juice370

Trojan.Agent.CK?


Hi Ian.

From what I've found, it's normally associated with a rogue antispyware program, but without the exact file path, it's hard to say.

Is SAS or some other program detecting it?


Hi Seth,

Thanks for the fast response.

I've got more info. Naively, I'm new to all this. I run McAfee AntiVirus bundled with my laptop (no other security) and today, reading the forums, I have DL'd MBAM and SAS. Am I correct in saying that MBAM and SAS are the same company, as your forums are identical?

Anyway, here's the full story as posted on the MBAM forum earlier. I'll run the SAS scan now and report back.

Hi,

Any help appreciated on the following.

It looks like I had my PC hacked last night. Not sure how, but I walked back into my office and PayPal had opened up on my PC and my account had sent money to someone calling themselves ronocftw@live.com. I had the PayPal Order Success page open as if I'd just sent money. I've done some searching and it's apparently a guy called Conor W Terry using that email address. I've informed PayPal and my bank so that is covered. They initially tried to take £104, but I only had £50 in this account, and then they took £35 and this is currently going through... I can only cancel it and claim it back once it's completed, apparently. So...

It seems I have various trojans and rogue.agents on my PC picked up by MBAM. So taking advice I've installed both MBAM and SAS. Running SAS as you read this.

Q: In addition to the below, I now have 2 small white squares at the top left of my desktop, which appeared yesterday. Any ideas what these are and how to get rid of them?

But here are my concerns/report from MBAM if you can help until the SAS report is run:

c:\Users\Ian\AppData\Roaming\windefender.exe (Spyware.Spyeyes) -> No action taken.

c:\Users\Ian\AppData\Local\Temp\vxgjnpjdzjfivlg9.exe (Spyware.Spyeyes) -> No action taken.

c:\Users\Ian\local settings\temporary internet files\Content.IE5\BGPJKHPB\nb1[2].exe (Spyware.Spyeyes) -> No action taken.

c:\Users\Ian\AppData\Roaming\local.exe (Trojan.Agent) -> No action taken.

c:\Users\Ian\AppData\Roaming\microsoft\System\Services\csrss.exe (Trojan.Agent) -> No action taken.

c:\Users\Ian\AppData\Roaming\data.dat (Stolen.Data) -> No action taken.

c:\Users\Ian\AppData\Roaming\35320.exe (Rogue.Agent.Gen) -> No action taken.

c:\Users\Ian\AppData\Roaming\54401.exe (Rogue.Agent.Gen) -> No action taken.

c:\Users\Ian\AppData\Roaming\Program.exe (Trojan.Agent.Gen) -> No action taken.

Thanks for your input

Ian


You're welcome.

Definitely infected. I suggest you change your online passwords ASAP and clear your restore points once the system is clean.

- Please post the SAS scan log.

- The SAS and MB forums don't look identical to me, but regardless, they're not the same company.


I meant the sign-up process; it must just be the same software, Seth. OK, I'll generate the report when it finishes and start to sort this out ASAP.

Cheers

Ian


Normal mode is fine for now.

Here you go Seth, any advice would be great. I had to cut out all of the Cookies as the post was too long. If you need those let me know.

A few Q's RE the below data. BTW, I'm currently using the free edition, happy to upgrade if it's worth it, not sure of the difference at this point.

- I've now got the report box in front of me with all of the checkboxes. How do I go through and delete each independently?

- Do I leave the checks in the boxes I want to delete or the ones I want to keep?

- Should I delete all cookies in the report? I use LastPass to automate all passwords; if I delete all cookies, will LastPass lose all my passwords?

- These (directly below) are the main concern, I'd say, and are the ones running on start-up, found in the Data > Roaming folder:

Trojan.Agent/Gen-Falleg[T-Cont]

C:\USERS\IAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\35320.EXE

C:\USERS\IAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\35320.EXE

C:\USERS\IAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\54401.EXE

C:\USERS\IAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\54401.EXE

C:\Windows\Prefetch\35320.EXE-CFF7E38D.pf

Here is the full Scanner log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 01/24/2011 at 05:06 PM

Application Version : 4.48.1000

Core Rules Database Version : 6260

Trace Rules Database Version: 4072

Scan type : Quick Scan

Total Scan Time : 01:20:03

Memory items scanned : 1067

Memory threats detected : 2

Registry items scanned : 3266

Registry threats detected : 0

File items scanned : 41671

File threats detected : 731

Trojan.Agent/Gen-Falleg[T-Cont]

C:\USERS\IAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\35320.EXE

C:\USERS\IAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\35320.EXE

C:\USERS\IAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\54401.EXE

C:\USERS\IAN\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\54401.EXE

C:\Windows\Prefetch\35320.EXE-CFF7E38D.pf

cdn4.specificclick.net [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

cdn5.specificclick.net [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

cloud.video.unrulymedia.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

ec.atdmt.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

gw.callingbanners.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

ia.media-imdb.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

imelite.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

media.azfamily.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

media.buto.tv [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

media.heavy.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

media.kyte.tv [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

media.monster.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

media.mtvnservices.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

media.scanscout.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

s0.2mdn.net [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

secure-uk.imrworldwide.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

secure-us.imrworldwide.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

sftrack.searchforce.net [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

spe.atdmt.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

track.webgains.com [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

tracking.onefeed.co.uk [ C:\Users\Ian\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\4BBRKK5E ]

C:\Windows\Temp\Cookies\ian@statse.webtrendslive[2].txt

Trojan.Unclassified/CmdUtil

C:\USERS\IAN\APPDATA\LOCAL\AD\ADSYSTEM.DLL

Trojan.Agent/Gen-FakeAlert[Cush]

C:\USERS\IAN\APPDATA\ROAMING\WINDEFENDER.EXE

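The two reports above (the MBAM hits in AppData\Roaming and the SAS hits in the per-user Startup folder plus the 35320.EXE Prefetch entry) are the kind of thing a read-only triage pass can pull together in one table before anything is deleted. The script below is an added example for this thread, not SAS, MBAM or Seth's own tooling. It enumerates the user-writable autostart locations the malware used (the Startup folder and the HKCU Run/RunOnce keys), lists executables sitting loose at the top of AppData\Roaming and AppData\Local, checks Prefetch for evidence that each file actually ran, and hashes each file so it can be looked up on VirusTotal. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt for the Prefetch directory; it changes nothing on disk.

```powershell
# Added triage script, not from the thread. Read-only: it deletes nothing.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt to read Prefetch.

$ErrorActionPreference = 'SilentlyContinue'

$startup   = [Environment]::GetFolderPath('Startup')   # ...\Start Menu\Programs\Startup
$runKeys   = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
$dataRoots = @($env:APPDATA, $env:LOCALAPPDATA)
$prefetch  = Join-Path $env:SystemRoot 'Prefetch'

function Get-TriageRow {
    param([string]$Path, [string]$Source)
    $f = Get-Item -LiteralPath $Path
    if (-not $f) { return }
    # A <NAME>-<hash>.pf file means Windows actually launched this binary;
    # the thread's 35320.EXE-CFF7E38D.pf is exactly that artefact.
    $pf  = Get-ChildItem -LiteralPath $prefetch -Filter ("{0}-*.pf" -f $f.Name.ToUpper())
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Source    = $Source
        Path      = $f.FullName
        SizeKB    = [math]::Round($f.Length / 1KB, 1)
        Created   = $f.CreationTime
        Signature = $sig.Status          # droppers like these are almost always NotSigned
        Executed  = [bool]$pf
        SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}

$rows = @()

# 1. Startup folder: anything here runs at logon with the user's rights, no admin needed.
Get-ChildItem -LiteralPath $startup -File | ForEach-Object {
    $rows += Get-TriageRow -Path $_.FullName -Source 'StartupFolder'
}

# 2. Run / RunOnce values. The value data is a command line; pull the executable out of it.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }               # skip PSPath, PSParentPath, ...
        $exe = $p.Value -replace '^"([^"]+)".*$', '$1'      # "C:\quoted path.exe" /args
        $exe = $exe -replace '^(\S+\.exe).*$', '$1'         # C:\unquoted.exe /args
        if (Test-Path -LiteralPath $exe) {
            $rows += Get-TriageRow -Path $exe -Source "Run:$($p.Name)"
        }
    }
}

# 3. Loose binaries directly under AppData\Roaming and AppData\Local. Legitimate
#    software installs into a vendor subfolder; 35320.exe, local.exe, windefender.exe
#    and data.dat from the MBAM report all sat at this level.
foreach ($root in $dataRoots) {
    Get-ChildItem -LiteralPath $root -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.dat' } |
        ForEach-Object { $rows += Get-TriageRow -Path $_.FullName -Source 'AppDataRoot' }
}

$rows | Sort-Object Source, Path |
    Format-Table Source, Path, SizeKB, Signature, Executed, SHA256 -AutoSize
```

Run it as the affected user from an elevated PowerShell window and paste the SHA256 column into VirusTotal's hash search rather than uploading the files one at a time. A file that is unsigned, sits in one of these locations and shows Executed = True is the one to deal with first; the Created timestamp also gives a rough time of infection to line up against the PayPal activity.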
A few Q's RE the below data. BTW I'm currently using the free edition, happy to upgrade if its worth it, not sure of the difference at this point.

https://www.superantispyware.com/superantispywarefreevspro.html

- I've now got the report box in front of me with all of the checkboxes. How do i go through and delete each independently?

- Do i leave the checks in the boxes I want to delete or the one i want to keep?

The checks need to be on for removal.

- Should I delete all cookies in the report. I use LastPass to automate all passwords, if I delete all cookies will Lastpass lose all my passwords?

https://www.superantispyware.com/supportfaqdisplay.html?faq=26

I suggest you leave the cookies and uncheck SAS's option to detect them.

Check off anything SAS finds (other than the tracking cookies), and allow SAS to remove those items. After the requested SAS restart, update it and run a quick scan. If anything other than tracking cookies appear, let me know.


Literally within the last 15 minutes I've had a pop-up called "Security Shield" that keeps hassling me. It has placed a logo in my system tray after initially just starting to scan my C drive, two shades of blue. Is this itself a virus? Do you know it?

I'll get on with the removal now ASAP. Thanks for your continued advice.


You're welcome.

Yes, Security Shield is an infection I'm aware of.


Hi Seth / Anyone else interested in this thread...

The Security Shield exe was located in the User > AppData > Local folder. To delete it I had to boot into Safe Mode, go to the folder and delete it. This immediately deleted 17 other malware/viruses, call them what you will.

One that is persistent and keeps returning, having been removed in SAS and MB, is in User > AppData > Roaming > 9747.exe.

I'm now scanning SAS again for any remaining items.

I'll keep you posted.


Hi Seth,

All Trojans etc. are gone. All that remains are the Chrome / Firefox cookies.

I use Lastpass to automate all password entries. Do you know if I delete the Cookies above, will Lastpass lose all my usernames and passwords?

Thanks for your help so far.

Cheers

Ian


I can't see how removing cookies would affect Lastpass passwords, but you'll need to contact them to confirm. Also note my cookie suggestion in post #9.


Everything seems OK, Seth, apart from 2 items that won't delete in normal mode, found in User > AppData > Roaming > 9747.exe and dat.dat in the same folder.

Also do you know what these are below, found in the same folder, could these be worth deleting?

windef.exe

local.exe

Thanks

Ian


You can submit questionable files to VirusTotal. The files will be examined by numerous antimalware programs and you'll see the results virtually immediately:

http://www.virustotal.com/

Just click on "Browse", navigate to the file, highlight it, click open, then "Send File".


Apologies for the delay, I've been catching up on order processing after changing lots and lots of passwords.

Sorted, Seth. I tried VT and it didn't really tell me much, but I deleted the file 9747.exe anyway.

Did you recommend I do something with the Windows Restore feature?

Also how long is the trial period on SAS Pro and also how many updates do you get with the pro paid license?

Thanks

Ian

Did you recommend I do something with the Windows Restore feature?

Yes.

Purge the restore points by disabling System Restore, restarting the computer, then enabling System Restore.

Also how long is the trial period on SAS Pro and also how many updates do you get with the pro paid license?

The trial version is good for 15 days.

With a license you get unlimited updates for the life of the product.

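Seth's disable/restart/enable sequence can also be done from an elevated PowerShell window, which makes it easy to confirm afterwards that the old restore points really are gone. The script below is an added example for this thread, not SAS's or Seth's own instructions. Restore points are kept in Volume Shadow Copies, so a copy taken while the machine was infected can put the dropped files back if System Restore is ever used; the script turns protection off for the system drive, deletes the shadow copies outright with vssadmin, turns protection back on and takes a fresh baseline. It assumes Windows 7 or later and that C: is the system drive.

```powershell
# Added example, not from the thread: purge all restore points after cleanup.
# Run from an elevated PowerShell on Windows 7+; assumes C: is the system drive.

$drive = 'C:\'

# 1. Disable System Restore for the drive. Windows discards the drive's
#    restore points when protection is turned off.
Disable-ComputerRestore -Drive $drive

# 2. Remove the shadow copies themselves so the storage is released and
#    nothing captured while infected lingers in a copy.
vssadmin delete shadows /for=C: /all /quiet

# 3. Re-enable System Restore and take a clean baseline now that the scans are clear.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description 'Clean baseline after SAS/MBAM cleanup' -RestorePointType MODIFY_SETTINGS

# 4. Verify: only the new baseline should be listed.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Two caveats: the vssadmin step removes every shadow copy on C:, so any "Previous Versions" of documents go with the restore points, and on Windows 8 and later Checkpoint-Computer will refuse to create a second restore point within 24 hours of the last one unless the SystemRestorePointCreationFrequency registry value is lowered, so run the script once rather than re-running it after each scan.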

Thanks for all your help Seth. All looks to be sorted now.

I'm grabbing the Pro License on Monday when back in the office, using the trial it looks really good.

Thanks

Ian
