Help required with TR/Agent.CS.1 trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by sam_stumble, May 22, 2005.

  1. sam_stumble

    sam_stumble Private E-2

    Hi Everyone,
    Here is part of the log from my AVGuard Trojan Scanner:


    "5/22/2005,18:49:55 WARNING: Is the Trojan horse TR/Agent.CS.1!
    C:\WINDOWS\SYSTEM\SYSWIN.DLL
    Unable to overwrite and delete the file:
    0x00000020 - The process cannot access the file because it is being used by another process."


    So I've been infected by this trojan and AVGuard cannot get rid of it. I have the HJT log file saved and can post it if required.

    I'm running Windows XP Pro and WAS using IE6, but have now switched to Firefox.

    If anyone can help me or point me to a previous thread that addresses this problem I'd be very grateful.

    Thanks
    Sam
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the steps below:


    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    If after doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. sam_stumble

    sam_stumble Private E-2

    Hi,

    Thanks, no adware or spyware found. I've been running the mentioned programs for a while now, so I wasn't expecting any new infections. Computer is CCleaned, restore disabled etc. The online scans came up clean, but a full scan with AntiVir found new trojans. Here is part of the log from the scan:

    _________________________________________________________
    5/24/2005,0:59:37 WARNING: Is the Trojan horse TR/ClassLder.c.Java!
    C:\DOCUMENTS AND SETTINGS\SJ\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\JAVAPI\V1.0\JAR\CLASSLOAD.JAR-11FAA9ED-166FE794.ZIP
    5/24/2005,0:59:52 WARNING: Is the Trojan horse TR/ByteVerify.1.D!
    C:\DOCUMENTS AND SETTINGS\SJ\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\JAVAPI\V1.0\JAR\COUNT1.JAR-5E2DFF9F-66BCA0FD.ZIP
    5/24/2005,1:25:39 WARNING: Is the Trojan horse TR/Dldr.Delf.CL!
    C:\PROGRAM FILES\INTERNET EXPLORER\BZLTEA.EXE
    5/24/2005,9:21:30 WARNING: Is the Trojan horse TR/Dldr.Harnig.AM.2!
    C:\PROGRAM FILES\INTERNET EXPLORER\FMBUJIYJ.EXE
    5/24/2005,9:21:35 WARNING: Is the Trojan horse TR/Dldr.Agent.AY!
    C:\PROGRAM FILES\INTERNET EXPLORER\UJMVA.EXE
    5/24/2005,9:26:53 WARNING: Is the Trojan horse TR/StartPage.AU.2!
    C:\PROGRAM FILES\Q330994.EXE
    5/24/2005,9:28:35 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE.TMP
    5/24/2005,9:33:08 WARNING: Is the Trojan horse TR/Agent.CS.1!
    C:\WINDOWS\SYSTEM\SYSWIN.DLL
    5/24/2005,9:42:24 WARNING: Is the Trojan horse TR/Dldr.ConHook.C!
    C:\WINDOWS\SYSTEM32\REQ.DLL
    5/24/2005,9:43:11 WARNING: Is the Trojan horse TR/Small.EP.1!
    C:\WINDOWS\SYSTEM32\TKSRV98.EXE
    5/24/2005,11:13:33 WARNING: Is the Trojan horse TR/Dldr.ConHook.C!
    C:\WINDOWS\SYSTEM32\REQ.DLL
    5/24/2005,11:16:04 WARNING: Is the Trojan horse TR/Dldr.ConHook.C!
    C:\WINDOWS\SYSTEM32\REQ.DLL
    5/24/2005,11:20:57 WARNING: Is the Trojan horse TR/Small.EP.1!
    C:\WINDOWS\SYSTEM32\TKSRV98.EXE
    5/24/2005,11:26:14 WARNING: Is the Trojan horse TR/Small.EP.1!
    C:\WINDOWS\SYSTEM32\TKSRV98.EXE
    5/24/2005,11:28:56 WARNING: Is the Trojan horse TR/Agent.CS.1!
    C:\WINDOWS\SYSTEM\SYSWIN.DLL
    5/24/2005,11:29:32 WARNING: Is the Trojan horse TR/Agent.CS.1!
    C:\WINDOWS\SYSTEM\SYSWIN.DLL
    5/24/2005,11:39:28 WARNING: Is the Trojan horse TR/Agent.CS.1!
    C:\WINDOWS\SYSTEM\SYSWIN.DLL
    5/24/2005,11:41:19 WARNING: Is the Trojan horse TR/Agent.CS.1!
    C:\WINDOWS\SYSTEM\SYSWIN.DLL
    5/24/2005,12:05:39 WARNING: Is the Trojan horse TR/Dldr.Delf.CL!
    C:\PROGRAM FILES\INTERNET EXPLORER\BZLTEA.EXE
    5/24/2005,12:06:32 WARNING: Is the Trojan horse TR/Dldr.Harnig.AM.2!
    C:\PROGRAM FILES\INTERNET EXPLORER\FMBUJIYJ.EXE
    5/24/2005,12:07:12 WARNING: Is the Trojan horse TR/Dldr.Agent.AY!
    C:\PROGRAM FILES\INTERNET EXPLORER\UJMVA.EXE
    5/24/2005,12:16:19 WARNING: Is the Trojan horse TR/StartPage.AU.2!
    C:\PROGRAM FILES\Q330994.EXE
    5/24/2005,12:17:48 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE.TMP
    5/24/2005,12:18:17 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAY~1.TMP
    5/24/2005,12:18:20 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE.TMP
    5/24/2005,12:18:23 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
    C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAY~1.TMP
    5/24/2005,12:24:22 WARNING: Is the Trojan horse TR/Agent.CS.1!
    C:\WINDOWS\SYSTEM\SYSWIN.DLL
    5/24/2005,12:29:56 WARNING: Is the Trojan horse TR/Dldr.ConHook.C!
    C:\WINDOWS\SYSTEM32\REQ.DLL
    5/24/2005,12:30:42 WARNING: Is the Trojan horse TR/Small.EP.1!
    C:\WINDOWS\SYSTEM32\TKSRV98.EXE

    _____________________________________________________________

    I've attached the HJT log file. Thanks for your help.
    Sam
     

    Attached Files:

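The AntiVir/AVGuard log above is a fixed two-line format (a timestamped WARNING line naming the detection, then the file path, optionally followed by an "Unable to overwrite and delete" block with a Win32 error code). The script below is an added example, not part of this thread or of AntiVir, that parses that format into records and groups repeated hits by path, flagging files the scanner could not remove because they were in use; that lock is exactly why the SYSWIN.DLL hit reappears on every scan and why the later removal only worked in Safe Mode. The sample lines are copied from the logs posted in this thread; the regex and the record layout are this example's own assumptions.

```python
import re
from collections import defaultdict

# Two-line AntiVir/AVGuard warning as it appears in the posted logs:
#   "<m/d/yyyy>,<h:mm:ss> WARNING: Is the Trojan horse <name>!"  then the path.
WARNING_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}),(?P<time>\d{1,2}:\d{2}:\d{2}) "
    r"WARNING: Is the Trojan horse (?P<name>\S+)!$"
)
# Optional failure block after the path: "Unable to overwrite and delete the file:"
# followed by "0x<code> - <message>" (0x00000020 is ERROR_SHARING_VIOLATION).
ERROR_RE = re.compile(r"^(?P<code>0x[0-9A-Fa-f]{8}) - (?P<msg>.+)$")

# Sample input: lines copied from the scans posted in this thread (not constructed).
SAMPLE_LOG = r"""
5/22/2005,18:49:55 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
Unable to overwrite and delete the file:
0x00000020 - The process cannot access the file because it is being used by another process.
5/24/2005,9:21:30 WARNING: Is the Trojan horse TR/Dldr.Harnig.AM.2!
C:\PROGRAM FILES\INTERNET EXPLORER\FMBUJIYJ.EXE
5/24/2005,9:33:08 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
5/24/2005,11:28:56 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
5/24/2005,12:17:48 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE.TMP
"""


def parse_log(text):
    """Turn the two-line warning format into a list of detection records.

    Each record: {"name", "path", "date", "time", "error"}; "error" is the
    Win32 error code string when removal failed, else None.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    detections = []
    i = 0
    while i < len(lines):
        m = WARNING_RE.match(lines[i])
        if not m or i + 1 >= len(lines):
            i += 1  # not a warning header (or no path line follows): skip it
            continue
        record = {
            "name": m["name"],
            "path": lines[i + 1],
            "date": m["date"],
            "time": m["time"],
            "error": None,
        }
        i += 2
        # Failure block: "Unable to ..." then the "0x... - message" line.
        if i < len(lines) and lines[i].startswith("Unable to"):
            i += 1
            if i < len(lines):
                e = ERROR_RE.match(lines[i])
                if e:
                    record["error"] = e["code"]
                    i += 1
        detections.append(record)
    return detections


def summarize(detections):
    """Group hits by path: how often it was flagged, under which names, and
    whether the scanner ever reported it as locked (in use by a process)."""
    by_path = defaultdict(lambda: {"count": 0, "names": set(), "locked": False})
    for d in detections:
        entry = by_path[d["path"]]
        entry["count"] += 1
        entry["names"].add(d["name"])
        if d["error"] is not None:
            entry["locked"] = True
    return dict(by_path)


def locked_paths(detections):
    """Paths the scanner could not remove; these are the ones that need an
    offline or Safe Mode cleanup rather than another on-line scan."""
    return sorted({d["path"] for d in detections if d["error"] is not None})


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    for path, info in summarize(dets).items():
        flag = " [LOCKED - clean offline/Safe Mode]" if info["locked"] else ""
        print(f"{info['count']:2d}x {path}  {sorted(info['names'])}{flag}")
```

Run as-is it prints one line per flagged file with its hit count; a file that is repeatedly flagged and was once reported with error 0x00000020 is a running (loaded) component, which is the case that a normal-mode scan keeps re-detecting.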
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! But did it fix what it found?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run this while you are disconnected from the Internet

    Symantec Vundo.B removal tool: Symantec Trojan.Vundo.B Free Removal Tool


    Note: You did not install HJT where requested. You have it on your Desktop
    C:\Documents and Settings\SJ\Desktop\SPY SOFTWARE\HijackThis.exe
     
    Last edited: May 23, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  7. sam_stumble

    sam_stumble Private E-2

    Hi chaslang,

    I think it's gone! I've moved HJT to the C root but don't think I need to do another scan, as AntiVir isn't picking up anything....

    I ran the Symantec Vundo.B tool first in normal mode without anything detected, then read the instructions as you posted and ran it in Safe Mode. It found and deleted the trojan only in Safe Mode.

    So far so good! I'll be using Firefox and Opera from now on with all the protection software running.

    Thank you very much chaslang! :D
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. It would be a good idea to post the follow-up HJT log, as quite often these infections leave remnants around. It will not hurt to look.
     
