Help... Trojan.downloader and Spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by emalvick, Apr 20, 2007.

  1. emalvick

    emalvick Private E-2

    I have bitdefender and it recently found a trojan: trojan.downloader.small.bfi.

It is unable to quarantine or delete the file, and when I tried to boot into safe mode (thinking I might be able to get rid of the file that way), my computer won't log in, hanging at agp440.sys.

    So, I started using my own Spybot Search and Destroy program and Ad-aware only to find that Ad-aware hangs on the file that has the virus.

    Well, that led me here. I ran through the Read & Run me first routine as much as I could.

Spybot S&D and Counterspy were both run and both didn't find anything.

I then tried to run the Bitdefender Online Scan, but it wouldn't run. The file attached is from my home copy of Bitdefender, which I am able to run. That shows the trojan.

I then ran the Panda Active Scan, which found a lot of Spyware (but not the trojan, that I could see). It couldn't get rid of any of it, but maybe I could delete the files it showed? I did run the CCleaner, which I thought would delete all the cookies.

    The other logs are attached in the following email (GetRunkeys, ShowNew, and Hijack this).

    Can you suggest any course of action?

    Thank you
     


  2. emalvick

    emalvick Private E-2

    Here are the other log files..

    Thank you.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

You did not run what we requested in step 6 for BitDefender Online scan. You attached a log from the BitDefender 9 Antivirus which you already had installed. The online scan often finds things that the full antivirus application does not find. You should follow the directions in step 6 and run the BitDefender online scan and attach a log from it. However all that being said, if all you are concerned with is the file that your BitDefender 9 Antivirus found, which was the below:

    C:\Documents and Settings\Administrator\Local Settings\Temp\hq21j6eo.rar


    Then just delete the file but it should already have been deleted if CCleaner was run before BitDefender. Look for yourself! The file is probably gone.


    You should uninstall CounterSpy now since it is no longer required.
     
  4. emalvick

    emalvick Private E-2

    As I mentioned in the initial post, I cannot get the file to remove. If you look at the log I posted, it states that the move and quarantine have failed.

As I also mentioned, for some reason the Bitdefender online scan will not run on my computer (and the Panda Scan does work). I did load the required activex controls... It keeps asking me to every time I try and seems to fail.

    The reason I posted the first time was because I cannot get rid of the file listed (it has been there every step of the way). CCleaner, my own deletes, and Bitdefender seem to be blocked from accessing this file.

    I also cannot get my computer to boot into safe mode, which might be related, I don't know.

     
  5. emalvick

    emalvick Private E-2

    Should I take this to mean that you see nothing else wrong with the logs? I really want to be able to get rid of that file, but I also want to be sure there aren't any other major problems. I'm not convinced that file (trojan) is the only thing preventing me from booting into safe mode. I don't like not being able to get into safe mode.

    It also bothers me that I cannot get the Bitdefender online scan to run when the installed program runs on my computer.

    Erik

     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And as I said, Ccleaner already removed it since it was in your Temp folder and that is part of what CCleaner cleans. Look for yourself. Do you see the file anymore?



    Not necessarily malware. And you don't really show any.

    The only other file of question (and that is unknown ) was in your last newfiles.txt log was:
    Code:
    "C:\Documents and Settings\Administrator\Local Settings\Temp\"
    uobihi~1.exe  Apr 19 2007        2560  "UOBIHIJXE.exe"
    You should be able to manually delete this or just run CCleaner with ALL other applications and browsers closed to remove this.


    Does Norton SystemWorks 2005 Premier include an antivirus??? As far as I know it does. That would also mean you are violating step 3 of the READ ME by having BitDefender 9 installed.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's correct.

    As stated, it is already gone.

    Not malware. See: http://support.microsoft.com/kb/324764
     
  8. emalvick

    emalvick Private E-2

    CCleaner does not delete that file. It is there. This is what I've said in my messages. It is there as plain as I can see.

    That exe file is one I don't know about, and anything that was put there yesterday is unknown to me as the only thing I did is run the scans outlined in the readme. The Panda Active Scan took 4 hours and the other hours of my day were spent at work.

As for the antivirus, I uninstalled the Norton Antivirus part of System Works because I didn't like how it worked, and the subscription ran out. I then bought Bitdefender. I kept the remaining part of Norton System Works because I wanted Ghost for backups, but only one Anti-virus on the computer.

    I just want to be able to get rid of that file, and it is assuring that you don't see much else. I am guessing this one file, whatever it is, may be blocking me from getting into Safe Mode?

    Erik

     
  9. emalvick

    emalvick Private E-2

    I just wanted to reiterate that while CCleaner is supposed to get rid of all temp files, it will not get rid of that one file. I'll try to post a screen shot of that folder / directory, later this afternoon... I'm not at that computer at the moment.

    Erik
     
  10. emalvick

    emalvick Private E-2

    Hey... by the way, thanks for that link. I'll give that a try, and it is a little reassuring to know that might be a separate issue. I generally feel like I do ok with keeping viruses off my computer and Bitdefender has worked excellent for the most part (except this one file), which it does flag as a virus.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then I would have to assume the file date is old since your newfiles.txt log shows only the below.
    Code:
    "C:\Documents and Settings\Administrator\Local Settings\Temp\"
    glauka~1.log  Apr 19 2007       16780  "GlaukaCommDll.log"
    JUNIPE~1      Feb 22 2007              "Juniper Networks"
    uobihi~1.exe  Apr 19 2007        2560  "UOBIHIJXE.exe"
    What is the date of this file?

    Try running the below! Again make sure no browsers or other applications are running.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Did that get it? If not, we will use Pocket Killbox to try and remove it. If the file system is corrupted, then it will not be able to remove this file so easily.
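The newfiles.txt excerpts quoted in this thread list, per directory, each file's 8.3 short name, date, size (blank for subfolders) and long name. The following is an added example, not part of the thread or of the tools it mentions: a small parser for that layout that flags executable-looking files in a Temp folder dated within a couple of days of a reference date, which is the triage the replies above do by eye. The sample log, the reference date of 2007-04-20 (the day the thread was opened) and the extension list are assumptions.

```python
import re
from datetime import date

# Constructed sample in the layout of the newfiles.txt excerpt quoted in the post:
# a quoted directory line, then one line per entry (short name, date, size, long name).
SAMPLE_LOG = r'''"C:\Documents and Settings\Administrator\Local Settings\Temp\"
glauka~1.log  Apr 19 2007       16780  "GlaukaCommDll.log"
JUNIPE~1      Feb 22 2007              "Juniper Networks"
uobihi~1.exe  Apr 19 2007        2560  "UOBIHIJXE.exe"
'''

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# 8.3 name, "Mon DD YYYY", optional byte size (absent for folders), quoted long name
ENTRY_RE = re.compile(
    r'^(\S+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+(\d+)?\s*"([^"]*)"$')


def parse_newfiles(text):
    """Return (directory, long_name, date, size_or_None) for each entry in the log."""
    entries = []
    current_dir = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Directory header lines are a quoted path ending in a backslash.
        if line.startswith('"') and line.endswith('\\"'):
            current_dir = line.strip('"')
            continue
        m = ENTRY_RE.match(line)
        if not m or current_dir is None:
            continue  # skip lines that do not fit the layout
        _short, mon, day, year, size, long_name = m.groups()
        when = date(int(year), MONTHS[mon], int(day))
        entries.append((current_dir, long_name, when, int(size) if size else None))
    return entries


def recent_executables(entries, ref_date, window_days=2):
    """Executable-looking entries in a Temp folder dated within window_days before ref_date."""
    exts = ('.exe', '.dll', '.scr', '.com', '.pif', '.bat')  # assumed watch list
    hits = []
    for directory, name, when, size in entries:
        if '\\temp' not in directory.lower() or not name.lower().endswith(exts):
            continue
        if 0 <= (ref_date - when).days <= window_days:
            hits.append((name, size))
    return hits


def triage(text, ref_iso="2007-04-20"):
    """Parse a newfiles.txt log and return the recent Temp executables to look at."""
    return recent_executables(parse_newfiles(text), date.fromisoformat(ref_iso))
```

Running `triage(SAMPLE_LOG)` on the sample returns only UOBIHIJXE.exe; the log entry and the subfolder are parsed but not flagged.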
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not address the question about Norton System Works and its antivirus.
     
  13. emalvick

    emalvick Private E-2

As I stated, I uninstalled its antivirus. Norton System Works is just a container for the Norton Antivirus, Ghost, the Norton Firewall, etc... I didn't want Norton Antivirus anymore, so I uninstalled that part of Norton System Works and put Bitdefender on my computer. Therefore, Norton System Works does nothing in terms of antivirus... Believe me, I can tell. Removing that part of the program has increased the speed of my system quite a bit.

    I'll get back to you on the other parts including the date, although I do know it is 2006... Strangely, I've used CCleaner quite a bit in the past, and that file has not been there until the past week.

    I'll try the other program when I get home, but I know when I go to the Cmd prompt and try to manually delete the file (del *.* [it's the only file in that folder]), it does provide an error on that file stating the system is corrupt. I could probably try and put that into a text file if it will help.

    Erik
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, sorry about that! I missed the fact that you had posted three replies. It is still rather stupid that Norton would require all of those processes to run just to have Ghost! Why isn't the only process that is necessary Norton Ghost? And why does it always need to be running? Are you actually always doing drive images every day?

If the file system is corrupt, you more than likely will not be able to remove the file using any of these tools. You need to fix your file system, which is not a topic for this forum, but isn't that part of what Norton System Works is supposed to do (like chkdsk, scandisk, and also disk Error-checking)?
     
  15. emalvick

    emalvick Private E-2

    I kept Norton System works for the Firewall and the other Recovery tools... In all honesty, I thought the inability to delete the file was due to the virus and that had something to do with my inability to get into Safe Mode.

    I don't do drive images every day, but I did one recently because I actually upgraded a hard-drive 2 weeks ago. Interestingly, that hard-drive did have errors via chkdsk. This one does not (I checked it before I found this forum).

    When I upgraded the drive, I ran a chkdsk on the old drive, imaged the disk, and then restored it onto the new disk using Ghost. The likely problem now is that a file on a corrupt sector got backed up into the image file and ended up on the hard-disk (which happens to be this file). Oddly, looking at the old Bitdefender logs, this file had shown up, but it was always stating that the virus was blocked, and I hadn't paid attention to the fact that it wasn't being deleted.

    I'm not sure where to go from this point, and if you have any suggestions (even to another forum), I'd appreciate it. I'll try the Norton System Works restore disk too, as I actually forgot that I have that available.

     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this is quite possible.

    Well actually you have your options set incorrectly anyway. Your first option was set to Quarantine and your second option (which is used when the first fails) is also set to Quarantine which is basically like not having a second option. Your second option should be Delete. However for this file that may not work anyway if it is truly corrupted in the file system.

    The Software or Hardware Forum would be the next steps. You could also try booting to the Recovery Console and seeing if you can manually delete the file; however, normally when there is a corruption at the disk level, no deletion methods are going to work. The disk and or the file system need to be repaired in these cases.
     
  17. emalvick

    emalvick Private E-2

    Well, I'll fix the bitdefender settings... Of course, the fact that it can't quarantine the file (i.e. moving it fails) is related to it not being able to be deleted. I actually tried to manually delete because the moving wasn't working, which led to me finding that I couldn't get into Safe mode....

    Anyway, I am confident at this point that the hardware itself isn't corrupted as the new drive is probably just reflecting a hardware corruption in the original hard-drive. If that is the case, the file is corrupt, but probably the system (at least I am optimistic about this). I'll try a few things, and then post in that forum if needed (and follow this up here if the ATF thing worked).

    I'm trying to avoid a format as my system is getting quite old and the XP install disk I have predates SP1 even.

    Thanks for all your advice.

     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A possible solution could be to do a new image back up of your whole hard disk except for that temp folder (if Ghost gives you that flexibility). Then install the new image and recreate your temp folder manually.
     
  19. emalvick

    emalvick Private E-2

    Re: Help... Trojan.downloader and Spyware (fixed... thanks)

    I just wanted to give a final update on my situation and thank Chaslang for the advice and patience with my problems..

As it turns out, the final problem was not a virus or malware, as was pointed out to me and eventually led me to look for drive problems. Well, upon looking at the file closer, I found the file was indeed corrupted by the file system. The hard-drive was fine as was the file system, etc...

    I was able to remove it using the Norton Systemworks Recovery Console... i.e. outside of windows. For some reason even the Windows Recovery Console would not let me have access to that file.

    Afterward, I had to turn off system restore as the corrupt file was also in the restore points. Once that was completed, I was able to run all the online scanners and my system scanners without any problems (and without any malware).

My computer is now working well although I am still having problems getting the system to boot into safe mode (seems to be related to the AGP440 driver, but that is for another forum).

    Anyway, thank you again for the help (and for helping others). I actually installed a different firewall (I was using the standard XP firewall before) and now things are even running better for my LAN and my computer. This is a great site and great help.

    Thank you,

    Erik
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Help... Trojan.downloader and Spyware (fixed... thanks)

    You're welcome. I'm happy to hear you got it worked out.

    I gave you a link to look at in message # 7 related to this.
     
  21. emalvick

    emalvick Private E-2

    Re: Help... Trojan.downloader and Spyware (fixed... thanks)

    Yes... that link's suggestions didn't work, although upon some further looks it seems that the problem can be much worse than Microsoft will have one to believe. For some people, the only thing that works is uninstalling SP2 or buying a new video card. I'm not going to worry too much about it at this point as I don't want to uninstall SP2, and I don't feel like I should have to get a new video card... I might be able to roll back my current video card's driver to a previous point (which might explain why things have changed since it was upgraded not too long ago). Anyway, as I find more out, I'll probably post a thread on the software (or hardware if it seems to be video card specific) threads.

Again, I'm just happy to have that corrupted file (and its embedded virus) off my computer. By the way, that file (perhaps due to the corrupt nature) would change file dates every time I tried to delete it. I was paying close attention after your suggestions and information about the file date. There were times when the file date would show 10 years back. It was all very random (sometimes 10 years, others a few months, etc.)... no obvious pattern or trend.

    Erik
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Help... Trojan.downloader and Spyware (fixed... thanks)

    Well it's too bad that the simple fix from MS did not help you! This is not an uncommon problem as you have quickly found out. ;)
     