Trojan.Agent

Malwarebytes found Trojan.Agent, but has not been able to remove it successfully. I do not understand why ESET NOD32 has not only NOT found it, but has not sent an update to be able to remove or quarantine it. I have also tried SuperAntiSpyware and it did not see it, nor did Spybot S&D.

 

yes I did one in safe mode...it took forever and a day...about 3.5 hours or so I left the house...I came back and it was done, but it never gave a report...I scanned again after rebooting with Malwarbytes, and the trojan is still there.

 

What is the full name and path of the original file, and the full name of the MBAM description of same?
Try uploading the file to http://www.virustotal.com/ for a multi scan.
There is a chance this is a false positive. If it is, it's possible one of your program or system files might re-create it after MBAM has removed it.Lets try and find out.
If it's real malware, there are other things that can and should be done, but lets find out what it is, first.

 

C:\WINDOWS\system32\sksdrvr2.sys
Trojan.Agent is the name.

 

From what I can deduce, it is the Haxdoor-AL trojan.
Sophos claim to be able to deal with it. There is some info about it here. Sophos also make available a free antirootkit tool, here, that might just do the job for you. (If it produces results you find difficult to interpret, pleas post back.)
Have a look at that info at the first link; it may be worthwhile attempting a manual removal if the rootkit scanner doesn't do it. (I think it's unlikely the scanner will do it; I posted the link there just in case.)
If a manual removal becomes necessary, the order I'd try (and I'm not a malware removal expert, by any means, should let you know that.) would be to locate "System>\sksdll.dll" in your computer (you may need to display hidden and system files) and delete it. Then attempt to delete "<System>\sksdrvr2.sys". Then remove the registry entries, and only those entries referred to in the link.
Make sense?
Then run MBAM again.

 

BTW, did you upload it to virustotal? Any results from that?

 

No results...I sent a couple of things to them lately, but have heard nothing back. Thanks for the ideas. I will see what I can do. I just wish that the av program I pay for could handle these things. Surely they have a team working on fixes. I have switched av programs because I am tired of them missing stuff. I guess they all do. But when a free program notices something a paid for program misses, I have problems with that.

 

I have Sophos AntiRootkit, but it has false positives lately. It is very good at spotting problems.

 

Well Sophos found nothing on this at all...no hidden files.

 

You won't "hear anything back" from virustotal, it's an online scanner.
You browse for the file you want to upload, upload it to the site, and then wait, maybe 2-5 min while it is analyzed and processed, the results then appear in the website.
Have you attempted to locate this file, or the others mentioned?
Very few of the AV's will snare all the nasties all the time. In fact, I would have to say none. It just isn't possible with a signature based scanner.
Once this is fixed, browse around here for ideas, and maybe get yourself a behaviour blocker or similar.
[edit] I certainly understand that you would be annoyed that something you've paid for won't fix this. A large number of the AV's don't have great trojan removal abilities. Since trojans, by their nature, download a cargo of additional files and place them in different locations, it's quite a different sort of threat (and required treatment) from that posed by viruses.

 

Actually I do not think this statement is true anymore.

Reason for standalone AT apps being almost extinct is, I believe, the fact that General AV softare has evolved far enough to include these threats too.

As such, term anti-virus is not entirely accurate anymore


What comes OP's grief, no single application will identify 100% of malware. This is a fact, a limitation in current technology which requires that someone somewhere gets infected, seeks help and manages to send off samples to AV companies. Heuristics and HIPS are attempts to solve this.

 

I am not sure if I did it right because the file was on top when I hit browse and only a readme.txt file was in that folder...at least that is all I saw...if that is the only one...then this would be correct...unless the other isn't showing right...

rus Total
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

~Virus Total results removed per Policy - Ron~

 

kelkay It seems to me you need to change your folder options to view anything in the system 32 (or Windows) folder. The default is to not show hidden or system files. (Reason, in part, if you mess with some of those files you can seriously bork your computer.)
Go to control panel>folder options, view, and tick/untick the boxes as per my screenshot, just above and below the cursor.
Then you should be able to locate the sksdrvr2.sys and sksdll.dll (if present).
Do you know how to edit the registry?

 

I did that....hide extensions for known file types was already ticked though. I did put on there to show hidden files. I will have to look at this further.

 

"hide extensions for known file types" should be un-ticked.
"hide protected operating system files" should be un-ticked.
"Show hidden files and folders" should be selected.
Click "apply" then "OK".
Then you will be able to view the contents of the Windows\System\System32 folder, and hopefully locate the files that have been flagged.
Once you've done that. upload it (or them, one at a time) to virus total, please post back the results.

 

I did what you said, but nothing else came up when I clicked browse to do the file upload. I think it is the folder, and not the file, and that is why it isn't showing up right.

 

Need some more info, here, kelkay.
Can you browse to and locate the file using Windows explorer?
You are looking for C:\WINDOWS\system32\sksdrvr2.sys
Do you know how to do that?
Assuming the answer is yes, when browsing for a file using Virustotal you use the same technique as in using Windows Explorer. You should end up with an explorer window in front of the webpage that looks like the picture.
(Except that yours should have the file sksdrvr.sys in it.)
Then you click on that file and select "upload" in the webpage.

 

I looked it up in Windows Explorer. I found that exact folder. In the folder there is only the readme.txt file. I did a right click and allowed Malwarebytes to scan it. It saw no infection. But when you run the quick scan, that file or folder comes up. When you click on it with a browse button to upload it there is only one file in that folder...very strange indeed.

 

Once you run the scan, you can right click on the trojan and jump right to the location of the problem. It took me right to that same folder. The file in there must be hidden. When I scan that readme file it says it is clean. So the folder is what is infected? This is really weird, I haven't come across a folder, but no file in it that has infection before.


Malwarebytes' Anti-Malware 1.31
Database version: 1495
Windows 5.1.2600 Service Pack 3

12/12/2008 11:12:38 PM
mbam-log-2008-12-12 (23-12-32).txt

Scan type: Quick Scan
Objects scanned: 64160
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sksdrvr2.sys (Trojan.Agent) -> No action taken.

 

You mean the "system32" folder, right?
(The more detailed, accurate and complete the info you post, the easier it will be to try and help.)
The system 32 folder should contain over a Gb of sub folders, and individual files. If it contains only one text file, your computer isn't functional, at all.
Did you actually set the folder views as instructed?
Are you running from an admin account?

 

I meant under the C:\WINDOWS\system32, there was a folder called sksdrv2.sys
inside of that folder is only one file. That file is Readme.txt

 

Kelkay, I didn't realise that the named file was of itself a folder. (Would've saved a bit of time to know that.)
Have you ever run an application called Malware Immunizer?
Can you upload the read me .txt here in your next post, please?