Can't get rid of trojan.win32.agent.cs

Hi! I desperately need your help.

I started receiving a message from my anti-virus that W32/Agent.MY was found in an infected file C:\WINDOWS\Fonts\abrlib.dll. It was unable to disinfect the file so I tried some other anti-virus software and ultimately went through all of the suggested scans as advised on your site (Trend Micro, Symantec, McAfee Stinger, Ad-Aware, etc.). Most of the programs found the virus but were unable to delete it (I have taken notes of messages I received if you need further information). After all of those were unsuccessful I installed the Hijack This program and saved a log file. I am reluctant at this point to start deleting because although I read the instructions carefully, I am not confident that I will choose the right files to delete.

My next step would be to take my computer to a professional but would prefer to save some money and do it myself if possible...which is where you come in! I would greatly appreciate any advice you can give.

Thanks so much!

 

Hi,

Download Hijackthis at https://netfiles.uiuc.edu/ehowes/www/merijn/HijackThis.exe

and post your log before ou try deleting something

Sgt.

 

Please take the time to familiarize yourself with how things work in this forum before offering your help to members. Hijack this is not a virus or spyware remover...there are other steps that need to be taken before using it. Additionally, if providing links to downloads we ask that you link to downloads here at MajorGeeks rather than to other sites. Thank You.



@ emilyc:

Please read the Announcement at the top of everypage in the Spyware Forum. Also please read and follow the sticky thread guidelines.

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

 

Okay, I have attached my log.

Thank you!!!

 

Please look in Add/Remove Programs and uninstall the following programs:

Viewpoint

NEXT:
Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

To create a new folder:
Click START > My Computer > Local Disc C: > Program Files
Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

To Extract HijackThis:
Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
(C:\Program Files\HJT) and click Next.

Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

 

Okay, here's the new log...

Thanks!

 

Download Pocket KillBox
(Don't run it yet)

The first thing I notice is that your running Command Software Systems Anti-Virus and Kaspersky Anti-Virus. Running two antivirus programs is NOT recommended. It can cause conflicts on your computer so pick ONE and uninstall the other.

Now scan with HijackThis and Check the Boxes for the following:

Make sure All Browser Windows are Closed when you Click FIX.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca10.hpwis.com/

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} -C:\WINDOWS\Fonts\abrlib.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab

O20 - Winlogon Notify: abrlib - C:\WINDOWS\Fonts\abrlib.dll

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Locate PocketKillbox

Now, Copy and Paste C:\WINDOWS\Fonts\abrlib.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

DURING THE REBOOT, BOOT INTO SAFE MODE!

NOW:
Navigate to and DELETE the following if they should remain:

C:\Program Files\Win Comm ←–– Delete this whole folder if it exist!

C:\WINDOWS\Fonts\abrlib.dll ←–– Double check to make sure this file is gone, if not right click and delete it!

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.
Note: Dont forget to update Spybot S&D by selecting "Search For Updates"

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin

And Click OK.


Reboot to Normal Windows

FINAL STEP

Reset Web Settings & Default Security Settings:


To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


After doing ALL of the above,
Scan with HijackThis and attach the new log.
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

Good Luck!

 

No luck unfortunately!

The virus is still being found. I also receive an error message everytime I restart my computer which has only happened since I went through all of the scans the other day. It says "Runner Error: Invalid BackWeb application id '1940576'".

I have attached the new hijack this log.

Thanks for your help.

 

Have HJT create a startup list. Post that log to your next post.

 

Here you go!

 

Boot into Safe Mode

Click Start > Run > type in the following:

regsvr32 /u C:\WINDOWS\Fonts\abrlib.dll

If you get any errors or anything let me know!

Special step to delete abrlib.dll:
- Click Start, Run, and enter cmd in the box and click OK. This opens a commend prompt windows.
- Enter the following command lines each followed by the enter key
cd C:\WINDOWS\Fonts\
attrib -r -h -s abrlib.dll
del abrlib.dll
exit

Now, run CCleaner!

After running CCleaner reboot into Normal Mode and attach a fresh HJT log.

 

Okay, so part 1 went fine with a RegSvr32 message saying it "succeeded".

Part 2 did not. After I typed the command "del abrlib.dll" it said "This process cannot access the file because it is being used by another process".

I still ran CCleaner and have attached a new HJT log.

I really appreciate all of your help and your patience! I'm still staying positive that we will get rid of this!

Thanks.

 

If everything went ok with the unregistering. Boot back into Safe Mode and try to manually delete the file.

While in Safe Mode scan with HJT and have it fix the below entries:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} -C:\WINDOWS\Fonts\abrlib.dll

O20 - Winlogon Notify: abrlib - C:\WINDOWS\Fonts\abrlib.dll

 

Okay, I went into safe mode and tried to delete the file and it said "Can not delete the file because it is being used by another person or program".

I was able to delete the 2 entries from HJT though.

Does it make a difference if I boot in "safe mode" or "safe mode with networking"? Should I unplug my modem when I am trying to delete the file? I'm not really sure what this file is and don't know much about these viruses but is someone actually accessing my computer from somewhere else? While in safe mode, should I ctrl+alt+del and end a process that is running?

Where did this thing come from and why is it so difficult to delete!!??

Thank you.

 

Safe Mode w/ Networking is Safe Mode with networking components so your able to access the internet in safe mode, very nice.

I prefer regular Safe Mode for this removal as its a pain to remove sometimes. Anyway, this is part of Trojan.Vundo and can be difficult to remove sometimes.

