Win32:Agent-MJG[Drp]

system · November 30, 2007, 9:23pm

Howdy,

Upon starting one of our computers this morning, Avast detected that a malware dropper, Win32:Agent-MJG, had infected a few of our startup programs. While running a boot-time scan, it found more similarly infected files throughout the drive, including several in the Windows/ and System Volume Information/ directories.

I moved all 29 infected files to the chest as suggested. Everything now appears to be working fine, and a subsequent scan revealed no more infected files. Hurray!

So, I guess my question is: now what?

Sorry for the ignorance, but where do I go from here? As long as everything continues to function properly, should I just assume that the issue has been resolved? Are there any further steps I should take?

Any suggestions or feedback is appreciated. Thanks!

Ron

Lisandro · November 30, 2007, 9:28pm

I suggest:

Disable System Restore and reenable it after step 3.
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on.
Use AVG Antispyware; SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
Immunize your system with SpywareBlaster or Windows Advanced Care.
Check if you have insecure applications with Secunia Software Inspector.

Ron, asking for learning… where is the ignorance? There isn’t. You’re on the right place to learn.

system · December 1, 2007, 12:16am

Excellent. Thanks for your help. Everything seems to be in order.

I’ve included the HijackThis log below.

Thanks again!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:46 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\blwin32\blw110.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\WWB\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipage.ingrambook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (User ‘Default user’)
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108603196358
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187056308078
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

–
End of file - 5953 bytes

DavidR · December 1, 2007, 12:30am

Your JAVA is way out of date and could be exploited.

Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware. First remove All Older Versions From Add/Remove Programs.

Then get the latest update from here http://www.java.com/en/download/index.jsp

Or JRE version 6 update 3 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

You don’t appear to have an active firewall, what is your firewall ?

FIX in HJT
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Suspect/Unknown (do you know it ?):
C:\blwin32\blw110.exe

Upload the file to VirusTotal - Multi engine on-line virus scanner and report the findings here. If multiple detections on VT send the sample to virus@avast.com zipped and password protected with the password in email body and undetected malware in the subject.

A google search on the above file name returns zero hits

Other than that I don’t see anything obvious.

oldman960 · December 1, 2007, 12:42am

Follow DavidR’s advice annd do you recognize these?

*.doginhispen.com
*.whataboutadog.com

system · December 1, 2007, 12:58am

Thanks, David.

Not sure how the JAVA got so out of date on that computer. I’ll get that taken care of.

I’m not sure what to do with this, though I recognize the myway component as unwanted.

The blwin32 is legit. It’s the client app for Booklog, our point-of-sale and inventory system.

Thanks again for the help. It’s much appreciated.

Ron

system · December 1, 2007, 1:06am

I don’t recognize either of those, but I’ll check with the other users.

DavidR · December 1, 2007, 1:14am

OK, run hijackthis again, just the scan element not creation of log, once this is done close any open windows other than HJT.
Look for the entries I said to fix and tick the box to the left of the entry.
Now click the Fix Selected button at the bottom of the window.

That should make a back-up of the changes made and remove these entries from the registry.

The question oldman asks about, trusted sites
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com

I see what he is getting at as they appear to be associated with a trojan, Downloader.Agent.awf, probably something already dealt with by avast. So if ‘you’ didn’t add these to your trusted zone, which I doubt, add these entries to the ones you fix.

system · December 1, 2007, 1:26am

Ah, got it. I’ve fixed all four of those items. No one recognized either of those domains.

Thanks again.

system · December 1, 2007, 1:39am

Hi “Travel” :

  Dell puts a definite Adware, and possibly spyware program on their
  computers called "My Way" ; there is Info in the Dell Support Forums 
  about removing this at :
  http://www.dellcommunity.com/supportforums/board/message?board.id=si_virus&message.id=42328 .

  I recommend you do so .

  P.S. And you should seriously consider "replacing" the increasingly vulnerable
  Adobe Reader with the slimmer Foxit Reader; I did so some months ago .

Win32:Agent-MJG[Drp]

Announcements