I o not believe you're crazy. However, after reading several threads from others experiencing that same AdAware: "Win32.Trojan.Agent 2" occurrence, Lavasoft support says this:
It appears to be a false positive. It has been found with a file iTunesIco.exe that is used at the installation of iTunes. The iTunesIco.exe has been removed from detection. But I couldn't find a date on that. The file is here: C:\WINDOWS\Installer\{EF6C4600-306D-4F6A-A119-C2A877D25B4A}\iTunesIco.exe.
The file is only used initially when iTunes is installed. Re move it and see if this handles the Win32.Trojan.Agent2.
Download and Windows Installer Cleanup Utility HERE and save it to your desktop.
Double click on the setup on the desktop to install. Then run. Look or this file and remove it. Reboot the computer. Run AdAware again and see if it's gone.
Adwatch Live still picks up Win32TrojanAgent2.
I would remind you that you were asked to temporarily disable AdWatch and given the instruction to do see. To have it running when scanning can cause inaccurate results. It is still running.
I see only one entry in the HijackThis log that might not be needed. It is a process if Client for Netware is installed. Most users do not have this installed and the process can be removed. IT is:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
If you do not have Client for Netware:
[1] Click on the following link to download LSPFix to your desktop.http://www.cexx.org/lspfix.htm
OR
[2] Click on this link to download the exe file directly: http://www.cexx.org/LSPFix.exe
[3] Once the exe file is on your desktop, double-click on it to open
[4] In the left hand column, you should see the NWPROVAU.DLL file listed.
[5] Click on it to highlight, then click the arrow in the middle of the screen that points to the right
[6] This will move the filename to the right-hand column labeled Remove
[o]NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"
[o]Of course, it should be stated that if you are unsure of any of these procedures, please do not complete them and ask for assistance from a local computer tech, family friend, or other knowledgeable person.
[7] Once the file has been transferred to the Remove column, click Finish at the bottom of the screen. You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
[8]Close the LSPFix program now.
Please download ComboFix
HERE:
- With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
- Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
- Run Combo-Fix.exe and follow the prompts.
(Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
- Wait for the scan to be completed.
- If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)
Do not click on the ComoboFix window, as it may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Run Hijackthis and the entry for NWPROVAU.DLL should now be gone from the list. Attach new log and Combofix report.
Edit: One issue with AdAware is that in order to let Ad-Aware 2008 quarantine objects before removal users may choose to press the Quarantine button instead of the Remove button at the Scan Results window. This way the quarantined item may be restored later if the user so chooses
