Computer Security & Viruses/Trojan.Agent.H Revisited
Expert: Brian Benosky - 11/9/2010
QUESTION: Hi Brian, yes, the replies from AllExperts seem to be playing up as they are truncated and I don't get the option to reply so have to ask a new question. I ran CCleaner which has cleared out a lot of junk, but when I re-booted and checked with Malwarebytes, the Trojan.Agent.H is still reported. Here is the logfile:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5041
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
06/11/2010 09:03:23
mbam-log-2010-11-06 (09-03-23).txt
Scan type: Quick scan
Objects scanned: 19535
Time elapsed: 1 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gassffg (Trojan.Agent.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
ANSWER: Hi Brian
Let's try removing the offending file manually. Click Start, type Regedit, then hit Enter. Navigate to the following entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gassffg
Select and Delete ONLY the entry: gassffg
After deleting, exit the registry and download FileASSASSIN from here:
http://www.malwarebytes.org/fa-setup.exe
Install and run the program. Check the circle named Use delete on Windows reboot function. In the box above that, copy and paste the following:
c:\users\user\appdata\local\gassffg.exe
Now click the Execute button. Do the same for the following file:
c:\windows\TEMP\TMP0000005212BDF37C4F8658DC
After executing, reboot the computer, run the MBAM scan, and let me know if it comes up clean.
Brian
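Added example, not part of the original exchange: a Python parser for the detail sections of a Malwarebytes log laid out like the one quoted in the question, which flags detections sitting under a Run or RunOnce key, the autostart location the answer above cleans by hand. The regular expressions assume the line layout seen in that log, the function names are hypothetical, and the sample input is constructed from the quoted log.

```python
import re

# Constructed sample: summary line plus detail sections, as in the quoted log.
SAMPLE_LOG = r"""Registry Values Infected: 1
Files Infected: 0
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gassffg (Trojan.Agent.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
"""

# A detail header ends in "Infected:"; the summary lines carry a count after it.
SECTION = re.compile(r"^(.+) Infected:\s*$")
# Detection line: <path> (<threat name>) -> <action taken>.
ITEM = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
# Assumption: only the Run and RunOnce autostart keys are treated as persistence.
AUTORUN = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return one dict per detection found in the detail sections."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION.match(line)
        if head:
            section = head.group(1)  # e.g. "Registry Values"
            continue
        item = ITEM.match(line)
        if section and item:
            hit = item.groupdict()
            hit["section"] = section
            # A registry value under Run/RunOnce starts a program at logon.
            hit["autorun"] = (section == "Registry Values"
                              and bool(AUTORUN.search(hit["path"])))
            hits.append(hit)
    return hits


def autorun_value_names(hits):
    """Names of the flagged autostart values, to re-check after a reboot."""
    return [h["path"].rsplit("\\", 1)[1] for h in hits if h["autorun"]]


if __name__ == "__main__":
    for h in parse_mbam_log(SAMPLE_LOG):
        print(h["section"], h["threat"], h["path"], h["action"], h["autorun"])
```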
---------- FOLLOW-UP ----------
QUESTION: Hi Brian, gassfg successfully removed manually using regedit. FileASSASSIN couldn't find either of the files you mentioned, so I rebooted and repeated the exercise. Gassfg was no longer in the registry, and FileASSASSIN still couldn't find them. Malwarebytes shows no infection.
Fingers crossed???
Cheers, Brian
ANSWER: Hi Brian
Yes, it appears that you have properly deleted the menace. I saw in your logs that you have Symantec Anti-virus installed. If your subscription is current, download the latest definitions and run a complete system scan. If not, let me know so we can properly uninstall it and get you some free protection.
Brian
---------- FOLLOW-UP ----------
QUESTION: Hi Brian, As long as my employer maintains their subscription to Symantec, I can get the updates :-). However, I'm not that convinced it's much good, as it's failed to protect me from recent virus problems. Do you recommend anything I could run alongside it, or should I replace it with something more comprehensive?
I ran the full scan, and apart from finding and deleting an unidentified tracking cookie, the results were clear.
Thanks again, Brian
ANSWER: Hi Brian
You're most welcome for the assistance. Glad we got it all cleaned up! I was never a fan of Symantec's products. Honestly, most of the folks that I help are running their programs, so that tells you something there. Personally, I use the free Avira Anti-Vir, and have not had anything slip through it. You may wish to run something alongside Symantec to fortify your protection. Spybot Search & Destroy is free and offers real-time protection. Other good choices would be Malwarebytes and SuperAntiSpyware, however both only offer real-time protection in the paid versions. If you need further help, or advice, just let me know. Always glad to help. Cheers!
Brian