Problem with a trojan

I’ve got a real problem lately with this TrojWare.Win32.Downloader.Agent.~AJK@1582157.
I can’t get rid of it.
I scanned with Comodo several times; it always finds something but can’t permanently erase it.

What should I do?

If you think it’s safe, add it via “Ignore > Add to My Own Safe Files”.

Else, check with “www.virustotal.com”.

Alternately, submit the file to comodo for analysis.

Umm, I think I wrote it wrong.
I meant it deletes some files with this trojan, but it finds another one after about 30 minutes, and it can find around 20 files a day like this.

I’m asking how to get rid of this bug, because although I scan the system it stays somewhere.

Follow What to do if you’re infected - eXPerience Rev.2 and report back to us.

Here is my log from HijackThis. I scanned my computer with SUPERAntiSpyware Free Edition (which removes some spyware) and Malwarebytes’ Anti-Malware (which can’t delete some bad registry entries that block my Task Manager and Registry Editor). Oh right, I can’t use Task Manager or Registry Editor; the pop-up says it’s been blocked by my administrator.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:45:59, on 2009-06-05
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKCU..\Run: [AlcoholAutomount] “C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” /automount
O4 - HKCU..\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [uTorrent] “C:\Program Files\uTorrent\uTorrent.exe”
O4 - HKCU..\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199973358198
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe


End of file - 7298 bytes

And here is the log from MBAM:

Malwarebytes’ Anti-Malware 1.37
Database version: 2232
Windows 5.1.2600 Dodatek Service Pack 3

2009-06-05 17:59:15
mbam-log-2009-06-05 (17-59-15).txt

Scan type: Quick Scan
Objects scanned: 88172
Time elapsed: 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

If you are the administrator and didn’t set this yourself, you should place a check against this item in HijackThis:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Then press ‘Fix Checked’.

Hopefully this is what is preventing the removal of the malware.

If you are not the administrator you should ask them first.

I tried to remove it with HijackThis, but when I scan again it’s still there. Same with MBAM: it finds the bad registry entries, I try to remove them, but after reboot it still doesn’t work.
And I have the administrator account.

You could try this, but I have no personal experience of it so at your own risk:

http://www.dougknox.com/security/scripts_desc/regtools.htm

I wonder if someone managed to fight off this intruder. Like with the thread opener, Comodo reports this TrojWare.Win32.Downloader.Agent.~AJK[at]1582157 as being present. But the thing is, it reports the virus in some exe files in the Temp folder of my user which try to load themselves into memory, BUT not all of them. So some of the exes do manage to load, and with the Task Manager disabled I have to kill them either from the command line (with the /f option, otherwise it’s locked!) or with third-party software (like Process Explorer). Never mind these exes though; they try to mine information, but the real problem is that something downloads them as soon as I connect to the Internet, and Comodo never identifies this activity (i.e. some process trying to connect to some host and download stuff). I’ve scanned with HijackThis but there are no suspicious files set to run when the system starts, and there are also no suspicious processes running other than the aforementioned exe files which I kill. The fact that trying to go into safe mode results in an error and an immediate restart leads me to believe that some system files might have been tampered with by this virus. I believe I got infected when a friend of mine put his USB flash drive into my computer…
PS: I’ve also tried Spybot S&D and SUPERAntiSpyware, and they didn’t eliminate the culprit either.

Please also try running Bitdefender. The tutorial has been updated to What to do if you’re infected - eXPerience Rev.3

It sounds like there may be some cloaking going on (rootkit). If scanning with Bitdefender does not work, you can try the anti-rootkit tool GMER, http://www.gmer.net/ . It is a bit of a Spartan tool.

Malwarebytes' Anti-Malware 1.37 and Database version: 2232
Malwarebytes is now at version 1.38 and database 2407

An alternative is to try the Avira free version; it has a 99% detection rating.

Also, after updating the AV software, I would run it in Windows “safe mode”.
You can access safe mode by doing this (for most computers):
1) Shut down the computer
2) Power on the computer
3) The second you power up the computer, keep hitting the “F8” key until a new screen comes up
4) When the new screen comes up, go to “Start in Safe Mode” (NO NETWORKING)
5) Run Malwarebytes 1.38 and remove infections
6) Then run Avira and clean what it finds
7) Repeat steps 5 and 6 again to make sure none of it comes back
8) Log off the computer and restart in normal mode
9) If everything is fine, delete all the “system restore backups” and create a new one

Hope this helps :-TU

Well, I was about to write some stuff about how undetectable this thing is, but since Comodo regularly detects mipmkn.sys as unknown malware, and I delete it and then it is there again upon restart, I’ve checked the DDS log and noticed a service named dabp470n5 which is apparently part of a virus: http://www.threatexpert.com/report.aspx?md5=b686d6cb14895dbe672411d1f4f13cef. It worries me that it could be some newer modification than the one I’ve linked, but still I will try to clean it. But with so many deleted registry keys it won’t be easy even if it is the correct virus :(

Try searching the registry for mipmkn.sys and dabp470n5 and see if you find references to other file(s); they may be protector files.

When you can find processes with Process Explorer you can suspend them. That will allow you to erase them on disk and to erase the registry keys.

If that doesn’t help, try the mentioned rootkit scanner GMER.

Well, it seems as if it really is that virus, but I still can’t clean it. I can’t search through the registry because it’s disabled along with Task Manager, and the virus is persistent, so when I change something in its settings it changes it back in a matter of seconds. With GMER I can browse through some part of the registry, but it’s very limited. I scanned online with Bitdefender and it cleaned a lot of files (about 600) infected with this Win32.Sality.OG, but as the infection is apparently still active in the system this isn’t a lot of good. The virus also deletes the [BootSafe] registry keys, so when I try to go into safe mode it BSoDs. This is getting pretty irritating >:(
PS: There is even a thread about this virus in this very subforum, but I believe Comodo still has problems detecting it, as the thread is from 14 June and I’ve come to the conclusion that the infection occurred 15 June at 10:20 PM (although, to be honest, it’s not me who is maintaining this computer, so the anti-virus definitions may not have been updated).
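Added example, not from the thread or from any of the tools it mentions: a PowerShell audit of the registry settings the MBAM log above reported (DisableRegistryTools, DisableTaskMgr and the three Security Center DisableNotify values) plus a check that the SafeBoot lists exist, since the posts describe Safe Mode crashing and policy values being flipped back within seconds. It assumes an elevated PowerShell session on the affected machine and the standard SafeBoot key location; the poll interval and count are arbitrary choices.

```powershell
# Added example (not from the thread): audit the registry settings the MBAM log flagged,
# reset them, and re-check a few times so a value re-applied by a still-running process
# shows up. Run as the administrator account in an elevated PowerShell session.

$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify' }
)

function Get-TamperedPolicies {
    # Return the entries whose value is non-zero (the "Bad: (1)" state in the MBAM log).
    foreach ($c in $policyChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item -and $item.($c.Name) -ne 0) {
            New-Object PSObject -Property @{ Path = $c.Path; Name = $c.Name; Value = $item.($c.Name) }
        }
    }
}

function Test-SafeBootKeys {
    # Safe Mode needs these two driver/service lists; if they are missing, a Safe Mode
    # boot fails, which matches the BSOD/restart described in the thread.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($sub in 'Minimal', 'Network') {
        $p = Join-Path $base $sub
        if (-not (Test-Path $p)) { "Missing SafeBoot list: $p" }
    }
}

# Clear whatever is currently set, then watch for it coming back. A value that returns
# to 1 within seconds means an active process is re-applying it; removing that process
# (and what launches it) has to come before any registry repair will stick.
foreach ($t in Get-TamperedPolicies) { Set-ItemProperty -Path $t.Path -Name $t.Name -Value 0 }
for ($i = 1; $i -le 6; $i++) {
    Start-Sleep -Seconds 10
    $again = @(Get-TamperedPolicies)
    if ($again.Count -gt 0) {
        $names = ($again | ForEach-Object { $_.Name }) -join ', '
        Write-Warning ("Check {0}: {1} value(s) re-set by something on the system: {2}" -f $i, $again.Count, $names)
    } else {
        Write-Output "Check ${i}: policy values still clear"
    }
}
Test-SafeBootKeys
```

Output from Get-TamperedPolicies can be compared line by line against the "Registry Data Items Infected" section of a fresh MBAM log.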

I took a look at the information by ThreatExpert. It is picked up by Ikarus (which is now part of A Squared anti malware scanner). You can try to scan with A Squared and see if that can handle it. Or try the trial version of Kaspersky. Also try the scanners mentioned in What to do if you’re infected - eXPerience Rev.3 and make the described Hijack This log.

I also found a removal tool by AVG: Free Virus Scan & Cleaner | Free Malware Removal Tools | AVG.

I cannot guarantee these tips will work, as malware evolves. If the scanning does not work, I will give you a couple of URLs for boards specialised in removing malware using a HijackThis log.

Thanks for the assist. I’ve tried the a² software, but in a rather strange manner the computer restarted, so a conflict with Comodo may have occurred. Also, this AV doesn’t offer disinfection, only deletion. So I’ve run a second Bitdefender online check and clean sweep, and it seems that after it cleaned at least MOST of the files (well, at the very least those which are in the autorun), the virus does not seem to be re-emerging after a restart. So now I will reinstall Comodo (in case it has been compromised) and try to seek out and repair all of the damage this virus did. I’ve added a SafeBoot key to the registry (not empty, of course :D) and will see if it manages to boot into Safe Mode now. I will also set autorun to off on all devices in gpedit.msc (Group Policy), to hopefully evade such infections (coming from a USB drive) in the future.

Good luck and keep us posted.

With malware infection it never hurts to try multiple scanners. Using a trial version of paid programs may help. A2 and CIS live together happily here; I have A2 on demand only.