Trojan.Dropper.PGen and Trojan.Agent.Gen-Start Page found, assistance requested

MalwareBytes has noted a Trojan.Dropper.PGen on my machine, and SUPERAntiSpyware has noted Trojan.Agent.Gen-Start Page on my machine, both from an OTL.exe downloaded from wwx.bleepingcomputer.com. The actual file detected is -OTL.exe.part (Trojan.Dropper.PGen). I renamed it with “-” when the detection happened.

Avast (avast! Free Antivirus, Program version: 8.0.1489, Virus definitions version 130715-1) has not caught this. I cannot find the Explorer path where Avast scan file logs are kept so I cannot export and deliver them to you.

Since I downloaded OTL.exe from bleepingcomputer, both Chrome and Firefox are redirecting Google Search to another location.

I have done no removal or quarantine yet. MalwareBytes and SUPERAntiSpyware are open, waiting for a decision.

I am running Windows 7 64-bit. This is a newly formatted drive. I did several scans with Malwarebytes, SuperAntiSpyware, and Windows Defender with clean results yesterday. I also did a boot scan this morning with Avast with no detections. This started happening when I downloaded OTL.exe from bleeping computer today.

Attached are my Malwarebytes and SuperAntiSpyware logs from today. Any assistance is appreciated.

Hi,

Files Detected: 2
C:\Users\Jonathan\Desktop\Diagnostics\Virus-Malware Scanning-OTL.exe.part (Trojan.Dropper.PGen) → No action taken.
C:\Users\Jonathan\Desktop\Diagnostics\Virus-Malware Scanning-_O_T_L.exe.part (Trojan.Dropper.PGen) → No action taken.

This is an incomplete download. For that reason MBAM detects OTL using heuristics. This is a FP.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
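Why a half-finished download gets flagged: a `.part` file keeps its complete DOS/PE headers (the download starts at the front), but the section table in those headers promises raw data that lies past the end of the file, and a scanner's heuristics see an executable whose headers and body disagree. The following is an added example, not code from this thread or from any of the tools named in it: a Python PE parser that compares the section table against the actual byte count, run on a constructed PE32 image (not a real OTL binary; the `.s0`/`.s1` section names and sizes are made up for the demo) that is then cut short the way an interrupted transfer would cut it.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"


def build_pe_image(section_sizes=(0x400, 0x200)):
    """Build a minimal PE32 image in memory (constructed test input, not a real program).

    Headers are padded to a 0x200-byte FileAlignment and each section's raw data
    follows in order, so the section table exactly describes the file's length.
    """
    num_sections = len(section_sizes)
    optional_size = 0xE0  # PE32 optional header
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, num_sections, 0, 0, 0, optional_size, 0x0102)
    optional = bytearray(optional_size)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    headers_end = 0x40 + 4 + 20 + optional_size + SECTION_HEADER_SIZE * num_sections
    size_of_headers = (headers_end + 0x1FF) & ~0x1FF
    sections = bytearray()
    raw_ptr = size_of_headers
    for i, size in enumerate(section_sizes):
        name = f".s{i}".encode().ljust(8, b"\0")
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        sections += name + struct.pack("<IIIIIIHHI", size, 0x1000 * (i + 1), size, raw_ptr,
                                       0, 0, 0, 0, 0x60000020)
        raw_ptr += size
    image = dos + b"PE\0\0" + coff + optional + sections
    image += b"\0" * (size_of_headers - len(image))
    image += b"\xCC" * sum(section_sizes)  # section bodies: int3 filler
    return bytes(image)


def check_pe_truncation(data):
    """Compare the PE section table with the actual byte count.

    A download that stopped early keeps its intact headers but lacks the tail of
    the section data; this reports how many bytes the headers say should exist.
    """
    result = {"valid_header": False, "expected_min_size": None,
              "actual_size": len(data), "truncated": False, "missing_sections": []}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    _, num_sections, _, _, _, optional_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, e_lfanew + 4)
    table = e_lfanew + 24 + optional_size
    table_end = table + SECTION_HEADER_SIZE * num_sections
    if table_end > len(data):
        # the file ends inside the section table itself
        result.update(truncated=True, expected_min_size=table_end)
        return result
    result["valid_header"] = True
    expected = table_end
    for i in range(num_sections):
        off = table + SECTION_HEADER_SIZE * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        end = raw_ptr + raw_size
        expected = max(expected, end)
        if end > len(data):
            result["missing_sections"].append(name)
    result["expected_min_size"] = expected
    result["truncated"] = expected > len(data)
    return result


def demo():
    full = build_pe_image()
    partial = full[:-0x300]  # simulate a transfer that stopped 768 bytes early, like a .part file
    return check_pe_truncation(full), check_pe_truncation(partial)


if __name__ == "__main__":
    for label, report in zip(("complete", "truncated"), demo()):
        print(label, report)
```

To use it on a real file, pass `open(path, "rb").read()` to `check_pe_truncation`. The check only tells incomplete from whole; a file that passes it is not thereby clean, so the right follow-up for a flagged download is still to delete the `.part` file, download again from the publisher's page and compare the hash the publisher lists.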

It is not uncommon for these tools to be detected by other anti-malware tools… Avast has detected OTL several times as well.

try this download… same result?
http://forum.avast.com/index.php?topic=53253.0

Not the same result with OTL.exe downloaded from the link you provided. Scanned clear and ran.

Malwarebytes deleted the previous Trojan OTL files. Note that there are many comments regarding Trojan-infected files from bleeping computer.

Here is the OTL log from the version you sent me.

Please note that in regard to system behavior, Firefox and Chrome are redirecting Google Search to another page. Also, my computer just completely froze up and I restarted in Safe Mode with Networking.

Hello magna86,

I uploaded several malware/virus detection programs that I downloaded from bleeping computer to Virus Total website and 7 out of 10 were listed by three or more malware detection services as having some kind of virus/malware. I’m not sure what it all means.

Do you have another reliable link to Farbar Recovery Scan Tool other than bleeping computer?

Thank you.

Here are the Farbar Recovery Scan Tool Logs. The scan was done while in Safe Mode.
Thank you for your help.

I don’t know if this is important, but there is a Temporary Internet Files folder that won’t let me in (read only, hidden) to see what is there. It has 860 files and 20 folders. C:\Users\Jonathan\AppData\Local\Microsoft\Windows\Temporary Internet Files. Again, thank you for your assistance.

Please note that in regard to system behavior, Firefox and Chrome are redirecting Google Search to another page. Also, my computer just completely froze up and I restarted in Safe Mode with Networking.
Run AdwCleaner and attach the log: http://forum.avast.com/index.php?topic=53253.0

magna86 will be back later today and check the logs

Here is the AdwCleaner log. I am holding off on rebooting from AdwCleaner (the directions say to reboot) till you give me the OK.

yes, it only removes browser crap, nothing important. :wink:

did your redirect problem go away?

Yes, the redirect for google search went away. I am now in Windows 7 normal mode.

-What is our next step: Should I rescan with the software I used for our process here? I’m going to shred the suspicious virus/malware programs I downloaded.

-Also, what software do you recommend, free or paid, that will scan every file during download for virus or malware? Avast Browser Integration Security Plugin is already plugged into all my browsers. Other software recommendations are much appreciated. Prevention is my goal.

-Before I click on any search engine URL, I scan the URL with one or two of several URL scanners. Which URL scanner do you find is the most accurate? It is WOT (which I did not check) that gives the heads up for bleepingcomputer.com (not that I don’t appreciate what they do) and grusskartencenter.com.

-I’d like to start learning about all these virus/malware issues. Can you direct me to place where I can start learning the fundamentals step-by-step? Then, later, I can help other people with these problems. I’ll start reading this forum regularly, also.

Hi,

Is this your personal computer, or a computer that is a member of a server domain?

Please note that in regard to system behavior, Firefox and Chrome are redirecting Google Search to another page.
To which page are you being redirected?
I uploaded several malware/virus detection programs that I downloaded from bleeping computer to Virus Total website and 7 out of 10 were listed by three or more malware detection services as having some kind of virus/malware. I'm not sure what it all means.
Do you have another reliable link to Farbar Recovery Scan Tool other than bleeping computer.

All tools downloaded from Bleeping's official download page are legitimate and valid tools.

I don't know if this is important, but there is a Temporary Internet Files folder that won't let me in (read only, hidden) to see what is there. It has 860 files and 20 folders. C:\Users\Jonathan\AppData\Local\Microsoft\Windows\Temporary Internet Files.

It does not matter what’s inside. These files are used by Windows. TFC will look at and clean those temp folders if needed.

Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Here is the AdwCleaner log. I am holding off on rebooting from AdwCleaner (the directions say to reboot) till you give me the OK.

Dude, please relax, there’s no reason to panic and allow AdwCleaner to restart the computer.

=================================

Please download Shortcut Cleaner from here:
http://www.bleepingcomputer.com/download/shortcut-cleaner/

Run the tool, follow instructions and attach here created logs.

======== THEN =========

Additional Check:

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

It is WOT (which I did not check) that gives the heads up for bleepingcomputer.com (not that I don't appreciate what they do) and grusskartencenter.com.

I would never put WOT on my own computer. Avast AV has a similar module that may also do the job.

Here is the TDSSKiller.exe log.

I was being redirected to www.grusskartencenter.com.

TFC.exe is still downloading after more than an hour - must be in high demand.

There is much discussion, pro and con, on the web about malware being distributed through bleepingcomputer.com. I don’t know what to believe. I try to arrive at a correlation between possible causes and possible effects (symptoms) within a narrow time frame of actions, based on experience, empirical evidence and anecdotal evidence. Analysis, at varying levels of accuracy, is one of my interests. What caused this problem from a systems point of view, and how can I avoid or solve it in the future?

I am now relaxing, allowing my Central Nervous System (also known as CPU, BUS, RAM, ROM, Virtual Memory, etc.) to go into sleep mode (but not hibernate mode - must stay aware, must define problems and find solutions).

Your help is greatly appreciated. Call on me anytime.

For anyone, don’t click on the link I provided above at wxw.grusskartencenter.com. I forgot to add an x to the URL.

The domain for grusskartencenter isn’t malicious, but it’s expired hosting. I don’t see any malware traces. Let’s go for an extra check:

Please download zoek.exe from here or here and save it to your Desktop.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this instruction.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

emptyclsid;
filesrcm;
startupall;
iedefaults;
emptytemp;
firefoxlook;
chromelook;
autoclean;

  1. Save notepad as zoekscript.txt

http://www.mcshield.net/personal/magna86/Images/zoekscript_big.gif

[*]Close all browser windows.

Referring to the screenshot above, drag zoekscript.txt into zoek.exe.
Zoek will run. When finished, it will produce a zoek-results.log for you.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Please attach it to your reply.

Here is the Zoek log.

I am now relaxing, allowing my Central Nervous System (also known as CPU, BUS, RAM, ROM, Virtual Memory, etc.) to go into sleep mode (but not hibernate mode - must stay aware, must define problems and find solutions).

;D

Please answer my question.


[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this instruction.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

resethosts;
C:\Windows\version;vs
ipconfig /flushdns >> %temp%\log.txt;b
resetIEproxy;
FFdefaults;
about-addons-memory@tn123.org.xpi;ff
redirectcleaner@example.net.xpi;ff
chrdefaults;
emptyalltemp;

  1. Save notepad as zoekscript.txt

http://www.mcshield.net/personal/magna86/Images/zoekscript_big.gif

[*]Close all browser windows.

Referring to the screenshot above, drag zoekscript.txt into zoek.exe.
Zoek will run. When finished, it will produce a zoek-results.log for you.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Please attach it to your reply.

How is your computer running now?
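The second script above resets the hosts file, flushes the DNS cache, resets the IE (WinINet) proxy and restores Firefox and Chrome defaults; those are the places a search redirect is normally wired in, and reading them before resetting them tells you which one was actually touched. The following is an added example and not part of this thread or of zoek: a Python triage that inspects the three places the script resets, run here on constructed samples (the hosts entries, the proxy values and the prefs.js lines are made up; `search.example.net`, `pac.example.net` and the 203.0.113.x addresses are documentation placeholders, not the site the poster was redirected to). On a real Windows 7 machine the inputs are `%SystemRoot%\System32\drivers\etc\hosts`, the `ProxyEnable`, `ProxyServer` and `AutoConfigURL` values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`, and `prefs.js` in the Firefox profile folder.

```python
import ipaddress
import re

# Hosts-file names whose presence is a red flag either way: pointed at a foreign
# address (search redirect) or at loopback (blocking an anti-malware vendor).
WATCHED_HOSTS = {
    "google.com", "www.google.com", "www.bing.com", "duckduckgo.com",
    "www.malwarebytes.org", "www.bleepingcomputer.com", "www.avast.com",
}

# Firefox prefs that decide where a search or the first page load goes, and
# which proxy the browser silently uses; restoring Firefox defaults puts these
# back to stock values.
WATCHED_PREFS = {
    "keyword.URL", "browser.search.defaultenginename", "browser.startup.homepage",
    "network.proxy.type", "network.proxy.autoconfig_url", "network.proxy.http",
}

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);$')


def check_hosts(hosts_text):
    """Return (name, ip, kind) for every watched hostname found in a hosts file."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an override
        for name in names:
            if name.lower() in WATCHED_HOSTS:
                kind = "blocked" if addr.is_loopback else "redirect"
                findings.append((name.lower(), ip, kind))
    return findings


def check_proxy(settings):
    r"""settings: the WinINet values from HKCU\...\Internet Settings, as a dict."""
    findings = []
    if settings.get("ProxyEnable") == 1 and settings.get("ProxyServer"):
        findings.append(("ProxyServer", settings["ProxyServer"]))
    if settings.get("AutoConfigURL"):
        # a PAC script can route any URL, including search, wherever it likes
        findings.append(("AutoConfigURL", settings["AutoConfigURL"]))
    return findings


def check_firefox_prefs(prefs_text):
    """Return (pref, value) for watched prefs explicitly written in prefs.js."""
    findings = []
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in WATCHED_PREFS:
            findings.append((m.group(1), m.group(2).strip('"')))
    return findings


def triage(hosts_text, proxy_settings, prefs_text):
    return {
        "hosts": check_hosts(hosts_text),
        "proxy": check_proxy(proxy_settings),
        "firefox": check_firefox_prefs(prefs_text),
    }


# --- constructed samples (not the poster's real files) ---------------------
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
203.0.113.10    www.google.com google.com
"""
SAMPLE_PROXY = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080", "AutoConfigURL": ""}
SAMPLE_PREFS = """user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("extensions.lastAppVersion", "22.0");
user_pref("keyword.URL", "http://search.example.net/?q=");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://pac.example.net/proxy.pac");
"""

if __name__ == "__main__":
    for area, hits in triage(SAMPLE_HOSTS, SAMPLE_PROXY, SAMPLE_PREFS).items():
        print(area, hits)
```

The hosts check deliberately reports loopback entries too: a hosts line that sends an anti-malware vendor to 127.0.0.1 does not redirect anything, but it is as much a sign of tampering as one that sends google.com elsewhere. A hit in the proxy or PAC settings explains a redirect that survives a clean hosts file and a fresh DNS cache, because the rewrite happens after both.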

This is my personal computer.

Attached is zoek-results2.log

I am still running the computer through its paces. So far, so good. You’re great.

I noticed that the redirect blocker add-in in firefox has been removed. Was that a problem add on? Should I avoid it?