trojan horse Backdoor.Agent.ETK

Discussion in 'Malware Help (A Specialist Will Reply)' started by musclegalore, Apr 1, 2007.

  1. musclegalore

    musclegalore Private E-2

    Hello,

So I was recently scanning my computer, and out of nowhere, my AVG picked up this trojan horse. My AVG did delete it, but ever since, my computer has been very sluggish and slow. I've also noticed strange things such as when I go to Add/Remove Programs, some of my applications say I used them on 3/31/07 when I haven't touched them for ages! I've done all the steps that the Sticky had posted - they show no virus in the results, yet my computer is still very slow. I hope someone can help me out. Thank you. My logs are attached.

    P.S. My Panda ActiveScan resulted in no viruses detected and I couldn't find a way to export a log or report from it.
     

    Attached Files:

  2. musclegalore

    musclegalore Private E-2

    Here are the rest of my logs.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Is there a reason for you creating two user accounts? I refer to gasgalore

    Well you missed a few parts of the READ & RUN ME. Also slow PCs are more frequently related to what you are running than they are due to malware.

    Now to the finer points of what was missed in the sticky.

    Step 0 - You did not uninstall Viewpoint Media Player in step 0.
    Step 3 - You still have Symantec Internet Security Suite installed and you also have AVG7.

    Uninstall all of the below now.
    • Symantec KB-DocID:2003093015493306
    • Symantec Technical Support Web Controls
    • Viewpoint Media Player
    If they do not show in Add/Remove programs or if they will not uninstall, tell me.

    Is your copy of Spy Sweeper a paid version or a free trial? If paid you should now uninstall AVG Antispyware to avoid conflicts and the additional use of system resources which will slow you down too. Note also that Spy Sweeper has been known to slow down some PCs.

    You should also uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    Mozilla Firefox (1.5.0.11)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    You can also do the below to have HijackThis remove some non-malware items that are wasting system resources.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now attach new logs from ShowNew and HJT and tell me what current malware problems you are having if any.
     
  4. musclegalore

    musclegalore Private E-2

    I initially created that account and tried posting a topic on the forum, but for some reason, even if I clicked submit, my topic wouldn't appear on the topic list (but now it is, for some reason). I assumed there was a problem and created a new one.


    I completed the tasks you posted above. I was wondering how come malware may not have anything to do with my computer being sluggish, because my computer started becoming this way after I discovered that trojan horse. Like I said, not only was my computer acting slow, it was doing weird things such as the clock being 2 hrs ahead, and the [add/remove programs] thing saying I used a program on a day I didn't.

    My computer seems to be a bit faster, and I will monitor it some more and let you know.
     
  5. musclegalore

    musclegalore Private E-2

    sorry, here are my logs
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you do not show any real signs of major malware after doing all the scans, then you just don't have any. You have to also consider whether you installed any new software just prior to the problems or even if you updated any software. Updates to anything including your Windows OS. Don't forget, you may have some software set to automatically update. Thus you would not even know it occurred.

    I cannot explain your clock but it is not malware. And Add/Remove Programs typically gives incorrect information for when a program was last used. In fact, I often see it telling me something was last used a couple of years ago when I just used it today. Again, this is not malware.

    You still have a component of Symantec installed which is also running a service and wasting resources. Uninstall LiveUpdate 3.0 (Symantec Corporation)

    Also have HJT fix the below left over from uninstalling Spy Sweeper:
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


    Now attach a new HJT log. I want to make sure the service for LiveUpdate goes away.

    Is your PC running any better?
     
  7. musclegalore

    musclegalore Private E-2

    I followed your recent steps. My PC has been running a bit smoother, but it is quite slow most of the time. Could my PC be acting this way because a hacker had or is controlling my computer? He may have used that backdoor.agent.etk to get in, possibly? Thanks.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt it, but let's dig a little deeper even though I do not expect to find anything.


    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.




    When is the last time you did a defrag of your hard disk?
    How about an error check on the hard disk?
     
  9. musclegalore

    musclegalore Private E-2

    Looks like it found nothing.


    The last time i did a disk defrag was about 2 days ago.
    I've never heard of error checking, so I've probably never done that.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that was what I suspected. I don't think you are having malware problems and I will probably be sending you off to the Software Forum, but first I want you to try something.

    Click Start, Run, and enter msconfig and click OK.

    • Now in MSconfig select the Services tab and check the box at the bottom to Hide all Microsoft Services
    • Now locate the service or services for ZoneAlarm. You should see TrueVector for the service and ZoneLabs for the Manufacturer.
    • Uncheck everything from ZoneLabs (it may just be TrueVector)
    • Now click Apply
    • Then click the Startup tab and uncheck zlclient which is also for ZoneAlarm
    • Now click Apply and OK
    Then reboot your PC. Does it seem significantly better?

    Do not run with ZoneAlarm disabled for any length of time. Just check to see if it is noticeably better and then run MSconfig and select Normal Startup to get your firewall back in place.
     
  11. musclegalore

    musclegalore Private E-2

    I am on Windows 2000, so I'm assuming I go to Control Panel, Services, and disable TrueVector on startup?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ooop! Sorry I forgot that you were on Win2K (too many threads in progress).

    Yes run services.msc and stop and disable the service. You will have to undo that at a later time.

    And to temporarily stop zlclient from starting up, you can have HJT fix the below line:

    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

    It will be saved in HJT's backups and you can restore from the backups after checking things out.
     
  13. musclegalore

    musclegalore Private E-2

    Sorry for the late reply. I followed your instructions regarding ZoneAlarm. The speed is still a bit sluggish. I'm assuming you'll be transferring me to the software forums now?
     

    Attached Files:

  14. musclegalore

    musclegalore Private E-2

    Also I was looking at the Processes window from Task Manager, and I noticed that vsmon.exe was using a whopping 38,000k and zlclient.exe was using about 9,000k of memory. Do you think ZoneAlarm may in a way be slowing down my comp, or should I ask this in the software forum? When I turned them off, like I said, the comp was still a bit slow and sluggish, but maybe I couldn't notice the improvements?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes trying to stop a program from running is not as effective as uninstalling.

    Try uninstalling ZoneAlarm (just as a test) and then reboot and check your performance.

    Also just as an additional check, run the below.

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  16. musclegalore

    musclegalore Private E-2

    No luck so far still.

    I already scanned fsbl and posted the log in one of my earlier posts. I did it again anyways and no items were found.
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall ZoneAlarm?

    Sorry about that. I meant to just ask you to run a second scan just to make sure nothing showed up.

    How do things run when you boot in safe mode?

    What happens if you boot into normal mode but use a different user account?

    Note: you do have a few other items running at startup that you don't need.

    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
     
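A small parser for the HijackThis line formats quoted throughout this thread (O4 Run keys, O4 Global Startup items and O20 Winlogon Notify entries), added here as an example; it is not part of the original thread and not code from the HijackThis tool. It separates the program path from its switches and flags orphaned "(file missing)" entries such as the WRNotifier leftover above; the sample log is constructed from the lines quoted in the thread.

```python
import re
from dataclasses import dataclass
# Constructed sample input: the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

@dataclass
class HjtEntry:
    section: str        # HJT section code, e.g. "O4" or "O20"
    location: str       # where it autostarts from, e.g. "HKLM\..\Run"
    name: str           # registry value name, .lnk name, or Notify subkey
    target: str         # program or DLL the entry points at (quotes removed)
    file_missing: bool  # HJT's "(file missing)" marker: an orphaned entry

PATTERNS = [  # one pattern per line shape seen in the thread; groups are shared
    re.compile(r'^(?P<sec>O4) - (?P<loc>HK[A-Z]+\\\.\.\\Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$'),
    re.compile(r'^(?P<sec>O4) - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$'),
    re.compile(r'^(?P<sec>O20) - (?P<loc>Winlogon Notify): (?P<name>\S+) - (?P<cmd>.*)$'),
]

def _target(cmd: str) -> str:
    # Executable path without switches; a quoted path ends at the closing quote.
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd

def parse_hjt(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = next(filter(None, (p.match(line.strip()) for p in PATTERNS)), None)
        if not m:
            continue  # other HJT sections are not handled by this example
        cmd, missing = m["cmd"], False
        if cmd.endswith("(file missing)"):
            cmd, missing = cmd[: -len("(file missing)")], True
        entries.append(HjtEntry(m["sec"], m["loc"], m["name"], _target(cmd), missing))
    return entries

def orphaned(entries: list) -> list:
    # Entries whose file is gone: leftovers from an uninstall, the kind HJT is asked to fix above.
    return [e for e in entries if e.file_missing]

def autostart_programs(entries: list) -> dict:
    # Map each O4 autostart name to its executable, for review against what is actually installed.
    return {e.name: e.target for e in entries if e.section == "O4"}
```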
