Trojan horse Dropper.Agent.GIT

Discussion in 'Malware Help (A Specialist Will Reply)' started by findeld, Jan 8, 2008.

  1. findeld

    findeld Private E-2

    Hello

I woke up this morning and AVG had found Trojan horse Dropper.Agent.GIT. It looks like it disabled the control center for AVG. I ran the scans and here are the files. Thank you for any help that you can provide me.
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi findeld!
    Welcome to Major Geeks!

    Please go back and rerun AVG Antispyware and make sure it fixes everything it finds!

    Also, your msconfig is not set to normal system startup. Go to Start / Run and type in msconfig. In the window that opens up, check the box that says normal system startup. Accept the change. After you reboot your computer, please rerun the C:\MGtools\GetLogs.bat and post a new set of MGlogs.zip which you can find directly under C:\

    abri
     
  3. findeld

    findeld Private E-2

    Hello abri
Here is the new AVG spyware scan log and MGtools log. The spyware scan came back clean. I also set the computer to normal startup. Thanks for your help.
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi findeld!

    Your computer has a lot of things on it that shouldn't be on there. Let's do the following:

    1) If AVG Antivirus is your current resident antivirus program, please run each of the following:

    Norton Removal Tool (SymNRT)

    McAfee Consumer Product Removal Tool (SymNRT)


    2) Go to add/remove programs and uninstall the below:

    - Viewpoint Manager (Remove Only)


    3) Install the current version of Sun Java from: Sun Java Runtime Environment


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    O4 - HKLM\..\Run: [YCJPWZDJQ] C:\WINDOWS\YCJPWZDJQ.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [unautbdo] C:\WINDOWS\System32\obdcqhss.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [msbb] C:\Program Files\180Solutions\msbb.exe
    O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\DMSERV~3.EXE /onreboot
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - HKCU\..\Run: [SpywareBot] "C:\Program Files\SpywareBot\SpywareBot.exe" -boot
    O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
    O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
    O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
    O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\rwknu.exe


    After you click fix, just close hijackthis.


    5) Now, download and install Erunt. Use it to create a backup of your registry.

    6) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    7) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    9) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    10) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  5. findeld

    findeld Private E-2

    Hello abri

I ran all the steps listed below. My computer seems to be running better, but the control console for AVG is still not showing up; am I going to have to reload it? Thank you for all the help you have provided me so far. Here are the logs for Avenger and MGtools.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi Findeld!
    We're getting there.

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
    O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"

    2) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.


    3) Please tell me what is in the following folder. Do not open any files.


    C:\WINDOWS\TGF1cmVuIFNrb3A

    4) Then run CCleaner.


    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    6) Go to this link How to Protect Yourself from Malware and find AVG free and download the installation program. Do not install it yet. If you still have the installation program on your computer from when you first installed it, allow the new program to overwrite the old one. Then shut your computer off, disconnect it from the internet and reboot while it's still disconnected. Go to add/remove programs and uninstall AVG antivirus. Then run the installation program for AVG which you downloaded before disconnecting from the internet. Once AVG antivirus is properly installed, reconnect to the internet and allow it to update. See if the control window is back now.

    Let me know how things are running now?

    abri
     
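Added example (not from this thread, and not part of HijackThis or any MajorGeeks tool): a small Python parser for the HijackThis O4 (registry Run key) lines quoted in posts 4 and 6 above, splitting each line into hive, value name, started program and arguments, including the quoted-path, unquoted-path-with-spaces and rundll32 shapes that appear in the log. The sample log is constructed from lines in post 4; the triage rule (an autostart program sitting directly in C:\WINDOWS or C:\WINDOWS\System32 gets looked at first) is an assumption of this example, not a verdict, since legitimate entries such as Windows' own ctfmon.exe also live there.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4 lines in the shape HijackThis prints them (copied from post 4).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [YCJPWZDJQ] C:\WINDOWS\YCJPWZDJQ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\rwknu.exe
"""
# Line shape: O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXT_RE = re.compile(r'\.(exe|dll|com|scr|bat|cmd|pif)\b', re.I)

@dataclass
class RunEntry:
    hive: str   # HKLM (every user) or HKCU (the logged-on user only)
    name: str   # registry value name shown in [brackets]
    image: str  # program (or the DLL, for rundll32 entries) started at logon
    args: str

def split_command(cmd: str):  # image path vs. arguments, for the three shapes in the log
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: image ends at the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    if cmd.lower().startswith('rundll32 '):      # rundll32 hosts a DLL; the DLL is what to examine
        dll, _, entry = cmd[9:].partition(',')
        return dll.strip(), entry.strip()
    m = EXT_RE.search(cmd)                       # unquoted path, maybe with spaces: cut after the extension
    return (cmd[:m.end()], cmd[m.end():].strip()) if m else (cmd, '')

def parse_o4_lines(text: str):
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            image, args = split_command(m.group('cmd'))
            entries.append(RunEntry(m.group('hive'), m.group('name'), image, args))
    return entries

# Assumed heuristic: an autostart EXE dropped straight into C:\WINDOWS or System32 deserves a closer look first (Windows' own ctfmon.exe lives there too, so this flags candidates, not verdicts).
def is_suspect(entry: RunEntry) -> bool:
    parent = entry.image.lower().rsplit('\\', 1)[0]
    return parent in (r'c:\windows', r'c:\windows\system32')

def triage(text: str):
    return [e for e in parse_o4_lines(text) if is_suspect(e)]
```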
  7. findeld

    findeld Private E-2

    Hello abri,

    Did the steps below. There was nothing in the C:\WINDOWS\TGF1cmVuIFNrb3A folder. Here is the log for mgtools.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi findeld!

    Please go to Windows Explorer and delete this folder:

    C:\WINDOWS\TGF1cmVuIFNrb3A

    After that please do the following:

    • Download RenV.exe and save it to your Desktop (must be on the Desktop)
    • Doubleclick RenV.exe
      • When finished, it will produce a new log named Log.txt on the Desktop.
      • Attach this log to your next reply.
    abri
     
