Trojan.Agent

Discussion in 'malware problems & news' started by kelkay, Dec 10, 2008.

Thread Status:
Not open for further replies.
  1. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    Malwarebytes found Trojan.Agent, but has not been able to remove it successfully. I do not understand why ESET NOD32 has not only NOT found it, but has not sent an update to be able to remove or quarantine it. I have also tried SuperAntiSpyware and it did not see it, nor did Spybot S&D.
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,303
    Location:
    England
    Did you do the scans in safe mode?

    If not, give it a try.
     
  3. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    Yes, I did one in safe mode... it took forever and a day... about 3.5 hours or so. I left the house... I came back and it was done, but it never gave a report... I scanned again after rebooting with Malwarebytes, and the trojan is still there.
     
  4. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    What is the full name and path of the original file, and the full name of the MBAM description of same?
    Try uploading the file to http://www.virustotal.com/ for a multi scan.
    There is a chance this is a false positive. If it is, it's possible one of your program or system files might re-create it after MBAM has removed it. Let's try and find out.
    If it's real malware, there are other things that can and should be done, but let's find out what it is, first.
     
  5. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    C:\WINDOWS\system32\sksdrvr2.sys
    Trojan.Agent is the name.
     
  6. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    From what I can deduce, it is the Haxdoor-AL trojan.
    Sophos claim to be able to deal with it. There is some info about it here. Sophos also make available a free antirootkit tool, here, that might just do the job for you. (If it produces results you find difficult to interpret, please post back.)
    Have a look at that info at the first link; it may be worthwhile attempting a manual removal if the rootkit scanner doesn't do it. (I think it's unlikely the scanner will do it; I posted the link there just in case.)
    If a manual removal becomes necessary, the order I'd try (and I'm not a malware removal expert, by any means; I should let you know that) would be to locate "<System>\sksdll.dll" on your computer (you may need to display hidden and system files) and delete it. Then attempt to delete "<System>\sksdrvr2.sys". Then remove the registry entries, and only those entries referred to in the link.
    Make sense?
    Then run MBAM again.
     
  7. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    BTW, did you upload it to virustotal? Any results from that?
     
  8. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    No results...I sent a couple of things to them lately, but have heard nothing back. Thanks for the ideas. I will see what I can do. I just wish that the av program I pay for could handle these things. Surely they have a team working on fixes. I have switched av programs because I am tired of them missing stuff. I guess they all do. But when a free program notices something a paid for program misses, I have problems with that.
     
  9. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    I have Sophos AntiRootkit, but it has false positives lately. It is very good at spotting problems.
     
  10. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    Well Sophos found nothing on this at all...no hidden files.
     
  11. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    You won't "hear anything back" from virustotal, it's an online scanner.
    You browse for the file you want to upload, upload it to the site, and then wait, maybe 2-5 min while it is analyzed and processed, the results then appear in the website.
    Have you attempted to locate this file, or the others mentioned?
    Very few of the AVs will snare all the nasties all the time. In fact, I would have to say none. It just isn't possible with a signature-based scanner.
    Once this is fixed, browse around here for ideas, and maybe get yourself a behaviour blocker or similar.
    [edit] I certainly understand that you would be annoyed that something you've paid for won't fix this. A large number of the AVs don't have great trojan removal abilities. Since trojans, by their nature, download a cargo of additional files and place them in different locations, it's quite a different sort of threat (and required treatment) from that posed by viruses.
     
    Last edited: Dec 12, 2008
  12. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    Actually I do not think this statement is true anymore.

    The reason for standalone AT apps being almost extinct is, I believe, the fact that general AV software has evolved far enough to include these threats too.

    As such, term anti-virus is not entirely accurate anymore :)


    As for the OP's grief, no single application will identify 100% of malware. This is a fact, a limitation in current technology which requires that someone somewhere gets infected, seeks help and manages to send off samples to AV companies. Heuristics and HIPS are attempts to solve this.
     
  13. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
     
  14. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    I am not sure if I did it right, because the file was on top when I hit browse and only a readme.txt file was in that folder... at least that is all I saw... if that is the only one... then this would be correct... unless the other isn't showing right...

    Virus Total
    Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...

    ~Virus Total results removed per Policy - Ron~
     
    Last edited by a moderator: Dec 12, 2008
  15. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    kelkay, it seems to me you need to change your folder options to view anything in the system32 (or Windows) folder. The default is to not show hidden or system files. (Reason, in part: if you mess with some of those files you can seriously bork your computer.)
    Go to control panel>folder options, view, and tick/untick the boxes as per my screenshot, just above and below the cursor.
    Then you should be able to locate the sksdrvr2.sys and sksdll.dll (if present).
    Do you know how to edit the registry?
     

    Attached Files:

  16. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    I did that... "hide extensions for known file types" was already ticked though. I did put on there to show hidden files. I will have to look at this further.
     
  17. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    "hide extensions for known file types" should be un-ticked.
    "hide protected operating system files" should be un-ticked.
    "Show hidden files and folders" should be selected.
    Click "apply" then "OK".
    Then you will be able to view the contents of the Windows\System\System32 folder, and hopefully locate the files that have been flagged.
    Once you've done that, upload it (or them, one at a time) to VirusTotal; please post back the results.
     
  18. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    I did what you said, but nothing else came up when I clicked browse to do the file upload. I think it is the folder, and not the file, and that is why it isn't showing up right.
     
  19. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Need some more info, here, kelkay.
    Can you browse to and locate the file using Windows explorer?
    You are looking for C:\WINDOWS\system32\sksdrvr2.sys
    Do you know how to do that?
    Assuming the answer is yes, when browsing for a file using Virustotal you use the same technique as in using Windows Explorer. You should end up with an explorer window in front of the webpage that looks like the picture.
    (Except that yours should have the file sksdrvr.sys in it.)
    Then you click on that file and select "upload" in the webpage.
     

    Attached Files:
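    The sticking point in this exchange is that nobody yet knows whether the flagged path is a file or a folder, and nothing has actually reached VirusTotal. The script below is an added example, not code from this thread or from Malwarebytes or VirusTotal. It answers those questions before anything is deleted: it reports whether the scanner's path is a file, a directory or missing, reads the Windows hidden/system attributes where Python exposes them, hashes a real file with SHA-256 (so it can be looked up on VirusTotal by hash rather than uploaded), lists a directory's contents, and on Windows reads the three Folder Options values from the Explorer\Advanced registry key. The sample tree it builds (a folder named sksdrvr2.sys holding only readme.txt) is constructed to mirror this thread, not taken from the poster's machine.

```python
import hashlib
import os
import stat
import sys
import tempfile

# Win32 file-attribute bits; consulted only when os.stat() exposes
# st_file_attributes, which it does on Windows and nowhere else.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def triage_path(path):
    """Describe what a scanner-reported path really is.

    Returns a dict: kind is 'file', 'dir', 'other' or 'missing'; hidden and
    system are True/False on Windows and None elsewhere; sha256 is filled in
    only for regular files (search VirusTotal by this hash instead of
    uploading); children is the listing for a directory.
    """
    result = {"path": path, "exists": os.path.lexists(path), "kind": "missing",
              "hidden": None, "system": None, "size": None,
              "sha256": None, "children": None}
    if not result["exists"]:
        return result
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        result["hidden"] = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
        result["system"] = bool(attrs & FILE_ATTRIBUTE_SYSTEM)
    if stat.S_ISDIR(st.st_mode):
        result["kind"] = "dir"
        result["children"] = sorted(os.listdir(path))
    elif stat.S_ISREG(st.st_mode):
        result["kind"] = "file"
        result["size"] = st.st_size
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        result["sha256"] = digest.hexdigest()
    else:
        result["kind"] = "other"
    return result


def explorer_view_settings():
    """Read the Folder Options values this thread asks about from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced.
    Returns None when not on Windows. For triage you want Hidden == 1
    (show hidden files), HideFileExt == 0 and ShowSuperHidden == 1.
    """
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        for name in ("Hidden", "HideFileExt", "ShowSuperHidden"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                out[name] = None
    return out


def build_sample_tree():
    """Constructed stand-in for the thread's situation: a *folder* named
    sksdrvr2.sys inside a fake system32, containing only readme.txt, plus a
    small regular file so the hashing path is exercised too."""
    root = tempfile.mkdtemp(prefix="triage_")
    sysdir = os.path.join(root, "system32")
    folder = os.path.join(sysdir, "sksdrvr2.sys")
    os.makedirs(folder)
    with open(os.path.join(folder, "readme.txt"), "wb") as fh:
        fh.write(b"constructed sample\n")
    with open(os.path.join(sysdir, "example.sys"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    return sysdir


def main():
    if len(sys.argv) > 1:
        targets = sys.argv[1:]            # paths copied from the scanner log
    else:
        sysdir = build_sample_tree()
        targets = [os.path.join(sysdir, "sksdrvr2.sys"),
                   os.path.join(sysdir, "example.sys")]
    for target in targets:
        r = triage_path(target)
        line = f"{r['path']}: {r['kind']}"
        if r["kind"] == "dir":
            line += f" (contains {r['children']})"
        elif r["kind"] == "file":
            line += f" size={r['size']} sha256={r['sha256']}"
        if r["hidden"] is not None:
            line += f" hidden={r['hidden']} system={r['system']}"
        print(line)
    print("Folder Options:", explorer_view_settings())


if __name__ == "__main__":
    main()
```

    Run it with no arguments to see the constructed case, or pass the path from the MBAM log as an argument. A result of kind "dir" tells you the scanner's "file" is a folder and there is nothing to upload; a "file" result gives you a hash to search on VirusTotal before deciding whether to send the sample.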

  20. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    I looked it up in Windows Explorer. I found that exact folder. In the folder there is only the readme.txt file. I did a right click and allowed Malwarebytes to scan it. It saw no infection. But when you run the quick scan, that file or folder comes up. When you click on it with a browse button to upload it there is only one file in that folder...very strange indeed.
     
  21. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    Once you run the scan, you can right click on the trojan and jump right to the location of the problem. It took me right to that same folder. The file in there must be hidden. When I scan that readme file it says it is clean. So the folder is what is infected? This is really weird, I haven't come across a folder, but no file in it that has infection before.


    Malwarebytes' Anti-Malware 1.31
    Database version: 1495
    Windows 5.1.2600 Service Pack 3

    12/12/2008 11:12:38 PM
    mbam-log-2008-12-12 (23-12-32).txt

    Scan type: Quick Scan
    Objects scanned: 64160
    Time elapsed: 5 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\sksdrvr2.sys (Trojan.Agent) -> No action taken.
     
  22. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    You mean the "system32" folder, right?
    (The more detailed, accurate and complete the info you post, the easier it will be to try and help.)
    The system32 folder should contain over a GB of subfolders and individual files. If it contains only one text file, your computer isn't functional at all.
    Did you actually set the folder views as instructed?
    Are you running from an admin account?
     
  23. kelkay

    kelkay Registered Member

    Joined:
    Aug 11, 2008
    Posts:
    44
    I meant under the C:\WINDOWS\system32, there was a folder called sksdrv2.sys
    inside of that folder is only one file. That file is Readme.txt
     
  24. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,974
    Location:
    U.S.A.
    Don't know if this is your MBAM forum post but seems to be a false positive.
     
  25. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Kelkay, I didn't realise that the named file was itself a folder. (Would've saved a bit of time to know that.)
    Have you ever run an application called Malware Immunizer?
    Can you upload the readme.txt here in your next post, please?
     