How-To Geek Forums / Windows Vista

(Solved) - TROJAN.AGENT VIRUS (how to remove)

(19 posts)
  • Started 11 years ago by FMZ
  • Latest reply from FMZ
  • Topic Viewed 37182 times

FMZ
Posts: 0

Ran Spyware Doctor, detected Trojan.agent virus in HKEY_USERS\S-1-5-21-93465498-330590618-1224202275-1000\Software\Microsoft\rdfa

Windows Vista Home Premium

Window Restore is disabled

Removed and quarantined, deleted.

Restarted, ran Spyware Doctor again and the Trojan re-appeared; this happens every time I restart.

I ran Norton, which does not detect anything.

But there is definitely something on the system, especially with IE 7.

I need advice on how to get rid of this.

Thanks in advance

Posted 11 years ago
PalmTrees
Posts: 0

Try this out. http://www.superantispyware.com/superantispywarefreevspro.html

Posted 11 years ago
k9
Posts: 0

Scan your computer with HiJackThis and paste the log file here.

Posted 11 years ago
ScottW
Posts: 0

Did you get this report from Spyware Doctor? Trojan.agent is too vague. There should be a .<variant name> at the end of that. Also, Spyware Doctor is for Spyware, not viruses unless you have the AV version.

You probably do have an infection. Some of these spyware scams will create a false positive virus in order to try to get you to pay for a removal product. Here is an example of how such programs work from the support forums at Lavasoft, makers of Ad-Aware:
http://www.lavasoftsupport.com/index.php?showtopic=13521&pid=74655&mode=threaded&start=

Posted 11 years ago
FMZ
Posts: 0

Scott,

I got a report from SP Doctor, and you are right, it is some kind of infection. How do I post the report for your review?

Posted 11 years ago
ScottW
Posts: 0

FMZ, if you can't get or generate a text mode log of the infection report, just look for the name, or variant, of the virus. But, don't worry too much about this virus report -- I'm pretty sure it's a false lead.

I googled up that registry key and got lots of hits for Virtumonde, Vundo, or Vundomonde. It may be one of these, but do try another scanner as PalmTrees suggested. If a scanner can't get it, we may need to see the HJT log, as k9 suggests.

Posted 11 years ago
FMZ
Posts: 0

All right, I got rid of the Trojan.Agent... but now I have 4 screens popping up with a message saying:

RunDLL
Error loading C:Users\FERRY\AppData\Local\Temp\yayaaXoO.dll
and: nnnmmmMD.dll
and: mrwgsjio.dll

All seems to be working well, but these screens pop up after start-up. Any idea how to fix or remove?

Posted 11 years ago
k9
Posts: 0

Go to msconfig and check your startup items. Probably the trojan had modified the registry to run the dlls you have mentioned on startup. Just uncheck the boxes corresponding to these dlls. Since you got rid of the trojan and the associated dlls, RunDLL is unable to locate these dlls and execute them.

You can also use a program called Autoruns to help you deal with it.

Posted 11 years ago
FMZ
Posts: 0

Cool, txs k9, all 4 that were popping up were listed; I unchecked them. Do I need to delete them from there or something?

Again, your help is appreciated!

Posted 11 years ago
ScottW
Posts: 0

Aha! Made up jumbled letter filenames are certainly malware related. This still could be a Vundo variant -- see this article at bleepingcomputer.com:
http://www.bleepingcomputer.com/forums/topic18610.html

If those RunDLL errors are coming from Windows, you could use Windows Defender or autoruns to remove them from the startup list. