TechSpot

Trojan.downloader.win32.agent

By kipperoo15
Nov 19, 2008
  1. I finally got around to fixing my laptop, got WoW all installed on it, downloaded some stuff, and now my AVG scans are showing all sorts of crazy stuff... and when I open WoW, it says I have a "trojan.downloader.Win32.Agent variant". Please help!

    I attached the results from HijackThis, SuperAntiSpyware, etc.
     
  2. Kazi

    Kazi TS Enthusiast Posts: 121

    In MBAM you did not do anything with the trojans.
    When the scan is done, look at the file list or report and then remove everything.
    Did you remove everything in SAS?
    Tell me what's happening with your comp.
     
  3. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    I deleted the quarantined items in MBAM and SAS. It seems like it's better now, I'm not getting the WoW warning and nothing's showing up in scans.
     
  4. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    When I try to open either of my hard drives (E and C) from My Computer, I get a Windows popup saying "E:\resycled\boot.com is not a valid Win32 Application." I know enough to know this is not good. I don't really want to reformat my laptop because I don't have all the disks where I'm living right now; I've moved around a lot the past year. Any help, again, is quite appreciated.
     
  5. Kazi

    Kazi TS Enthusiast Posts: 121

    Ahh, you need to delete Autorun.inf. Is WoW World of Warcraft? I don't remember it giving pop-ups.

    If you can fix your comp, I hope you know how to delete files through CMD.
    The autorun is just in the root of the drive.

    I'm very sorry but I'm kinda bad at CMDs.
    Please post a new HijackThis log.
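    The popup from post 4 and the advice in post 5 are two sides of the same mechanism: an autorun.inf at the drive root tells Windows which program to run when the drive is opened from My Computer, and once a scanner has removed that program the leftover autorun.inf keeps pointing at a file that no longer exists. The following script is an added example for this thread, not code from the posts or from any of the tools named in them; it parses an autorun.inf, lists every launch target (open=, shellexecute=, shell\<verb>\command=), and reports which targets are missing from the drive. The sample autorun.inf content and the temporary "drive" it is checked against are constructed for the example.

```python
"""Audit the launch targets of an autorun.inf (added example, not from the thread).

A stale autorun.inf whose target has already been removed is what produces
an "X:\\...\\file.com is not a valid Win32 Application" popup when the drive
is opened; the fix is to delete autorun.inf from the drive root.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# [autorun] keys that cause a program to run when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
# shell\open\command, shell\explore\command, shell\<custom verb>\command
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


@dataclass
class LaunchTarget:
    key: str                # the autorun.inf key naming the program
    command: str            # the raw value, e.g. '"resycled\boot.com" /x'
    program: str            # program path, relative to the drive root
    exists: Optional[bool]  # None when no drive root was given to check


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value pairs.

    Hand-rolled rather than configparser because real autorun.inf files
    often carry a BOM, mixed case and backslashes inside key names.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def program_from_command(command: str) -> str:
    """Pull the executable out of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:close] if close > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_autorun(text: str, drive_root: Optional[str] = None) -> List[LaunchTarget]:
    """List every program autorun.inf would launch and whether it is present."""
    targets: List[LaunchTarget] = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            program = program_from_command(value)
            exists = None
            if drive_root is not None:
                # autorun.inf paths are relative to the drive root; split on
                # backslashes so the check also works on non-Windows hosts.
                exists = bool(program) and os.path.exists(
                    os.path.join(drive_root, *program.split("\\")))
            targets.append(LaunchTarget(key, value, program, exists))
    return targets


def stale_programs(text: str, drive_root: str) -> List[str]:
    """Programs autorun.inf references that no longer exist on the drive."""
    return sorted({t.program for t in audit_autorun(text, drive_root)
                   if t.exists is False})


# Constructed sample modelled on the thread's symptom: every launch entry
# still points at resycled\boot.com after the payload itself was removed.
SAMPLE_AUTORUN = """\ufeff[AutoRun]
; constructed sample for this example, not a real dropper
open=resycled\\boot.com
shell\\open\\Command=resycled\\boot.com
shell\\explore\\Command="resycled\\boot.com" /explore
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def demo() -> List[str]:
    """Simulate an E: drive where only the stale autorun.inf remains."""
    with tempfile.TemporaryDirectory() as fake_drive:
        with open(os.path.join(fake_drive, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_AUTORUN)
        return stale_programs(SAMPLE_AUTORUN, fake_drive)


if __name__ == "__main__":
    for target in audit_autorun(SAMPLE_AUTORUN):
        print(f"{target.key:<22} -> {target.program}")
    print("missing on drive:", demo())
```

    On a real machine you would read `X:\autorun.inf` from each drive root and pass that root as `drive_root`; a non-empty `stale_programs()` result is the signature of the popup described above, and a non-stale result that points at an unexpected executable is worth submitting to a scanner before the drive is opened from Explorer again.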
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello kipperoo15

    When any cleaner is run, it is possible that after one run that removes certain powerful malware, it exposes more that were not even seen on the first run.

    The goal is to get these to come up clean or find something it can not handle.

    So run both MBAM and SAS again and post the logs.

    I can tell from the quantity and the quality of what they did find that you in fact have much more.

    Good job so far.

    Mike
     
  7. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    I ran both MBAM and SAS, the MBAM log is attached, but this time SAS didn't come up with anything.

    Thanks for helping, this is a total life saver.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi kipperoo15

    Good job!

    Run MBAM again until it comes up clean or finds something it can not remove. If clean, let me know; post the log if it does find something it can not handle.

    Then do the below

    Download SDFix to the Desktop; among other things it includes Catchme to look for rootkits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SDFix. Double-click to enter SDFix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted, hit the Enter key to restart the computer.

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.

    Copy and paste the Report.txt file to your next post.

    Mike
     
  9. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    I ran MBAM a few more times, logs are attached. It keeps coming up with 4 results.
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    Ok Kipper

    Sorry you took the time to run the third time. After these issues are fixed you should run these programs every 2 weeks or so, but if they come up twice with exactly the same thing there is no need to run it more.

    OK, now do the SDFix above to get these; we may need to run another tool to finish up.

    So do the SDFix; it does not take nearly as long as the others.

    Mike
     
  11. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    Log Attached
     

  12. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, good, that was clear.

    Again, this one doesn't take long either; it should find and fix DNSChanger.

    ComboFix

    NOTE: If the ComboFix you have is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike

    Don't forget to Attach instead of pasting to the thread.
     
  13. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    :D I'm going to run Combofix right now. Thanks for your help :)
    -Katie
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    You are right sorry I must be tired!

    Thanks
    Mike
     
  15. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    Hehe I'm just trying to follow directions as clearly as possible :p

    Log attached.
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    And you are doing a fabulous job.

    Run SAS; it had found and removed much, but we need to see it clean, then MBAM should finish all the rest.

    If they are clear then no need to post them but do get me a final HJT log.

    I hope we are close to finished I think so!

    Mike
     
  17. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    sas log is attached, it had some stuff on it. I'm running mbam now.
     
  18. mflynn

    mflynn TS Rookie Posts: 2,655

    OK Kipper

    We found one that needs special handling.


    Drag the mouse to copy each line, one at a time:
    Code:
    %System%\drivers\winsys.sys
    %System%\wincom.exe
    Then:

    Open MBAM, click and update it (new update today).

    Then More Tools > Run Tool.

    In the File name: box paste it, click OK, choose Delete on Boot, and then paste the second line the same way.

    Reboot to remove the file, then run SAS again to confirm it's gone!

    Mike
     
  19. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    I can't get the first line to work, it gives an error that says:
    %System%\drivers\winsys.sys
    Path Does not exist
    Please verify the correct path was given.

    Thanks :)
     
  20. mflynn

    mflynn TS Rookie Posts: 2,655

    That just means the file is not there; that is good.

    What about the 2nd?

    Mike
     
  21. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    Same with the second one, I'm going to reboot and rerun SAS now.
     
  22. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    SAS came up clean! Anything else to do or is it fixed?

    Thank youuuuuuuuu! :)
     
  23. mflynn

    mflynn TS Rookie Posts: 2,655

    Hit me with a HJT log before logging off.

    Use the computer, but when you go to bed or work, update MBAM and leave it in a scan. Post the log in the morning.

    Good job.

    I will leave a thread closing for you tomorrow.

    Good job!

    Night,
    Mike
     
  24. kipperoo15

    kipperoo15 TS Rookie Topic Starter Posts: 18

    Yay!! Here's the HijackThis log. Will post the other scan tomorrow morning. Thanks for your help.
     
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    HJT log clean also!

    Talk tomorrow,

    Mike
     
Topic Status:
Not open for further replies.