
Topic: Need help removing RedGirl Trojan


agnostida

    Topic Starter



    Need help removing RedGirl Trojan
    « on: November 26, 2008, 04:50:21 PM »
    I am running Windows XP and have completed the Malware Removal Guide protocol.  I am using the up-to-date free versions of AVG, Malwarebytes, and SuperAntiSpyware.

    Earlier when looking to reduce my start-up time I found the following under services: C:\WINDOWS\system32\RedGirl.exe Service (it had been stopped).  Since it looked suspicious I went online and found this information:

    Troj/Agent-GVO
    When first run Troj/Agent-GVO copies itself to <System>\RedGirl.exe and creates the file <System>\RedGirl.dat. The file RedGirl.dat is detected as Mal/Behav-024. The file RedGirl.exe is registered as a new system driver service named "RedGirl", with a display name of "RedGirl" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\RedGirl

    My Anti-virus and Spyware did not detect this.  I have gone into services and set the start-up type to Disabled.  I've  looked in C:\Windows\System32 for RedGirl (.dat or .exe) and did not find anything (I also ran a search). Supposedly this Trojan loads a module (RedGirl.dat) into the address space of other processes such as C:\ProgramFiles\internet explore\iexplorer.exe address space:0xd00000 - 0xFE400 but I am too much of a newbie to know how to track this down.  I DID find the following registry keys:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REDGIRL
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REDGIRL\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RedGirl
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RedGirl\Enum
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RedGirl\Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REDGIRL
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REDGIRL\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RedGirl
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RedGirl\Enum

    I don't know how to proceed.  If there are no program files listed for this am I still infected?  Do I need to remove the registry keys?  I've copied down the values for the registry keys if that helps at all.  Like I said, I am very new at all of this.

    Thanks!

    [Saving space - attachment deleted by admin]

    CBMatt

    • Mod & Malware Specialist


    Re: Need help removing RedGirl Trojan
    « Reply #1 on: November 29, 2008, 02:27:39 AM »
    Other than your lack of a firewall, I don't see anything wrong with your logs.  It's possible that you simply had this infection in the past and the computer still has logs of it in the registry.  However, if you would like to try a deeper scan, follow these instructions...

    Download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.
    An undefined problem has an infinite number of solutions.
    Robert A. Humphrey

    agnostida

      Topic Starter



      Re: Need help removing RedGirl Trojan
      « Reply #2 on: November 29, 2008, 08:28:02 PM »
      Thank you very much for the response!

      I checked the website for ComboFix and I am a little nervous about instigating this scan.  It seems more complicated than the other scans I have run.  I have to install and run a recovery console?  It also sounds as if I run the chance of royally screwing things up if I do it incorrectly.  Eeeek.  That being said, if I have a virus out there that is sending my personal information back up into the ether, well then, I'll give it a go.
      But, it also sounds as if running the scan might be unnecessary since I cannot find any of the .exe files for RedGirl on my computer.  Registry keys in and of themselves are harmless, yes?  I think you might be right about this infection being in the past.

      Some more tidbits of information:

      According to the source I found on the web, in addition to the creation of new registry keys (see old post) the following registry values might have been modified:
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
      Mine is: (Default) 0x0000001d (29)   I have no idea if that is changed or not

      AND

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent
      Again mine is: (Default) 0x0000001d (29)

      I have reinstated my windows firewall, so that should be okay.

      My computer is running great.  I have no complaints.  The only reason I contacted you was that I found RedGirl in my startup services and panicked.  I was able to track down some information but I am not computer-savvy enough to interpret it.  A little knowledge is a dangerous thing.

      Thank you so much for taking the time to go over this.  My feeling is that things are okay now and that I don't need to work on this further.  If, however, in your expert opinion, I should continue to track this down, well then, let's roll up our sleeves....

      Confirmation of a yay or a nay would be appreciated, and again, thank you so very much!

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      Re: Need help removing RedGirl Trojan
      « Reply #3 on: November 29, 2008, 08:41:25 PM »
      ComboFix is typically safe to run under supervision of someone trained to use it as we are.

      Here are some more detailed instructions to help take the confusion out of its use.

      Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

      Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.

      For Windows XP Systems install the Recovery Console:

      - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
      - If for some reason your Internet is not working click No.
      - If you are not using Windows XP, you will not be prompted.
      - When prompted to accept the EULA click OK.
      - Accept Microsoft's EULA (Click Yes).
      - When you are told that the RC is installed correctly click YES to continue scanning for malware.

      When finished ComboFix will produce a log for you.
      Post the ComboFix log and a new HijackThis log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      CBMatt

      • Mod & Malware Specialist


      Re: Need help removing RedGirl Trojan
      « Reply #4 on: November 30, 2008, 05:25:41 AM »
      If you follow the steps posted by evilfantasy, it's a breeze.  You spend most of your time just waiting for the log to pop up.

      You're not obligated to go through with this whole process, but this program will help us determine whether or not the infection is active on your computer, so it would be a good idea to go through with it.

      agnostida

        Topic Starter



        Re: Need help removing RedGirl Trojan
        « Reply #5 on: December 03, 2008, 01:43:31 AM »
        Thanks everyone for all the help.  The simple, detailed instructions for combofix helped ease my anxiety and so I did heed the recommendation - I ran the program and have attached my logs.

        Do I now need to uninstall windows xp recovery console?  Does it take up much space? (I am indeed a novice.)

        Also, I am thinking of downloading Comodo firewall to take the place of my generic windows firewall.  Would you recommend this?  Are there any settings I need to change, or anything else I should be aware of before I download?  I am running AVG antivirus, Malwarebytes, and Superantispyware, the free versions all.

        Oh yeah, and how do I get rid of combofix?

        Again, my extreme gratitude for all your help.

        [Saving space - attachment deleted by admin]

        agnostida

          Topic Starter



          Re: Need help removing RedGirl Trojan
          « Reply #6 on: December 03, 2008, 02:03:51 AM »
          Sorry, this is in addition to my very last reply as of 10 minutes ago. 

          After running combofix I now have in my c drive window (along with the newly posted combofix log) a file named Qoobox and two strange icons labeled Boot.bak and cmldr respectively.  These are brand spankin' new.  What are they? What do I do with them?

          Thank you for your patience and time!

          CBMatt

          • Mod & Malware Specialist


          Re: Need help removing RedGirl Trojan
          « Reply #7 on: December 03, 2008, 03:29:37 AM »
          Qoobox is part of ComboFix.  The other two files should be part of the Recovery Console, which you should keep (it takes up very little space).  Once we're done with ComboFix, I'll tell you how to remove it.

          For the most part, your log appears fairly normal, but I did indeed locate the RedGirl infection in your system.  Looks like your suspicions were correct.  I was hoping ComboFix would take care of it automatically, but I guess we'll have to do this manually.  Follow these instructions very closely...

          Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

          Delete these files/folders, as follows:

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code:
          KillAll::

          File::
          c:\windows\system32\RedGirl.exe
          c:\windows\system32\RedGirl.dat
          c:\windows\system32\RedGirl.bat

          Registry::
          [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_REDGIRL]
          [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RedGirl]
          [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_REDGIRL]
          [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RedGirl]

          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

          agnostida

            Topic Starter



            Re: Need help removing RedGirl Trojan
            « Reply #8 on: December 03, 2008, 10:23:52 AM »
            Wow. Thanks. 

            Okay, so I followed your instructions and have attached the log.

            I realize now that I never thought to disable my AVG or firewall this time around.  I hope it was not a necessary step.

            Also, now since running combofix the FIRST time - when I boot up my computer it flashes the following: Please select the operating system to start.... plus some more text that passes by too quickly to take note.  This is new.  Don't know if it means anything or if I should now do something to take care of this.

            I place it all at your honorable feet.

            Many thanks!

            [Saving space - attachment deleted by admin]

            agnostida

              Topic Starter



              Re: Need help removing RedGirl Trojan
              « Reply #9 on: December 03, 2008, 11:20:32 AM »
              Hope I am not bogging down these posts with unnecessary information, but since I am such a novice, I don't know what is unnecessary.

              Have now had a better chance to read the boot up message - Please select the operating system to start - and I believe it has something to do with microsoft windows recovery console.  I believe the computer is automatically choosing this and booting up for me.

              As to my earlier post about not turning off my AVG during the RedGirl deletion process... when I just now turned off my computer (for the first time after running the deletion program) the following error message was shown: avgrsx.exe application error  the instruction could not be read.... and more that I did not catch before the machine turned off.  Hmmmm.  Should I uninstall and then reinstall AVG? 

              Sorry.  Now it seems I have a bunch of niggling questions, but I don't know what is worrisome or ignorable.

              Thanks!  Oh... my log was posted with my previous reply.

              CBMatt

              • Mod & Malware Specialist


              Re: Need help removing RedGirl Trojan
              « Reply #10 on: December 03, 2008, 08:49:01 PM »
              No worries, you're not bogging anything down.  Most users don't give enough info...when it comes to malware, "too much" info can be a good thing.  To answer your first question...the Windows Recovery Console was added by ComboFix.  You'll have to get used to seeing a new bootup, but trust me, this is something you should have.  If you ever have any major problems, this option could very well save your computer.  And don't worry, your computer is still booting in the normal mode.

              As for AVG, uninstalling and reinstalling is probably a good idea.  If it doesn't work, then you can get more help on their forums.  The latest version of AVG has all sorts of quirks and difficulties, and they know a lot more about making it work than I do.

              By looking at your latest log, it looks like your infection should be gone now.  At the very least, it's inactive.  If you happen to come across any traces of it, just let me know and I can help you remove them.

              You no longer need ComboFix, so let's go ahead and uninstall it.  Click on the Start menu and go to Run.  Type in combofix /u (note the space before "/u") and click OK.  It will now be removed.

              You should now clean out your System Restore.  This is to remove any infected files that have been backed up by Windows.  Please follow these steps...

              1.  Go to Start > Programs > Accessories > System Tools > System Restore
              2.  Click on System Restore Settings.
              3.  Check Turn off System Restore and click OK.
              4.  Restart your computer.
              5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
              6.  Create a new restore point and close the program.

              System Restore will now be active again.  If you would like to learn more about System Restore, go here.

              agnostida

                Topic Starter



                Re: Need help removing RedGirl Trojan
                « Reply #11 on: December 04, 2008, 01:27:41 AM »
                Whew.  So far so good!

                If AVG is having problems, is this the antivirus I should be using?  Any recommends?

                Also, should I keep SuperAntiSpyware on my computer as a second anti-spyware program (I am using Malwarebytes) or should I also uninstall this?  I originally downloaded it as one of the steps for the spyware removal protocol.

                I guess I am basically asking what combination of programs will help me the most in keeping my computer clean and also not be impossible to use, since I am still new at handling computer software.  It really shows your prowess that you were able to guide me step by step through the virus removal process!

                I have an external hard drive that I basically use to drag and drop my picture and music files and other documents into for backup.  Do I need to worry about this somehow harboring something nasty?

                And... if I were to be looking for RedGirl again would it just show up in the same places?  I can't think of how else I would know that it is back since the anti-virus etc... didn't find it.  Is checking under start-up and services enough?

                I cannot thank you enough for your time and patience.

                CBMatt

                • Mod & Malware Specialist


                Re: Need help removing RedGirl Trojan
                « Reply #12 on: December 04, 2008, 04:54:01 AM »
                1.  Whether or not you keep AVG is up to you.  Despite its flaws, it is still an effective program and it is what I use.  However, if its occasional hiccups (I had problems at first, but not anymore with the latest updates) make you uneasy, there are other good programs such as Avast and Avira.  Just make sure you only use one.

                2.  Anti-spyware isn't as strict and it's generally okay to have a couple.  I would suggest keeping both MBAM and SAS; they're great programs that complement each other nicely.

                3.  Your external hard drive could become infected if it's connected to your computer during a time of infection.  I don't think RedGirl is the type to hop onto external devices (so it should be clean), but in the event that you want to scan your external drive, most anti-virus programs will let you.  With AVG 8, simply double-click on the icon in the system tray (the colored square), click on Computer Scanner on the left panel, click on Scan specific files or folders, place a checkmark next to your external drive, and then start the scan.

                4.  RedGirl doesn't have a whole lot of variety and it almost always installs itself in the same place.  I don't expect you to be reinfected with it, but if you ever want to check, just look in the same locations where you found it.  A startup entry starts the infection when your computer boots and a service entry [depending on the setting] keeps it running...so if it doesn't exist in these two places, then it is most likely inactive.

                I hope that answers everything to you and that you stay safe and clean.  And if you have any further questions, don't hesitate to ask.
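The original post lists the RedGirl keys under HKLM\SYSTEM\...\Services and asks whether a service key with no file behind it still means an active infection, and reply #12 answers that the startup and service entries are the places to check. The script below is an added example (my own code, not from the thread, from ComboFix or from any of the posters' tools) that turns that advice into a repeatable check: it parses a regedit .reg export of the Services key and classifies each service as an active autostart whose binary is present, an inactive (manual/disabled) entry, or an orphan whose ImagePath no longer exists on disk. The sample export, the list of "files present on disk" and the C:\WINDOWS value for %SystemRoot% are constructed assumptions so the example runs offline on any platform; on a real machine you would feed it the output of `regedit /e` and a directory listing.

```python
"""Triage Windows service entries from a regedit .reg export.

Added example, not code from the forum thread.  The sample export and the
list of files "present on disk" are constructed; no live registry or file
system is touched, so it runs anywhere.
"""
import re

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
SYSTEM_ROOT = r"C:\WINDOWS"            # assumed XP default for %SystemRoot%
START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


def decode_value(rhs):
    """Decode the right-hand side of one .reg value line."""
    if rhs.startswith('"') and rhs.endswith('"'):            # REG_SZ, backslash-escaped
        return re.sub(r"\\(.)", r"\1", rhs[1:-1])
    if rhs.startswith("dword:"):                              # REG_DWORD, hex
        return int(rhs[6:], 16)
    if rhs.startswith("hex(2):"):                             # REG_EXPAND_SZ, UTF-16LE bytes
        data = bytes(int(b, 16) for b in rhs[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return rhs                                                # other types: left as text


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Values wrapped over several lines (trailing backslash) are re-joined first."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):                # continuation: keep accumulating
            buf += line[:-1].strip()
            continue
        line, buf = buf + line, ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            keys[current][name] = decode_value(m.group(3))
    return keys


def normalize_image_path(image):
    """Turn a service ImagePath into an absolute file path without arguments."""
    p = image.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        p = p.split(" ", 1)[0]       # drops "-k netsvcs"; unquoted paths with spaces are not handled
    if p.startswith("\\??\\"):       # NT object-manager prefix, common for driver services
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\SystemRoot"):]
    p = re.sub(r"%systemroot%", lambda _m: SYSTEM_ROOT, p, flags=re.IGNORECASE)
    if not re.match(r"^[A-Za-z]:\\", p):   # bare "system32\..." is relative to %SystemRoot%
        p = SYSTEM_ROOT + "\\" + p
    return p


def triage_services(keys, files_on_disk):
    """Return {service_name: verdict} for every top-level service key in the export."""
    present = {f.lower() for f in files_on_disk}
    verdicts = {}
    for path, values in keys.items():
        if not path.upper().startswith(SERVICES_PREFIX.upper()):
            continue
        name = path[len(SERVICES_PREFIX):]
        if "\\" in name:                 # skip subkeys such as RedGirl\Enum or RedGirl\Security
            continue
        image, start = values.get("ImagePath"), values.get("Start")
        if image is None:
            verdicts[name] = "no ImagePath"
        elif normalize_image_path(image).lower() not in present:
            verdicts[name] = "orphaned: binary missing from disk"
        elif start in (0, 1, 2):
            verdicts[name] = "ACTIVE: starts at boot (%s)" % START_NAMES[start]
        else:
            verdicts[name] = "inactive: start type %s" % START_NAMES.get(start, start)
    return verdicts


def reg_expand_sz(name, value, width=8):
    """Render a REG_EXPAND_SZ value in the hex(2) form regedit exports, wrapped
    onto continuation lines so the parser's re-joining is exercised."""
    octets = ["%02x" % b for b in (value + "\x00").encode("utf-16-le")]
    chunks = [",".join(octets[i:i + width]) for i in range(0, len(octets), width)]
    return '"%s"=hex(2):%s' % (name, ",\\\n  ".join(chunks))


# Constructed sample export: RedGirl as the thread describes it (driver service,
# automatic start), a normal Windows service, a disabled driver and an orphan
# whose program was uninstalled without removing its key.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + SERVICES_PREFIX + "RedGirl]",
    '"Type"=dword:00000001', '"Start"=dword:00000002',
    reg_expand_sz("ImagePath", r"\??\C:\WINDOWS\system32\RedGirl.exe"),
    '"DisplayName"="RedGirl"', "",
    "[" + SERVICES_PREFIX + "RedGirl\\Enum]",
    '"0"="Root\\\\LEGACY_REDGIRL\\\\0000"', '"Count"=dword:00000001', "",
    "[" + SERVICES_PREFIX + "Dhcp]", '"Start"=dword:00000002',
    reg_expand_sz("ImagePath", r"%SystemRoot%\system32\svchost.exe -k netsvcs"), "",
    "[" + SERVICES_PREFIX + "Beep]", '"Start"=dword:00000004',
    reg_expand_sz("ImagePath", r"system32\drivers\beep.sys"), "",
    "[" + SERVICES_PREFIX + "OldScan]", '"Start"=dword:00000002',
    '"ImagePath"="\\"C:\\\\Program Files\\\\OldScan\\\\scansvc.exe\\" /service"',
])

FILES_ON_DISK = [                      # constructed stand-in for a directory listing
    r"C:\WINDOWS\system32\RedGirl.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\drivers\beep.sys",
]


def triage_sample():
    return triage_services(parse_reg(SAMPLE_REG), FILES_ON_DISK)


if __name__ == "__main__":
    for name, verdict in sorted(triage_sample().items()):
        print("%-10s %s" % (name, verdict))
```

The verdict that matters for the question in this thread is the difference between "ACTIVE" and "orphaned": a Services key whose binary is gone is a leftover that cannot run, while an automatic-start key whose file is present will be launched by the Service Control Manager at the next boot even if the antivirus has nothing to say about it. The matching Enum\Root\LEGACY_<NAME> keys that the original post found are created by Windows itself for any non-Plug-and-Play driver service, which is why they appear alongside the Services key.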

                agnostida

                  Topic Starter



                  Re: Need help removing RedGirl Trojan
                  « Reply #13 on: December 06, 2008, 01:22:29 PM »
                  So I have uninstalled and reinstalled AVG.  Everything else I am keeping.

                  Wow.  I have a clean machine!  Chris, I cannot thank you enough for your generous patience and expert help.  I feel empowered!  With your detailed guidance I was able to tackle this problem and succeed.  I am walking taller.  Although believe me, I do realize you were the actual one who did the work.
                  Still.  A clean machine!

                  One last question (or set of related questions).  Should I uninstall HijackThis?  I was thinking of keeping it since I might need it in the future.  And why were we asked to rename it Sniper?

                  Many, many thanks.  You have my sincere gratitude and admiration.

                  CBMatt

                  • Mod & Malware Specialist


                  Re: Need help removing RedGirl Trojan
                  « Reply #14 on: December 06, 2008, 03:46:52 PM »
                  You are very welcome indeed; I'm glad things are going well.  Whether you keep or remove HijackThis is up to you.  Just be aware that you shouldn't modify the results without being instructed by a specialist.  I would hate for you to accidentally remove something important.

                  We instruct renaming it Sniper because some infections are able to hide themselves when they see HijackThis.exe running.  By renaming it to sniper.exe, infections are less likely to detect HijackThis, which increases our chances of finding the malware.