Trouble with win32/agent.qt trojan variant

[dtgbrown]

Hello,

I have obtained the virtumundo malware ect. In attempting to follow your instructions, I run into a problem. First a bit of background. After obtaining this, I ran a scan with NOD32 antivirus and was deleting various .exe files it was red flagging and prompting me about. A log:

Scan performed at: 5/24/2007 13:22:17 PM
Scanning Log
NOD32 version 2277 (20070518) NT
Command line: c:\windows\system32\drvlal.dll c:\program files\ipwindows\ipwins.exe C:\WINDOWS\system32\drvlal.dll

Date: 24.5.2007 Time: 13:22:18
Anti-Stealth technology is enabled.
Scanned disks, folders and files: c:\windows\system32\drvlal.dll; c:\program files\ipwindows\ipwins.exe
c:\windows\system32\drvlal.dll - a variant of Win32/Agent.QT trojan
c:\program files\ipwindows\ipwins.exe - Win32/Adware.Toolbar.888Bar application - deleted
Number of scanned files: 2
Number of threats found: 2
Number of files cleaned: 2
Time of completion: 13:22:44 Total scanning time: 26 sec (00:00:26)

Notes:
[2] File is being used (open or running). System restart is required for the cleaning to complete.

So I reboot, and then this occurs every time I try to complete the scan/cleaning:

Time Module Object Name Threat Action User Information
5/24/2007 17:26:13 PM AMON file C:\WINDOWS\system32\ntio256.sys Win32/Rootkit.Agent.CF trojan NT AUTHORITY\SYSTEM Event occurred when attempting to access the file.

Exasperated by several reboots when I attempted to get rid of this, I google searched drvlal.dll thinking it was a system file that I needed to get a clean copy of and put back into the system32 folder, which if you were to do this is the only website that comes up. After looking around, I was attempting to follow your instructions and run the online scan when I ran into the same NT AUTHORITY\SYSTEM forced reboot. It seems any time I get near this thing it forces a reboot. Any advice on how to proceed is greatly appreciated.

 

[momok]

Hi

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. These are a comprehensive mix of steps to remove common malware, as well as provide us logs of your system to look at so we can further remove any tricky nasties.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste if not it will be ignored and/or removed by the moderators.

Also, please let me know the results of the AVG Antirootkit scan


Regards,
Your friendly Momok =)

This thread is for the use of dtgbrown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[dtgbrown]

I feel sheepish, I missed the "if this online scan doesn't work move on to the next step" instruction somehow. Anyway, after going through everything it seems to have been eradicated. However, I feel obligated to post the logs both because I appreciate the help, and just to ensure it's all gone. A little peace of mind. Great website, never would have found it if I didn't get this so there is a silver lining I suppose...

 

[momok]

Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

SManager

Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

smanager.7.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C65F3A4B-D7A1-DF5B-DF06-F8ADDACB75E3} - C:\WINDOWS\system32\cdi.dll (file missing)

O4 - HKLM\..\Run: [SManager] smanager.7.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1FF3A8A-C923-4425-A337-C9EA5D7613F7}: NameServer = 166.102.165.11,166.102.165.13 < only fix this if you do not recognise the domain to be from your ISP

Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\system32\ssqro.dll.vir
C:\DOCUME~1\Downtown\
C:\WINDOWS\system32\klikalka.exe
C:\WINDOWS\ALCXMNTR.EXE

Also do a search in your system for all traces of 'smanager' and delete all files and folders related to it.

Reboot into normal mode and rehide your protected OS files.

Please visit this link http://virusscan.jotti.org/

Click the Browse... button and navigate to the following file:
C:\WINDOWS\system32\killapps.exe
Click Open

Please let me know the results.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


Regards,
Your friendly Momok =)

This thread is for the use of dtgbrown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[dtgbrown]

Ok, nothing was found in the services or processes, and the online scan came back fine except for one Fortinet
Found HackerTool/Killapp, everything else came back with "Found Nothing". I followed the other instructions, with one exception. I wanted to ask is it absolutely necessary to delete the entire C:\DOCUME~1\Downtown\ as that includes my documents which has quite a few files I'd care not to lose. I've included fresh logs, if they are clean perhaps I will not have to delete this, please let me know your thoughts, and as always your assistance has been much appreciated.

 

[momok]

Hi,

You can keep the downtown folder. I thought it suspicious as it contained one of the infected files. Is the RUNME.BAT familiar to you? If not, then please delete it.

Apart from that, your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly Momok =)

This thread is for the use of dtgbrown only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.