Trojan.agent.aaga

newtype06

Newbie here. I've been getting notices of this Trojan a lot (thank God for bitdefender blocking it). The infected files are as follows:

autorun.inf

mstcpcon20.dll

netused.dll

dnscon70.dll

netmanage.dll

delbf.tmp

netman~1.dll

mstcpc~1.dll

sr1000r.dll

all are pretty much located at c:\windows\system32\

Any help? Tried using SuperAntiSpyware and it can't detect/delete them.

alexcrist

Hi newype06,

I searched the web and those files seem to be real malware.

You can try an On-Demand scan in Safe Mode, because there are higher chances that the files can be deleted.

First of all, you should create a shortcut on your Desktop to BitDefender Console (the BitDefender version for SafeMode). For this, right-click on your Desktop and select New -> Shortcut. A window will appear on your screen where you have to write the following line:

"C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdc.exe" /files /boot /arc /mail /log=C:\bd.log /fixed /list /prompt

Then click Next, write whatever name you want for the shortcut, restart your PC in safe mode and double-click on the shortcut you just created.

To start your PC in SafeMode, just restart it and keep pressed F8 while it boot_s. The BootMenu will appear, where you can select Start in SafeMode.

After you open that shortcut, BitDefender will scan your entire PC and it will warn you if it finds anything. I hope this fixes your problem.

If you still have problems (the files can't be deleted in SafeMode), then try to follow the instructions HERE to delete the files.

Please post if you solved it or not.

Cris.

newtype06

Ok will do it ASAP.

Just curious, was the trojan recently discovered?

AndreiASM

This could be the case, but there are many malware out there that can't be disinfected in the traditional way. They are loaded in memory, and they can't be deleted. Some of them attach themself to processes like Winlogon.exe; Terminating this process causes the computer to reboot. This is why many times the user has to do his part. If SuperAntiSpyware doesn't detect them means that they haven't added the definition. SAS is not an AV software like BD, and it doesn't detect all malware programs.

If you can't disinfect your PC in the way Cris told you in his earlier post, you should follow the steps indicated here by Cd-Man to delete the files.

Good luck!

Andrei

newtype06

Ok I haven't done the safe mode scan yet since for the past 2 days I haven't been encountering any problems... so far. Might do it later this week.

But question though- about the autorun.inf infected, I've read some stuffs about how to remove it properly like deleting files which are named also autorun.inf. Is it safe to delete those said files? Here's basically my issue with autorun, every time I attach my iPod nano with the usb cable to my comp, bitdefender pops in saying 'autorun.inf is infected with trojan.agent.aaga, your computer has NOT been infected' repeatedly. Is the iPod infected or the drive? Coz I've inserted some memory sticks, sd/cf cards on the card reader and bitdefender doesn't pop up with them.

Also, how bad is this trojan.agent.aaga anyway?

vlad

On the iPod, look for this file: RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE, and if you can find it, upload it here (it is most likely hidden, so set up your Explorer to show all files). Then tell BD to delete the infected autorun.inf on the iPod.

newtype06

On the iPod, look for this file: RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE, and if you can find it, upload it here (it is most likely hidden, so set up your Explorer to show all files). Then tell BD to delete the infected autorun.inf on the iPod.

Ok I'm kinda new to these things- but how can I find that particular file? I mean where is the RECYCLER folder located?

newtype06

Hi newype06,

I searched the web and those files seem to be real malware.

You can try an On-Demand scan in Safe Mode, because there are higher chances that the files can be deleted.

First of all, you should create a shortcut on your Desktop to BitDefender Console (the BitDefender version for SafeMode). For this, right-click on your Desktop and select New -> Shortcut. A window will appear on your screen where you have to write the following line:

"C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdc.exe" /files /boot /arc /mail /log=C:\bd.log /fixed /list /prompt

Then click Next, write whatever name you want for the shortcut, restart your PC in safe mode and double-click on the shortcut you just created.

To start your PC in SafeMode, just restart it and keep pressed F8 while it boot_s. The BootMenu will appear, where you can select Start in SafeMode.

After you open that shortcut, BitDefender will scan your entire PC and it will warn you if it finds anything. I hope this fixes your problem.

If you still have problems (the files can't be deleted in SafeMode), then try to follow the instructions HERE to delete the files.

Please post if you solved it or not.

Cris.

is it possible to just scan one drive (c://) using the shortcut?

