(Solved) - TROJAN.AGENT VIRUS (how to remove)

(19 posts)
  • Started 6 years ago by FMZ
  • Latest reply from FMZ
  • Topic Viewed 37182 times

FMZ
Posts: 142

Ran Spyware Doctor, detected Trojan.agent virus in HKEY_USERS\S-1-5-21-93465498-330590618-1224202275-1000\Software\Microsoft\rdfa

Windows Vista Home Premium

Window Restore is disabled

Removed and quarantined, deleted.

Restarted, ran Spyware Doctor again and the Trojan reappeared; this happens every time I restart.

I ran Norton, which does not detect anything.

But there is definitely something on the system, especially with IE 7

I need advice on how to get rid of this.

Thanks in advance

Posted 6 years ago

PalmTrees
Posts: 53

Try this out. http://www.superantispyware.co.....vspro.html

Posted 6 years ago

k9
Posts: 129

Scan your computer with HiJackThis and paste the log file here.

Posted 6 years ago

ScottW
Posts: 6609

Did you get this report from Spyware Doctor? Trojan.agent is too vague. There should be a .<variant name> at the end of that. Also, Spyware Doctor is for Spyware, not viruses unless you have the AV version.

You probably do have an infection. Some of these spyware scams will create a false positive virus in order to try to get you to pay for a removal product. Here is an example of how such programs work from the support forums at Lavasoft, makers of Ad-Aware:
http://www.lavasoftsupport.com.....#38;start=

Posted 6 years ago

FMZ
Posts: 142

Scott,

I got a report from SP Doctor, and you are right, it is some kind of infection. How do I post the report for your review?

Posted 6 years ago

ScottW
Posts: 6609

FMZ, if you can't get or generate a text mode log of the infection report, just look for the name, or variant, of the virus. But, don't worry too much about this virus report -- I'm pretty sure it's a false lead.

I googled up that registry key and got lots of hits for Virtumonde, Vundo, or Vundomonde. It may be one of these, but do try another scanner as PalmTrees suggested. If a scanner can't get it, we may need to see the HJT log, as k9 suggests.

Posted 6 years ago

FMZ
Posts: 142

All right, I got rid of the Trojan.Agent... but now I have 4 screens popping up with a message saying:

RunDLL
Error loading C:\Users\FERRY\AppData\Local\Temp\yayaaXoO.dll
and: nnnmmmMD.dll
and: mrwgsjio.dll

All seems to be working well, but these screens pop up after startup. Any idea how to fix or remove them?

Posted 6 years ago

k9
Posts: 129

Go to msconfig and check your startup items. Probably the trojan had modified the registry to run the dlls you have mentioned on startup. Just uncheck the boxes corresponding to these dlls. Since you got rid of the trojan and the associated dlls, RunDLL is unable to locate these dlls and execute them.

You can also use a program called Autoruns to help you deal with it.

Posted 6 years ago

FMZ
Posts: 142

Cool, thanks k9, all 4 that were popping up were listed; I unchecked them. Do I need to delete them from there or something?

Again, your help is appreciated!

Posted 6 years ago

ScottW
Posts: 6609

Aha! Made up jumbled letter filenames are certainly malware related. This still could be a Vundo variant -- see this article at bleepingcomputer.com:
http://www.bleepingcomputer.co.....18610.html

If those RunDLL errors are coming from Windows, you could use Windows Defender or autoruns to remove them from the startup list. Reboot and see that they don't come back. Even if this works, you should continue to test with other free scanners and/or post a HJT log.

Posted 6 years ago

FMZ
Posts: 142

ScottW,

After de-selecting them the pop-ups went away. I ran a full SW Doctor scan and Norton, nothing was found. Is it right to conclude that it is "all set now"?

Posted 6 years ago

ScottW
Posts: 6609

FMZ, I'm glad your pop-ups are gone. I would not be satisfied with just unchecking those startup items in msconfig. They need to be completely removed. Use Windows Defender or Autoruns and delete those bogus entries with extreme prejudice! If you need help with that, just ask.

Once that's done, then you can consider this incident to be done with. However, it never hurts to get a 2nd, 3rd or 4th opinion. There are lots of free online scanners and they might find leftovers from this infection or another one lying in wait. Finally, see this wiki article for general tips on preventing another infection from even getting on your system:
http://www.howtogeek.com/wiki/.....nd_Spyware

Posted 6 years ago

Lighthouse
Posts: 13598

Definitely try Superantispyware
http://filehippo.com/download_superantispyware/
Remember to get the very latest updates after you install it

Posted 6 years ago

FMZ
Posts: 142

Thanks team, the system is running smooth as ever! One other question: I downloaded Autoruns as ScottW suggested, what do I do next with this program?

Posted 6 years ago

Lighthouse
Posts: 13598

Glad about that FMZ. But how did you fix it?

Posted 6 years ago

FMZ
Posts: 142

First I ran SmitFraudFix (for trojan.agent), which removed a good part of the problem; after that I ran FixIEDef.exe by ShadowPuterDude (for IEDefender). This website was suggested by ScottW (http://www.lavasoftsupport.com.....#38;start= ) and that's it. A note: all the time I had Windows Restore shut down, and was scanning with PC Tools Spyware Doctor and Norton.

Posted 6 years ago

Lighthouse
Posts: 13598

Thanks ever so much for that FMZ :)

Posted 6 years ago

ScottW
Posts: 6609

FMZ, Autoruns may look a little chaotic at first. Go to the Logon tab and here you will see all of the programs that are set to launch at startup time. They are presented as registry keys, with the programs underneath. Userinit and Shell (explorer.exe) are part of the OS and should not be altered. The keys that end in CurrentVersion\Run, RunOnce and Programs\Startup are where you will find the startup programs. If you see any leftovers from the infection, such as <jumbled letters>.dll, delete those.

As for the rest, you should look them over and be sure that you know what they all are and what they do. If there is something there you don't recognize, google it up and find out what it is. For things that you do recognize, you can decide if you want them to run or not. To try running without these extras, just uncheck them.

Posted 6 years ago
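Added example, not code from the original thread or from any of the tools it names. It covers the same ground as k9's msconfig advice and ScottW's Autoruns walkthrough above: it lists the autostart locations discussed (the CurrentVersion\Run and RunOnce keys for the machine and the current user, the Startup folders, and the Shared Tools\MSConfig\startupreg key where msconfig on XP, Vista and 7 records items that were only unchecked) and flags entries whose target file no longer exists, which is exactly what produces the RunDLL "Error loading" pop-ups FMZ saw after the DLLs were removed. The "random-looking name" and Temp-folder heuristics, the function names and the Remove-AutostartEntry helper are my assumptions for illustration; a hit means "look at this", not "this is malware".

```powershell
# Added example (not from the thread). Enumerates autostart locations and flags
# entries worth a closer look. Heuristics are illustrative assumptions, not
# rules from the thread. PowerShell 2.0 or later; run elevated to remove HKLM items.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Where msconfig parks items you merely uncheck: the entry is still recorded.
$MsconfigKey   = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-TargetPath {
    # Pull the file that actually runs out of a Run-value command line, e.g.
    # 'rundll32.exe C:\...\yayaaXoO.dll,a' -> C:\...\yayaaXoO.dll
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"?[^"]*rundll32(?:\.exe)?"?\s+"?([^",]+)') { return $Matches[1].Trim() }
    if ($cmd -match '^"?([^"]+?\.(?:exe|dll|scr|bat|cmd|vbs|js))') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-SuspiciousName {
    # Cheap "jumbled letters" test (assumption): 6-12 letters with an uppercase
    # letter after the first position (yayaaXoO, nnnmmmMD) or a run of four
    # consonants (mrwgsjio). Some legitimate names also match; triage hint only.
    param([string]$Path)
    $base = ($Path -replace '^.*[\\/]', '') -replace '\.[^.]*$', ''
    if ($base -cnotmatch '^[A-Za-z]{6,12}$') { return $false }
    return (($base.Substring(1) -cmatch '[A-Z]') -or ($base -cmatch '[^aeiouAEIOU]{4}'))
}

function New-Finding {
    param([string]$Location, [string]$Name, [string]$Command, [string[]]$Reasons = @())
    $target = Get-TargetPath $Command
    # Bare names (e.g. ctfmon.exe) are resolved through PATH, full paths directly.
    $exists = if ($target -match '[\\/]') { Test-Path -LiteralPath $target }
              else { [bool](Get-Command $target -ErrorAction SilentlyContinue) }
    if ($target -and -not $exists) {
        $Reasons += 'target file missing (this is what produces the RunDLL "Error loading" pop-up)'
    }
    if ($target -match '\\Temp\\')   { $Reasons += 'runs from a Temp folder' }
    if (Test-SuspiciousName $target) { $Reasons += 'random-looking file name' }
    New-Object PSObject -Property @{
        Location = $Location; Name = $Name; Command = $Command; Target = $target; Reasons = $Reasons
    }
}

function Get-AutostartFindings {
    # One object per entry; an empty Reasons list means nothing stood out.
    $out = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $out += New-Finding -Location $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
    if (Test-Path $MsconfigKey) {
        foreach ($sub in Get-ChildItem -Path $MsconfigKey) {
            $cmd = [string](Get-ItemProperty -Path $sub.PSPath).command
            $out += New-Finding -Location $MsconfigKey -Name $sub.PSChildName -Command $cmd `
                        -Reasons @('only disabled in msconfig, entry still present')
        }
    }
    # Startup folders: per-user, plus the all-users folder (Vista and later path).
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'),
                 (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in (Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer })) {
            $cmd = $f.FullName
            if ($f.Extension -eq '.lnk') { $cmd = $shell.CreateShortcut($f.FullName).TargetPath }
            $out += New-Finding -Location $folder -Name $f.Name -Command $cmd
        }
    }
    return $out
}

function Remove-AutostartEntry {
    # Removes one entry outright (ScottW's point: delete it, don't just uncheck it).
    # Run with -WhatIf first to see what would be removed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)]$Finding)
    if ($Finding.Location -eq $MsconfigKey) {
        Remove-Item -Path (Join-Path $MsconfigKey $Finding.Name) -Recurse
    } elseif ($Finding.Location -like 'HK*:*') {
        Remove-ItemProperty -Path $Finding.Location -Name $Finding.Name
    } else {
        Remove-Item -LiteralPath (Join-Path $Finding.Location $Finding.Name)
    }
}

$findings = Get-AutostartFindings
$findings | Where-Object { $_.Reasons.Count -gt 0 } |
    Format-Table Location, Name, Target, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } -AutoSize
# After checking an entry by hand:  Remove-AutostartEntry $findings[0] -WhatIf
```

The script only reports; nothing is deleted until you call Remove-AutostartEntry on a specific finding, and -WhatIf shows the registry value or file it would remove first. Entries with no reasons are still worth the same "do I know what this is" check ScottW describes, because the heuristics only catch the obvious cases (dead references and Temp-folder DLLs), not a well-named persistence entry.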
 
FMZ
Posts: 142

ScottW, thanks for the brief explanation, all looks to be in order, no funny/strange .dlls there.

Posted 6 years ago
Top
 



Topic Closed

This topic has been closed to new replies.