Lets procede with the fix, download the following removal tools:

• Trojan Vundo Removal Tool
• Trojan Vundo B Removal Tool

Now, Reboot into SAFE MODE and run these removal tools one at a time. Afterwards reboot into normal mode and attach one last HJT log.

Also, as a reminder, be sure System Restore IS DISABLED!

 

Neither of those tools even found the virus. Very strange.

Also, when I boot into regular safe mode, my computer becomes unstable or something and my screen goes black after only a minute or so. It does not seem to do that when I boot in safe mode with networking.

I have also tried to manually delete the file again using the safe mode with command prompts and was still told it was being used by another process. Is there any way of finding the process that is using the file, ending it, then deleting the file?

I can't believe this! Please don't cut me off!

I have attached another HJT log. Oh yeah, and I double checked that my system is not set to restore.

Thanks!!!!!!!!!!!!!!!

 

Quote AbbySue

No Problem, sorry for that

Quote AbbySue

I think, the best before running Hijackthis, would be to reboot on to "safe Mode"

 

Running HJT from Safe Mode does NOT show all entries & processes as normal mode would show. NEVER run HJT from Safe Mode unless special requested by a professional. Sometimes the infection(s) are so bad you have to start by doing this, but very rare.

Closing your browsers and other progams is the easiest thing to do. If you cant follow those simple instructions then you dont need a computer. LOL!

 

emilyc,

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!

NOW, Boot Into Safe Mode!

After your in Safe Mode, open the folder C:\WINDOWS\FONTS

Now, hit Control+Shift+Esc to open Task Manager. End TASK on explorer.exe
(Your desktop will disappear, this is normal)

Now, use Alt+Tab to scroll back to the C:\WINDOWS\Fonts

Now, delete the file:

abrlib.dll

Reboot and attach a HJT log.

 

I added the fix.reg to the registry but had problems with the other part. Two things:

1) While in safe mode, alt+tab does not work. When I end "explorer.exe" the font folder I opened seems to close also so I have no way of getting back to it; and

2) I do not see the file abrlib.dll in the fonts folder but when I do a search it is there (even though I have it set to show hidden files) so I'm not sure I would be able to just delete it from the folder.

Hmmmm...

 

Attach a current HJT log, lets see what remains.

 

Oh my gosh I think it's gone!!! Yay!!!!!!! Thank you so much!!!

Now, my only problem is when I reboot I get the message "Runner Error: Invalid BackWeb application id '1940576'".

Attached is the new log.

Thank you!!!

 

Your HJT log is clean!

Now, for the other problem you mentioned. Since you are now Malware free, please post this problem in the Software Forum. Those guys will get you all fixed up.

For the time being, please follow all of the steps in this thread.

How to Protect yourself from malware!

 

Excellent! Thank you so much for all of your help...I know it was a huge pain. I feel like I should pay for it. Is there anywhere I can donate or something?

Thanks!

 

Yes, #22 did the trick - thanks!

So I have looked in C:\documents and settings\username\Start Menu\Programs\Startup. Instead of "username" I have "administrator", "all users", "default user" and "owner". The only file in common with all of them in the startup folder is "desktop.ini".

I posted my question to the Software Forum and had a user instruct me to do the following:
"Start>Run>type "msconfig" and hit enter>goto "Startup">Scroll down and find the Backweb Agent and untick the box> Click Apply/Ok>Restart the computer and see if it helps

*Again* Backweb is an unneccessary program provided by HP/Compaq that sends information from your computer to the HP Centre. Aas it has no effect on your computer whatsoever, it is safe to disable from the Startup options . If the warning should re-appear after doing the above steps, then if you are WinXP, you would need to turn off your System Restore before doing the above steps and then turn on System Restore after you are done....then restart your computer which will give you a brand new restore point without Back Web in it........ "

I haven't done it yet. Do you agree with this?

Thanks!

 

Okay, attached is the Startup List Log. I don't really understand what you mean by doing that for each user. There doesn't seem to be any way to specify the user. Also, I couldn't find that .lnk file so couldn't delete it (as per #26).

Thanks!

 

Okay, I searched for Compaq Connections.lnk and it found it 4 times (they are all shortcuts).

One is just called Compaq Connections and is in C:\Documents and Settings\All Users\Start Menu\Programs\Startup.

The other 3 are called Compaq Connections, About Compaq Connections, and Disable Compaq Connections are all found in C:\Documents and Settings\All Users\Start Menu\Programs\PC Help & Tools\Compaq Connections.

Should I click on Disable Compaq Connections?

Thanks!

 

When I click delete it says "Deleting the shortcut to Backweb-1940576 only removes the icon. It does not uninstall the program." Should I uninstall the program? Do I need it for anything?

Thanks!

 

Sorry...I'm high maintenance!

After deleting 2 shortcuts, I just found "BackWeb-1940576.exe" in C:\Program Files\Compaq Connections\1940576\Program\. That's what I should be deleting right? Just want to make sure. I searched for "backweb" and found about 60 for Spybot and 4 others under BackWeb Client/6.2.3.66L/Program. Are they bad?

Thanks!

 

Well, it looks like deleting the shortcuts worked!

Thank you very much for your help. My computer is running so perfectly now - what a relief!

 

emilyc,

Glad everything is running good for you

To keep your system clean, I would recommend following ALL of the steps in this thread.

How to Protect yourself from malware!

Browse Safely!