendor says it's not them, so I'm curious as to what it is?

 

The files are not plain text. The backup program uses encryption, so I'd expect the tmp files to be encrypted.

The files are about 5000KB +/- 500KB.

The tmp files appear to have a creation & modification datetime soon after a Windows restart, but not immediately nor after every restart, and so far only at times I'm not active, and only in the backup program's folder.

There are no associated events in the Windows event logs.

I’ve not been able to correlate it to anything else.

 

What is ENM?

Where is the related CERT report?

How can I verify whether it is really a trojan, or just a false positive?

 

 

Link to post
Share on other sites

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....
 

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Next,

 

Can you post the log from Malwarebytes showing the entries you mention....

 

Next

 

Download and Save McAfee Stinger to your Desktop from here:

http://downloadcenter.mcafee.com/products/mcafee-avert/Stinger/stinger32.exe

Read the Terms and Conditions, the download tab is at the bottom of the page.
Close all browsers before starting. Disable your antivirus program and anti-malware, if any.
To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs read here:

http://www.bleepingcomputer.com/forums/topic114351.html

On Windows 7, 8, 10 & Vista systems, Right Click on Stinger and select Run as Administrator.
On XP, double-click to start it.
Click on “I Accept” tab at McAfee end user licence agreement.


In the new Window select “Advanced” then “Settings”


The settings window will open, make sure the settings are exactly as shown in the following image, then select “Save” <<------Very Important


In the new window Click the “Customize my Scan” under the “Scan” button.


In the new Window select C:\ drive and any other listed Hard Drive, then select “Scan”


When the scan completes select the “View log” to do that, select “Notepad” if offered in list of choices.

If the log opens in your browser, copy and save to a file....

I will need a copy of that log.
 

Thank you,

 

Kevin...

Link to post
Share on other sites

I've just run Stinger. Local timezone is UTC+0.

 

McAfee® Labs Stinger™ Version 12.1.0.1877 built on Jan 28 2016 at 13:08:37
Copyright© 2015, McAfee, Inc. All Rights Reserved.

AV Engine version v5800.7501 for Windows.
Virus data file v1000.0 created on Jan 28, 2016
Ready to scan for 9717 viruses, trojans and variants.

Scan initiated on Thursday, January 28, 2016 17:13:26


Summary Report on Smart Scan
File(s)
    TotalFiles:............    4098
    Clean:.................    4095
    Not Scanned:........... 3
    Possibly Infected:.....    0

Time: 00:02:43

Scan completed on Thursday, January 28, 2016 17:16:09

Link to post
Share on other sites

 

Malwarebytes is reporting some files appearing in a backup program's folder as Trojan.Agent.ENM.

The backup program vendor says it's not them, so I'm curious as to what it is?

 

Can you let me see the log from Malwarebytes that confirms the issue that you mention as per the quote above....

 

Open Malwarebytes > Click on the History tab > Application Logs.

 

You will see a list that shows "Protection logs" and "Scan logs". If the issue was found during a scan, use that log, or if it was an alert from Malwarebytes use the Protection log. The date and time should indicate the log needed...

 

To get the log:

 

  • Double click on the Scan log or Protection log which shows the Date and time of the scan just performed or the alert.
  • Click Export > From export you have three options:
      Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
      Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
      XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste"; that will copy the log to your reply…

Thank you,

 

Kevin

 

Link to post
Share on other sites

McAfee® Labs Stinger™ Version 12.1.0.1877 built on Jan 28 2016 at 13:08:37
Copyright© 2015, McAfee, Inc. All Rights Reserved.

AV Engine version v5800.7501 for Windows.
Virus data file v1000.0 created on Jan 28, 2016
Ready to scan for 9717 viruses, trojans and variants.

Custom scan initiated on Thursday, January 28, 2016 17:36:07


Rootkit scan result : Not Scanned.


C:\Documents and Settings\All Users\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\Documents and Settings\All Users\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected
C:\Documents and Settings\All Users\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\Documents and Settings\All Users\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected
C:\ProgramData\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\ProgramData\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected
C:\ProgramData\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\ProgramData\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected
C:\Users\All Users\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\Users\All Users\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected
C:\Users\All Users\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\Users\All Users\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected

Summary Report on C:
D:
E:
F:
File(s)
    TotalFiles:............    4395148
    Clean:.................    702770
    Not Scanned:........... 3692366
    Possibly Infected:.....    12

Time: 07:26:39

Scan completed on Friday, January 29, 2016 01:02:46

Link to post
Share on other sites
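An added example, not part of the original posts: the twelve "Possibly Infected" lines in the custom scan log can be collapsed to the real files behind them before deciding what to delete or submit for analysis. It assumes the default Windows Vista-and-later compatibility links (`C:\Documents and Settings`, `C:\Users\All Users`, `C:\ProgramData\Application Data`) are intact on the scanned machine, and that Stinger writes an embedded object as `container.exe\member`, as the log lines suggest; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Default compatibility links on Windows Vista and later (assumed intact on
# the scanned machine); each maps a legacy path onto the real folder.
ALIASES = [
    ("C:\\Documents and Settings", "C:\\Users"),
    ("C:\\Users\\All Users", "C:\\ProgramData"),
    ("C:\\ProgramData\\Application Data", "C:\\ProgramData"),
]
HIT = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) is infected(?: with (?P<name>\S+))?$")

def canonical(path):
    """Rewrite alias prefixes until the path stops changing."""
    changed = True
    while changed:
        changed = False
        for alias, target in ALIASES:
            head, rest = path[:len(alias)], path[len(alias):]
            if head.lower() == alias.lower() and rest[:1] in ("", "\\"):
                path, changed = target + rest, True
    return path

def container(path):
    """Return the on-disk file for a hit reported as file.exe\\member."""
    m = re.match(r"^(.*?\.exe)(?:\\|$)", path, re.IGNORECASE)
    return m.group(1) if m else path

def unique_hits(log_text):
    """Group Stinger 'is infected' lines by the real file they point at."""
    hits = defaultdict(lambda: {"names": set(), "reported": 0})
    for line in log_text.splitlines():
        m = HIT.match(line.strip())
        if m:
            entry = hits[container(canonical(m["path"]))]
            entry["reported"] += 1
            if m["name"]:
                entry["names"].add(m["name"])
    return dict(hits)

# Six of the twelve hit lines, copied from the Stinger log in this thread.
SAMPLE = r"""C:\Documents and Settings\All Users\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\Documents and Settings\All Users\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected
C:\ProgramData\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\ProgramData\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected
C:\Users\All Users\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe\12.nsis is infected with Artemis!30A290BC2F10
C:\Users\All Users\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe is infected"""
if __name__ == "__main__":
    print(unique_hits(SAMPLE))
```

Running `dir /AL` in `C:\`, `C:\Users` and `C:\ProgramData` on the affected machine shows whether those links exist there.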

Malwarebytes Anti-Malware

www.malwarebytes.org

 

...

Update, 2016-01-28 16:20, SYSTEM, {MyComputerName}, Scheduler, Domain Database, 2016.1.28.2, 2016.1.28.3, 

Protection, 2016-01-28 16:20, SYSTEM, {MyComputerName}, Protection, Refresh, Starting, 

Protection, 2016-01-28 16:20, SYSTEM, {MyComputerName}, Protection, Malicious Website Protection, Stopping, 

Protection, 2016-01-28 16:20, SYSTEM, {MyComputerName}, Protection, Malicious Website Protection, Stopped, 

Protection, 2016-01-28 16:20, SYSTEM, {MyComputerName}, Protection, Refresh, Success, 

Protection, 2016-01-28 16:20, SYSTEM, {MyComputerName}, Protection, Malicious Website Protection, Starting, 

Protection, 2016-01-28 16:20, SYSTEM, {MyComputerName}, Protection, Malicious Website Protection, Started, 

Detection, 2016-01-28 16:40, {MyUserName}, {MyComputerName}, Protection, Malware Protection, File, Trojan.Agent.ENM, C:\Program Files (x86)\{MyBackupProgramName}\00019650.tmp, Quarantine, [e123fb449009f0461cb1785305fcdd23]

Detection, 2016-01-28 16:40, SYSTEM, {MyComputerName}, Protection, Malware Protection, File, Trojan.Agent.ENM, C:\Program Files (x86)\{MyBackupProgramName}\00022142.tmp, Quarantine, [8480d56a9ffa89ad8c4105c625dcb24e]

Update, 2016-01-28 18:28, SYSTEM, {MyComputerName}, Scheduler, Domain Database, 2016.1.28.3, 2016.1.28.4, 

Update, 2016-01-28 18:28, SYSTEM, {MyComputerName}, Scheduler, Malware Database, 2016.1.28.4, 2016.1.28.5, 

...

 

(end)

Link to post
Share on other sites

Thanks for those logs, continue as follows please:

 


Open Notepad, select "Format" from the menu bar, make sure "Word Wrap" is not checked. Copy the text from the code box below to Notepad.

@echo off
rem Delete the WildTangent extractor that Stinger reported, at each path listed in the log
del /f /s /q "C:\Documents and Settings\All Users\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe"
del /f /s /q "C:\Documents and Settings\All Users\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe"
del /f /s /q "C:\ProgramData\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe"
del /f /s /q "C:\ProgramData\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe"
del /f /s /q "C:\Users\All Users\Application Data\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe"
del /f /s /q "C:\Users\All Users\WildTangent\6E7DD52D-205E-4D6D-AF6A-0C34703DFA61-extr.exe"
rem Remove this batch file itself once it has run
del %0

Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"


Double click on delfile.bat to execute it.

A black CMD window will flash, then disappear...this is normal.

The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

 

Next,

 

Scan with HitmanPro

In any case don't remove on your own anything that Hitman Pro detects!
This scanner, while really good for checking, has been known to delete files instead of curing them, which in some cases may render the machine unbootable.
Any removals will be done manually after careful analysis of the scan results!

Please download HitmanPro by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here. <<<--- 32 bit version

Please download HitmanPro by SurfRight and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here. <<<--- 64 bit version


  • Right-click on the HitmanPro icon and select Run as Administrator to start the tool.
  • If the program won't run please run it while holding down the left CTRL key until it's loaded!
  • Click on the Next button. You must agree with the terms of EULA (if asked).
  • Check the box beside No, I only want to perform a one-time scan to check this computer.
  • Click on the Next button.
  • The program will start to scan the computer. It would only take several minutes.
  • When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore.
  • If there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro!
    Navigate to C:\ProgramData\HitmanPro\Logs, open the report and include it in your next reply.
  • Click on the Next button.
  • Click on the Save Log button.
  • Save that file to your desktop.



Please include that logfile in your next reply.

Don't forget to re-enable your security!
 

Thank you,

 

Kevin......

Link to post
Share on other sites

MalwareBytes detected the symptoms of a problem 

(an old trojan from 2013, #.tmp file in a program folder ending with DUMPTHIN SPCK!...), 

which should have been picked up and prevented by Norton 360.

 

It was only when a #.tmp was written yesterday to the Norton program folder 

that I found Norton Power Eraser, which I ran and claims to have fixed it,

but without providing a diagnosis of what it was nor where it was found.

 

Since Norton 360 doesn't detect it and can't configure power eraser to run on mapped drives,

I'm now unsure as to whether the threat has been eliminated, or whether it may persist in files on the mapped drives.

Link to post
Share on other sites

Run a custom scan with Malwarebytes: 

 

Open Malwarebytes > Select "Scan" from the top menu bar > Then select "Custom scan" > then "Configure Scan". In the next window make sure the following are selected (check marked):

 

  • Scan memory objects
  • Scan startup and registry settings
  • Scan archives
  • Scan for rootkits

 

Under "Potentially Unwanted Programs" (PUP) select "Treat detections as malware"

 

Under "Potentially Unwanted Modifications" (PUM) select "Treat detections as malware"

 

In the Right Hand pane check mark all registered hard drives. Select "Scan". Post that log when complete....

 

Let me see that log, also give an update on any remaining issues or concerns...

 

Thank you,

 

Kevin

Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
