How-To Geek Forums » Windows XP
(Solved) - I can't get rid of a trojan.agent
(29 posts)
MBAM is specific to malware, spyware and those lightweights. You need a good Antivirus solution such as McAfee or better. You could get a little more technical and download the Sysinternals tools, and there is one which you can run that will show you all the DLLs associated with that trojan. You can write them down, reboot in safe mode and delete them. Then search the registry for the mention of them and delete them. Can you actually look and see the executable in Windows Explorer? If not, go into safe mode and open a DOS prompt, change directories to the location and then type dir to see if it shows up.
Here is the log from the last scan of Malwarebytes.
Malwarebytes' Anti-Malware 1.41
Database version: 3015
Windows 5.1.2600 Service Pack 2
10/23/2009 8:12:37 PM
mbam-log-2009-10-23 (20-12-37).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 159167
Time elapsed: 19 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xml10 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Also, I got this from the quarantine list with the program:
RUNDLL32.exe C:\window\system32\xml_incdll,i
I'm assuming that's the location of it. So is it just easy enough to boot up in safe mode and go into that file and delete it?
I also have run my antivirus program (McAfee) a couple of times and it can't even detect the Trojan at all.
Does this RunDLL error prompt when you start your PC?
Do you have a program called Autoruns? Well, if not, then download it. Something similar happened to me; it's probably a leftover from a deleted virus. Run Autoruns and see if it's in the startup tab. If it is, then turn it off, then save, restart and see if the system runs normally for a few hours without this. If so, then go back into Autoruns and delete the entry.
My computer doesn't run slow and I don't get any pop-ups or error messages. I just ran this malware program to make sure everything was clear and this was the only thing I can't get rid of. Other than it not being able to delete the infection, everything is normal.
Do you have a link for this Autoruns thing, and what exactly does it do?
I'm still unsure why Autoruns would help me in this situation as I am not getting any error messages when I boot or at all.
I have located the file on my C: drive, but I am afraid to just try to delete it because I know there are sensitive files in the system32 folder.
When I highlight this file that I suspect is the infection, it says that the company is "inte", and every other file that I highlight in the system32 folder has the company name "Microsoft Corporation".
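One way to answer the "who published this file" question above, and the Autoruns question before it, without touching anything in system32 yet. This is an added example for this thread, not code from any poster, from Malwarebytes or from Autoruns. It assumes Windows PowerShell 2.0 or later (available for XP as a separate download), and the function names Get-RunDllTarget and Test-RunEntry are this example's own. It lists every value under the usual Run/RunOnce keys, pulls the DLL path out of each rundll32 command line (the same shape as the xml10 value in the MBAM log), and reports whether that file exists, the CompanyName in its version info and its Authenticode signature status. It deletes nothing.

```powershell
# Added example (not posted in this thread): report on rundll32-style Run-key
# entries. Nothing is modified. Assumes Windows PowerShell 2.0 or later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunDllTarget {
    # Extract the DLL path from a command line of the form
    #   rundll32.exe <path>,<entrypoint>
    # Returns $null for anything that is not a rundll32 invocation.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)rundll32(\.exe)?\s+"?([^",]+)"?\s*,') {
        $path = $Matches[2].Trim()
        # LoadLibrary appends ".dll" when the name carries no extension
        if (-not [System.IO.Path]::HasExtension($path)) { $path += '.dll' }
        return [System.Environment]::ExpandEnvironmentVariables($path)
    }
    return $null
}

function Test-RunEntry {
    # Build a report object for one Run-key value. Flags are hints for a human,
    # not a verdict: a legitimate third-party tool is also "non-Microsoft".
    param([string]$Key, [string]$Name, [string]$CommandLine)
    $r = New-Object PSObject -Property @{
        Key = $Key; Name = $Name; CommandLine = $CommandLine
        Dll = (Get-RunDllTarget $CommandLine)
        Exists = $false; Company = $null; Signature = $null; Flags = @()
    }
    if (-not $r.Dll) { return $r }                 # not a rundll32 entry
    if (-not (Test-Path -LiteralPath $r.Dll)) {
        # The loader target is gone: this is the "leftover" case Autoruns shows
        # as an orphaned entry, and only the registry value needs to go.
        $r.Flags += 'target-missing'
        return $r
    }
    $r.Exists    = $true
    $r.Company   = (Get-Item -LiteralPath $r.Dll).VersionInfo.CompanyName
    $r.Signature = (Get-AuthenticodeSignature -FilePath $r.Dll).Status
    if ($r.Signature -ne 'Valid')                  { $r.Flags += 'no-valid-signature' }
    if ($r.Company -notlike '*Microsoft*')         { $r.Flags += 'non-Microsoft-publisher' }
    if ($r.Dll -like "$env:SystemRoot\system32\*") { $r.Flags += 'lives-in-system32' }
    return $r
}

# Walk the live registry. The PS* properties are provider metadata, not values.
$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        Test-RunEntry -Key $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
}
$report | Where-Object { $_.Dll } |
    Format-List Key, Name, CommandLine, Dll, Exists, Company, Signature, Flags

# The value quoted in the MBAM log above, checked the same way without reading
# the registry. The path is copied from the thread as typed, so on most machines
# it will simply report target-missing.
Test-RunEntry -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
              -Name 'xml10' -CommandLine 'RUNDLL32.exe C:\window\system32\xml_incdll,i' |
    Format-List Name, Dll, Exists, Flags
```

Run it from an Administrator prompt so HKLM is readable. An entry flagged target-missing is an orphan: the value in the Run key is all that is left and can be removed from Autoruns, which is what the post above suggests. A file that does exist, is unsigned and names a publisher nobody recognises is worth copying somewhere safe (the CD idea later in the thread) before anything is deleted, so the change can be reversed if a program stops working.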
You can go to the Process Library and look these up; if they don't have the information they will find it for you. Go to the home page and type in the search bar. I have rundill32.exe running also, in small letters; the Process Library is looking them up for me.
Here is the link, free to use: http://www.processlibrary.com/
I ran a registry scan and it came up with a bunch of errors, but it won't get rid of all of them without me buying something, which I'm not. The actual file in the system32 folder that I am talking about is xml_inc.dll.
I put that into that Process Library and it didn't come up with anything.
I am looking into the CD idea but I don't have a blank one at the moment. So I copy the xml_inc.dll file onto a CD, then take the CD out and delete the file from the system32 folder?
I agree with podie. Go to the 9th item down on this link to Major Geeks, where I just got help to get rid of a VERY bad virus infection on my machine from them. You'll see that on that page they want you to disable AutoRuns. This article was written by the co-owner of the site, and he personally helps a lot of people rid their machines of viruses and the like. The article is about how NOT to get malware in the 1st place. It's pretty helpful.
Here is a link to show how they helped me get rid of the bug that was in my machine.
Good Luck......
If you think you have malware, you should run a HijackThis log and post it on one of the forums I've listed below.
To download HijackThis go to the following link:
http://free.antivirus.com/hijackthis/
1. Click on the "Installer" link next to the icon of the guy with the spyglass.
2. Save HJTInstall.exe to your desktop.
3. Doubleclick on the HJTInstall.exe icon on your desktop. You may get the "open file - security warning" window asking you if you want to run the file. If so, just click "Run".
4. Click "Install". By default it will install HJT to C:\Program Files\Trend Micro\HijackThis and create a HJT icon on your desktop and launch HJT.
5. Click on the "Do a system scan and save a log file" button. It will scan and then save the log to Notepad.
6. Close HJT by clicking on the "X".
7. At the top of the Notepad HJT log screen, hit Edit then Select All then click Edit and then click Copy (doing that copies the text to the clipboard, you won't see it yet....)
8. Go to any of the Malware Removal forums listed below and Paste the log in a new thread. (To paste - if you use IE as your browser - just click on the "Edit" menu selection, and then "Paste" in the drop down menu)
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required. WAIT until a security expert AT ONE OF THE SITES LISTED BELOW looks at your log and interprets it and posts a reply.
Aumha forum: http://forum.aumha.org/viewfor.....7782f68c4c
Bleeping Computer: http://www.bleepingcomputer.co.....rum22.html
Geeks to Go: http://www.geekstogo.com/forum.....l-f37.html
Major Geeks: http://forums.majorgeeks.com/forumdisplay.php?f=35
Malware removal: http://malwareremoval.com/foru.....66edf36e99
Spyware Info: http://www.spywareinfoforum.co.....owforum=18
Tech Support Guy: http://forums.techguy.org/54-m.....this-logs/
What the Tech (formerly Tom Coyote forum): http://forums.whatthetech.com/.....l_f27.html
Be sure to read all the sticky announcements/instructions at the top of each malware forum!
You will probably have to register to post.
(BTW, the reason I've listed so many malware removal forums is so that you can post your HJT log on each one . . . some respond faster than others, so if you post on each one you are likely to get an answer within 24 hours from one of them . . . sort of like a shotgun approach.)
Great post Bobjam, I would add at the end though, about the part about posting to several sites, re: your HJT log. Once you've started getting help from one of these helpers, STICK WITH THAT ONE! If you start mixing help from one site to the next, a) you might screw something up horribly bad, and b) some of these guys are VERY proprietary about helping people, (which they attribute to reason "a"). So just a heads up. Don't mix and match advice once you've decided on one of these helpers........