Niels

Hello newype06

To see the recycler folder you have to do this go start,my computer,double click on the icon of your hard disc where windows is installed on. After that go to tools,folder options,display,uncheck the option hide operatingsystem files (it could be named differently in the English version) do not forget to confirm by pressing on apply and ok. Now you will see a folder called recycler and after that you can find the file and attach it to your next post.

Regards

Niels

newtype06

^ done and i didn't see the mmc32.exe file. So how to fix up the iPod autorun problem? Full scan I suppose?

Thing is I have 2 HDs and one of em is just a backup that I'm so certain has NO malware problems. Any way I could do a safe mode full scan w/o scanning that said drive?

Niels

Hello newype06

I recommend that you perform a deep scan. Than there also will be scanned inside archives.

If you can't find it on that location than take a look in your recycle bin. When you explored your ipod go to tools,folder options,display,check the option show hidden files and folders. See if you can locate mmc32.EXE It could be that you can't see the extension. If you find mmc32 that is the file. To fix your ipod problem normally when you enabled show hidden files and folders you must see a file called autorun or if you have enable the option in windows to show file extensions autorun.inf just delete the file manually or you can BitDefender let scan only removable drives scan.

Another way to scan your pc is by using the installation cd-rom of BitDefender. Reboot with the cd-rom inside after that you will see a screen with linuxdefender as name. Press enter. After that you will see a desktop. Now you have to rightclick on install ntfs write drivers and choose for admin and install ntfs drivers. Try to perform scan.

Regards

Niels

newtype06

Ok- I found autorun.inf and mmc32.exe on my windows/temp folder. Both are infected. Is it safe to delete these by dumping em into the recycle bin and empty it using ashampoo web optimizer (it really deletes the file permanently)?

Niels

Hello newype06

Please archive first both files in password protected archive with the following password: infected and attach it to your next post.

After you done that you may delete these files. If I am not wrong I thought that ashampoo also place the deleted files in the recycle bin. You can use a file shredder so you can't recover the file(s): http://download.com.com/3000-2092-10164976.html or you can select these files and press on shift+delete.

Regards

Niels

newtype06

I managed to fix the autorun problem.

However the trojan.agent.aaga on the other files (mstcpcon20.dll, netused.dll, dnscon70.dll, sr1000r.dll etc.) are still there. I already did a full scan in safemode and BD can't disinfect them. Are there still other solutions besides deleting them manually?

Niels

Hello newype06

You can try this also download a file shredder:

http://download.com.com/3000-2092-10164976.html

Start the program and drag and drop the files and press on start shredding.

If that fails you can download this:

http://download.bleepingcomputer.com/spyware/KillBox.exe

To select the file to be deleted press on the folder icon

Double click on killbox and select standard file kill,end explorer shell while killing file,unregister .dll before deleting. After you done that press on red circle with a white cross inside. Do this for all the files.

Regards

Niels

newtype06

what those programs do exactly? disinfect or simply delete? I'm worried about deleting them coz it might crash my comp.

alexcrist

Hi newype06,

what those programs do exactly? disinfect or simply delete? I'm worried about deleting them coz it might crash my comp.

Those files do not belong to Windows. They were installed there by the virus, so they simply cannot be cleaned. They have to be deleted.

Windows can perfectly live without those files. As a proof, I don't have any of those files if my PC.

Cris.

Niels

Hello newype06

The first program removes files completely. When you just place it in your recycle bin and empty you recycle bin the files are still recoverable. Not when you use a file shredder. The second tool is to remove files that are locked that program you should only use when the first program fails.

These are random chosen names and as Cris said they are not windows files.

Regards

Niels

newtype06

i've googled the trojan and found this thailand bitdefender site: http://www.bitdefenderthailand.com/webboar...tail.php?id=436

anyway to translate it? it might be a remove tool or something... thanks in advance

Niels

Hello newype06

All available removal tools you can find here: http://www.bitdefender.com/nl/Downloads/br...reeRemovalTool/

There isn't a link offered in the topic you referred to. Is BitDefender still detecting these files?

Regards

Niels

newtype06

Hello newype06

All available removal tools you can find here: http://www.bitdefender.com/nl/Downloads/br...reeRemovalTool/

There isn't a link offered in the topic you referred to. Is BitDefender still detecting these files?

Regards

Niels

yes BitDefender is still detecting them since I haven't done the deleting method yet.