Trojan?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Mycologic, Aug 30, 2007.

  1. Mycologic

    Mycologic Private E-2

    Hi, I got a virus a while back and you guys were awesome and helped me fix it. That problem is all cleared up, but my computer has been doing some weird stuff lately so I'm back (sorry) hoping that you can help me figure it out. I've had some odd problems getting some stuff to open. Nothing would happen when I double click on it and I would have to right click on it and select "open". The thing that really alarmed me is that I can't get the Bodog Poker client to open at all. Zone Alarm also started giving me messages asking if WMP54Gv4.exe should be allowed to access the net. I recently added a Linksys wireless network connection, which is what that is, but it seemed weird that it would need clearance when I told Zonealarm to remember that when I first installed it and it hasn't asked since. It also seemed weird that it would happen at the same time as those other things. I checked the AVG test results (it is scheduled to run nightly), and it had found some trojans, but had been unable to heal them because they were embedded in the archive. So I deleted the .rar file that AVG said was infected, and then came back here and followed the Malware Removal Guide. I still can't get Bodog to open. I'm not sure if there is just some weird unrelated problem with that specific program, but it seemed like several things got weird at the same time. I was unable to run Bitdefender, and had to run Panda Active scan in normal boot mode. I didn't see much of anything but tracking cookies come up in the scans I ran, so once again I am thoroughly :confused, and would appreciate some help.
     


  2. Mycologic

    Mycologic Private E-2

    Here's the Shownew and HJT logs. The recent AVG AV scans I ran said that kernel32.dll, user32.dll, shell32.dll, and ntoskrnl.exe had changed. The trojan that it found was listed as "Trojan horse PSW.Generic4.VMJ". I never ran the file that was infected, so I wouldn't think it spread, but I'm confused, please help.
     


  3. abri

    abri MajorGeek

    Hi Mycologic,
    Your problems may not all be related. Please run this:
     
  4. Mycologic

    Mycologic Private E-2

    I downloaded and ran BlacklightBeta like you said. It doesn't look like it found anything but I'll attach the log. I looked at the AVG test results again, and last night's scan came up clean. I guess it was just seeing a trojan in that file I had downloaded, but I never ran or opened the file so I guess it didn't spread to my computer? The only other thing that AVG had found in the past was in the Java cache and says "virus identified Java/ByteVerify", but AVG deleted it and it hasn't come up since. I still can't get the Bodog poker client to open. When I click on it the hourglass comes up by the cursor but it never opens. This is strange because I've been using it for a while and never had any problems like this before, and that problem started the same time as those other odd things that I mentioned in my previous post.
     


  5. Mycologic

    Mycologic Private E-2

    OK, here's an update on the situation. I tried to go to Bodog's homepage @ www.bodog.com but it wouldn't load, which I thought was quite odd. I did a search and came across someone on Yahoo Answers talking about Bodog, and apparently there is some kind of legal dispute with that web address, so it (temporarily?) changed to www.newbodog.com. I looked there for some support help and it seems like their recommendation if you are having any trouble with the software is to uninstall it, then download and install the latest update. Reluctantly I tried that, and it worked! The program opens now. I still don't understand what happened to make it stop working, but I guess that's water under the bridge now. Maybe this has been a coincidental bunch of glitches and trojan scares. One thing I forgot to mention was that when these problems first popped up I googled WMP54Gv4.exe and came across a page that said "Some malware camouflage themselves as WMP54Gv4.exe". So having that trigger Zone Alarm when it should have already been cleared, together with AVG finding a trojan and Bodog not opening, I was pretty sure that there was something going on. I'm still not sure about it, maybe I am infected, but it kinda looks like it may have been a false alarm?
     
  6. abri

    abri MajorGeek

    Hi Mycologic!
    I'd read that about Bodog also and was going to suggest reinstalling as the next thing. You beat me to it! :) It often happens that problems come all at the same time and it's the greatest temptation to think they're all related, because it's logical they could be. The virus checkers do pick up things in incoming mails and it's best to not only delete those e-mails, but to run CCleaner afterwards to make sure they're out of the trash bin as well. It would be worth your time to read our How to Protect yourself from malware!

    It offers good tips for a couple of good preventative programs which most people don't know about and I've found the combination of tools and suggestions there to be very useful.
    If you have any other questions or problems, please look around the site. There's a lot here!
    Good luck to you!
    abri
     
  7. Mycologic

    Mycologic Private E-2

    Hey Abri, thanks for the help, what you guys do here is SOOO cool, you rock! :dood I went through the How to Protect yourself from malware! guide after the first time I came here with that virus. I run AVG nightly, and I've got spybot, ad-aware, AVG Anti-Spyware, ZoneAlarm, CCleaner, & a-squared(though I haven't really done much with that one yet). I've been running Firefox for quite a while now.

    Anyways, the Bodog thing is solved, but I'm still having some weird glitches or something that I wanted to check on. For a while I was getting a weird message about the Linksys Wireless Network Monitor, which said: "Access violation at address 0040756D in module 'WMP54Gv4.exe' Read of address 00000368" We recently added a wireless network connection to my computer, so it had something to do with that. Then a Windows security alert popped up saying AVG was off, but I checked AVG and it said that everything was up and running. I'm not sure what caused that, but it finally went away so hopefully it wasn't a symptom of a larger problem. There's one other thing that came up that I'm still having problems with. At least a dozen times a day I get a ZoneAlarm security alert that says: "InstallShield Update Service Agent is trying to access the trusted zone. application: agent.exe" This won't stop, it keeps popping up, and I've allowed and denied it, but haven't noticed anything different either way, but it WON'T GO AWAY, which is driving me nuts. What is that all about? I'm not sure if I'm supposed to block it or give it access, but I guess if I find out what it is and what I'm supposed to do with it I can tell ZoneAlarm to remember that setting and stop bugging me. So as usual I need some guidance, help!
     
  8. abri

    abri MajorGeek

    Hi Mycologic!
    Normally it's an update service used by companies like Macrovision to look for their updates. If it's in the folder C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe it is legitimate. If you find agent.exe in another place, please tell me.
    You can tell Zone Alarm not to allow it access to the internet and to always accept this setting.
    Additionally, you can run HijackThis (look in the READ & RUN ME for installation instructions) and see if you have the following line:
    Be sure if you find it, that it has the word -start at the end of the line. If so, you can tick this line and have HJT fix it (making sure you exit all browsers first). This will keep it from loading at start-up. Please do not fix any other lines. Your goal is to keep it from plaguing you, not to disable any software associated with it.
    Tell me if this works.
    Also, please tell me if you are using ZoneAlarm free or Pro. Pro is a bit overly ambitious sometimes and gives warnings about things like your antivirus trying to make changes to the registry. Generally with ZoneAlarm (I use free), I simply say no to everything, and if something doesn't work, I reboot and say allow the next time around. Once I've established that a program will only work if connected to the internet, then I tick the box to always use this setting.
    If you go to Start/Settings/Windows Firewall, the Windows firewall should be set as disabled. If you go to Start/Settings/Security Center, despite having Windows Firewall turned off, it should still list you as having an active Antivirus (green) and an active Firewall (green). If it gives you a warning that your Antivirus is not connected, this could be because your computer has not yet connected to the internet. AVG picks up updates whenever you connect to the internet. If it gets behind in its updates, it turns black and then your Windows Security Center registers this as your having no antivirus. Just connect to the internet and let it update. That will usually satisfy both of these programs.

    abri
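The check abri describes above (a copy of agent.exe is expected only in the InstallShield UpdateService folder, and any copy elsewhere is worth reporting) is easy to automate. The script below is an added example written for this thread; it is not a MajorGeeks tool and not something either participant posted. It walks a directory tree, collects every file named agent.exe regardless of case (NTFS is case-insensitive), and splits them into copies sitting in the expected folder versus copies found anywhere else. The expected folder is taken from abri's post; the scan root and the sample files in the demo are constructed so it runs anywhere, and the names `classify_copies`, `build_demo_tree` and `run_demo` are this example's own. Location alone is a heuristic, as in the thread: a copy in the right folder is not thereby proven clean, but a copy outside it is the thing to bring back to the helper.

```python
"""Find every copy of a named executable under a root directory and report
the ones outside the folder where the legitimate copy is expected.

Added example for this thread (not code from MajorGeeks or the posters).
Assumes the expected location given in the thread for agent.exe:
    C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\agent.exe
The demo tree below is constructed; it is not a real system image.
"""
import os
import tempfile
from pathlib import Path

# Expected folder, relative to the scan root (the drive root on a real
# machine), as posted in the thread.
EXPECTED_REL = "Program Files/Common Files/InstallShield/UpdateService"


def _lower_parts(path):
    """Split a path into case-folded components so comparisons behave the
    way a case-insensitive file system would."""
    return tuple(p.lower() for p in Path(path).parts)


def classify_copies(root, name="agent.exe", expected_rel=EXPECTED_REL):
    """Walk `root` and return (legitimate, unexpected): absolute paths of
    files whose name matches `name` case-insensitively, split by whether
    their folder (relative to `root`) equals `expected_rel`."""
    root = Path(root)
    expected = _lower_parts(expected_rel)
    wanted = name.lower()
    legitimate, unexpected = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder_parts = _lower_parts(Path(dirpath).relative_to(root))
        for fn in filenames:
            if fn.lower() != wanted:
                continue
            full = os.path.join(dirpath, fn)
            if folder_parts == expected:
                legitimate.append(full)
            else:
                unexpected.append(full)
    return legitimate, unexpected


def build_demo_tree(base):
    """Create a constructed tree: one copy in the expected folder, two
    stray copies (one with odd casing), and one unrelated file."""
    files = [
        "Program Files/Common Files/InstallShield/UpdateService/agent.exe",
        "Windows/Temp/agent.exe",      # constructed stray copy
        "Documents/Agent.EXE",         # constructed stray copy, odd casing
        "Program Files/Other/update.exe",  # different name, must be ignored
    ]
    for rel in files:
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ placeholder")  # constructed content, not a real PE
    return files


def run_demo():
    """Build the demo tree in a temp dir, scan it, and return the findings
    as root-relative POSIX paths so the result is stable across platforms."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        legitimate, unexpected = classify_copies(base)
        rel = lambda p: Path(p).relative_to(base).as_posix()
        return {
            "legitimate": sorted(rel(p) for p in legitimate),
            "unexpected": sorted(rel(p) for p in unexpected),
        }


if __name__ == "__main__":
    result = run_demo()
    print("In expected folder:", result["legitimate"])
    print("Elsewhere (report these):", result["unexpected"])
```

On a real machine you would call `classify_copies(r"C:\")` and hand the `unexpected` list to the helper; the `run_demo` function exists only so the logic can be exercised on a constructed tree without touching the system drive.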
     
  9. Mycologic

    Mycologic Private E-2

    Hola Abri,
    Thank you for the much needed guidance! I searched my computer and the update service agent was only in the folder you said it should be. I told ZoneAlarm to deny it and remember that setting, so it looks like that problem has been solved. It seems kinda strange to me that this came up, because I've been running ZoneAlarm for several months now and haven't had anything like that before. Anyway, I ran Hijack This, but didn't see the line you mentioned.

    I have the free ZoneAlarm, thanks for the tip on managing stuff with it. The Windows firewall is off, but in the system security the firewall and anti-virus are both green. I guess I must have been doing something and missed an AVG update, so Windows scared me and told me it was off.

    So, I believe everything is up and running smoothly, thanks to you. Again, I am so impressed by, and grateful for the service that the people here provide! :drool Keep up the good work. :major
     
    Last edited: Sep 11, 2007
  10. abri

    abri MajorGeek

    Hi Mycologic,
    There are a few final cleaning instructions we always do to get rid of the tools we used on your computer and the logs they created. If your computer seems to be working fine, please follow the instructions in the box, including setting a new restore point. Also, please take the time to read through the How to protect your computer from malware, as it has some good tips in there. It's possible the reason that Zone Alarm started giving you warnings about the update service agent, where it hadn't for months before, is because one of the companies whose software you're using, decided to start using it as part of their package and simply installed it during one of their updates. If you find you need it for updates later, you can always go into Zone Alarm and allow it again under the programs list.
    Here are those final instructions:

     
