Trojan Downloader.Agent.awf -- more?

soem · Sep 3, 2008

(This post is for a different computer [my Laptop] than my prior post yesterday.) Logs being attached

After running the malware removal procedure, the Trojan Downloader.Agent.awf seems to be indicated in one of the MGTools logs I peeked into.

Starting out, this laptop was in bad shape. It had a bogus screensaver with the message Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer. Then the bogus screensaver would log me out every 10-15 minutes. And it made 2 of my Display Property Tabs disappear, so I couldn't change the screensaver behavior.

The SUPERAntiSpyware followed by Spybot combo cleared up those problems -- saying it was Rogue.AntiVirus XP 2008, Trojan.FakeAlert/Desktop, and Rogue.AntiVirus.

My laptop is usable again, but I don't know if there are more malware indicated in the logs (beyond the Trojan Downloader.Agent.awf that I mentioned earlier). Please review when you can. Thanks.

soem · Sep 3, 2008

Last file from the Malware Removal procedure is attached.

TimW · Sep 4, 2008

If you haven't already, please disable the Guest account in User accounts.

Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O15 - Trusted Zone: *.whataboutadog.com
Click to expand...

Now tell me what these are:
C:\Documents and Settings\David Scott\Desktop\STOPVirusImage
C:\FightV
C:\MayBeVirus
C:\SaveSDAT

If you didn't put them there ---> remove them!

Now tell me how things are running.

soem · Sep 4, 2008

Thank-you very much. Its nice to have my laptop back usable again.

I was able to complete successfully your follow-up instructions.

Yes, I put all 4 items you asked about there myself.

The laptop is running fine. No slowdowns or other *visible* malware symptoms that I can detect.

(Other notes and details are in the file attached)

TimW · Sep 4, 2008

The icon is for your connectivity program.....something you put on possibly for windows mobile?

If you are not having any other malware problems, it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we used Pocket Killbox during your cleanup, do the below

* Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

soem · Sep 5, 2008

Completed the applicable final steps.
Details attached.

TimW · Sep 5, 2008

[QUESTION]
I see cleaning instructions for Win 98, ME, 2000, 2003, XP and Vista.
Which of those choices is best for cleaning Win NT 4.0?
Click to expand...

Your system is xp ....if you are referring to a different computer....start a new thread and follow the instructions for Win 2000.

soem · Sep 5, 2008

Thank-you again for all of your help.

(Yes, the NT is another computer that was on my network. I'll get to cleaning that one sometime later, in a separate thread.)

TimW · Sep 5, 2008

You are very welcome ...safe surfing.

Log in or Sign up

Trojan Downloader.Agent.awf -- more?

soem Private E-2

Attached Files:

SASlog.txt

mbam-log-2008-09-03 (06-32-40).txt

ComboFix.txt

soem Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

soem Private E-2

Attached Files:

MG-FollowupReport-Laptop-1.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

soem Private E-2

Attached Files:

MG-FollowupReport-Laptop-2.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

soem Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member