Trojan.agent.aaga

Newbie here. I've been getting notices of this Trojan a lot (thank God for bitdefender blocking it). The infected files are as follows:


autorun.inf
mstcpcon20.dll
netused.dll
dnscon70.dll
netmanage.dll
delbf.tmp
netman~1.dll
mstcpc~1.dll
sr1000r.dll


all are pretty much located at c:\windows\system32\


Any help? Tried using SuperAntiSpyware and it can't detect/delete them.

Comments

  • alexcrist
    edited July 2007

    Hi newype06,


    I searched the web and those files seem to be real malware.


    You can try an On-Demand scan in Safe Mode, because there are higher chances that the files can be deleted.


    First of all, you should create a shortcut on your Desktop to BitDefender Console (the BitDefender version for SafeMode). For this, right-click on your Desktop and select New -> Shortcut. A window will appear on your screen where you have to write the following line:


    "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdc.exe" /files /boot /arc /mail /log=C:\bd.log /fixed /list /prompt


    Then click Next, write whatever name you want for the shortcut, restart your PC in safe mode and double-click on the shortcut you just created.


    To start your PC in SafeMode, just restart it and keep F8 pressed while it boots. The BootMenu will appear, where you can select Start in SafeMode.


    After you open that shortcut, BitDefender will scan your entire PC and it will warn you if it finds anything. I hope this fixes your problem.


    If you still have problems (the files can't be deleted in SafeMode), then try to follow the instructions HERE to delete the files.


    Please post if you solved it or not.


    Cris.

  • Ok will do it ASAP.


    Just curious, was the trojan recently discovered?

  • This could be the case, but there are many malware programs out there that can't be disinfected in the traditional way. They are loaded in memory, and they can't be deleted. Some of them attach themselves to processes like Winlogon.exe; terminating this process causes the computer to reboot. This is why many times the user has to do his part. If SuperAntiSpyware doesn't detect them, it means that they haven't added the definition. SAS is not an AV software like BD, and it doesn't detect all malware programs.


    If you can't disinfect your PC in the way Cris told you in his earlier post, you should follow the steps indicated here by Cd-Man to delete the files.


    Good luck! :)


    Andrei

  • Ok I haven't done the safe mode scan yet since for the past 2 days I haven't been encountering any problems... so far. Might do it later this week.


    But question though- about the infected autorun.inf, I've read some stuff about how to remove it properly, like deleting files which are also named autorun.inf. Is it safe to delete those said files? Here's basically my issue with autorun: every time I attach my iPod nano with the usb cable to my comp, bitdefender pops in saying 'autorun.inf is infected with trojan.agent.aaga, your computer has NOT been infected' repeatedly. Is the iPod infected or the drive? Coz I've inserted some memory sticks, sd/cf cards on the card reader and bitdefender doesn't pop up with them.


    Also, how bad is this trojan.agent.aaga anyway?

  • On the iPod, look for this file: RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE, and if you can find it, upload it here (it is most likely hidden, so set up your Explorer to show all files). Then tell BD to delete the infected autorun.inf on the iPod.
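
Added example (not part of the original thread and not a BitDefender tool): a Python sketch that reads the text of an autorun.inf from a removable drive and reports which launch entries point at an executable inside a recycle-bin folder, the pattern the post above asks about. The sample file content is constructed; only the RECYCLER path is taken from that post, and the function names are illustrative.

```python
import re
from pathlib import PureWindowsPath

# [autorun] keys whose value is a command Windows may run from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# Program part of a command: everything up to the first file extension.
PROGRAM = re.compile(r'^"?(?P<path>.+?\.(?P<ext>[A-Za-z0-9]{2,4}))(?=["\s]|$)')
EXECUTABLE_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs"}
RECYCLE_DIRS = {"recycler", "recycled", "$recycle.bin"}

def launch_commands(text):
    """Yield (key, command) for launch keys inside the [autorun] section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                yield key.lower(), value

def triage(text):
    """Describe each launch target: executable? inside a recycle-bin folder?"""
    findings = []
    for key, command in launch_commands(text):
        m = PROGRAM.match(command)
        path = m.group("path") if m else command
        ext = m.group("ext").lower() if m else ""
        folders = {p.lower() for p in PureWindowsPath(path).parts[:-1]}
        findings.append({"key": key, "path": path,
                         "executable": ext in EXECUTABLE_EXT,
                         "in_recycle_bin": bool(folders & RECYCLE_DIRS)})
    return findings

# Constructed sample; only the RECYCLER path comes from the post above.
SAMPLE = r"""[autorun]
; constructed example
open=RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
shell\open\command=RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        verdict = "SUSPICIOUS" if f["executable"] and f["in_recycle_bin"] else "review"
        print(verdict, f["key"], "->", f["path"])
```

An entry that is both executable and inside a recycle-bin folder is the one to hand to the scanner or collect for analysis; the `icon=` line is ignored because it does not launch anything.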

  • Ok I'm kinda new to these things- but how can I find that particular file? I mean where is the RECYCLER folder located?

  • Is it possible to just scan one drive (c://) using the shortcut?

  • Hello newype06


    To see the RECYCLER folder, do this: go to Start, My Computer, and double-click the icon of the hard disk where Windows is installed. After that, go to Tools, Folder Options, Display, and uncheck the option hide operating system files (it could be named differently in the English version). Do not forget to confirm by pressing Apply and OK. Now you will see a folder called RECYCLER; after that you can find the file and attach it to your next post.


    Regards


    Niels

  • ^ Done and I didn't see the mmc32.exe file. So how to fix up the iPod autorun problem? Full scan I suppose?


    Thing is I have 2 HDs and one of em is just a backup that I'm so certain has NO malware problems. Any way I could do a safe mode full scan w/o scanning that said drive?

  • Niels
    edited July 2007

    Hello newype06


    I recommend that you perform a deep scan. Then the inside of archives will also be scanned.


    If you can't find it in that location, then take a look in your recycle bin. When you have opened your iPod in Explorer, go to Tools, Folder Options, Display, and check the option show hidden files and folders. See if you can locate mmc32.EXE. It could be that you can't see the extension. If you find mmc32, that is the file. To fix your iPod problem: normally, once you have enabled show hidden files and folders, you should see a file called autorun or, if you have enabled the option in Windows to show file extensions, autorun.inf. Just delete the file manually, or you can let BitDefender scan only removable drives.


    Another way to scan your PC is by using the installation CD-ROM of BitDefender. Reboot with the CD-ROM inside; after that you will see a screen with linuxdefender as its name. Press Enter. After that you will see a desktop. Now you have to right-click on install ntfs write drivers and choose admin and install ntfs drivers. Then try to perform a scan.


    Regards


    Niels

  • Ok- I found autorun.inf and mmc32.exe on my windows/temp folder. Both are infected. Is it safe to delete these by dumping em into the recycle bin and empty it using ashampoo web optimizer (it really deletes the file permanently)?

  • Hello newype06


    Please first archive both files in a password-protected archive with the following password: infected, and attach it to your next post.


    After you have done that you may delete these files. If I am not wrong, I thought that ashampoo also places the deleted files in the recycle bin. You can use a file shredder so the file(s) can't be recovered: http://download.com.com/3000-2092-10164976.html or you can select these files and press Shift+Delete.


    Regards


    Niels

  • I managed to fix the autorun problem.


    However the trojan.agent.aaga on the other files (mstcpcon20.dll, netused.dll, dnscon70.dll, sr1000r.dll etc.) are still there. I already did a full scan in safemode and BD can't disinfect them. Are there still other solutions besides deleting them manually?

  • Hello newype06


    You can also try this: download a file shredder:


    http://download.com.com/3000-2092-10164976.html


    Start the program and drag and drop the files and press on start shredding.


    If that fails you can download this:


    http://download.bleepingcomputer.com/spyware/KillBox.exe


    To select the file to be deleted, press on the folder icon.


    Double-click on killbox and select standard file kill, end explorer shell while killing file, unregister .dll before deleting. After you have done that, press on the red circle with a white cross inside. Do this for all the files.


    Regards


    Niels

  • What do those programs do exactly? Disinfect or simply delete? I'm worried about deleting them coz it might crash my comp.

  • Hi newype06,


    Those files do not belong to Windows. They were installed there by the virus, so they simply cannot be cleaned. They have to be deleted.


    Windows can perfectly live without those files. As a proof, I don't have any of those files on my PC. ;)


    Cris.

  • Hello newype06


    The first program removes files completely. When you just place a file in your recycle bin and empty your recycle bin, the files are still recoverable. Not when you use a file shredder. The second tool is for removing files that are locked; you should only use that program when the first program fails.


    These are randomly chosen names and, as Cris said, they are not Windows files.


    Regards


    Niels

  • I've googled the trojan and found this Thailand bitdefender site: http://www.bitdefenderthailand.com/webboar...tail.php?id=436


    Any way to translate it? It might be a removal tool or something... thanks in advance

  • Hello newype06


    All available removal tools you can find here: http://www.bitdefender.com/nl/Downloads/br...reeRemovalTool/


    There isn't a link offered in the topic you referred to. Is BitDefender still detecting these files?


    Regards


    Niels

  • Yes, BitDefender is still detecting them since I haven't done the deleting method yet.