
Author Topic: Trojan Downloader.Agent.KUM  (Read 2198 times)

Offline mistybear

  • Forum Fanatic
  • ******
  • Posts: 7656
Trojan Downloader.Agent.KUM
« on: May 18, 2007, 12:25 »
I have had two trojans now in the past week, same trojan, downloader.Agent.KUM. (And no, I haven't been visiting porn sites)

I googled it, but the only entry was in, I think, German. So not much help. :dunno:

The first one was in c:/windows/system32/WM.EXE

The second one in c:/system volume information/_restore

AVG picked up both of these and they are in the vault.

I have uninstalled ZoneAlarm and installed Comodo, don't know if this will help me. (and yet another piece of bloody software to work out how to use ???)

So why am I getting the same one? Just unlucky, or is it hiding somewhere? I ran Hijackthis last night and everything was fine except for one entry which was missing its file, so I fixed it. :dunno:
Those who can make you believe absurdities,
can make you commit atrocities.

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Re: Trojan Downloader.Agent.KUM
« Reply #1 on: May 18, 2007, 12:38 »


The second one in c:/system volume information/_restore


That's where it's hiding, MB.

Turn system restore off, then restart in safe mode and run your scan again.
It will delete the one that's in the restore file, and once you have made sure that it's definitely gone, then re-enable system restore.

Offline mistybear

  • Forum Fanatic
  • ******
  • Posts: 7656
Re: Trojan Downloader.Agent.KUM
« Reply #2 on: May 18, 2007, 12:40 »
Thanks Sandra, but I can't remember how to do that?  :dunno:
 

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Re: Trojan Downloader.Agent.KUM
« Reply #3 on: May 18, 2007, 12:43 »
Right click on My Computer, go to Properties and click on the System Restore tab in the window which opens.
Turn it off in there.

Restart the pc and keep pressing F8 for safe mode  :)
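
An added example, not part of the original posts: a small Python triage helper that separates detections in live locations from copies held in System Restore storage, the distinction the advice above relies on. The function names are hypothetical, and the third sample path (placeholder GUID, restore point number and file name) is constructed.

```python
import re

# XP-style restore storage: <drive>:\System Volume Information\_restore{GUID}\RPnn\...
# {GUID} and RPnn are optional because scanner alerts often show a truncated path.
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore(?:\{[0-9a-f-]+\})?"
    r"(?:\\rp(\d+))?(?:\\|$)",
    re.IGNORECASE,
)

def normalise(path):
    """Trim the path and turn any run of / or \\ into a single backslash."""
    return re.sub(r"[\\/]+", lambda _m: "\\", path.strip())

def classify(path):
    """Return ('restore_copy', restore_point_or_None) or ('live', None)."""
    m = RESTORE_RE.match(normalise(path))
    if not m:
        return ("live", None)
    return ("restore_copy", int(m.group(1)) if m.group(1) else None)

def triage(detections):
    """Group (threat, path) pairs by where the detected file sits."""
    plan = {"live": [], "restore_copy": []}
    for threat, path in detections:
        kind, rp = classify(path)
        plan[kind].append((threat, normalise(path), rp))
    return plan

def tainted_restore_points(plan):
    """Restore point numbers holding a detected copy, where the path shows one."""
    return sorted({rp for _t, _p, rp in plan["restore_copy"] if rp is not None})

# The first two paths are the ones quoted in the thread; the third is constructed.
SAMPLE = [
    ("Downloader.Agent.KUM", "c:/windows/system32/WM.EXE"),
    ("Downloader.Agent.KUM", "c:/system volume information/_restore"),
    ("Downloader.Agent.KUM",
     r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP12\A0000001.exe"),
]

if __name__ == "__main__":
    plan = triage(SAMPLE)
    for kind, items in plan.items():
        for threat, path, rp in items:
            print(f"{kind:12} {threat}  {path}  restore point: {rp}")
    print("restore points with a detected copy:", tainted_restore_points(plan))
```

Entries under `live` are the ones the safe-mode rescan has to deal with; entries under `restore_copy` are removed along with the restore points when System Restore is turned off.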

Offline mistybear

  • Forum Fanatic
  • ******
  • Posts: 7656
Re: Trojan Downloader.Agent.KUM
« Reply #4 on: May 18, 2007, 13:54 »
OK, did that, though AVG didn't find anything. :dunno:

Not sure if I did it right as after F8 it didn't say anything about safe mode.

I don't know if this matters, but I'm using msconfig and in boot ini, boot options isn't selected.

Offline Simon

  • Administrator
  • *****
  • Posts: 77112
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Trojan Downloader.Agent.KUM
« Reply #5 on: May 18, 2007, 14:21 »
I wonder how the trojan got in in the first place? I know you've probably said, but what's your security setup again? Your anti-virus / anti-spyware should have stopped it. The firewall (ZA / Comodo) won't stop it getting in, but it should stop it transmitting anything, providing you haven't inadvertently allowed it, which is quite easy to do, given the confusing pop-ups some firewalls produce.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Re: Trojan Downloader.Agent.KUM
« Reply #6 on: May 18, 2007, 14:36 »
When you press F8 repeatedly you should get a screen asking what you want to do.
Start Windows normally, Use last known good configuration, Safe mode, plus a few others.
You use the up and down arrows to select which option, then press Enter.

Did you get a boot order screen when you pressed F8? Some RAID and SATA motherboards have that option.
If you got that, then it can be awkward to time pressing F8 at the right moment to get the safe mode option screen up.
It needs to be pressed after the first screen with all the text appears and before the second one fully completes.

If you didn't get the boot order screen, then you aren't pressing the F8 button early enough or possibly long enough. Do not keep it pressed; you have to press and release it, and press again quickly and repeatedly.

Offline mistybear

  • Forum Fanatic
  • ******
  • Posts: 7656
Re: Trojan Downloader.Agent.KUM
« Reply #7 on: May 18, 2007, 14:38 »
I have AVG Anti-Virus, which is what caught it.

Windows Defender, which isn't bad either.

I have SpyBot, Spy Blaster, A Squared and AdAware.

And I'm having a hard time understanding Comodo.

Offline mistybear

  • Forum Fanatic
  • ******
  • Posts: 7656
Re: Trojan Downloader.Agent.KUM
« Reply #8 on: May 18, 2007, 14:46 »
Sandra, I really can't remember at the moment, I'm really tired. It blew an absolute gale here last night and the noise kept waking me up. And I have a shade sail attached to the side of the house, underneath my bedroom window and it came loose early this morning and kept banging against the wall. :aarrgh:

So I'm off to bed, so hopefully it will make more sense in the morning. :yawn:

Offline Simon

  • Administrator
  • *****
  • Posts: 77112
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Trojan Downloader.Agent.KUM
« Reply #9 on: May 18, 2007, 20:06 »
You don't have a USB keyboard do you, MB?  I do, and can't get into safe mode using it, because it doesn't come to life until Windows is half loaded.  I have to use a PS/2 keyboard (with the purple connector) if ever I need to access safe mode.

Offline Clive

  • Administrator
  • *****
  • Posts: 74295
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Re: Trojan Downloader.Agent.KUM
« Reply #10 on: May 18, 2007, 20:20 »
Don't forget to switch system restore back on again afterwards as it may just come in handy.

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Re: Trojan Downloader.Agent.KUM
« Reply #11 on: May 19, 2007, 02:51 »
Good point Simon, I forget that people often have USB or wifi keyboards these days for some obscure reason, although newer mobo BIOSes seem to have USB keyboard support available, which helps a little if it's enabled :)

Offline Simon

  • Administrator
  • *****
  • Posts: 77112
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Trojan Downloader.Agent.KUM
« Reply #12 on: May 19, 2007, 09:20 »
Ah, that's a question I have been meaning to ask for ages, Sandra. How do you enable USB keyboard support? Oddly enough, I was working on a PC much older than mine sometime last year, and I could use my USB keyboard to get into safe mode with no problem, so I'm wondering if it's not enabled on mine?

:dunno:

Offline sam

  • Administrator
  • *****
  • Posts: 19966
Re: Trojan Downloader.Agent.KUM
« Reply #13 on: May 19, 2007, 11:37 »
You can enable it in the mobo settings normally, Simon...
- sam | @starrydude --

Offline mistybear

  • Forum Fanatic
  • ******
  • Posts: 7656
Re: Trojan Downloader.Agent.KUM
« Reply #14 on: May 19, 2007, 11:48 »
It did dawn on me last night that if AVG caught the trojan, letting me know by alert, and I moved it to the vault until I knew what it was exactly, then doesn't that now mean that there is no longer a trojan in restore? But Michael had a point when he asked, "how did AVG detect a trojan in restore, in the first place?"

Having said all that, I used msconfig to boot in safe mode, a lot easier for me, turned off restore and ran a scan which lasted almost one and a half hours :( and found absolutely nothing. :)

