
Backdoor.Agent.Generic



I need help as soon as possible. I have a couple of computers on the network that keep getting Backdoor.Agent.Generic. It creates exe files in the Windows directory that are always a series of numbers and it creates services to start the .exe. Windows Defender will find and remove it and so will Malwarebytes Endpoint, but within 24 hours the files come back with different file names, but always a series of numbers. I ran various rootkit and antivirus scanners including Kaspersky Virus Removal Tool and once the files are removed nothing is found until the next day.

Please help!

Logs are attached.

mbam-log-2017-09-22 (18-53-57).txt

FRST.txt

Addition.txt


Hello jdschaefer and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Disconnect this PC from the network to stop possible reinfection, then continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)
 
  • The file will be randomly named
  • Reboot to safe mode <<<<<------------ http://www.computerhope.com/issues/chsafe.htm
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats

  • Press start scan
  • The scan will now commence

  • Once the scan has finished click open report <<<--- Do not miss this step

  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop



This log will be excessive. Please attach it to your next reply…

 

Let me see the produced logs in your reply...

Thank you,

Kevin

fixlist.txt


We need one more in-depth AV scan,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Thank you,

Kevin...

 


Thanks for the update, from your screen shots it does appear there is still malware or remnants of malware on your system.... See if you can do the following:

From the top screen shot BVrKUYozoETLUwdK can be deleted, the other two can be ignored...

Regarding the services screen shot, go back into services, right click on each of those numbered services in turn and select "Properties". A new window will open (I enclose a screen shot for reference). Change the "Startup Type" to Disabled, then select "Stop" to stop that service. Also make a note of "Path to Executable" and post those navigational addresses.... When complete select "Apply" then "OK".

services.JPG


Did you find "Path to Executable" against the suspect services you listed in a screen shot earlier... If this PC is definitely clean we can remove tools etc....

One final scan to be sure....

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste its content in your next reply.



Do not use the delete option until I've had a look at the log..

Regarding other systems, run a threat scan with Malwarebytes, then run scans with DrWeb and Sophos AV. If those systems still show issues after those scans we will need to check further, make new threads and mark for my attention, post FRST logs...

Thank you,

Kevin...

 


Can you re-run RogueKiller, make sure the following entry is checkmarked, the rest can be ignored

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\89871187 (%SystemRoot%\12183728.exe) -> Found

Use the delete option to remove that entry, post the log...

Next,

Run a threat scan with malwarebytes, post that log also.....

Next,

Select Windows key and X key, from the list select Command Prompt (admin)

copy and paste or type the following

tasklist /svc > 0 & notepad 0

Select enter, Notepad will open, let me see that list.

Thanks,

Kevin

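For readers triaging the same indicator on their own machine, here is an added PowerShell example (not part of the thread and not one of the helper's tools) that does in one pass what the earlier reply asked for by hand (record each numbered service's "Path to Executable", set its Startup Type to Disabled and stop it) and what the tasklist /svc step above shows (which process hosts each service). It assumes an elevated PowerShell 4 or later on the affected host (Get-FileHash needs that), and it assumes the indicator exactly as the thread describes it: a service whose name is all digits, or whose binary is an all-digit .exe directly under %SystemRoot%. The function name, the -Contain switch and the output field names are mine.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 4+ session
# on the affected Windows host. Lists services matching the numbered-exe pattern
# the thread describes, records the SHA256 of each binary (useful for submitting
# the sample to your AV vendor), and only disables/stops them when -Contain is given.
function Find-NumberedExeService {
    [CmdletBinding()]
    param(
        # When set, mirrors the manual step in the thread: Startup Type = Disabled, then Stop.
        [switch]$Contain
    )

    $sysRoot = $env:SystemRoot   # usually C:\Windows

    # Matches e.g.  %SystemRoot%\12183728.exe  or  "C:\Windows\12183728.exe"  (quotes optional)
    $pathPattern = '^"?(%SystemRoot%|' + [regex]::Escape($sysRoot) + ')\\\d+\.exe"?'

    $suspect = Get-CimInstance -ClassName Win32_Service | Where-Object {
        ($_.Name -match '^\d+$') -or ($_.PathName -and $_.PathName -match $pathPattern)
    }

    foreach ($svc in $suspect) {
        # Resolve %SystemRoot%, drop quotes and any arguments so the file itself can be hashed.
        $exe = (($svc.PathName -replace '"', '') -replace '%SystemRoot%', $sysRoot)
        $exe = ($exe -split '\s+')[0]

        $hash = if (Test-Path -LiteralPath $exe) {
            (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        } else {
            '<file missing>'   # the dropper may have already rotated the file name
        }

        # One record per suspect service: this is the "Path to Executable" list the helper asked for,
        # plus the hosting PID you would otherwise read off tasklist /svc.
        [pscustomobject]@{
            Service   = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            HostPID   = $svc.ProcessId
            Path      = $exe
            SHA256    = $hash
        }

        if ($Contain) {
            Set-Service -Name $svc.Name -StartupType Disabled
            if ($svc.State -eq 'Running') {
                Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            }
        }
    }
}

# Report only; rerun with -Contain once the paths and hashes have been recorded.
Find-NumberedExeService | Format-Table -AutoSize
```

Run it without -Contain first and keep the output with your logs: the service name, path and hash are what an analyst needs, and the hash in particular is lost once the file is deleted and recreated under a new number. The match is deliberately narrow (all-digit names directly under the Windows directory), so it reports the pattern from this thread rather than flagging every unusual service; anything it lists should still be confirmed against the RogueKiller and FRST logs before it is removed.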

Your logs are looking good, unless you have any remaining issues or concerns continue with the following to clean up:

Delete RogueKiller portable from your Downloads folder, also delete this folder: C:\ProgramData\RogueKiller

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 
