Trojan.Agent.FDP

I have Win 7 x64 and at some point my PC took 3 minutes to boot. I eventually found this trojan: Trojan.Agent.FDP and once I cleaned it the PC boots very fast. Does anyone know the profile and definition of this trojan? I would like to know what it does and what damage, if any, it has done to my PC. :cry:

Hi,

Go to the page here >> http://forum.avast.com/index.php?topic=53253.0

Follow the instructions for OTL, Malwarebytes and aswMBR and then attach the logs created to your next reply.

Malwarebytes got rid of it for me and now my PC boots much faster. :slight_smile:

You should still attach the logs requested, as there may be leftover files that need to be removed.

So attach the log from Malwarebytes so the experts can see what was removed,
and also the OTL and aswMBR logs to see if there are any leftover files.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.18.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
yiannis :: YIANNIS-PC [administrator]

4/18/2012 12:08:59 PM
mbam-log-2012-04-18 (12-08-59).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 483845
Time elapsed: 1 hour(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\yiannis\AppData\Local\TempImages\CheckVer104.exe (Trojan.Agent.FDP) → Quarantined and deleted successfully.

(end)

Hi,

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us,el-GR;q=0.5
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9D 2B 1B 70 25 57 CA 01  [binary data]
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..\SearchScopes,DefaultScope = {81BBD267-A0F1-4BC3-A3E7-E4981FE18C7E}
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?FORM=IEFM1&q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=100581
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://supertoolbar.ask.com/redirect?client=ie&tb=WBR&o=&src=crm&q={searchTerms}&locale={locale.underscore}
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..\SearchScopes\{59B569FA-7E2F-4222-96CC-E02CEE5026D5}: "URL" = http://search.yahoo.com/search?ei=utf-8&fr=vmn&type=vdio2&p={searchTerms}
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..\SearchScopes\{81BBD267-A0F1-4BC3-A3E7-E4981FE18C7E}: "URL" = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7SKPB_enGR352
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..\SearchScopes\{FFB9BBB9-26BE-4844-B622-FE065EA09877}: "URL" = http://www.dealio.com/products.html?kwd={searchTerms}
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
FF - prefs.js..browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..keyword.URL: "http://search.babylon.com/?AF=100581&babsrc=adbartrp&mntrId=10b21da80000000000000026186a3d58&q="
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O15 - HKU\S-1-5-21-4149854431-98036347-1619213294-1001\..Trusted Domains: christianforums.com ([www] http in Trusted sites)
[2012/04/15 12:52:08 | 000,022,528 | ---- | M] () -- C:\Users\yiannis\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[1 C:\Users\yiannis\*.tmp files -> C:\Users\yiannis\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
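As an added illustration (not part of this thread, of OTL, or of any tool named here): the IE SearchScopes and Firefox prefs.js lines in the fix above are what a search-provider hijack by the Babylon and Ask toolbars looks like in an OTL report. The checker below parses lines in that OTL format and flags any search entry whose domain is not in an allowlist of providers the owner actually chose; the sample lines, the shortened SID and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in the OTL report format; the Babylon, Ask and
# Dealio entries mirror the search-scope hijacks the fix in the thread removes.
SAMPLE_OTL_LINES = """
IE - HKLM\\..\\SearchScopes\\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\\S-1-5-21-1234\\..\\SearchScopes\\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=100581
IE - HKU\\S-1-5-21-1234\\..\\SearchScopes\\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://supertoolbar.ask.com/redirect?client=ie&q={searchTerms}
IE - HKU\\S-1-5-21-1234\\..\\SearchScopes\\{81BBD267-A0F1-4BC3-A3E7-E4981FE18C7E}: "URL" = http://www.google.co.uk/search?q={searchTerms}
IE - HKU\\S-1-5-21-1234\\..\\SearchScopes\\{FFB9BBB9-26BE-4844-B622-FE065EA09877}: "URL" = http://www.dealio.com/products.html?kwd={searchTerms}
FF - prefs.js..keyword.URL: "http://search.babylon.com/?AF=100581&babsrc=adbartrp&q="
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
"""

# Search providers the machine's owner actually chose (an assumption for this example).
EXPECTED_SEARCH_DOMAINS = {"bing.com", "google.com", "google.co.uk", "live.com", "yahoo.com"}

# "IE - <key>: "URL" = <url>" (OTL also prefixes 64-bit hive entries with "IE:64bit:")
IE_SCOPE_RE = re.compile(r'^IE(?::64bit:)? - (?P<key>\S+SearchScopes\\\{[^}]+\}): "URL" = (?P<url>\S+)')
# "FF - prefs.js..<pref>: "<url>"" for Firefox preferences that carry a URL
FF_PREF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.]+): "(?P<url>https?://[^"]*)"')


def registered_domain(url):
    """Reduce a URL to its registrable domain (crude eTLD+1, enough for this report)."""
    parts = (urlparse(url).hostname or "").split(".")
    # keep three labels for ccTLD second-level domains such as co.uk
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def find_search_hijacks(report_text, expected=EXPECTED_SEARCH_DOMAINS):
    """Return (location, domain) pairs for search entries that point at an unexpected provider."""
    findings = []
    for line in report_text.splitlines():
        m = IE_SCOPE_RE.match(line) or FF_PREF_RE.match(line)
        if not m:
            continue
        domain = registered_domain(m.group("url"))
        if domain not in expected:
            where = m.group("key") if "key" in m.groupdict() else "prefs.js " + m.group("pref")
            findings.append((where, domain))
    return findings


if __name__ == "__main__":
    for where, domain in find_search_hijacks(SAMPLE_OTL_LINES):
        print(f"unexpected search provider {domain} at {where}")
```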

Cross my fingers! :-X

Here is the MBR log which I forgot to attach previously! :cry:

Run a new scan with OTL and attach the new log. :slight_smile:

Here is the log file. I ran the quick scan, is that ok?

Hi,

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

[*]Please go here then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

[*]Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
[*]Select the option YES, I accept the Terms of Use then click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif

[*]When prompted allow the Add-On/Active X to install.
[*]Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:

[*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology

[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif

[*]The virus signature database… will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
[*]When completed the Online Scan will begin automatically.
[*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
[*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
[*]Now click on:
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif

[*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
[*]Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

In your next reply please attach the logs made by Malwarebytes and ESET. :slight_smile:

I will post the logs on the next post. Since running the fix I am having the following problem which has me stumped: All links and shortcuts that should open Firefox now open Office WORD??? :frowning:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.20.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
yiannis :: YIANNIS-PC [administrator]

4/20/2012 10:00:27 AM
mbam-log-2012-04-20 (10-00-27).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 485233
Time elapsed: 44 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Took 4 hours to complete ESET scan. Results posted on next post :smiley:

I am surprised that even after a boot and full scan, Avast did not detect them!

F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 297.zip a variant of Win32/Keygen.BH application
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 300.zip a variant of Win32/Server-Web.HFS.A application
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 61.zip a variant of Win32/Agent.SZW trojan
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 67.zip a variant of Win32/Server-Web.HFS.A application
F:\YIANNIS-PC\Backup Set 2011-06-26 115653\Backup Files 2011-06-26 115653\Backup files 3.zip a variant of Win32/Agent.SZW trojan
F:\YIANNIS-PC\Backup Set 2011-12-07 203945\Backup Files 2011-12-07 203945\Backup files 3.zip a variant of Win32/Agent.SZW trojan
F:\YIANNIS-PC\Backup Set 2012-03-16 160752\Backup Files 2012-03-16 160752\Backup files 8.zip a variant of Win32/Agent.SZW trojan

Hi,

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:Files
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 297.zip   
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 300.zip  
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 61.zip   
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 67.zip  
F:\YIANNIS-PC\Backup Set 2011-06-26 115653\Backup Files 2011-06-26 115653\Backup files 3.zip   
F:\YIANNIS-PC\Backup Set 2011-12-07 203945\Backup Files 2011-12-07 203945\Backup files 3.zip   
F:\YIANNIS-PC\Backup Set 2012-03-16 160752\Backup Files 2012-03-16 160752\Backup files 8.zip

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 297.zip moved successfully.
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 300.zip moved successfully.
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 61.zip moved successfully.
F:\YIANNIS-PC\Backup Set 2011-06-19 124342\Backup Files 2011-06-19 124342\Backup files 67.zip moved successfully.
F:\YIANNIS-PC\Backup Set 2011-06-26 115653\Backup Files 2011-06-26 115653\Backup files 3.zip moved successfully.
F:\YIANNIS-PC\Backup Set 2011-12-07 203945\Backup Files 2011-12-07 203945\Backup files 3.zip moved successfully.
File\Folder F:\YIANNIS-PC\Backup Set 2012-03-16 160752\Backup Files 2012-03-16 160752\Backup files 8.zip not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData
->Temp folder emptied: 0 bytes

User: CURRENT_USER
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: yiannis
->Temp folder emptied: 86801681 bytes
->Temporary Internet Files folder emptied: 4950632 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 317341615 bytes
->Flash cache emptied: 1470 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 8405015 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 398.00 mb

I just don’t know how to thank you for your help and time spent helping me. THANK YOU! :slight_smile:

I just don't know how to thank you for your help and time spent helping me. THANK YOU!
Your thanks is enough. :)

When you ran OTL for the first time there should have been another log created named Extras.txt. Could you attach that please?

How is your system running?

System running strangely at times. I am not sure what it is but I keep hoping that with many reboots it will calm down. Search is weird to say the least and boot times vary so much that I am not sure what is going on. I have checked the integrity of the HDDs and they pass. I am very surprised that Avast missed these infections. Anyway as a long time fan of Avast I will continue to use it. Once more thank you!