Trouble getting rid of Troj_Agent.fz

Discussion in 'Malware Help (A Specialist Will Reply)' started by radiohead_1, Apr 26, 2005.

  1. radiohead_1

    radiohead_1 Private E-2

    I've recently been experiencing the odd popup (~ every 40 minutes or so), and decided to scour my computer for possible malware. I've followed the instructions listed here (http://forums.majorgeeks.com/showthread.php?t=35407), and though all the spyware tools have been pretty clean, Trend Micro detected the virus Troj_Agent.fz. It's located in the file c:\windows\inf\binras.dll, which I've tried to delete. Unfortunately, it seems to have managed to merge with winlogon, and I've been having trouble deleting it (mostly attempted through HJT and killbox, in safe mode). It's been pretty malignant except for earlier today, when it seemed to make a (deletable) copy of itself in a folder it created, c:\1sumbit.

    Any help would be greatly appreciated. HJT logs will be posted at request.

    Thanks in advance.
     
  2. radiohead_1

    radiohead_1 Private E-2

    Scratch that - HJT log attached.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the Announcement at the top of every page. Please do not post HijackThis logs unless they are requested.

    The c:\!submit folder is a backup folder created by Pocket Killbox to protect you against improper deletes, and also it is used to save files for submission to people to look at.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:

    regsvr32 /u C:\WINDOWS\inf\binras.dll

    then click OK. If a dialog box confirming this action appears, click OK. If you get an error message, just OK it and continue.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - (no file)
    O20 - Winlogon Notify: binras - C:\WINDOWS\inf\binras.dll

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\inf\binras.dll

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. radiohead_1

    radiohead_1 Private E-2

    Thanks for the quick response. All steps done, word for word, until this point. It won't let me delete the file (used by another person or program). I can provide you with a list of running processes at your request, but nothing seems out of the ordinary.

    On a side note, I seem to be having trouble booting up explorer.exe on normal safe mode. Is safe mode with network support sufficient for this step?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't understand what you mean by the above.

    Are you saying you cannot click Start and select Explore to run Windows Explorer?

    What happened when you tried to unregister the file?

    Try booting into safe mode and just try a rename of the file. Rename binras.dll to binras.ddd (that is, if it lets you).
     
  7. radiohead_1

    radiohead_1 Private E-2

    - When attempting to boot up (regular) Safe mode everything seems normal, past the drivers and user log-on, until the desktop begins to load. The pop-up window stating that I'm in safe mode (with the yes/no to continue option) comes up, and immediately disappears. I'm left with the cursor, and the "safe mode" writing in the corners, with the OS version info at the top. When I try to re-run explorer from the task manager, it does the same thing - pops up the "you are running in safe mode" message, and then disappears. explorer.exe isn't an active listed process. There is no task bar, desktop, or start menu. Interestingly enough, I can boot up in Safe mode with Network Support with no problems. Everything seems to work fine.

    - Unregistering the file gave me a successful message.

    - My attempt to rename the binras.dll file (from safe mode with network support) gave me the same error message: "Cannot rename binras: It is being used by another person or program. Close any programs that might be using the file and try again."

    Once again, thanks for the continued help.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! I think I understand now. But when you boot in normal mode (not safe mode) everything works okay...right?

    Please run in normal mode and locate the c:\windows\inf\binras.dll file and right click on it from Windows Explorer. Then select Properties and then the Version tab (if it has one) and if it has a Version tab work your way thru the Item name list and let's see what other info we can get on this file. Also tell me how big it is.

    Download ProcessExplorer from: http://www.sysinternals.com/files/procexpnt.zip
    Unzip it to its own folder like c:\SysInternals and now run ProcessExplorer and let's configure some options first:
    Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked. Now click on explorer.exe. Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    Now click on File and then Save As. And save the process list. Post it back here as an attachment.

    Now with one Internet Explorer window open, go back and repeat the above but instead of selecting explorer.exe, select iexplore.exe and save a second process list. Post that back here too as an attachment.

    Now repeat the above a third time but select winlogon.exe. This third process list will need to be posted in a second message (only two attachments per message are allowed).
     
  9. radiohead_1

    radiohead_1 Private E-2

    Instructions followed.

    - binras.dll did not have a version tab - only a general and summary. It's 409 KBs.

    - Attached are the process lists from explorer.exe and iexplore.exe.
     


  10. radiohead_1

    radiohead_1 Private E-2

    - Attached is the process list from winlogon.exe.

    ninja edit: yes, everything works fine when run in "normal" mode.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmm! binras.dll has hooked itself into all three of the programs checked against. It may be hooked into everything.

    I'm not sure if the below will work but let's give it a try.

    Make sure you exit ALL Internet Explorer sessions before continuing so print or save these instructions locally.

    Please run Pocket KillBox (you said you already have it)

    Below you will be entering items into Pocket KillBox. Please read thru all of the instructions so that you understand the steps and do not do something we do not want. Okay! Now select the "Delete on Reboot" and "End Explorer Shell While Killing File" Options. Now Copy&Paste this filename C:\WINDOWS\inf\binras.dll into the box, making sure Delete on Reboot and End Explorer Shell While Killing File are checked. Click the Red X to Delete the file, and then answer yes to allow your machine to Reboot.

    If you get a Pending File operations type error message, just reboot your PC yourself.
     
  12. radiohead_1

    radiohead_1 Private E-2

    Thanks for the reply Chaslang.

    Did as you asked, and did indeed get the PendingFileRenameOperations message, after which I manually rebooted. Upon reboot, the file still exists in the /windows/inf directory, and is still listed in the (updated) logs of HJT and procexp, which can be posted at your request.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Boot into safe mode (with no network connectivity - unplug cable to be sure) and do not run anything else. Then repeat the steps using Pocket Killbox. When it reboots, let your system reboot to normal mode.

    Tell me the results.
     
  14. radiohead_1

    radiohead_1 Private E-2

    Ok, instructions followed.

    Cable removed, but as above, I had a problem booting up safe mode (without network support). However, once the loading processes stopped (with the lack of a desktop or start menu), I ran killbox through the task manager. I once again got the PendingFileRenameOperations message, and rebooted manually.

    Though I haven't run any programs or made any logs since the reboot, I've confirmed through windows explorer that the file binras.dll is indeed still there, in the same /WINDOWS/inf directory. Steps will be followed and logs posted, at your request.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download the following tool: L2MeFix Tool

    Please move the L2MeFix Tool to your Desktop and DoubleClick l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix Folder on your Desktop. DoubleClick l2mfix.bat and Type 1 and ENTER to select Option #1 for Run Find Log. Allow it as much time as it needs to run until NotePad opens with a log.

    NOTE: Please do not run any other options or files in the l2mfix Folder!

    Get a new HijackThis log.
    Now come back here and post the l2mfix log and the new HJT log as attachments.

    Please DO NOT REBOOT after scanning for these logs!! Otherwise problems may mutate and spread. Wait for me to get back to you with the next steps.
     
  16. radiohead_1

    radiohead_1 Private E-2

    Thanks for the continued support Chaslang, it's much appreciated.

    Attached are the l2mfix log (report.txt) and the HJT log.

    Have not rebooted, and await further instructions.
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixbad.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixbad.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
    Print or save these instructions locally now because you will have to be disconnected with no browsers open in the next step.

    Please make sure ALL Browser Windows are Closed and also you should physically disconnect from the Internet by unplugging your cable.

    Go to the L2MFix Folder on your Desktop and DoubleClick l2mfix.bat and type 2 and ENTER to select option #2 for Run Fix. Then, press any key to Reboot your machine.
    Your computer will go bazonkers (now there's a great technical term!) for a bit, but just let it run. It should eventually spit out another log in Notepad. Please attach that log later when the remaining steps are completed.

    Again, don't run any other files in the L2MFix folder.
     
  18. radiohead_1

    radiohead_1 Private E-2

    Did as you asked.

    Notepad contents saved as a .reg file, and added to registry.
    All browser windows closed, cable unplugged.
    Ran l2mfix.bat, and selected option 2.
    Computer did indeed go bazonkers, and spat out the attached log.
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below entry still in your HJT log?
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\inf\binras.dll

    If so, can it be fixed now? Does that file still exist? If so, is it deletable now?

    If not, do the below again:

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixbad.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixbad.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge say yes.
    Then pull the power plug to your PC. Yes, that's what I said. I do not want a graceful shutdown. Then wait 2 minutes and power back up into safe mode. Look for the C:\WINDOWS\inf\binras.dll file and see if you can delete it.
    Now reboot in normal mode and tell me what happened. Is the log clean now?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One other question. Look in the C:\WINDOWS\inf folder for other similar named files. Like binras.exe or binras.ini or binras.dat.

    Do you see any? Are there any other files with similar dates to binras.dll?
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the other steps do not work (probably will not), try this.

    Reboot in Safe Mode (do not open any other processes)
    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
    Once you see this screen click on each instance of binras.dll once and then click the kill button.

    After you have killed all of the binras.dll's under winlogon click ok.
    Next double click on explorer.exe and again click once on each instance of binras.dll then click the kill button. Once you have done that click ok again.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\inf\binras.dll
    O20 - Winlogon Notify: binras - C:\WINDOWS\inf\binras.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad.
    Save it as fix.reg to your desktop.
    Ensure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.
    In Killbox - put a check next to "Delete on Reboot"
    Copy & paste the following line in bold into the "Full Path of File To Delete" box:
    C:\WINDOWS\inf\binras.dll
    Then click the red button with the X and allow Killbox to reboot then post a new HijackThis log.
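    The entries chaslang singles out above are an O20 Winlogon Notify DLL loaded from outside system32 and an O2 BHO backed by that same DLL, which is why the file is held open by winlogon.exe and explorer.exe. As an added example (not from this thread, HijackThis or any of the tools used in it), a small checker that flags exactly that pattern in HJT-style log lines; the log excerpt is constructed, and the system32 path is an assumption passed as a parameter:

```python
import re
from typing import List, NamedTuple

# Constructed HijackThis-style log excerpt: the two binras.dll lines are the ones quoted in
# this thread; the other entries are made-up benign examples.
SAMPLE_HJT_LOG = """\
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\\WINDOWS\\inf\\binras.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - (no file)
O2 - BHO: Example Helper - {66666666-7777-8888-9999-000000000000} - C:\\Program Files\\Example\\helper.dll
O20 - Winlogon Notify: binras - C:\\WINDOWS\\inf\\binras.dll
O20 - Winlogon Notify: crypt32chain - C:\\WINDOWS\\SYSTEM32\\crypt32.dll
O20 - Winlogon Notify: ScCertProp - wlnotify.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

class Finding(NamedTuple):
    section: str  # "O2" or "O20"
    path: str     # DLL path exactly as written in the log
    reason: str

def outside_system32(path: str, system_dir: str) -> bool:
    # winlogon resolves a bare filename from system32, so only a full path elsewhere is flagged.
    p = path.strip().lower()
    return "\\" in p and not p.startswith(system_dir.lower().rstrip("\\") + "\\")

def analyze_hjt_log(text: str, system_dir: str = "C:\\WINDOWS\\system32") -> List[Finding]:
    findings: List[Finding] = []
    suspect_dlls = set()
    # Pass 1: a Winlogon Notify DLL loaded from outside system32 runs inside winlogon.exe,
    # which is exactly why the file in this thread could not be deleted or renamed.
    for line in text.splitlines():
        m = O20_RE.match(line)
        if m and outside_system32(m["path"], system_dir):
            suspect_dlls.add(m["path"].strip().lower())
            findings.append(Finding("O20", m["path"].strip(), "Winlogon Notify DLL outside system32"))
    # Pass 2: BHOs with no backing file (orphaned CLSID) or backed by a suspect Winlogon DLL.
    for line in text.splitlines():
        m = O2_RE.match(line)
        if not m:
            continue
        path = m["path"].strip()
        if path.lower() == "(no file)":
            findings.append(Finding("O2", path, "BHO registered but no file on disk"))
        elif path.lower() in suspect_dlls:
            findings.append(Finding("O2", path, "BHO backed by a suspect Winlogon Notify DLL"))
    return findings
```

On the constructed excerpt this reports the O20 binras entry, the O2 BHO that shares its DLL, and the orphaned "(no file)" BHO, while leaving the system32-resident notify packages alone.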
     
  22. radiohead_1

    radiohead_1 Private E-2

    Yes, it's still in the log. I still can't delete it.

    Instructions followed, and the log is still not clean.

    There are no other binras files. binras.dll was created on April 10th, and the closest any other file comes to it, by modified dates, is April 12th.

    Steps followed, and it seems to have worked. Attached is the HJT log. I believe it is fixed, and if so, thanks tons. :) But, awaiting your confirmation regardless.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Looks like it is gone to me! Are you still clean? If so, let's try to stay that way by following all steps not yet completed that are given in the below link:

    How to Protect yourself from malware!
     
