TechSpot

I need help with Trojan Dropper.Agent.GIT

By buljo
Jan 18, 2008
Topic Status:
Not open for further replies.
  1. Can someone please help me with a Trojan horse called Dropper.Agent.GIT?

    I stepped through all 15 steps described in topic58138

    In my attachments I am sending the 3 files you asked for.

    Thank you in advance,

    Mario

    P.S. No rootkits have been found (deep scan)
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    The AVG report says it has been cleaned and/or quarantined (i.e. gone)

    To be sure, you should disable System Restore (removing all restore points)
    and then re-enable System Restore (and then create a new restore point).


    You can disable System Restore by
    right clicking on My Computer
    Select Properties
    Select System Restore
  3. buljo

    buljo TS Rookie Topic Starter

    Dropper.Agent.dgo is still there

    I disabled system restore as you said, and after that turned it back on.

    I restarted Windows and after the restart received this message:
    _____________________________________________
    RUN DLL
    ERROR LOADING C:windows\system32\cehvhfcw.dll
    The specified module could not be found
    _____________________________________________

    After that I couldn't update AVG antivirus, AVG anti-spyware, AD-Aware, Zone alarm...
    My Internet connection is working fine but I can't update.
    After all of this my AVG anti-Spyware alerted me that it found Dropper.Agent again in Grisoft\AVG7\avgcc.exe

    What should I do?
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    C:\WINDOWS\system32\byxyy.exe should have been removed.

    But I am concerned that there are still more Dropper.Agent on your system.

    AVG alerted you to another; did it disinfect it? Can you check the AVG logs?

    The "error loading..." is a startup entry (shortcut) to cehvhfcw.dll which is now gone.
    To remove the startup entry you can use THIS tool, and remove it.
    You can also disable other startup entries not required to start with Windows as well.

    Due to your other issues with updating, I am asking for support from other members reading this post. To recheck if all malware is removed.

    It is likely that any other member will ask for a new HijackThis Log to be created. Therefore can you please attach an updated log in a reply to this message; after restart of using Startup
  5. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,712

    Please go to http://www.kaspersky.com/virusscanner and run the online scanner which will give you a report.
    You can also try http://virusscan.jotti.org/ but this is often very busy and I do not have much experience with it.
    Please also run hijackthis and post a log. Please make sure you have the latest version and run it as crusty.exe from c:\program files\hijackthis\
  6. buljo

    buljo TS Rookie Topic Starter

    Thank you for now. Going to work until 22:00, I will post again around 23:30.
  7. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,712

    Hi buljo - not sure what this means in terms of your time zone but look forward to hearing what you find.
  8. buljo

    buljo TS Rookie Topic Starter

    Hello again.
    This is the situation:
    - Dropper agent is still here on my machine.
    - Microsoft Internet Explorer is for some reason blocked so I can't run http://www.kaspersky.com/virusscanne
    - Firefox is working fine but Kaspersky works only with MS Internet Explorer
    - I will try http://virusscan.jotti.org/ - result: too busy, try later...............
    - HJT is reporting some error with program - ERROR#5, invalid procedure or something...
    - This is the log from HJT after reporting error:

    (Moderator edit: Please do not copy and paste your logs. Instead, post them as attachments only in either .txt or .log format. To learn how to attach a log file, please see HERE.)

    My friend told me that he will give me Norton Corporate on CD. What do you think about that idea?
  9. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    No Norton - I hate it!

    Stick with AVG

    Wait for response regarding logs
  10. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,712

    Please clear these entries using the Hijackthis fix tool
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\1XConfig.exe
    F3 - REG:win.ini: load=C:\WINDOWS\system32\byxyy.exe
    O2 - BHO: (no name) - {4F83066E-60A0-4E62-ABB6-9EB9975E74BC} - C:\WINDOWS\system32\byxyy.dll
    O2 - BHO: {bd26969a-62b4-5438-8094-ee7a0367cb58} - {85bc7630-a7ee-4908-8345-4b26a96962db} - C:\WINDOWS\system32\ebeqjrtk.dll (file missing)
    O2 - BHO: (no name) - {DD900A82-4DD3-417D-80DC-272DE892B9FB} - C:\WINDOWS\system32\qopno.dll (file missing)
    O4 - HKLM\..\Run: [107ca3fe] rundll32.exe "C:\WINDOWS\system32\cehvhfcw.dll",b
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
    O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

    and report on your progress.
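
The entries listed in the post above can be sorted by what they mean for cleanup. The following is an added example, not part of the original thread and not HijackThis code: it parses a few of those lines, marks registry entries whose target file is already gone, and marks the `rundll32.exe` Run entry that explains the "Error loading" dialog reported earlier. The function names and flag labels are this example's own.

```python
import re

# Entries copied from the HijackThis list in the post above (not a full log).
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\byxyy.exe
O2 - BHO: (no name) - {4F83066E-60A0-4E62-ABB6-9EB9975E74BC} - C:\WINDOWS\system32\byxyy.dll
O2 - BHO: (no name) - {DD900A82-4DD3-417D-80DC-272DE892B9FB} - C:\WINDOWS\system32\qopno.dll (file missing)
O4 - HKLM\..\Run: [107ca3fe] rundll32.exe "C:\WINDOWS\system32\cehvhfcw.dll",b
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
"""

# Meaning of the HijackThis section codes that appear in the sample.
SECTIONS = {
    "F3": "win.ini load=/run= value (registry-mapped)",
    "O2": "Browser Helper Object",
    "O4": "Run key / Startup autostart",
    "O20": "Winlogon Notify / AppInit_DLLs",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:exe|dll)', re.IGNORECASE)

def parse_entry(line):
    """Return a dict describing one log line, or None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    path = WIN_PATH.search(body)
    flags = []
    if body.rstrip().endswith("(file missing)"):
        flags.append("orphaned")            # entry remains, file already removed
    if code == "O4" and "rundll32" in body.lower():
        flags.append("rundll32-autostart")  # DLL loaded at every logon
    if code == "F3":
        flags.append("win.ini-load")        # program started via load= value
    return {"code": code, "section": SECTIONS.get(code, "other"),
            "target": path.group(0) if path else None, "flags": flags}

def triage(log_text):
    """Parse every entry line in a pasted log fragment."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["code"], e["section"], e["target"], ",".join(e["flags"]) or "-")
```

Entries flagged `orphaned` are leftover registry references, so fixing them only tidies the configuration; entries with a target and no `orphaned` flag still point at a file on disk that has to be dealt with separately.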
  11. momok

    momok TS Rookie Posts: 2,272

    Those files will not be so easily deleted just by fixing in HJT.

    Ideally the user should boot into safe mode, fix those entries, and then unhide all his system/hidden files and folders and delete those bad files manually.

    Regards,
    momok
     
  12. buljo

    buljo TS Rookie Topic Starter

    I decided to Format:C

    After that I reinstalled my system and AVG, AVG anti spyware, AD-Aware and Zone alarm but Dropper.Agent.GIT is again on my machine, on drive D:

    This is the log from AVG anti spyware:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 15:46:23 22.1.2008

    + Scan result:



    D:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP10\A0002788.exe -> Dropper.Agent.dgo : No action taken.


    ::Report end
  13. AlbertLionheart

    AlbertLionheart TechSpot Chancellor Posts: 2,712

    The virus is in the system restore file - you can either leave it there, as it will do no further harm unless you open the file, or you can clear the system restore files by turning it off (Control Panel > System Restore)
    cheers