8 replies to this topic

[yenooc]

I have Malwarebytes' Anti-Malware 1.36. It has been repeatedly finding a Trojan.Agent in a folder called A on our computer. It does not name a specific file in that folder that is infected. Here is the text of the most recent log file:

Malwarebytes' Anti-Malware 1.36
Database version: 2036
Windows 5.1.2600 Service Pack 3

4/24/2009 2:02:44 PM
mbam-log-2009-04-24 (14-02-44).txt

Scan type: Quick Scan
Objects scanned: 81846
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\A (Trojan.Agent) -> Delete on reboot.


I have run SuperAntiSpyware and Zone Alarm Anti-Virus and Anti-Spyware, and none of those programs find this Trojan. Malwarebytes Anti-Virus does not find this Trojan when run in Safe Mode, only in regular mode. I have cleared all system restore points, I have disabled Zone Alarm so it will not run on reboot and I have run Malwarebytes' Anti-Malware and rebooted into regular mode when Malwarebytes' Anti-Malware finds this Trojan, but it is still there.

It confuses me that Malwarebytes' Anti-Malware does not name a specific file in the folder as being infected with this Trojan. Is this normal? Is this a false positive? Any help anyone can give would be much appreciated.

[deathtospyware]

I had almost the same experience earlier this year and tracked it down to a corrupted file. This may not be the case for you but it can't hurt to try running chkdsk c: /f from the command prompt and rebooting to let chkdsk do it's thing. After reboot run MBAM again and check the results. Just a thought.

[yenooc]

deathtospyware, on Apr 24 2009, 08:10 PM, said:

I had almost the same experience earlier this year and tracked it down to a corrupted file. This may not be the case for you but it can't hurt to try running chkdsk c: /f from the command prompt and rebooting to let chkdsk do it's thing. After reboot run MBAM again and check the results. Just a thought.

Thank you for the suggestion. I want to try it, but am not sure how long it will take. My hard drive is 1.5 terabytes, and looking around on the Microsoft site, the best estimate I can find is "running CHKDSK can take anywhere from a few seconds to several days, depending on your specific situation". Microsoft also says "Warning Microsoft does not recommend interrupting the chkdsk process when it is used with the /f switch. Microsoft does not guarantee the integrity of the disk if the chkdsk program is interrupted." So, I am a little nervous that I could start chkdsk, and it would run for days. I wish I had a better idea of how long it would take, it sounds like a great idea to run it.

[deathtospyware]

yenooc, on Apr 24 2009, 11:28 PM, said:

Thank you for the suggestion. I want to try it, but am not sure how long it will take. My hard drive is 1.5 terabytes, and looking around on the Microsoft site, the best estimate I can find is "running CHKDSK can take anywhere from a few seconds to several days, depending on your specific situation". Microsoft also says "Warning Microsoft does not recommend interrupting the chkdsk process when it is used with the /f switch. Microsoft does not guarantee the integrity of the disk if the chkdsk program is interrupted." So, I am a little nervous that I could start chkdsk, and it would run for days. I wish I had a better idea of how long it would take, it sounds like a great idea to run it.

I have found chkdsk to be like anything else, the more files it has to check the longer it takes. The free space check is usually pretty fast. It took chkdsk 2 hours to scan a corrupted 80 gig USB drive but only 1 hour to check my 320 gig SATA drive. If it's just a few file corruptions chkdsk is realitively quick, if it's bad sectors it can take a long, long time. Given the size of your drive I would expect anywhere from 4-8 hours depending on the amount of data you have. If Windows hasn't flagged it for checking it's probably not bad sectors but just a few corruptions that Windows doesn't care about if they aren't system files.

[yenooc]

deathtospyware, on Apr 26 2009, 08:14 AM, said:

I have found chkdsk to be like anything else, the more files it has to check the longer it takes. The free space check is usually pretty fast. It took chkdsk 2 hours to scan a corrupted 80 gig USB drive but only 1 hour to check my 320 gig SATA drive. If it's just a few file corruptions chkdsk is realitively quick, if it's bad sectors it can take a long, long time. Given the size of your drive I would expect anywhere from 4-8 hours depending on the amount of data you have. If Windows hasn't flagged it for checking it's probably not bad sectors but just a few corruptions that Windows doesn't care about if they aren't system files.

Thank you for your detailed and thoughtful response. I am planning to try chkdsk at some point soon, that is a very good idea!

[deathtospyware]

One thing I forgot to mention is that if you try to access the folder/file in Windows explorer and it gives you an access violation error or any other access error is a good sign the folder/file could be corrupted, but not always. It could be locked by the system also. In your case look for a file or folder named A in the root C:\. If you don't see it try showing hidden files and see if it appears. If not then the problem won't be solved by chkdsk and perhaps someone else can further assist you.

[AdvancedSetup]

If you need assistance with Malware removal please post as shown below. We do not work on logs in the General forum.

Hello and Welcome to Malwarebytes.org

If you're having Malware related issues with your computer that you're unable to resolve.

• Please read and follow the instructions provided here: I'm infected - What do I do now?
  
• If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  
• When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

• Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  
• Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  
• Using these other tools often makes the cleanup task more difficult and time consuming.
  
• If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  
• Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  
• There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review

• NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

[yenooc]

deathtospyware, on Apr 26 2009, 01:32 PM, said:

One thing I forgot to mention is that if you try to access the folder/file in Windows explorer and it gives you an access violation error or any other access error is a good sign the folder/file could be corrupted, but not always. It could be locked by the system also. In your case look for a file or folder named A in the root C:\. If you don't see it try showing hidden files and see if it appears. If not then the problem won't be solved by chkdsk and perhaps someone else can further assist you.

Thank you for your further thoughts on this issue, deathtospyware.

I am not getting any access errors (thank goodness). There is a folder called "A" on the C drive, it is user-created. What is confusing me is that no file in that folder is named as being the source of the virus, and there are many many files in the A folder.

[AdvancedSetup]

Your best bet to clean the system is to post in the HJT forum as posted above where someone with experience in this area will be happy to assist you.