The Avenger to the rescue

I got some nasty malware on my computer this week; I’ve had it shut off until I had the energy to investigate what was going on. AVG Free was reporting I had four viruses on it at various times:

Trojan dropper.agent.git
Trojan dropper.agent.dbo
Backdoor.agent.PDA
Virus Win32.lop (an adware virus)

However, no amount of quarantining was getting rid of the viruses; something was actively installing them. The damn thing was also continuing to infect other programs on my system.

Looking in my Windows\System32 folder I found several recently modified files:

ctfmon.exe
sstqp.dll
ddccaxv.dll
ptqss.ini
sstqp.exe
vturq.exe
qrutv.ini

I’m sure most of these file names were randomly generated… I was able to delete all of them except the DLLs. sstqp.exe kept reappearing, but I managed to nullify it by deleting it and then replacing it with a 0 KB read-only file.

Searching the registry, sure enough, I found a dozen spots where these files were referenced, some in pretty clever places: did you know you can specify an executable to run whenever Winlogon is run? Did you know you can specify an executable to run whenever the Windows authentication service is run? **Seriously** — what the hell, Microsoft? You can’t even boot in command-prompt mode to get rid of this crap.
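The registry hunt described above is the part worth automating. The script below is an added example and not something from the original post or from any of the tools it mentions: it enumerates the autostart locations this kind of dropper typically abuses (the Run keys, the Winlogon Userinit/Shell/Taskman values and Notify subkeys, AppInit_DLLs, and the LSA authentication and notification package lists), flags any entry that references one of the file names from the post, and lists System32 files modified in the last few days. The list of suspect names is taken from the post; the seven-day window and the choice of registry locations are my assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on the infected machine. Flags autostart entries that reference the
# file names listed in the post and shows recently modified System32 files.

$Suspects = 'sstqp.dll', 'ddccaxv.dll', 'ptqss.ini', 'sstqp.exe', 'vturq.exe', 'qrutv.ini'
$Days     = 7   # assumption: how far back "recently modified" reaches

# Registry values whose data is a command line or a DLL list. When Names is
# omitted, every value under the key is an autostart entry (the Run keys).
$ValueLocations = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = 'Userinit', 'Shell', 'Taskman' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Names = 'AppInit_DLLs' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                  Names = 'Authentication Packages', 'Notification Packages' }
)

function Get-AutostartEntries {
    foreach ($loc in $ValueLocations) {
        if (-not (Test-Path $loc.Path)) { continue }
        $props = Get-ItemProperty -Path $loc.Path
        $names = if ($loc.Names) { $loc.Names } else {
            $props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        }
        foreach ($n in $names) {
            $v = $props.$n
            if ($null -ne $v) {
                [pscustomobject]@{ Key = $loc.Path; Name = $n; Data = ($v -join ' ') }
            }
        }
    }
    # Winlogon\Notify: one subkey per notification package, DLL path in DllName.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        Get-ChildItem -Path $notify | ForEach-Object {
            $dll = (Get-ItemProperty -Path $_.PSPath).DllName
            [pscustomobject]@{ Key = $_.Name; Name = 'DllName'; Data = $dll }
        }
    }
}

function Test-Suspect($data) {
    foreach ($s in $Suspects) {
        if ($data -match [regex]::Escape($s)) { return $true }
    }
    return $false
}

Write-Host '== Autostart entries (FLAG = references a known bad file) =='
Get-AutostartEntries | ForEach-Object {
    $flag = if (Test-Suspect $_.Data) { 'FLAG' } else { '    ' }
    '{0} {1}\{2} = {3}' -f $flag, $_.Key, $_.Name, $_.Data
}

Write-Host "`n== System32 files modified in the last $Days days =="
Get-ChildItem -Path "$env:windir\System32" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, Name |
    Format-Table -AutoSize
```

Lines marked FLAG are the persistence points to clear; the unmarked ones are still worth reading, since the post notes the file names were randomly generated and a reinfected machine may use different ones. The Winlogon Notify mechanism, which is the one that loads a DLL every time Winlogon runs, was removed in Windows Vista, so that part of the check only matters on XP-era systems like the one described here.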

Deleting their references in the registry didn’t work; something was just adding them right back. I needed to delete the DLLs to prevent them from loading, but how?

This stumped me for a good hour. I tried a bunch of different things to get rid of the DLLs (without pulling the drive and putting it into another NTFS-compatible system), but nothing seemed to work. Running Unlocker on them hard-locked the system. Move on Boot was worthless.

Finally, while searching for references to “dropper.agent.git”, I stumbled upon a hacky little tool called The Avenger that did the trick. With this tool you write a script that specifies the file(s) to delete, and it deletes them the next time your computer starts up, presumably before Windows has a chance to execute them. IT WORKED.

Thank you, Avenger!