Trojan horse Dropper.Agent.GIT infecting program files

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hzd6, Jan 10, 2008.

  1. hzd6

    hzd6 Private E-2

    Good Morning!!
I've noticed this Trojan after I rebooted my PC three days ago and my wireless mouse's auxiliary buttons didn't work. I did an AVG scan, and indeed my mouse's mouse32a.exe, among other applications, was infected with this agent. I scanned, vaulted, quarantined, removed and immunized for the past three days, but with no luck. Some of my programs are not working now, e.g. AVG Control Center. When I reinstall the removed files from their original sources (CDs, setup files, etc.), they get infected all over again.

    I stumbled upon this forum in a Google search, and I find your site very informative and helpful. I ran everything in the Malware sticky to the T, and I attach the reports accordingly.

    Thank you in advance!!
     


  2. abri

    abri MajorGeek

    Hi hzd6!
    Welcome to Major Geeks!


    I'm looking through your logs and will get back to you in a while. This takes some time, so thanks for being patient.

    abri
     
  3. abri

    abri MajorGeek

    Hi hzd6!

    1) Please disable your guest account if you don't use it.

    2) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 2


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {A16B4FB3-5B68-437E-87AD-35594FD201B4} - C:\WINDOWS\system32\ddcyx.dll (file missing)
    O2 - BHO: (no name) - {C558ABAA-0CD3-409E-A868-29A43DDFC641} - C:\WINDOWS\system32\vturr.dll
    O2 - BHO: (no name) - {CBFA0E8E-7489-4A16-8D6E-0D58BFFB6134} - C:\WINDOWS\system32\pmnolki.dll
    O2 - BHO: (no name) - {CD8262DE-E835-47FE-BE24-B0953DBB59C5} - C:\WINDOWS\system32\pmkjg.dll (file missing)
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6542] command /c del "C:\WINDOWS\system32\pmkjg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9071] cmd /c del "C:\WINDOWS\system32\pmkjg.dll_old"
    O4 - Global Startup: officejet 6100.lnk = ?
    O20 - Winlogon Notify: pmnolki - C:\WINDOWS\SYSTEM32\pmnolki.dll

    Do the following belong to programs you know or want to keep? If not, please fix them as well. If you're not sure about them, leave them. In particular, I would like to know if you know anything about KClient. The kia-hotline one looks like it belongs to Kia.

    O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} (KClient.ActiveX.1) -
    O16 - DPF: {8D558E41-D24F-441D-A7C9-75B278C326FD} (knowledge.Knowledge_UserControl) - http://www.kia-hotline.com/OCX/Knowledge.CAB

    After you click fix, just close hijackthis.


    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    5) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
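The fix lists above are plain HijackThis log lines, and much of abri's triage comes down to reading each one the same way: which section it is in (O2 BHO, O4 autostart, O16 DPF, O20 Winlogon Notify, F3 win.ini), which file or URL it points at, and whether HijackThis has marked the file as missing. The following parser is an added example written for this page; it is not part of the thread, not a MajorGeeks tool, and the sample log is constructed from the lines quoted in posts #3 and #5. The names `Entry`, `parse_line`, `assess`, `parse_log` and `flagged` are assumptions of this example. The review notes it attaches are reviewer heuristics of the kind abri applies here (orphaned entries, unnamed BHOs, Winlogon Notify DLLs, legacy win.ini autostarts, externally installed ActiveX controls), not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the HijackThis lines quoted in this thread,
# collected into one log excerpt so the parser has something to work on.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A16B4FB3-5B68-437E-87AD-35594FD201B4} - C:\WINDOWS\system32\ddcyx.dll (file missing)
O2 - BHO: (no name) - {C558ABAA-0CD3-409E-A868-29A43DDFC641} - C:\WINDOWS\system32\vturr.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingA6542] command /c del "C:\WINDOWS\system32\pmkjg.dll_old"
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} (KClient.ActiveX.1) -
O16 - DPF: {8D558E41-D24F-441D-A7C9-75B278C326FD} (knowledge.Knowledge_UserControl) - http://www.kia-hotline.com/OCX/Knowledge.CAB
O20 - Winlogon Notify: pmnolki - C:\WINDOWS\SYSTEM32\pmnolki.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\vturr.exe
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')   # local path; stops at whitespace or a quote
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Entry:
    section: str            # HijackThis section code, e.g. O2, O4, O20, F3
    body: str               # everything after "Oxx - "
    path: Optional[str]     # first local file path found in the body, if any
    guid: Optional[str]     # CLSID for BHO / DPF entries, if any
    url: Optional[str]      # download URL for O16 (DPF) entries, if any
    file_missing: bool      # HijackThis appended "(file missing)"
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis log line into its parts; return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    path = PATH_RE.search(body)
    guid = GUID_RE.search(body)
    url = URL_RE.search(body)
    return Entry(
        section=m.group("section"),
        body=body,
        path=path.group(0) if path else None,
        guid=guid.group(0) if guid else None,
        url=url.group(0) if url else None,
        file_missing="(file missing)" in body,
    )


def assess(entry: Entry) -> List[str]:
    """Attach review notes to an entry: why a human should look, not a verdict."""
    notes: List[str] = []
    if entry.file_missing:
        notes.append("orphaned: the registry still references a file that no longer exists")
    if entry.section == "O2" and entry.body.startswith("BHO: (no name)"):
        notes.append("BHO registered without a display name")
    if entry.section == "O16":
        notes.append("ActiveX control installed from an external site; keep only if you recognize the vendor")
    if entry.section == "O20" and entry.path:
        notes.append("Winlogon Notify DLL is loaded by winlogon.exe at logon; verify the DLL")
    if entry.section == "F3" and "load=" in entry.body:
        notes.append("legacy win.ini load= autostart; verify the program it launches")
    return notes


def parse_log(text: str) -> List[Entry]:
    """Parse every entry line in a log excerpt and annotate it."""
    entries: List[Entry] = []
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            e.reasons = assess(e)
            entries.append(e)
    return entries


def flagged(text: str) -> List[Entry]:
    """Entries that carry at least one review note."""
    return [e for e in parse_log(text) if e.reasons]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        mark = "!" if e.reasons else " "
        print(f"{mark} {e.section:<4} {e.path or e.url or '-'}")
        for r in e.reasons:
            print(f"       {r}")
```

Run it as a script to see each line with its notes; the two O4 lines (a Spybot clean-up RunOnce and a printer shortcut) come through unflagged, which matches how abri treats them, while the orphaned BHO, the unnamed BHOs, the Winlogon Notify DLL and the win.ini load= entry are the ones a reviewer is told to look at.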
     
  4. hzd6

    hzd6 Private E-2

    Hey abri!!

    Thanks for you speedy reply and clear and easy instructions.

    1) Guest account wasn't activated, so I left it unactivated.

    2) I removed Java (TM) 6 Update 2 (111.00MB) as instructed.

    3) The text in bold was different, but the vturr.dll was still there, so I removed it:
    O2 - BHO: (no name) - {C558ABAA-0CD3-409E-A868-29A43DDFC641} - C:\WINDOWS\system32\vturr.dll

    These two weren't even present in the scan:
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6542] command /c del "C:\WINDOWS\system32\pmkjg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9071] cmd /c del "C:\WINDOWS\system32\pmkjg.dll_old"

    I've kept these two as you mentioned, as I use these regularly for work:
    O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} (KClient.ActiveX.1) -
    O16 - DPF: {8D558E41-D24F-441D-A7C9-75B278C326FD} (knowledge.Knowledge_UserControl) - http://www.kia-hotline.com/OCX/Knowledge.CAB

    4) I've disabled Windows Messenger with the application referred to.

    5) The Avenger worked perfectly and I attach the log file accordingly.

    6) So did ATF Cleaner.

    My PC was a bit faster after the Avenger reboot and I'm running an AVG scan right now. I await your further instructions, thank you.
     


  5. abri

    abri MajorGeek

    Hi hzd6!

    1) Please scan the following file(s) at either
    jotti or VirusTotal and let me know the results.

    C:\WINDOWS\TempFile
    C:\tmp.bmp


    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\vturr.exe
    O2 - BHO: (no name) - {0C1B1660-6F66-4A43-A456-6EC1EE7BFE61} - C:\WINDOWS\system32\vturr.dll (file missing)



    3) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (Make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double-click on it if not saved to the Desktop) and when it prompts to add it to the registry, say yes.

    4) In post #3 step 6, you ran ATF Cleaner. Please do that again now using those instructions.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates.

    Let me know how things are running now.

    abri
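Two things in this thread call for the same small tool: hzd6's original complaint that freshly reinstalled program files get infected again, and abri's request here to submit specific files to an online scanner (where, as the next post shows, a 0-byte file tells the scanner nothing). A local fingerprint baseline answers both: record size and SHA-256 of the files right after a clean reinstall, flag anything that is empty before you bother uploading it, and re-check later to see exactly which files changed. This is an added example written for this page, not a MajorGeeks tool and not anything the thread itself used; `file_fingerprint`, `build_baseline`, `compare`, `empty_files` and `demo` are names assumed here, and the files in `demo` are constructed stand-ins in a temporary directory, not the real paths from the thread.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

Fingerprint = Dict[str, object]


def file_fingerprint(path: str) -> Fingerprint:
    """Size and SHA-256 of one file, read in chunks so large binaries never sit in memory."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
            size += len(chunk)
    return {"size": size, "sha256": h.hexdigest()}


def build_baseline(paths: Iterable[str]) -> Dict[str, Fingerprint]:
    """Fingerprint every path that exists as a regular file; absent files are not recorded."""
    return {p: file_fingerprint(p) for p in paths if os.path.isfile(p)}


def save_baseline(baseline: Dict[str, Fingerprint], out_path: str) -> None:
    with open(out_path, "w") as fh:
        json.dump(baseline, fh, indent=2)


def load_baseline(in_path: str) -> Dict[str, Fingerprint]:
    with open(in_path) as fh:
        return json.load(fh)


def empty_files(baseline: Dict[str, Fingerprint]) -> List[str]:
    """Paths recorded with size 0: an online scanner cannot examine these, so the
    upload result will be meaningless (the outcome hzd6 reports for TempFile below)."""
    return sorted(p for p, fp in baseline.items() if fp["size"] == 0)


def compare(old: Dict[str, Fingerprint], new: Dict[str, Fingerprint]) -> Dict[str, str]:
    """Classify each path as unchanged / modified / missing / new against the baseline."""
    status: Dict[str, str] = {}
    for p in set(old) | set(new):
        if p not in new:
            status[p] = "missing"
        elif p not in old:
            status[p] = "new"
        elif old[p]["sha256"] != new[p]["sha256"]:
            status[p] = "modified"
        else:
            status[p] = "unchanged"
    return status


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Constructed scenario: baseline right after a 'clean reinstall', then re-check later."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "mouse32a.exe")   # stand-in for a reinstalled program file
        helper = os.path.join(d, "keep.dll")     # stand-in for a file that later disappears
        empty = os.path.join(d, "TempFile")      # stand-in for the 0-byte file in the thread
        extra = os.path.join(d, "extra.dll")     # stand-in for a file that appears later
        with open(prog, "wb") as f:
            f.write(b"MZ constructed clean image")
        with open(helper, "wb") as f:
            f.write(b"MZ constructed helper")
        open(empty, "wb").close()

        baseline_path = os.path.join(d, "baseline.json")
        save_baseline(build_baseline([prog, helper, empty]), baseline_path)

        # Later: the program file's contents change, one file vanishes, one appears.
        with open(prog, "ab") as f:
            f.write(b" constructed modification marker")
        os.remove(helper)
        with open(extra, "wb") as f:
            f.write(b"MZ constructed newcomer")

        before = load_baseline(baseline_path)
        after = build_baseline([prog, helper, empty, extra])
        status = {os.path.basename(p): s for p, s in compare(before, after).items()}
        empties = [os.path.basename(p) for p in empty_files(before)]
        return status, empties


if __name__ == "__main__":
    status, empties = demo()
    for name, s in sorted(status.items()):
        print(f"{s:<10} {name}")
    print("empty (skip upload):", empties)
```

In practice you would build the baseline over the program directories you just reinstalled from CD, save the JSON somewhere the machine cannot write to (a USB stick or another host), and re-run `compare` after each reboot: a file that comes back `modified` without you touching it is the reinfection hzd6 describes, and its path is what you hand to the forum helper or the scanner.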
     
  6. hzd6

    hzd6 Private E-2

    Hey abri. Trust you had a nice weekend.

    The scan results as requested:

    Jotti:
    C:\WINDOWS\TempFile = The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
    C:\tmp.bmp = OK

    I've disabled the default Windows firewall during above scan

    VirusTotal:
    C:\WINDOWS\TempFile = 0 bytes size received
    C:\tmp.bmp = Datei tmp.bmp empfangen 2008.01.14 07:19:28 (CET)
    Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
    Ergebnis: 0/32 (0%)

    Just a quick question. Am I supposed to reinstall the applications which were infected after I've done all the instructions in your replies?

    I attach the new MGlogs.zip accordingly, thanks.
     


  7. abri

    abri MajorGeek

    Hi hzd6!

    Please delete the following: C:\tmp.bmp

    Please rename the following from C:\WINDOWS\TempFile to TempFile.zzz
    Tell me if you are able to rename this.

    You only need to reinstall applications which aren't working. If they're working they probably didn't get damaged.

    I apologize, you got caught in the middle of an update so the following needs to be uninstalled and replaced with the updated version. Please do the following:


    1) Go to add/remove programs and uninstall the below:

    Java(TM) 6 Update 3

    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    I want to post you our final clean-up instructions. Be sure your computer is working all right before you continue with these:
    abri
     
  8. hzd6

    hzd6 Private E-2

    Hey abri!!

    I've followed all your instructions and everything has been working fine for the past two days now. Several AVG Anti-Virus and AVG Anti-Spyware scans have produced crystal results. Thank you for all your effort and patience. All of the best!!
     
  9. abri

    abri MajorGeek

    You're welcome!
    Thanks for letting me know!
    Happy and safe surfing!
    abri
     
