Trojan-Keylogger.Win32.Agent- I can't remove

Discussion in 'Virus, Spyware and Malware Removal' started by dzdc2001, Jun 15, 2009.


Thread Status:
Not open for further replies.
  1. dzdc2001 Bronze Member
    I was searching online for an answer to fix a problem that I have with my camera, when I became infected with Trojan-Keylogger.Win32.Agent. Unfortunately, I was tricked and I clicked the “Enable Protection” button on the pop-up window. After that my computer became frozen.

    The original message was:
    Windows Security Alert
    Name: Trojan-Keylogger.Win32.Agent.
    Risk Level: High
    Description: Agent.arpt is a Spyware program that records keystrokes and takes screen shots of the computer.

    My computer is a Compaq Desktop with windows XP. Running Avg 8.5 and SuperAntispyware.

    Efforts: I started it in safe mode and did all the following actions:
    1) I have turned off System Restore.
    2) AVG scan ran; nothing found.
    3) SuperAntiSpyware: the first scan found 1 item, “Rogue.XP AntiSpyware 2009”. On the second scan, 29 items were found, including “Rogue.XPDeluxeProtector” and “Rogue.SystemSecurity”. All were quarantined and deleted by me. A third scan ran, which came back clean.
    First Log:
    SUPERAntiSpyware Scan Log
    Generated 06/13/2009 at 00:00 AM
    Application Version : 4.26.1002
    Core Rules Database Version : 3927
    Trace Rules Database Version: 1871

    Scan type : Complete Scan
    Total Scan Time : 01:35:36

    Memory items scanned : 228
    Memory threats detected : 0
    Registry items scanned : 5487
    Registry threats detected : 1
    File items scanned : 23790
    File threats detected : 0

    Rogue.XP AntiSpyware 2009 HKU\S-1-5-21-3352189345-227156992-886978096-500\Control Panel\don't load#wscui.cpl [ No ]

    Second Scan:
    SUPERAntiSpyware Scan Log
    Generated 06/13/2009 at 04:27 PM
    Application Version : 4.26.1004
    Core Rules Database Version : 3938
    Trace Rules Database Version: 1881

    Scan type : Complete Scan
    Total Scan Time : 00:37:02

    Memory items scanned : 261
    Memory threats detected : 0
    Registry items scanned : 5459
    Registry threats detected : 0
    File items scanned : 23872
    File threats detected : 29

    Adware.Tracking Cookie
    C:\Documents and Settings\Administrator\Cookies\administrator@media6degrees[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@toseeka[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@shopica[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@kaspersky.122.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@www.toseeka[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@msnservices.112.2o7[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@208.122.40[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@www.shopica[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@couponmountain[1].txt
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
    C:\WINDOWS\system32\config\systemprofile\Cookies\system@adultfriendfinder[2].txt

    Rogue.XPDeluxeProtector
    C:\Documents and Settings\Administrator\XP DELUXE PROTECTOR\xpdeluxe.exe
    C:\Documents and Settings\Administrator\XP DELUXE PROTECTOR

    Rogue.SystemSecurity
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\13360464\13360464.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\93370456\93370456.EXE

    Trace.Known Threat Sources
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VLPPC7HX\shopica_logo_bott[1].gif
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RQUA53SP\footer_dots[1].gif
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NELX527G\shopica_logo_top[1].gif
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VLPPC7HX\style[1].css
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VLPPC7HX\search[1].htm
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZKYGN584\async_ads_rs[1].htm
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZKYGN584\js[1].js
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\VLPPC7HX\favicon[2].ico
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZKYGN584\async_ads_rs[2].htm
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RQUA53SP\sp[1].gif

    4) Installed and ran CCleaner. I ran both the Clean and Registry options.
    5) Installed Malwarebytes. I couldn’t run a full scan; every time I tried it, after running for more than 1 hour it finished abruptly. I ran a quick scan and it found 14 items. All were quarantined and deleted (by me).
    A second quick scan came back clean (I continue to be unable to run a full scan).

    First Log:
    Malwarebytes' Anti-Malware 1.37
    Database version: 2182
    Windows 5.1.2600 Service Pack 2
    6/13/2009 8:56:19 PM
    mbam-log-2009-06-13 (20-55-49).txt

    Scan type: Quick Scan
    Objects scanned: 84768
    Time elapsed: 16 minute(s), 44 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 2
    Registry Data Items Infected: 5
    Folders Infected: 1
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.
    HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.



    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.Data) -> No action taken.

    Files Infected:
    c:\windows\system32\lowsec\local.ds (Stolen.Data) -> No action taken.
    c:\windows\system32\lowsec\user.ds (Stolen.Data) -> No action taken.
    C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.


    After the previous steps, I rebooted in normal mode in order to see if the malware had gone, but the pop-up was still showing when I logged on.
    Then:
    5) Installed and ran Spybot S&D. It found 2 items:
    Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, fixed)
    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

    Zlob.Downloader.vcd: [SBI $D8DF6192] Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin


    6) Installed SpywareBlaster 4.1.


    After steps 5 and 6, I rebooted again, but nothing changed: the Windows Security Alert is still popping up as described, with the Trojan-Keylogger Agent.arpt warning. But also my computer started to restart by itself after 1 or 2 minutes. I cannot do anything more in normal mode.

    7) In safe mode I downloaded and ran the Malicious Software Removal Tool from MS; however, again I was unable to run a full scan (it finished after an hour and a half and said it had found a serious error and aborted). I ran a quick scan and it did not detect anything.

    My situation now is that the Windows Security Alert is still popping up as described. The computer restarts 1 minute after I log on. I do not know what more I can do. Please help me; any suggestions other than formatting the HD and reloading the OS would be greatly appreciated. The OS came pre-installed with the computer, which means I do not have a disk to reload the system.



    Thanks a lot, I really need help with this.
    dzdc2001
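The Malwarebytes log above shows the two findings that matter most here: a Winlogon Userinit value with sdra64.exe appended after the real userinit.exe, and the three Security Center DisableNotify flags set to 1 so the user is not warned that antivirus, firewall and updates are off. The following Python is an added example, not from the thread or from any of the tools used in it; it validates a Userinit string and a set of flag values offline (using the "Bad:" entries from the log as constructed input), and on Windows can read the live values through winreg. The key paths are the ones in the log; the function names and the read_live_values helper are my own.

```python
# Values a clean Windows XP system should hold (the "Good:" entries in the MBAM log).
EXPECTED_USERINIT = "userinit.exe"
SECURITY_CENTER_FLAGS = (
    "AntiVirusDisableNotify",
    "FirewallDisableNotify",
    "UpdatesDisableNotify",
)


def userinit_extras(value, system_root=r"C:\WINDOWS"):
    """Return every entry in a Winlogon Userinit value that is not the real userinit.exe.

    Windows launches each comma-separated entry at logon, so malware appends its own
    path after userinit.exe (as sdra64.exe does in the log) and is run at every logon
    without breaking the logon itself. A lookalike such as C:\\Temp\\userinit.exe is
    reported too, because only the bare name or the system32 path is accepted.
    """
    legit = {
        EXPECTED_USERINIT,
        (system_root + "\\system32\\" + EXPECTED_USERINIT).lower(),
    }
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() not in legit:
            extras.append(entry)
    return extras


def disabled_notifications(flags):
    """Return the Security Center alert types that were silenced by setting the flag to 1."""
    return [name for name in SECURITY_CENTER_FLAGS if flags.get(name, 0) == 1]


def read_live_values():
    """Read the real registry values; this only works on Windows (needs winreg)."""
    import winreg
    winlogon = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, winlogon) as key:
        userinit = winreg.QueryValueEx(key, "Userinit")[0]
    flags = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Security Center") as key:
        for name in SECURITY_CENTER_FLAGS:
            try:
                flags[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                flags[name] = 0  # value absent means notifications are not disabled
    return userinit, flags


if __name__ == "__main__":
    # Constructed sample built from the "Bad:" entries in the MBAM log, for offline use.
    sample_userinit = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
    sample_flags = {"AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1, "UpdatesDisableNotify": 1}
    try:
        sample_userinit, sample_flags = read_live_values()
    except ImportError:
        print("not on Windows; checking the constructed sample instead")
    print("Unexpected Userinit entries:", userinit_extras(sample_userinit))
    print("Silenced Security Center alerts:", disabled_notifications(sample_flags))
```

On the infected machine from this thread the first line would list sdra64.exe and the second all three flags; on a clean system both lists are empty.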
  2. Crush Administrator & Security Team Leader
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    dzdc,

    Firstly, welcome to PCHF! I'm Crush and I will be helping you through this. I'm going to move your thread into the New Hijackthis Logs forum. Don't worry, it will leave a redirect so you don't lose the thread.

    It looks like we are well on our way to complete disinfection. Running all those programs was great, but let's give the "Big Guns" a go :D

    Please be sure you refer back to the Prework and disable System Restore and set hidden files and folders to show. Running the below program will just re-enable it and create a new restore point but, it is an easy way to clear out the System Restore cache and prevent reinfection.

    After that is done, please download ComboFix.exe. This will give me a better view of the files running, those that are hidden, and also those in the registry. Please download from one of these webpages.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.forospyware.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

    Double-click on ComboFix.exe & follow the prompts.

    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. The Recovery Console can be installed from your disc if you have Vista, if you wish.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    [IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    [IMG]


    Click on Yes to continue scanning for malware.

    When finished, it shall produce a log for you. I will need that log in your reply.
  3. dzdc2001 Bronze Member
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    Hi Crush, thanks a lot for your help.

    But I have a problem, as I reported previously: when I log on in normal mode, the computer immediately restarts by itself (it is like a loop, restart and restart over and over); I can't do anything to download the programs that you indicated to me. In safe mode with networking, IE opens but aborts as soon as I try to access any page.

    What can I do? Is it the same option if I download the program on another computer and install it in safe mode?
    Thanks.
  5. Crush Administrator & Security Team Leader
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    Yes, please download it on another computer to a USB drive and run it on the infected PC.
  6. dzdc2001 Bronze Member
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    Hi Crush:
    Thanks a lot. Finally I could download ComboFix. Just to let you know, in order to have access to my computer without it restarting, as soon as I logged on and the trojan pop-up window appeared, using Task Manager I ended "Windows security alert" in the Applications tab and "defender.exe" and "searchprotection.exe" in the Processes tab. I'm not really sure if that helped, but I was able to download ComboFix and run it. Attached to this message is the log. ComboFix found some rootkit activity on several files SKYNETxxxxx. Now the trojan pop-up has stopped and my computer is not restarting by itself. Do I have to do something else?

    Thanks, Dzdc2001.
  7. Crush Administrator & Security Team Leader
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    Thanks for that, dz. I'll give this a look over and get back to you.
  8. Crush Administrator & Security Team Leader
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    dz,

    Let's just be sure everything is gone now.

    Please go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • The scan may take some time. When it is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply
    =========================================

    Then, follow up with this:


    Run CCleaner

    1. Please download and install CCleaner Slim.
    2. Once installed, double click on the desktop shortcut created.
    3. On the Windows tab, leave the default options alone.
    4. On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
    5. Click on the Run Cleaner button at the bottom right hand corner.
    6. Close CCleaner.

      Note: You can use CCleaner on a regular basis, to keep your hard drive clean of temporary files and clutter. I recommend running it once a month.
  9. dzdc2001 Bronze Member
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    Hi Crush:
    Thank you again for all your help and time; I really appreciate it. The work that all of you do with people like me is terrific. :mrgreen:

    I ran Panda ActiveScan. I had to run it twice. The first was quick, the second was full (it took a lot of time); attached are both logs. It found some issues with NirCmd.A, but I think it is a false positive, because the issues are related to Flash Disinfector. Should I do something with these files?
    Can I delete the files reported as suspicious?

    Also, I ran CCleaner as you indicated.

    Could you advise me what I have to leave running on my computer? I feel insecure about AVG; it did not detect anything about this problem. (I use the free version. Is there a better free anti-virus?)

    Thanks. I’ll be waiting for your final advice, and I think this issue is fixed.

  10. Crush Administrator & Security Team Leader
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    Dz,

    Congratulations!! You are all clean :D

    Please download and run OTC (formerly OTCleanIt) from here:
    http://www.pchelpforum.com/redirect-to/?redirect=http://oldtimer.geekstogo.com/OTC.exe

    Click the Clean Up! button
    This will remove any files and folders associated with some of the more destructive programs I have had you run.
    A reboot will be required to complete the removal.
    =======================================

    Next, this will clear away any of the files and folders that were created by ComboFix.

    Go to :
    Start > Run then copy and paste the following highlighted text below and click OK.

    When ComboFix receives such an instruction, it will do the following:

    a) Deletes the following files/folders:
    * ComboFix.exe
    * %system%\swxcacls.exe
    * %system%\swsc.exe
    * %system%\VFind.exe
    * %system%\moveex.exe
    * %system%\swreg.exe
    * %systemroot%\catchme.exe
    * \ComboFix
    * \Qoobox
    * \VundoFix Backups
    * \Deckard
    * \_OTMoveIt
    * %systemroot%\erdnt\subs
    b) Resets the clock settings.
    c) Hides file extensions.
    d) Hides System/Hidden files.
    e) Clears the System Restore cache and creates a new Restore point.
    =========================================

    You may wish to review the Afterwork link in my signature for some helpful tips on how to keep this from happening again.

    If you have no more questions or issues, I will move this over to the Fixed logs forum.
  11. dzdc2001 Bronze Member
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    Hi, Crush:
    Just a small issue. I ran OTC, and I do not know why, but the ComboFix icon disappeared from my desktop; when I run ComboFix /u, it says there is no such application. Is that fine?

    I do not have any more doubts; I think this can be moved to the fixed threads. Thanks again.
    DZ
  12. Crush Administrator & Security Team Leader
    Re: Trojan-Keylogger.Win32.Agent- I can't rem

    OTC most likely removed it before you performed the /u switch. Perfect. I'll move this off to the Fixed Logs forum.
