Resolved HJT Threads: resolved spyware and popup issues.
#1
Registered User
Join Date: Aug 2005
Posts: 14
OS: Win XP
Hey,
Well, despite having all my anti-everything programs, all updated, and a firewall, and running AVG, I got infected. I used AVG to try and remove it but, by following their directions, I rebooted (to remove the trojan) and wound up with my backup files infected now. When it rebooted it told me that files had been replaced and to stick in my Windows XP CD, which of course I don't have because this is a preloaded system. One of the infected files was I386\system32\cisvc.ex_\cisvc.exe (infected embedded object), so I would guess that it re-infected the restore files. So, am I screwed or what? I did a Google on this virus/trojan "Dropper Agent" and didn't come up with anything but others that had questions. Thanks for any assistance or advice.

My confidence level in all of my so-called protection programs has dropped by about 90 percent. I run SpywareGuard, SpywareBlaster, TrojanHunter, Ad-Aware SE Personal and Spybot Search & Destroy. I run them religiously after every on-line session. I may not have some of them configured correctly, but they have been keeping me out of trouble for about two years. So... I don't know what happened. I don't go to or download anything I am not sure about, and if I do, I check them out before opening. Thanks again for any assistance or advice.

Papa Ray
West Texas USA
Windows XP, Home Edition, SP1
#2
Manager, The Conversation Pit / Analyst, Security Team
Hello and Welcome to TSF!
Please download HijackThis; this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it back here. Do not fix anything in HijackThis, since the entries may be harmless. Make sure to include the System information at the top of the log as well.
__________________
"If you aren't a liberal when you're 20, you have no heart. If you aren't a conservative when you are 50, you have no brain"
#3
Registered User
Join Date: Aug 2005
Posts: 7
OS: WinXP
Wow!
You are the third person in one day who has asked for this! It seems that this trojan is infecting everybody... If you check, there are 2 more topics here talking about this problem. You will surely find good information there. See ya!
#4
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
I've just confirmed this is a false positive from AVG. This file is NOT infected!! Update your virus definitions!
Quote from Grisoft AVG Tech Support:
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#5
Registered User
Join Date: Aug 2005
Posts: 14
OS: Win XP
Hey,
Thanks for the feedback. I had the latest as of last night, but when I read this post I requested an update and got an "URGENT PRIORITY UPDATE". So, I guess they got a flood of calls and/or such. Thanks again.

Papa Ray
West Texas USA

BTW, what is CISVC.EXE?
#6
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Quote:
Process Name: Microsoft Index Service Helper
It is used to monitor the memory usage in CIDAEMON.exe and prevent low memory problems.
#7
Registered User
Join Date: Aug 2005
Posts: 14
OS: Win XP
Hey,
Thanks for the info. I read another post here with the same (?) problem. It was recommended to run an online scan. I thought I would do it, even though I had already run HouseCall with negative results. Here is what I got; notice there is no listing for the virus that I referred to in the original post. But...

Total number of scanned files: 49283
Number of viruses found: 8
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 3429.875 sec

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, August 10, 2005 07:56:52
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/08/2005
Kaspersky Anti-Virus database records: 142911
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 49283
Number of viruses found: 8
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 3429 sec

Infected Object Name - Virus Name
C:\IBMTOOLS\DRIVERS\RRU301A\US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333
C:\IBMTOOLS\DRIVERS\RRU301A\US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/OMNITHREAD_RT.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.g
C:\IBMTOOLS\DRIVERS\RRU301A\US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333
C:\IBMTOOLS\DRIVERS\RRU301A\US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333
C:\IBMTOOLS\DRIVERS\RRU301A\US\rrpc\superinstall.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333
C:\System Volume Information\_restore{1E15204D-F4EA-483F-AF75-8818F1DAD398}\RP10\A0000380.DLL Infected: not-a-virus:AdWare.ToolBar.MyWebSearch.l
C:\System Volume Information\_restore{1E15204D-F4EA-483F-AF75-8818F1DAD398}\RP10\A0000381.DLL Infected: not-a-virus:AdWare.ToolBar.MyWebSearch.o
C:\System Volume Information\_restore{1E15204D-F4EA-483F-AF75-8818F1DAD398}\RP10\A0000384.DLL Infected: not-a-virus:AdWare.MySearch.e
C:\System Volume Information\_restore{1E15204D-F4EA-483F-AF75-8818F1DAD398}\RP12\A0000434.dll Infected: not-a-virus:AdWare.MySearch.e
C:\System Volume Information\_restore{1E15204D-F4EA-483F-AF75-8818F1DAD398}\RP5\A0000132.exe Infected: not-a-virus:AdWare.Gator.6051
C:\System Volume Information\_restore{1E15204D-F4EA-483F-AF75-8818F1DAD398}\RP6\A0000144.dll Infected: not-a-virus:AdWare.Altnet.d
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx Infected: not-a-virus:AdWare.MediaTickets.a

Scan process completed.

Reading the additional info provided (all it says, I think, is that hackers disguise their work by making it look like normal good program entries, or something like that). These items were not reported by AVG or HouseCall, and of course HouseCall didn't report the CISVC.exe as being infected. So... are these "12 infected objects" false positives? Thanks for any opinions.

Papa Ray
West Texas USA
#8
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Delete the above file. The files associated with IBM can be considered riskware; likely a false positive. The rest live in System Restore points. You can flush those out by disabling System Restore, rebooting, and then enabling System Restore.
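The triage in post #8 (delete the adware .ocx, treat the bundled VNC components as riskware, flush the restore-point copies by cycling System Restore) can be applied mechanically to a Kaspersky On-line Scanner report, and doing so makes the difference between "12 infected objects" and "one file to delete" obvious. The script below is an added example, not code from the thread or from Kaspersky. The report it parses is constructed: header lines and entries copied from post #7, plus one made-up Trojan-Dropper line (the Temp\dropper.exe entry) so the branch for a real malware verdict is exercised. The category rules encode the moderator's reasoning, not the scanner's own verdicts.

```python
"""Triage a Kaspersky On-line Scanner 5.x report by where each flagged object lives."""
import re
from collections import defaultdict

# Constructed sample report. Entries are the ones quoted in the thread except the
# last, a made-up Trojan-Dropper line. Raw string because the paths contain \U.
SAMPLE_REPORT = r"""
KASPERSKY ON-LINE SCANNER REPORT
Scan Statistics:
Number of infected objects: 7
Infected Object Name - Virus Name
C:\IBMTOOLS\DRIVERS\RRU301A\US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333
C:\IBMTOOLS\DRIVERS\RRU301A\US\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333
C:\IBMTOOLS\DRIVERS\RRU301A\US\rrpc\superinstall.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333
C:\System Volume Information\_restore{1E15204D-F4EA-483F-AF75-8818F1DAD398}\RP10\A0000380.DLL Infected: not-a-virus:AdWare.ToolBar.MyWebSearch.l
C:\System Volume Information\_restore{1E15204D-F4EA-483F-AF75-8818F1DAD398}\RP5\A0000132.exe Infected: not-a-virus:AdWare.Gator.6051
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx Infected: not-a-virus:AdWare.MediaTickets.a
C:\Documents and Settings\user\Local Settings\Temp\dropper.exe Infected: Trojan-Dropper.Win32.Agent.ab
Scan process completed.
"""

# One report line per flagged object: "<object> Infected: <detection name>".
ENTRY_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<det>\S+)$")

# Restore-point copies live under this prefix (compared case-insensitively).
RESTORE_MARK = r"\system volume information\_restore"


def parse_report(text):
    """Return one dict per 'Infected:' line; headers and statistics are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        # Objects inside archives are reported as container/member/...; Windows
        # paths never contain '/', so the first part is the file actually on disk.
        parts = m.group("obj").split("/")
        entries.append({"file": parts[0], "inner": parts[1:], "detection": m.group("det")})
    return entries


def triage(entry):
    """Map one entry to (category, action), following the reasoning in post #8."""
    path = entry["file"].lower()
    det = entry["detection"]
    if RESTORE_MARK in path:
        # Inert until a restore is performed; purged by turning System Restore off and on.
        return "restore-point", "disable System Restore, reboot, re-enable it"
    if not det.startswith("not-a-virus:"):
        # A real malware verdict, unlike everything else in this report.
        return "malware", "quarantine with the scanner and investigate"
    if det.startswith("not-a-virus:RemoteAdmin"):
        # Remote-admin tools (VNC here) are a finding only if nobody installed them on purpose.
        return "riskware", "confirm it belongs to an installed vendor package before removing"
    return "adware", "delete the file"


def summarize(text):
    """Group on-disk files by category. An archive with several flagged members
    (superinstall.EXE here) is listed once, not once per member."""
    groups = defaultdict(set)
    for entry in parse_report(text):
        category, _ = triage(entry)
        groups[category].add(entry["file"])
    return {category: sorted(files) for category, files in groups.items()}


if __name__ == "__main__":
    for category, files in summarize(SAMPLE_REPORT).items():
        print(category)
        for f in files:
            print("   ", f)
```

The on-disk count is the useful number: three WinVNC hits collapse to one installer under the IBM tools directory, and everything under System Volume Information is handled by a single System Restore cycle rather than file by file.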
#9
Registered User
Join Date: Aug 2005
Posts: 14
OS: Win XP
Hey,
OK, deleted that; will disable restore and reboot. Question: which I know is unfair and such, but I would still like your opinion. The scare and actions that the "false positive" that AVG gave me on the "Dropper.Agent 8/B" (cisvc.exe), which caused me to delete and reboot and gave me the message that files have been "replaced" by an unrecognisable version and that Windows wanted me to restore these files by "inserting my Windows XP Home Edition CD-ROM", CAUSE ME CONCERN... Just how am I to know if the files my system is running on are correct? And, since I don't have this CD, because this is a preloaded system, how am I to restore these files? If indeed they need restoring... I understand that they have to do with Windows checking if I have enough memory or something like that. Well, I have more than enough memory. So do I need to care? I think I will go get a cold beer.

Papa Ray
West Texas USA
#10
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
If AVG removed them, they are in the Virus Vault. Simply open the vault, highlight the file, and click the restore button. If you deleted them, check your Recycle Bin and see if they are there. If so, restore them from there.
If they are truly gone from the PC, you have 2 choices: a. Replace the files using another PC that has the same OS (Windows XP Home Edition). b. Remove its startup entry so it won't display that message at startup. If neither of those is an option, you can try to use my file (which I attached in that zip file) and place it in both of the directories that you removed it from. *Note* My file is from an XP Pro SP-1 system.
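Post #9 asks how to know whether the system files now on disk are correct, and post #10 answers by pointing at a PC running the same OS. The script below is an added example, not from the thread, of making that comparison with hashes instead of by eye: build a manifest of SHA-256 digests on the known-good machine, carry it over, and verify the suspect machine against it. The directories and file contents in demo() are constructed stand-ins (placeholder bytes, not real Windows binaries). The caveat is the one the moderator hints at with "my file is from an XP Pro SP-1 system": digests only match when both machines are at the same Windows edition, service pack and hotfix level, so "mismatch" means "different from the reference", not "malicious", and should be followed up with a same-SP copy or the vendor's recovery media.

```python
"""Baseline-and-compare check for Windows system files (added example)."""
import hashlib
import os
import tempfile

# Files the thread is about: cisvc.exe (Indexing Service helper) and the
# cidaemon.exe it monitors, plus one unrelated file as a control.
WATCHED = ["cisvc.exe", "cidaemon.exe", "kernel32.dll"]


def sha256_file(path):
    """SHA-256 of a file, read in 1 MiB chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, names=WATCHED):
    """Run on the clean reference machine: name -> digest (None if absent there)."""
    manifest = {}
    for name in names:
        p = os.path.join(root, name)
        manifest[name] = sha256_file(p) if os.path.isfile(p) else None
    return manifest


def verify(root, manifest):
    """Run on the suspect machine: name -> ok | mismatch | missing | no-reference."""
    verdicts = {}
    for name, ref in manifest.items():
        p = os.path.join(root, name)
        if ref is None:
            verdicts[name] = "no-reference"
        elif not os.path.isfile(p):
            verdicts[name] = "missing"
        elif sha256_file(p) == ref:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def demo():
    """Constructed scenario: 'clean_system32' stands in for the other PC's
    system32, 'suspect_system32' for this PC after the AV deleted cisvc.exe
    and something altered cidaemon.exe. Contents are placeholder bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean_system32")
        suspect = os.path.join(tmp, "suspect_system32")
        os.mkdir(clean)
        os.mkdir(suspect)
        placeholder = {
            "cisvc.exe": b"MZ placeholder cisvc",
            "cidaemon.exe": b"MZ placeholder cidaemon",
            "kernel32.dll": b"MZ placeholder kernel32",
        }
        for name, data in placeholder.items():
            with open(os.path.join(clean, name), "wb") as f:
                f.write(data)
        # Suspect tree: kernel32.dll untouched, cidaemon.exe modified, cisvc.exe gone.
        with open(os.path.join(suspect, "kernel32.dll"), "wb") as f:
            f.write(placeholder["kernel32.dll"])
        with open(os.path.join(suspect, "cidaemon.exe"), "wb") as f:
            f.write(placeholder["cidaemon.exe"] + b" tampered")
        manifest = build_manifest(clean)   # step 1, on the reference PC
        return verify(suspect, manifest)   # step 2, on the suspect PC


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

In real use build_manifest() runs on the reference machine against its %SystemRoot%\system32, the resulting dict is saved and copied across, and verify() runs on the suspect machine; a "missing" for cisvc.exe is the state the original poster was in after the false positive.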