Troj_Agent.fz

Discussion in 'Malware Help (A Specialist Will Reply)' started by gasman87, Jul 31, 2005.

  1. gasman87

    gasman87 Private E-2

    I've been trying to get rid of this file and have used all the instructions so far. Any help PLEASE. Win32.Trojan.Agent.cs is a hard booger to get rid of.

    Thanks!
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. gasman87

    gasman87 Private E-2

    Sorry it took so long to get back to you. After running all the scans, Ad-Aware found two registry keys and one registry value infected. One of the others came up with the path windows/system/bindns.dll as the problem. I had found the file two times on HJT but did not want to do anything until I was told. Hopefully I can get the HJT log to you. Thanks a lot for your help.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following tools:

    Pocket KillBox

    L2MeFix Tool

    Generic Detection Tool - NT/2000/XP


    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go crazy for a bit, but just let it run. It should eventually spit out a log in Notepad. Please attach that log along with a fresh HJT log.

    Please don't run any other files in the L2MFix folder.
     
  5. gasman87

    gasman87 Private E-2

    Here are the logs. Will check back tomorrow night, out of town. Thanks for all your help!
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Viewpoint

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\bindns.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

    O20 - Winlogon Notify: abrurl - C:\WINDOWS\
    O20 - Winlogon Notify: bindns - C:\WINDOWS\system\bindns.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Viewpoint ←–– Delete this whole folder if it exists!

    C:\WINDOWS\system\bindns.dll

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
  7. gasman87

    gasman87 Private E-2

    Did per instructions, but could not delete the bindns.dll file; it said it was being used by another person or other program. Here is the log you asked for, I think we're getting closer. Thanks again for all your help.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Just leave this for now!
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Now I want you to completely disconnect from the internet as in pulling the cable!!

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    After that, you must run a search for all bindns entries on your machine (.ini, .exe, .dat, .bak, etc.). Use Windows Explorer to track them down if possible.

    NEXT:
    Double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\system\bindns.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    NOW:
    After your machine reboots, Scan with HijackThis and FIX these entries:

    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\bindns.dll
    O20 - Winlogon Notify: bindns - C:\WINDOWS\system\bindns.dll

    NEXT:
    Run the Symantec Vundo Removal Tools again and then run CCleaner again.

    Finally, reboot and rescan with HJT and attach the log. Let me know how you fared with the above and whether you ran into any problems.
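An added example, not from this thread or from HijackThis: a PowerShell script that enumerates the registry locations behind the O2 (BHO) and O20 (Winlogon Notify) lines fixed above and reports, for each DLL, whether it is missing, sits in an unusual folder, or is loaded by a running process, which is the reason bindns.dll could not be deleted while Windows was running. It assumes an elevated PowerShell session on Windows; the $suspectDirs list and the function names are my own.

```powershell
# Added example (not from the thread): enumerate the persistence points behind the
# HijackThis O2 (BHO) and O20 (Winlogon Notify) lines and say, for each DLL,
# whether it is missing, oddly located, or loaded by a running process (an in-use
# DLL such as C:\WINDOWS\system\bindns.dll cannot be deleted until reboot).
# Assumes an elevated PowerShell on Windows; $suspectDirs is a constructed list.
$bhoKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$notifyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$suspectDirs = @("$env:windir\system", $env:TEMP)

function Get-BhoEntries {
    if (-not (Test-Path $bhoKey)) { return @() }
    foreach ($k in Get-ChildItem $bhoKey) {
        $clsid = $k.PSChildName   # the {GUID} shown in the O2 line
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $path  = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
        [pscustomobject]@{ Kind = 'O2 BHO'; Name = $clsid; Path = $path }
    }
}

function Get-WinlogonNotifyEntries {
    if (-not (Test-Path $notifyKey)) { return @() }   # key no longer exists on Vista and later
    foreach ($k in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $k.PSPath).DllName
        # Winlogon resolves a bare file name against system32
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:windir\system32" $dll }
        [pscustomobject]@{ Kind = 'O20 Winlogon Notify'; Name = $k.PSChildName; Path = $dll }
    }
}

function Get-LoadingProcesses($path) {
    foreach ($proc in Get-Process) {
        try { if ($proc.Modules.FileName -contains $path) { $proc.Name } } catch { }  # protected processes throw
    }
}

function Get-EntryVerdict($entry) {
    $p = [Environment]::ExpandEnvironmentVariables("$($entry.Path)").Trim('"')
    if (-not $p)                          { return 'no path (orphaned entry)' }
    if (-not (Test-Path -LiteralPath $p)) { return 'file missing (orphaned entry)' }
    $findings = @()
    if ($suspectDirs -contains (Split-Path $p -Parent)) { $findings += 'unusual location' }
    $loaders = @(Get-LoadingProcesses $p)
    if ($loaders.Count) { $findings += "loaded by $($loaders -join ', ') (delete only at reboot)" }
    if ($findings.Count) { return $findings -join '; ' }
    return 'present, not loaded'
}

@(Get-BhoEntries) + @(Get-WinlogonNotifyEntries) |
    Select-Object Kind, Name, Path, @{ n = 'Verdict'; e = { Get-EntryVerdict $_ } } |
    Format-Table -AutoSize
```

An entry whose verdict names winlogon.exe or explorer.exe as the loader is the case the thread hits in post 7: the file is unlinked only after the registry reference is removed and the machine is rebooted (or a delete-on-reboot tool such as Pocket KillBox is used).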
     
  9. gasman87

    gasman87 Private E-2

    Been out of town all week, sorry for the long wait to reply. Followed instructions except not sure about the Symantec Vundo Removal Tools. Here is the next HJT log. Sorry for all the trouble. Thanks again for your help.
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I've been wanting to try this, let's give it a shot!

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.

    • Download VundoFix.zip to your desktop.

    • Double-click VundoFix.zip and extract it to your C:\ directory.

    • Copy the instructions below and paste them into Notepad for reference.
      • All other windows need to be closed while doing this fix!

    • Navigate to the new folder C:\VundoFix

    • Double click on KillVundo.bat
      • When it starts running it will tell you that you need an active internet connection then ask you to press any key once you do.

    • Please press any key to continue.

    • Wait for HiJackThis to open.

    • When HiJackThis opens, click Do a system scan only. Place a check next to the following items, if found:
      • O20 - Winlogon Notify: bindns - C:\WINDOWS\system\bindns.dll
      • O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system\bindns.dll

    • Once they all have a check next to them, click the FIX CHECKED button, then close HiJackThis.
    You will once again be prompted to press any key. Upon doing so this time you will receive a "Blue Screen Of Death". Don't worry, this is normal!
    Let the computer reboot. If it doesn't boot straight to windows, manually turn the computer off and then back on.

    Once the computer is rebooted post a new HiJackThis log as well as the contents of vundofix.txt which can be found in this folder: C:\VundoFix
     
  11. gasman87

    gasman87 Private E-2

    :) I think that got it. Please check logs to confirm. If that fixed the problems, do I need to enable system restore? Thanks again for all your help, nice to have people like you around to bail us out.
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It worked! I'm glad I know it works now!

    Your log is now clean, are you having any further problems?
     
  13. gasman87

    gasman87 Private E-2

    It did not give me too much trouble except showing up on all scans. Went ahead and enabled system restore. Hopefully will not have to come back here but it is good to know you are here. Thanks again for all your help and keep up the good work.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

