Help required with TR/Agent.CS.1 trojan

sam_stumble · May 22, 2005

Hi Everyone,
Here is part of the log from my AVGuard Trojan Scanner:

"5/22/2005,18:49:55 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
Unable to overwrite and delete the file:
0x00000020 - The process cannot access the file because it is being used by another process."

So ive been infected by this trojan and AVguard cannot get rid of it. I have the HJT log file saved and can post if required.

Im running windows XP pro and WAS using IE6 but have now switched to firefox.

If anyone can help me or point me to a previous thread that addresses this problem I'd be very grateful.

Thanks
Sam

chaslang · May 22, 2005

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

sam_stumble · May 23, 2005

Hi,

Thanks, no adware or spyware found. Ive been running the mentioned programs for a while now so I wasnt expecting any new infections. Computer is CC cleaned, restore disabled etc.The online scans came up clean but a full scan with antiVir found new trojans. Here is part is the log from the scan:

_________________________________________________________
5/24/2005,0:59:37 WARNING: Is the Trojan horse TR/ClassLder.c.Java!
C:\DOCUMENTS AND SETTINGS\SJ\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\JAVAPI\V1.0\JAR\CLASSLOAD.JAR-11FAA9ED-166FE794.ZIP
5/24/2005,0:59:52 WARNING: Is the Trojan horse TR/ByteVerify.1.D!
C:\DOCUMENTS AND SETTINGS\SJ\APPLICATION DATA\SUN\JAVA\DEPLOYMENT\CACHE\JAVAPI\V1.0\JAR\COUNT1.JAR-5E2DFF9F-66BCA0FD.ZIP
5/24/2005,1:25:39 WARNING: Is the Trojan horse TR/Dldr.Delf.CL!
C:\PROGRAM FILES\INTERNET EXPLORER\BZLTEA.EXE
5/24/2005,9:21:30 WARNING: Is the Trojan horse TR/Dldr.Harnig.AM.2!
C:\PROGRAM FILES\INTERNET EXPLORER\FMBUJIYJ.EXE
5/24/2005,9:21:35 WARNING: Is the Trojan horse TR/Dldr.Agent.AY!
C:\PROGRAM FILES\INTERNET EXPLORER\UJMVA.EXE
5/24/2005,9:26:53 WARNING: Is the Trojan horse TR/StartPage.AU.2!
C:\PROGRAM FILES\Q330994.EXE
5/24/2005,9:28:35 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE.TMP
5/24/2005,9:33:08 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
5/24/2005,9:42:24 WARNING: Is the Trojan horse TR/Dldr.ConHook.C!
C:\WINDOWS\SYSTEM32\REQ.DLL
5/24/2005,9:43:11 WARNING: Is the Trojan horse TR/Small.EP.1!
C:\WINDOWS\SYSTEM32\TKSRV98.EXE
5/24/2005,11:13:33 WARNING: Is the Trojan horse TR/Dldr.ConHook.C!
C:\WINDOWS\SYSTEM32\REQ.DLL
5/24/2005,11:16:04 WARNING: Is the Trojan horse TR/Dldr.ConHook.C!
C:\WINDOWS\SYSTEM32\REQ.DLL
5/24/2005,11:20:57 WARNING: Is the Trojan horse TR/Small.EP.1!
C:\WINDOWS\SYSTEM32\TKSRV98.EXE
5/24/2005,11:26:14 WARNING: Is the Trojan horse TR/Small.EP.1!
C:\WINDOWS\SYSTEM32\TKSRV98.EXE
5/24/2005,11:28:56 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
5/24/2005,11:29:32 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
5/24/2005,11:39:28 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
5/24/2005,11:41:19 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
5/24/2005,12:05:39 WARNING: Is the Trojan horse TR/Dldr.Delf.CL!
C:\PROGRAM FILES\INTERNET EXPLORER\BZLTEA.EXE
5/24/2005,12:06:32 WARNING: Is the Trojan horse TR/Dldr.Harnig.AM.2!
C:\PROGRAM FILES\INTERNET EXPLORER\FMBUJIYJ.EXE
5/24/2005,12:07:12 WARNING: Is the Trojan horse TR/Dldr.Agent.AY!
C:\PROGRAM FILES\INTERNET EXPLORER\UJMVA.EXE
5/24/2005,12:16:19 WARNING: Is the Trojan horse TR/StartPage.AU.2!
C:\PROGRAM FILES\Q330994.EXE
5/24/2005,12:17:48 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE.TMP
5/24/2005,12:18:17 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAY~1.TMP
5/24/2005,12:18:20 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE.TMP
5/24/2005,12:18:23 WARNING: Is the Trojan horse TR/Dldr.Agent.AY.1!
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAY~1.TMP
5/24/2005,12:24:22 WARNING: Is the Trojan horse TR/Agent.CS.1!
C:\WINDOWS\SYSTEM\SYSWIN.DLL
5/24/2005,12:29:56 WARNING: Is the Trojan horse TR/Dldr.ConHook.C!
C:\WINDOWS\SYSTEM32\REQ.DLL
5/24/2005,12:30:42 WARNING: Is the Trojan horse TR/Small.EP.1!
C:\WINDOWS\SYSTEM32\TKSRV98.EXE

_____________________________________________________________

Ive attached the HJT log file. thanks for your help
Sam

chaslang · May 23, 2005

Okay! But did it fix what it found?

chaslang · May 23, 2005

You need to run this while you are disconnected from the Internet

Symantec Vundo.B removal tool: Symantec Trojan.Vundo.B Free Removal Tool

Note: You did not install HJT where requested. You have it on your Desktop
C:\Documents and Settings\SJ\Desktop\SPY SOFTWARE\HijackThis.exe

chaslang · May 23, 2005

Just in case the removal tool does not work. Try again and look at the instructions on the Symantec Website for using the tool:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html

If that does not work, I will give you some manual steps to try.

sam_stumble · May 24, 2005

Hi chaslang,

I think its gone! Ive moved HJT to C root but dont think I need to do another scan as AntiVir isnt picking up anything....

I ran the Symantec Vundo B first in normal mode without anything detected, then read the instructions as you posted and ran it Safe mode. It found and deleted the trojan only in safe mode.

So far so good! Ill be using Firefox and Opera from now on with all the protection software running.

Thanks you very much chaslang!

chaslang · May 24, 2005

You're welcome. It would be a good idea to post the follow up HJT log as quite often these infections leave remnants around. It will not hurt to look.

Log in or Sign up

Help required with TR/Agent.CS.1 trojan

sam_stumble Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

sam_stumble Private E-2

Attached Files:

hijackthisLATEST.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

sam_stumble Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member