Trojan-Downloader.Win32.Agent.bc

He means, do a scan with HJT and find each of those lines and put a check on each of those items (the lines are checkabble in the little box) then after selecting each one, click Fix.

 

Let's try a couple things.

First from Control Panel, run Add/Remove Programs and uninstall Spy Sweeper because it could be blocking fixes. After uninstalling SpySweeper reboot your PC into normal mode and continue with below.


First download GetRunKey125b.zip to your PC someplace you can locate it. Then extract the files from the ZIP. Locate the getrunkey125b.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt) . This log will also popup in a notepad window which your can just close. Upload the runkeys.txt file here as an attachment.

From the runkeys.txt log, I will try work up a fix that will be in the form of a registry patch.

Now I want you to download the attachment ( findHSA.bat) to your Desktop and unzip it to your Desktop too. This will create a file named findHSA.bat on your Desktop. Locate findHSA.bat and double click on it. You may see a command prompt window briefly open and close. You will not see anything else (unless there is some kind of error running this).

 

Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

Now get a new runkeys.txt log and attach it you your message. Also attach a new HJT log.

 

No it did not! Did the registry patch add into the registry without giving any error messages?

Do you know how to shut down all the F-Secure stuff you have running? I think it is blocking the fixes from occurring. If you can shut all of it down first, then try to redo the registry patch and see if all those O4 lines go away. We also need to fix all the R0 & R1 lines while F-Secure is disabled. If you do not know how to do all of this or it does not work, we will have to use msconfig to disable all startups and all services. Then we will reboot and apply the patch again. After that we will renable the startups and services because while they are disabled, you cannot do very much on your PC and will have no internet access until they are enabled again.

I don't understand why F-Secure needs so much stuff running. It must be a tremendous resource hog. Look at all the stuff running:
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe
C:\Program Files\F-Secure\Anti-Spyware\Ad-Monitor.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguiexe.exe

 

Yes! Try shutting down F-secure and then apply the registry patch also see message # 4 where D3 had you use HijackThis to fix lines from your log. That is how you would fix the R0 & R1 lines. But if F-secure is not shut down completely this still may not work.

Try it and let us know what happens. In fact, just attach another HJT log afterwards and we shall see what happens.

 

Okay let's try something different. Note that you will be very limited in things you can do while in the mode below. You will not have Internet access while in this mode so you may want to print or save any instructions locally. This is only a temporary configuration. It will not break or uninstall anything. We will go back to normal mode at the end.

• Click Start, Run and enter msconfig and click OK.
• Now on the General tab click the radio button labeled Selective Startup.
• Now uncheck the below check boxes
  • Process System.INI file
  • Process WIN.INI file
  • Load System Services
  • Load Startup Items
• Now reboot your PC
• Now add my registry patch into your system again
• Now run only the steps to fix lines with HJT from message # 4. You do not need to use PocketKillbox. Make sure you note which items from message # 4 still appear in HJT at this time. I'm assuming that only the R0 & R1 lines should show after the registry patch. Let me know later. Note that some of those lines from message # 4 are probably already gone anyway. Also add the below two items to the list of things to Fix with HJT in message # 4:
  • O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} - http://www.sunbelt-software.com/dell/CounterSpy.CAB
  • O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
• Now reboot your PC and save a new HJT log (give it a unique name like hjtpt1.txt)
• Now run msconfig and select the Normal Startup button
• Now reboot your PC and get a new HJT log (call it hjtpt2.txt)
• Come back here and tell me what you found at the point of running the message # 4 steps and also attach your two HJT logs.

 

Something was not unchecked in msconfig because your F-secure programs were running. Notice in the first HJT log the below:

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\F-Secure\Anti-Spyware\Ad-Monitor.exe"

If you do not stop this from running, you will not be able to fix your problems. If all items were selected not to run using msconfig, these should not be running. So either all items were not unchecked or these programs themselves did not allow the change to msconfig to take place. Can you tell me which it was?

It would seem that since you are not able to stop these from running, the only alternative is to uninstall them completely and then make the fixes. However one additional thing before uninstalling all the F-Secure software could be tried. Repeat the procedure with msconfig but this time after the first reboot and before trying to fix anything, kill the three running processes below:
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSGUI\FSSW.EXE
C:\Program Files\F-Secure\Anti-Spyware\Ad-Monitor.exe

Then maybe the fixes can be applied and will work.

 

Okay! That's much better. I knew it was F-Secure that was blocking the fixes we were making. However, one item came back as seen in your second attached log. It was gone in the first log though.

O4 - HKLM\..\Run: [addnd32.exe] C:\WINDOWS\addnd32.exe

You need to use the same steps to make sure ALL F-secure programs are not loading and kill all processes from F-Secure. Then have HJT fix the above line again. Then make sure that you have viewing of hidden files enabled and look for and delete the below file if found:

C:\WINDOWS\addnd32.exe

DO NOT RESTART Ad-Monitor.exe or any other F-secure processes while working on this. After you have gotten the O4 line fix and the file deleted just reboot your PC. Then after reboot look to see if the O4 line is now gone. If it is, you can run msconfig to enable Normal Startup and then attach a new (hopefully final log). If the O4 line came back after that reboot, run start the process over again and after fixing the O4 line run About:Buster that D3 had you run earlier. Then see what happens.

Based on what I see here, I would suggest dumping all this F-secure stuff and using something else. It did absolutely nothing to protect you from getting any of this problem but it is making it very difficult to fix the problem. It is basically doing the opposite of what it should be doing. In addition, I would bet like Norton and McAfee that it is a massive resource hog.

 

All our protection recommendations are covered in another sticky thread:

How to Protect yourself from malware!

There are free antivirus, free antispyware, and free firewalls included in there.

 

Did you run about:Buster as indicated? Do you have the log you can attach from it?

Do you actually see the C:\WINDOWS\addnd32.exe file?

To get rid of Ad-Monitor, have HJT fix the below line and then delete the F-Secure folder:
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\F-Secure\Anti-Spyware\Ad-Monitor.exe"

 

Looks good now! I bet your PC is running a lot faster now without all the stuff from F-Secure.

Are you having any other malware problems?

 

You're welcome!

Protection does not come for free! PC performance is a price we all pay to insure our security on the internet.

 

Try the Software Forum for tweaking!

Overclocking is the process of forcing a computer component to run at a higher clock rate than designed or designated by the manufacturer.

Read the following before thinking about doing any overclocking:

http://en.wikipedia.org/wiki/Overclocking