Author Topic: Help cleaning up Trojan.Agent/Gen-Nullo[Short]  (Read 5322 times)

Offline rutabaga (Jr. Member, Posts: 11)
Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« on: February 08, 2013, 04:03:29 AM »
Hello, I was sent here by ravencajun on GardenWeb after posting http://ths.gardenweb.com/forums/load/comphelp/msg0218553429136.html?14 on the Computer Help forum.  I am susanjn on GardenWeb.

I have already run MalWareBytes and SuperAntiSpyware, and deleted what they found.

I have read the Log Posting Instructions and have the three logs described.  The instructions there say to paste the three logs here, but attach.txt says "unless specifically instructed, do not post this log".  So I'll wait until specifically instructed.

Thanks,
Susan

Offline MikeW (LzD Friends, Sr. Member, Posts: 374)
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #1 on: February 08, 2013, 06:49:43 AM »
Hi rutabaga,
Please go ahead and paste all the logs in your next reply.
Win 7 Home Premium  IE11 MSE Mbam Pro

Offline rutabaga (Jr. Member, Posts: 11)
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #2 on: February 08, 2013, 11:13:41 AM »

Offline MikeW (LzD Friends, Sr. Member, Posts: 374)
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #3 on: February 08, 2013, 02:18:48 PM »
Thanks.  Corrine will be by soon to advise you.

Offline R-C (LzD Friends, Hero Member, Posts: 2802, "Laissez les bons temps rouler!")
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #4 on: February 08, 2013, 04:14:00 PM »
Hi Susan, glad you made it over successfully.
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

Offline Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 15965, "Stronger than the past, united in our goal.")
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #5 on: February 08, 2013, 05:52:12 PM »
Thanks, Mike.  A little later than "soon".  All errands completed before much snow accumulation but it has been coming down steadily since 9AM this morning.  Trying to keep the path out the back for the dogs open.  Funny, the news reports keep showing the Boston, MA area and from what I see, it is a lot worse here. 

Hi, Susan.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Thank you for the link to your thread at GW.  Ravencajun (R-C here) gave me a heads up. 

I am pleased to see that you have changed your email password to a stronger one and are not using it at another site.  My suggestion, as you visit other sites where you used the same password, be sure to change the password.  Make the password at each place you have an account unique in some way, even if it is a minor adjustment to a base password.  For banking, credit card or any sites you make purchases or online bill payments, make those passwords completely unique and strong.

It is likely that MBAM took care of the malware, with SAS picking up tracking cookies.  Whatever SAS found in System Restore would have only been harmful if you restored to an infected restore point.

So, let's take care of the outdated, vulnerable software first and then we'll do some cleanup with ComboFix.

1.  Adobe Reader

I note that you have both an outdated, vulnerable version of Adobe Reader as well as Foxit installed.  Although it is your choice to have both, there really is no need.  If you need to keep Adobe Reader, please install the latest update from http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.  Be careful to uncheck the unneeded McAfee scan as well as any unneeded add-ons that may be offered with the update.

2.  Adobe Flash Player

A critical security update was released for Adobe Flash Player yesterday.  Please update both versions from the direct links below:

Non-IE (Opera, Firefox, Etc.):  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_plugin.exe
Flash Player For Internet Explorer 7, 8 & 9:  http://download.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_11_active_x.exe

3.  Java

Java seems to be a malware magnet.  Please consider whether you really need it installed on your computer.  Either uninstall it or update Java to the latest version, Java Version 7 Update 13.  Be sure to UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.  See Java, The Never-Ending Saga for instructions on disabling Java via the Java Control Panel and only enable it when it is needed.

4.  Please follow these instructions carefully.

Download ComboFix from here.

!!! IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray. 

Note:  If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum:  How to disable your security applications.

Now, please run ComboFix:
  • Note:  If infections are found, ComboFix will automatically reboot the machine to complete the removal process.  Please ensure all opened windows are closed before proceeding.
  • Double-click ComboFix.exe on your desktop and follow the prompts.
  • As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click "Yes" to continue scanning for malware.
  • When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline rutabaga (Jr. Member, Posts: 11)
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #6 on: February 08, 2013, 11:06:52 PM »
I uninstalled Adobe Reader and updated Foxit.
I updated Flash.
I updated Java and disabled it.  I have no idea if I ever use it.

I downloaded ComboFix to my desktop and ran it (after turning off MSE).  The computer rebooted and I was presented with a Microsoft web page telling me I had a blue screen error.

There is no c:/ComboFix.txt.  However, there is a folder called ComboFix that when clicked looks like My Computer in Windows Explorer.  I did a screen shot but don't know how to insert that here. Do I need to upload it to Photobucket or somewhere like that?

Thank you,
Susan


Offline Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 15965, "Stronger than the past, united in our goal.")
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #7 on: February 09, 2013, 12:23:01 AM »
Hi, Susan.  When you click on the Reply option (or preview the post if you use the Quick Reply box), click on Attachments and other options below the reply box.  From there you can browse to the screen copy, select it and post your reply.  It will be attached. 


Offline rutabaga (Jr. Member, Posts: 11)
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #8 on: February 09, 2013, 01:10:47 AM »
Screen shot of c:/combofix

Offline Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 15965, "Stronger than the past, united in our goal.")
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #9 on: February 09, 2013, 01:48:51 PM »
Hi, Susan.

What do you see if you click on the plus sign next to C:\Combofix?  Is there a folder for Qoobox?


Offline rutabaga (Jr. Member, Posts: 11)
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #10 on: February 09, 2013, 04:27:47 PM »
Wow.  Interesting.  I was about to tell you it was an infinite loop, but I drilled down a couple more layers:


Offline Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 15965, "Stronger than the past, united in our goal.")
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #11 on: February 09, 2013, 08:49:28 PM »
Hi, Susan.

That is really strange, Susan.  Before we go any further, please make sure everything is working correctly.


Offline rutabaga (Jr. Member, Posts: 11)
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #12 on: February 10, 2013, 12:25:10 AM »
Corrine,

Is there anything in particular that you'd like me to check?  I've been using the machine all day, and it seems to be working fine.

Thanks,
Susan

Offline Corrine (The Mystical Rose, Administrator, Hero Member, Posts: 15965, "Stronger than the past, united in our goal.")
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #13 on: February 10, 2013, 01:19:38 AM »
I think something would have shown up by now.  Please do an online scan.   (No hurry, I'll be shutting down in a couple minutes.)

Please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer.)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.


Offline rutabaga (Jr. Member, Posts: 11)
Re: Help cleaning up Trojan.Agent/Gen-Nullo[Short]
« Reply #14 on: February 10, 2013, 04:23:27 AM »
Corrine, here's the log from ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=8
# iexplore.exe=7.00.6000.17115 (vista_gdr.121029-1623)
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=b983bb85891d9740b2219356c3bfcba9
# engine=13113
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-02-10 06:14:37
# local_time=2013-02-10 12:14:37 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5892 16777213 88 94 10822386 13173049 0 0
# scanned=67570
# found=6
# cleaned=0
# scan_time=6773
sh=C02423884B82F50565A8AA2BE8F974E821760F18 ft=0 fh=0000000000000000 vn="Eicar test file" ac=I fn="C:\Documents and Settings\Susan\Local Settings\Temp\Av-test.txt"
sh=F53194FE335C1DF41F1BC945626206D3F844FA89 ft=1 fh=d05664838e1e7c7e vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\Susan\Local Settings\Temp\fox33.tmp\Foxit Reader en5.4.5.124(toolbar) Setup.exe"
sh=DE069B1F515C20517E8A2A54011ABD2D6711A7D6 ft=0 fh=0000000000000000 vn="Win32/OpenCandy application" ac=I fn="C:\Documents and Settings\Susan\Local Settings\Temporary Internet Files\Content.IE5\R030AT19\stubinst_pkg_en-us[1].cab"
sh=91EC186153FB33A4562204E4BE5631168C2BA206 ft=1 fh=eb969c333e6297d9 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\Susan\My Documents\Downloads\CuteWriter.exe"
sh=AC92E28269FBECA27F00EC0759C77D8AE1FBBA7D ft=1 fh=ed5561659328eb74 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\Documents and Settings\Susan\My Documents\Downloads\FoxitReader502.0718_enu_Setup.exe"
sh=80EC40B449844036AF4397EA6A83E6413B05FE1D ft=1 fh=0a2342e7b0e140db vn="probably a variant of Win32/Adware.Softomate.AD application" ac=I fn="C:\Documents and Settings\Susan\My Documents\My Archives\My Documents on Popcorn\Downloads\couponprinter.exe"
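As an added example (not code from this thread or from ESET), here is a small parser for the ESET Online Scanner log format posted above: it reads the `# key=value` header and the per-detection lines, checks that `found=` agrees with the number of entries and that nothing was removed, and buckets the verdicts so the EICAR test string and the "application"-class bundled-toolbar/adware hits are told apart from anything else. The embedded sample is constructed from three of the posted lines, and the "application" suffix rule is a heuristic based on those verdict strings, not an ESET definition.

```python
import re
from collections import Counter

# Constructed sample in the ESET Online Scanner log format posted above: "# key=value"
# header lines, then one line per detection (sh = SHA-1, vn = verdict, ac = action, fn = path).
SAMPLE_LOG = """\
# remove_checked=false
# scanned=67570
# found=3
# cleaned=0
sh=C02423884B82F50565A8AA2BE8F974E821760F18 ft=0 fh=0000000000000000 vn="Eicar test file" ac=I fn="C:\\Documents and Settings\\Susan\\Local Settings\\Temp\\Av-test.txt"
sh=91EC186153FB33A4562204E4BE5631168C2BA206 ft=1 fh=eb969c333e6297d9 vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="C:\\Documents and Settings\\Susan\\My Documents\\Downloads\\CuteWriter.exe"
sh=80EC40B449844036AF4397EA6A83E6413B05FE1D ft=1 fh=0a2342e7b0e140db vn="probably a variant of Win32/Adware.Softomate.AD application" ac=I fn="C:\\Documents and Settings\\Susan\\My Documents\\My Archives\\My Documents on Popcorn\\Downloads\\couponprinter.exe"
"""

# key=value pairs on a detection line; the value is either double-quoted or a bare token.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_eset_log(text):
    """Return (header dict, list of detection dicts); other lines (installer chatter) are ignored."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key] = value
        elif line.startswith("sh="):
            detections.append({k: q or b for k, q, b in PAIR_RE.findall(line)})
    return header, detections

def classify(verdict):
    """Bucket a verdict: EICAR test string, 'application'-class PUA/adware (heuristic), or other."""
    v = verdict.lower()
    if "eicar" in v:
        return "test-file"
    if v.endswith("application"):
        return "potentially-unwanted"
    return "other"

def summarize(text):
    """Cross-check the found= header against detection lines and count verdict classes."""
    header, detections = parse_eset_log(text)
    return {
        "found_matches_lines": int(header.get("found", -1)) == len(detections),
        "nothing_removed": header.get("remove_checked") == "false" and header.get("cleaned") == "0",
        "by_class": dict(Counter(classify(d["vn"]) for d in detections)),
        "paths": [d["fn"] for d in detections],
    }
```

Run `summarize(SAMPLE_LOG)` to see that the posted scan removed nothing (consistent with the "Remove found threats" box being unticked) and that every hit is either the test string or a PUA-class verdict.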