Trojan.Agent.Trace - removed. Do I still need to reformat / reinstall?

JanZborovjan

New member
Local time
11:32 AM
Messages
5
Hello,

the title says it all. A few days ago, a Malwarebytes Anti-Malware scan encountered a Trojan.Agent.Trace.

So I booted into safe mode and removed it. Then I scanned again and 0 threats were detected, so I suppose the trojan has been removed.

I also checked the system with Malwarebytes Anti-Rootkit: 0 threats found. A Panda antivirus scan also showed 0 threats, so... the system looks and behaves clean.

But still a question lingers here. Some security experts on the internet say that even after removing backdoor trojans, a vulnerability is left in the system... so the best option is allegedly to reformat>reinstall.

What is your opinion, guys? Do I really NEED to reformat>reinstall? I have automatic Windows Updates, Windows Firewall constantly turned on... and do regular antivirus scans. Is there really any threat in NOT doing a reformat>reinstall?

Many thanks!
 

Hi:

Trojan.Agent.Trace
That's rather "TLI" (too little information). :(

It is exactly that: a "trace" (aka leftover or remnant) from some sort of trojan.

Without scan logs and more data from the system, it's impossible to say for sure what the original trojan was, or whether it was a "backdoor" critter, or whether you are completely clean.

Reinstalling Windows would seem to be a bit over-the-top, under the circumstances, without more information.

If you're not sure, then you would probably need to run additional, deeper scans -- preferably under the guidance of a trained malware expert -- either here, or at a dedicated, reputable computer disinfection forum. It helps to have a bit of expert guidance, in order to run the correct tools in the proper order.

>>>Also, for the record, MBAM should be run under NORMAL Windows mode in order to work properly and completely. Running it under Safe Mode is a workaround only for extreme cases where it will not work under Normal mode. ;)

Hope this helps a bit,

MM
 

Thanks Moxie for the reply.

First I ran MBAM under NORMAL Windows mode, but when the scan reached a certain folder, MBAM just stopped responding. Very weird behaviour, so I was suspecting either HW failure or a virus. Rebooting into SAFE mode gave me the answer.

Here is the scan log; hope it helps.

Code:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8. 11. 2015
Scan Time: 22:14
Logfile: 
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.08.05
Rootkit Database: v2015.11.04.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: eraser

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 382751
Time Elapsed: 9 min, 37 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Trojan.Agent.Trace, C:\Users\eraser\AppData\Roaming\apachesrvin.vbs, Quarantined, [61349ae14249f640f8fb2087857e8c74], 
Trojan.Agent.Trace, C:\Users\eraser\AppData\Roaming\die.bat, Quarantined, [41540c6f503b1521b67be3c5669db848], 

Physical Sectors: 0
(No malicious items detected)


(end)
 

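As an added example (not code from the thread or from Malwarebytes), here is a small Python parser for the MBAM 2.x log layout posted above: it pulls each detection out with its location and action, checks the declared per-section counts against the lines actually present (a common sign of a truncated paste), and flags script files sitting under a user profile. The section names, the detection-line regex and the sample excerpt with placeholder hashes are my assumptions about the format.

```python
import re
from collections import Counter, namedtuple

# Constructed excerpt in the MBAM 2.x log layout from the thread; hashes are placeholders.
SAMPLE_LOG = r"""
Scan Type: Threat Scan
Processes: 0
(No malicious items detected)
Files: 2
Trojan.Agent.Trace, C:\Users\eraser\AppData\Roaming\apachesrvin.vbs, Quarantined, [00000000000000000000000000000001], 
Trojan.Agent.Trace, C:\Users\eraser\AppData\Roaming\die.bat, Quarantined, [00000000000000000000000000000002], 
"""
# Sections that list one "<name>, <location>, <action>, [<hash>]," line per hit (assumed).
SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors")
DETECTION_RE = re.compile(r"^(?P<name>[^,]+), (?P<location>.+?), (?P<action>[^,]+), \[(?P<tag>[0-9a-f]{32})\],?$")
SCRIPT_EXT = (".vbs", ".bat", ".cmd", ".js", ".ps1")
Detection = namedtuple("Detection", "section name location action tag")

def parse_mbam_log(text):
    """Return (header fields, detections); section counts are stored as ints."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        hit = DETECTION_RE.match(line)
        if hit and section:
            detections.append(Detection(section, **hit.groupdict()))
            continue
        key, sep, value = line.partition(": ")
        if sep:
            header[key] = int(value) if key in SECTIONS else value
            section = key if key in SECTIONS else section
    return header, detections

def count_mismatches(header, detections):
    """Sections whose declared count differs from the lines present (truncated paste)."""
    seen = Counter(d.section for d in detections)
    return {s: (header[s], seen[s]) for s in SECTIONS if s in header and header[s] != seen[s]}

def triage(detections):
    """Split hits by action and flag script files living under a user profile."""
    report = {"quarantined": [], "not_quarantined": [], "user_scripts": []}
    for d in detections:
        report["quarantined" if d.action == "Quarantined" else "not_quarantined"].append(d.location)
        loc = d.location.lower()
        if d.section == "Files" and loc.endswith(SCRIPT_EXT) and "\\appdata\\" in loc:
            report["user_scripts"].append(d.location)
    return report
```

Run it over a full pasted log to see at a glance what was quarantined, what was only detected, and whether the paste is complete.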
There's no need for reinstalling or anything. Just scan your system daily and you are good to go. Also, don't worry, because Malwarebytes has quarantined it.
 

Thank you. I had to reinstall anyway (because AMD drivers messed up my system), but I appreciate your answer anyway!
 

I would recommend changing all passwords for everything. They could have been stolen.
I would also recommend contacting all your banking and credit card institutions to inform them your accounts might have been compromised. Then follow their instructions.

Trojan.Agent.Trace.
This is a piece of malware that has worm, downloader, backdoor, keylogger and spy abilities. It may arrive on a system after being exploited by a copy of the worm residing on an infected machine in the network. After execution, the malware will inject a piece of code in kernel mode (by gaining access to \Device\PhysicalMemory). It will make a copy of itself inside c:\windows\fonts\unwise_.exe (hidden), execute it and continue execution there. The original file will then be deleted. The worm will register itself as a service under the name Windows Hosts Controller, setting the description to "Enables Windows Host Controller Service. This service cannot be stopped." to discourage users from deleting it.
- The worm has the ability to spread via:
o USB drives; when it detects a new drive, it will make a fresh copy of itself on the USB drive in the following directory:
Recycler\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx\file-name.exe. It will also create an autorun.inf file that will point to the new cop
 
