win32.agent.qt appears again and again...

Discussion in 'Malware Help (A Specialist Will Reply)' started by thobi2001, Feb 7, 2008.

  1. thobi2001

    thobi2001 Private E-2

    Hey there,

    I've got a problem with a trojan I got somewhere. Spybot identifies the thing as win32.agent.qt and tries to remove it. It seems to be successful in the beginning but the trojan is there again after I rebooted the computer. And I can't get rid of this thing!

    Here is the Logfile of HijackThis after I removed the thing again with Spybot.

    Logfile of HijackThis v1.99.1
    Scan saved at 21:22:06, on 07.02.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Can anybody help me?

    Tom
     
    Last edited by a moderator: Feb 7, 2008
  2. Lev

    Lev MajorGeek

  3. thobi2001

    thobi2001 Private E-2

    Hey!

    First of all, thank you for your help!!! I really don't know what to do otherwise.

    I followed the instructions in the "Read and Run me first..."-Thread. But there wasn't really a satisfactory result.

    As I wrote before, Spybot recognizes the thing as Win32.Agent.qt and also tries to remove it. But after some time it's there again. And I can't find where it's sitting. Spybot says it's a Registry-Database-Value and gives the following path: HKEY_USERS\S-1-5-21-2415682206-914002717-4149115087-1005\Software\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com

    I included all the logs from the three tools mentioned in the "Read and Run me first..."-thread, but MGTools gave me an Error-message Type 4 because I don't have the .NET Framework software installed. (I don't wanna have it.) I included the logfiles anyway.

    I really hope you can help me!

    Thanks again!

    Tom
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Although you now appear to be using Avast as your antivirus, you still have items from Symantec hanging around. Please run this: Norton Removal Tool (SymNRT)

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_05


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    File::
    C:\WINDOWS\mrofinu572.exe.tmp
     
    Folder::
    C:\WINDOWS\system32\dp1
    C:\WINDOWS\system32\feq9
    C:\WINDOWS\system32\nGpxx01
     
    Registry::
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
    "{E180F496-8A4B-44E2-9FE0-0364E345DB7F}"=-
    [-HKEY_USERS\S-1-5-21-2415682206-914002717-4149115087-1005\Software\Microsoft\Internet Explorer\New Windows\Allow\*.starsdoor.com]
    [HKEY_USERS\S-1-5-21-2415682206-914002717-4149115087-1005\Software\Microsoft\Internet Explorer\New Windows\Allow]
    "*.starsdoor.com"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
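    The CFScript above clears a ShellExecuteHooks entry, a per-user Internet Explorer "New Windows\Allow" entry and a handful of files and folders. The following PowerShell script is an added example, not chaslang's or the thread's own code: it audits those same locations read-only so the cleanup can be verified, without deleting anything. It assumes an elevated PowerShell prompt on the affected machine; the artifact paths come from the CFScript above and are not an exhaustive list, and the function names are the example's own.

```powershell
# Added example, not part of the thread: read-only audit of the persistence
# points that the CFScript above removes. Run from an elevated PowerShell prompt.
# Nothing here deletes anything; it only reports so the cleanup can be verified.

$HooksKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'

# Files and folders named in the thread's CFScript (values taken from the page).
$KnownArtifacts = @(
    'C:\WINDOWS\mrofinu572.exe.tmp',
    'C:\WINDOWS\system32\dp1',
    'C:\WINDOWS\system32\feq9',
    'C:\WINDOWS\system32\nGpxx01'
)

function Get-ShellExecuteHookReport {
    # Every value name under ShellExecuteHooks is a CLSID whose in-process server
    # DLL Explorer loads on each ShellExecute call. Legitimate Windows hooks exist
    # too, so judge each entry by the DLL it resolves to and its signature status.
    if (-not (Test-Path -LiteralPath $HooksKey)) { return }
    foreach ($clsid in (Get-Item -LiteralPath $HooksKey).GetValueNames()) {
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -LiteralPath $serverKey) {
            $dll = (Get-ItemProperty -LiteralPath $serverKey).'(default)'
        }
        $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        $status = if ($path -and (Test-Path -LiteralPath $path)) {
            (Get-AuthenticodeSignature -FilePath $path).Status
        } else { 'DllMissing' }
        [pscustomobject]@{ Clsid = $clsid; Dll = $path; Signature = $status }
    }
}

function Get-IePopupAllowReport {
    # The IE popup-blocker allow list is per user, so walk every loaded hive under
    # HKEY_USERS. Spybot and the CFScript above show the entry can be a value or a
    # subkey named after the domain, so list both kinds.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }
        $allowKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\New Windows\Allow"
        if (-not (Test-Path -LiteralPath $allowKey)) { continue }
        $key = Get-Item -LiteralPath $allowKey
        foreach ($name in $key.GetValueNames())  { [pscustomobject]@{ Sid = $sid; Entry = $name; Kind = 'Value'  } }
        foreach ($name in $key.GetSubKeyNames()) { [pscustomobject]@{ Sid = $sid; Entry = $name; Kind = 'SubKey' } }
    }
}

function Get-ArtifactReport {
    # Report which of the thread's file/folder artifacts are still on disk.
    foreach ($item in $KnownArtifacts) {
        [pscustomobject]@{ Path = $item; Present = (Test-Path -LiteralPath $item) }
    }
}

Write-Host '== ShellExecuteHooks =='
Get-ShellExecuteHookReport | Format-Table -AutoSize
Write-Host '== IE New Windows\Allow entries per user hive =='
Get-IePopupAllowReport | Format-Table -AutoSize
Write-Host '== Artifacts from the CFScript =='
Get-ArtifactReport | Format-Table -AutoSize
```

An entry in the first table whose DLL is unsigned, missing, or sitting somewhere odd like a freshly created folder under system32 is the kind of thing to look at before and after the fix; a clean result in all three tables, taken after the reboot, is what the requested ComboFix and MGlogs logs would also be expected to show.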
     
  5. thobi2001

    thobi2001 Private E-2

    Hey there!

    I did everything you said and the trojan is gone! A friend of mine who knows a little bit about this stuff came around and also confirmed that nothing's there any more! :)

    Thanks a lot for your advice and especially for the hint with the Norton-Removal-Tool. I always had problems removing Norton Antivirus after the test period.

    Thanks again! And all the best!

    Tom
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should attach the requested follow up logs so we can be sure.
     
