Computer Security & Viruses/trojan.agent.h again!


Question
QUESTION: Hi Brian, I'm afraid Trojan.Agent.H has reappeared - it seems to come back every time I re-start the computer. Malwarebytes clears it, but it's a bit of a pain having to run this every time I re-start. Is there a permanent solution? I assume the problem is lurking deep in my hard drive.

If I change to another antivirus programme, do I need to do anything special to remove the Symantec?

Thanks,

Brian

ANSWER: Hi Brian

This is a pesky bugger.  Does it keep showing up on MBAM in the same location?  
To uninstall Symantec products, you need to use the Norton Removal Tool found here:

http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

I would suggest uninstalling the components of Symantec, such as Live Update, before running the tool.  That seems to work best.

After removal, download Avast Anti-Virus Free from here:

http://www.avast.com/en-gb/free-antivirus-download

After installing, run the Boot-time scan.  That will give you the best chance of catching the rootkit.  Let me know the results.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian, A pesky bugger indeed! I removed Symantec with the removal tool. When I rebooted, Malwarebytes detected Trojan.Agent.H. I installed Avast and ran the boot time scan - it found another Trojan in a 'Guest' Profile on the computer, and a couple of corrupted files but nothing related to Trojan.Agent.H. After the computer re-started, I ran Malwarebytes, and it detected Trojan.Agent.H. I've attached the log at the end - it always is associated with the gassffg entry.

One good thing, the computer is a lot snappier without Symantec :-)

What next?

Many thanks,

Brian

Log File:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5041

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

19/11/2010 09:16:59
mbam-log-2010-11-19 (09-16-59).txt

Scan type: Quick scan
Objects scanned: 3216
Time elapsed: 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gassffg (Trojan.Agent.H) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Answer
Hi Brian

Time to call in some heavy hitters.  You have stated previously that GMER was unable to run.  Though now without Symantec in the way, it may be able to scan successfully.  Try running it and see if it detects anything.  If it does not work, try downloading UnHackMe from here:

http://www.greatissoftware.com/unhackme.zip

The program is Shareware, but will function for 30 days...more than enough time to kill this bug.  Unzip, install and run.

1. Click the Check button.
2. If a Trojan is found, you will see the Results page.
3. Click on the Stop button and restart your computer.
4. The rootkit will be completely deleted at the next reboot of your computer.

Send me a follow-up when done.

Brian
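
The Malwarebytes log in the follow-up reports one infected registry value under the per-user Run key, marked "No action taken", and no infected files. The parser below is an added example, not part of the original thread or of any Malwarebytes tooling; it reads that log layout and splits each Run-key detection into key, value name and action. The function names and the embedded sample (trimmed from the log above) are constructed for illustration.

```python
import re

# Constructed sample: the relevant sections of the log quoted in the thread.
SAMPLE_LOG = r"""Registry Keys Infected: 0
Registry Values Infected: 1
Files Infected: 0

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gassffg (Trojan.Agent.H) -> No action taken.

Files Infected:
(No malicious items detected)
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary counts, detections) from a log in the layout shown above."""
    counts, detections, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]          # detections that follow belong here
        elif section and (m := ITEM.match(line)):
            detections.append({"section": section, **m.groupdict()})
    return counts, detections

def autorun_findings(detections):
    """Split Run/RunOnce registry-value detections into key and value name."""
    out = []
    for d in detections:
        key, _, value = d["path"].rpartition("\\")
        if d["section"] == "Registry Values Infected" and re.search(r"\\Run(Once)?$", key, re.I):
            # "No action taken" means the entry was still present when the log was saved.
            out.append({"key": key, "value": value, "name": d["name"],
                        "no_action": d["action"] == "No action taken"})
    return out

if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    for finding in autorun_findings(dets):
        print(finding)
```

Because the scan lists no infected files, the value name is the only lead in the log: it identifies which Run entry to open and check for the program it launches at logon.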

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years' experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.