Trojan.Agent, keeps showing up

Below is a copy of my most recent Malwarebytes log showing a Trojan.Agent item. Norton has not detected this item and Malwarebytes continues to detect this item daily even though the log shows successful quarantine and deletion. I have Malwarebytes logs back for the past 10 days showing the same information. Is there something else I need to run to remove this trojan?

 

Malwarebytes' Anti-Malware 1.37
Database version: 2296
Windows 5.1.2600 Service Pack 3

6/22/2009 10:12:13 AM
mbam-log-2009-06-22 (10-12-13).txt

Scan type: Quick Scan
Objects scanned: 92340
Time elapsed: 11 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\winssq32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Yes.

Please download and run both RootRepeal and GMER as per the instructions below. We are only looking for the log files right now so do not do anything else in GMER.

1. Download to your Desktop "RootRepeal.exe" from http://homepages.slingshot.co.nz/~crutches/RootRepel

Start it, Click on the "Report" Tab

Select (tick) in the box that appears "Drivers", "Stealth Objects" and "Hidden Services" and click OK

After it scans click "Save Report" and save the txt file; use notepad to copy the info if needed.



2. Download GMER from http://www.gmer.net and then run the program, click "Scan" and then "Save" the log.


Post the logs over multiple posts on the Norton User Forum here.  It may be later today (time zone difference) but we will have someone with you this evening to help clear this out of your system. Thank you.

Message Edited by dbrisendine on 06-22-2009 01:58 PM

Kwalker:

 

Did you actually go into the Malwarebytes quarantine and delete the threat? MBAM may still be reporting it. You probably don't need to redo the RootRepeal and GMER because Quads was successful in removing the rootkit in your prior post.

 

Let us know what happens after you check the quarantine. If that doesn't solve it, then follow Dbrisendine's instructions and we will start again.

Log from RootRepeal scan below:

 

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time:   2009/06/22 11:09
Program Version:  Version 1.3.0.0
Windows Version:  Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1896000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B7A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE508000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF7375000 Size: 323584 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: System.Drawing.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x05200000 Size: 634880

Object: Hidden Module [Name: System.Transactions.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x04260000 Size: 270336

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.BusinessLogic.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x03e10000 Size: 143360

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x00a00000 Size: 36864

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateService.PluginContract.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x00c40000 Size: 28672

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Application.UpdateServicePlugin.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x00e00000 Size: 61440

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.Common.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x00e40000 Size: 86016

Object: Hidden Module [Name: Intuit.Spc.Esd.Core.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x00ea0000 Size: 258048

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Ipc.Remoting.UpdateServiceWorker.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x00ef0000 Size: 36864

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Logging.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x00f10000 Size: 53248

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.ExceptionHandling.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x00fd0000 Size: 77824

Object: Hidden Module [Name: Intuit.Spc.Foundations.Portability.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x03020000 Size: 471040

Object: Hidden Module [Name: System.configuration.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x03240000 Size: 438272

Object: Hidden Module [Name: Intuit.Spc.Foundations.Primary.Config.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x031a0000 Size: 86016

Object: Hidden Module [Name: System.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x034e0000 Size: 3158016

Object: Hidden Module [Name: System.XML.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x032b0000 Size: 2060288

Object: Hidden Module [Name: Intuit.Spc.Esd.WinClient.Api.Net.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x03c10000 Size: 421888

Object: Hidden Module [Name: Intuit.Spc.Esd.Client.DataAccess.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x03db0000 Size: 135168

Object: Hidden Module [Name: System.Data.SQLite.DLL]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x03e70000 Size: 778240

Object: Hidden Module [Name: System.Data.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x03f30000 Size: 2961408

Object: Hidden Module [Name: Intuit.Spc.Map.Reporter.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x04350000 Size: 479232

Object: Hidden Module [Name: System.EnterpriseServices.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x04510000 Size: 266240

Object: Hidden Module [Name: System.Runtime.Remoting.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x04a60000 Size: 307200

Object: Hidden Module [Name: System.Windows.Forms.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x04cc0000 Size: 5033984

Object: Hidden Module [Name: Intuit.Spc.Map.WindowsFirewallUtilities.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x054f0000 Size: 1077248

Object: Hidden Module [Name: System.ServiceProcess.dll]
Process: IntuitUpdateService.exe (PID: 1896) Address: 0x05480000 Size: 126976

==EOF==

Hi Delphinium,

 

Just now seeing your post after rescanning.  I want to be clear on your instructions:  I go to the Quarantine Log in Malwarebytes and actually Remove/Delete the most recent entry in the Quarantine Log, correct?  Or Remove/Delete all of the log files that have the Trojan.Agent identified?  Once done, I should shut down and restart the computer, correct?  My apology for being so literal and your help is much appreciated.

 

kw

Yes that's correct.

 

@ delphi, sorry to interfere ;)

Hi 

 

Can I please have a Hijackthis log.

 

Quads 

Thanks, Stu.  I appreciate it.  Teamwork!

 

Hijackthis from here  http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

 

Stu, Delphinium, thank you.  Quarantine items in MBAM all deleted yesterday; scan from first thing on start up today yields the same Trojan.Agent infection, log shows same results as the MBAM posted yesterday.

 

Quads, below is the log from Hijackthis:

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:42:10 AM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\American Airlines DealFinder\American_Airlines_DealFinder.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optionetics.com/myoptionetics/login.asp?redirect=/myoptionetics/Default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O1 - Hosts: 155.64.4.53 prg.ges.symantec.com
O1 - Hosts: 155.64.226.84 prg.ges.symantec.com
O1 - Hosts: 155.64.1.25 uscu-tpforms.symantec.com
O1 - Hosts: 155.64.94.15 worldview.ges.symantec.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.135\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RECGUARD] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms32 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1244223388843
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} (CoxSelfInstallAx10 Control) - https://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.135\coIEPlg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Routing and Remote Access RemoteAccessSysmonLog (RemoteAccessSysmonLog) - Unknown owner - C:\WINDOWS\system32\appwizr.exe (file missing)

--
End of file - 8783 bytes

Hi Kwalker:

 

Quads will be along later in the day or another analyst might deal with it in the meantime.

Run the Hijackthis Scan, select only the following entries and click Fix. Then run a scan from Norton program in Safe mode once, restart the computer to normal mode and then check whether you still get any prompts.

 

O1 - Hosts: 155.64.4.53 prg.ges.symantec.com
O1 - Hosts: 155.64.226.84 prg.ges.symantec.com
O1 - Hosts: 155.64.1.25 uscu-tpforms.symantec.com
O1 - Hosts: 155.64.94.15 worldview.ges.symantec.com
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O23 - Service: Routing and Remote Access RemoteAccessSysmonLog (RemoteAccessSysmonLog) - Unknown owner - C:\WINDOWS\system32\appwizr.exe (file missing)
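The three kinds of entries picked out above (O1 hosts overrides, an O4 autorun that names a bare filename, and an O23 service whose binary is missing and has no publisher) can be flagged mechanically from a HijackThis log. The following is an added example, not code from the forum, Malwarebytes or HijackThis; the triage rules are this editor's assumptions, and the sample lines are constructed to match the log format shown in the thread.

```python
import re

# Constructed sample in HijackThis v2 log format: the entries selected in the
# post above plus a few benign ones for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 155.64.4.53 prg.ges.symantec.com
O1 - Hosts: 155.64.226.84 prg.ges.symantec.com
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Routing and Remote Access RemoteAccessSysmonLog (RemoteAccessSysmonLog) - Unknown owner - C:\WINDOWS\system32\appwizr.exe (file missing)
"""

HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>[^:]*):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service:\s+(?P<display>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.*)$")


def executable_from_command(cmd: str) -> str:
    """Return the program part of an autorun command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_hjt(log_text: str) -> list:
    """Heuristic triage (assumed rules): flag hosts overrides, autoruns that rely
    on search-path resolution, and services with missing binary or no publisher."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("host") != "localhost" and not h.group("ip").startswith("127."):
                reasons.append(f"hosts file redirects {h.group('host')} to {h.group('ip')}")
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = executable_from_command(r.group("cmd"))
                if exe and "\\" not in exe and "/" not in exe:
                    reasons.append(f"autorun [{r.group('name')}] uses bare filename {exe}")
        elif section == "O23":
            s = SERVICE_RE.match(body)
            if s:
                if "(file missing)" in s.group("path"):
                    reasons.append("service binary missing on disk")
                if s.group("owner") == "Unknown owner":
                    reasons.append("service has no publisher")
        if reasons:
            findings.append({"section": section, "line": raw.strip(), "reason": "; ".join(reasons)})
    return findings
```

Running `triage_hjt(SAMPLE_LOG)` returns exactly the four entries chosen in the post above; the rules are a starting point for review, not a verdict, since a bare filename or a missing service binary can also be a benign leftover.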

Thank you Y_M, I will follow your instructions. One follow-up question: for the Norton scan in Safe Mode, should I run a full system scan or a quick scan?

 

>>  I see that I can only perform a Full System Scan in Safe Mode

 

Also, the Trojan.Agent virus is being captured by my MBAM scan; my Norton scans are all coming up clean.

kw

Message Edited by kwalker on 06-23-2009 10:35 AM

Hi Kwalker:

 

One more little check if you don't mind.  Please update your Malwarebytes again, go into safe mode, and run a full scan.

When that is completed, go back into normal mode, and scan again. Please post both logs, and we will get Y_M to have a look for comparison. If the trojan agent keeps coming back, we have a whole other problem to deal with.

Delphinium, dbrisendine, Stu, Quads & Y_M

 

I've solved my problem, the Trojan.Agent was not a virus but rather a file necessary to run an application I have on the desktop.  In the MBAM scan I have it now flagged as Ignore.  All is now working well and MBAM & Norton scans are clean.

 

A thousand thank yous for the help and patience in both cases.  I wish I had known to come here first when needing help. 

 

very grateful,

kw