Win32.trojan.agent and Ad-Aware/antivirus problems.

Discussion in 'Malware Help (A Specialist Will Reply)' started by arw8506, Aug 1, 2008.

  1. arw8506

    arw8506 Private E-2

    Hello, and thanks in advance for any help you can give! I know there were a few threads already about win32.trojan.agent infections, but they all seem different than my problem. Mine does not have the pop-ups telling me that my computer is infected and asking me to download software to get rid of it, instead it's affecting my ability to download updates for Ad-aware and my antivirus (e-Trust).

    I first noticed a problem when my computer started running more slowly, so I ran Ad-Aware on 7/29/08 and it found the win32.trojan.agent. Unfortunately, I hadn't run Ad-Aware since 5/12, so I have no idea how long it's been on my computer. I quarantined it and read in previous threads that it often comes back, so I ran Ad-aware again on 7/31, and it was back again. However, when I tried to quarantine it this time, Ad-aware had an error message pop up that said something about being unable to continue, and the program closed before I could quarantine it.

    Since then, my antivirus will not download new updates, which it is supposed to do automatically. I have tried to do it manually as well, and both ways the downloader will start and then not finish. I did run all of the READ AND RUN ME FIRST procedures in the order listed. Then I tried Ad-aware again. This time, Ad-aware did not find the win32.trojan.agent, but there is still a problem with my antivirus and Ad-aware being able to download updates.

    Thanks so much for your help!
     


  2. arw8506

    arw8506 Private E-2

    Here's my Hijack This log. Also I should mention that Spybot only found 12 tracking cookies.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The procedure does not ask for a HijackThis log. You need to attach the C:\MGlogs.zip file that was requested from running MGtools.
     
  4. arw8506

    arw8506 Private E-2

    Oops, here it is. Thanks!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs do not show any malware issues.

    What version of Ad-Aware are you using? It is really not that helpful with the current malware that exists in the world. You would be much, much, much better off with SUPERAntiSpyware than Ad-Aware anyway.

    If you still have problems updating your antivirus, make sure that you are not blocking the updates within your own firewall. Otherwise an uninstall, reboot, reinstall may be required.
     
  6. arw8506

    arw8506 Private E-2

    Thank you, chaslang, for checking my logs and the antispyware advice! Unfortunately, I'm pretty sure that my computer is still having problems. I was able to reinstall my antivirus and it is now receiving updates properly.

    However, now SUPER antispyware is acting up. Last night, I was running a scan and left my computer for about 12 minutes. When I got back, it was still stuck on scanning my registry and had not moved on to the files, however, the number of registry files scanned was stuck around 4100 and the files it was claiming to scan looked questionable. I tried to abort the scan, but it would not allow me. Trying to close SUPER antispyware through task manager did not work either, instead I got a message that "This program cannot be closed because it is locked by the system." I had to manually shut down my computer without closing.

    Tonight, I tried it again, with the exact same problem. The program is stuck on scanning: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internetsettings\ZoneMap\Domains\a variety of questionable endings, such as names of various spyware, adult-themed content, etc.

    Even though you said that Ad-Aware is not as useful as SUPER anti-spyware, I decided to run it again to see if the win32.trojan.agent was back, since it has been the only program that has detected it. (I have the 2008 version of Ad-Aware). This time, it detected 3 of them, which I was able to successfully quarantine. After quarantining in Ad-Aware, SUPER anti-spyware still is scanning bogus registry items and not moving on to the files.

    So, my question for you is: even though my logs were clean, do I still need to be worried about being infected with the trojan? If so, what is my next step?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Whatever they are, they are not due to any existing malware.

    Those are not questionable or problem registry entries. They were put into your registry by Spybot (or similar) to protect you from malicious websites. You can remove all of these temporarily by running the below:


    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    After deleting these you can see if SUPERAntiSpyware will continue. Frequently when a program gets stuck while scanning the registry, it can be a sign of registry corruption.

    Once you are sure you have resolved this issue, you will need to "Immunize" with Spybot again because deldomains will remove all of the sites Spybot adds.


    Without seeing a log from Ad-Aware I cannot comment on what it may have found. All I can tell you is what we know from much experience, and that is that Ad-Aware is not that effective compared to many other tools. Yes, you can always notice that one tool may find something not reported by another tool. You could go on to run another 20 different applications and they may each report something not reported by the others. However, in many cases, what is being reported is either insignificant leftovers, false positives, or just something one program scans for that the others do not. All Ad-Aware may be reporting to you is something in System Restore (which is the System Volume Information folder). If this is the case, completing my final instructions below will take care of System Restore entries.

    You are not infected!

    Now we need to cleanup some items from running ComboFix.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combo-fix" /u
        • Note: the space between combo-fix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combo-fix folder from combofix.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
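As an added example for the ZoneMap explanation in the post above (it is not from the thread and not part of DelDomains, Spybot or SUPERAntiSpyware), here is a PowerShell script that enumerates the same HKLM ZoneMap\Domains key and summarises the entries per Internet Explorer security zone. A very large Restricted-zone count is what Spybot's Immunize leaves behind and is benign; the few Trusted-zone entries are the ones that actually relax browser security for a site, so they are listed in full for review. The `Get-ZoneMapEntries` function name and the output layout are my own choices.

```powershell
# Added example (not from the thread): audit the ZoneMap\Domains key that
# SUPERAntiSpyware was crawling. IE zone ids stored as DWORD data:
# 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# The thread's key is under HKLM; a per-user copy also exists under HKCU.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

function Get-ZoneMapEntries {
    param([string]$Path)
    # Each subkey is a domain; a nested subkey (e.g. 'www') is a host prefix.
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Rebuild 'host.domain' from the key path relative to ...\Domains\
        $parts = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8).Split('\')
        [array]::Reverse($parts)
        $fqdn = $parts -join '.'
        foreach ($valueName in $key.GetValueNames()) {
            # Value name is the scheme ('*', 'http', 'https'); data is the zone id
            [pscustomobject]@{
                Domain = $fqdn
                Scheme = if ($valueName) { $valueName } else { '(default)' }
                Zone   = [int]$key.GetValue($valueName)
            }
        }
    }
}

$entries = Get-ZoneMapEntries -Path $base

# Summary per zone: immunization shows up as thousands of Restricted (4) entries.
$entries | Group-Object Zone | Sort-Object Name | ForEach-Object {
    '{0,-10} {1,6}' -f $zoneNames[[int]$_.Name], $_.Count
}

# Trusted-zone (2) entries lower IE's security settings for that site: review each one.
$entries | Where-Object Zone -eq 2 | Sort-Object Domain | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before and after DelDomains to confirm that only the Restricted-zone entries disappear.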
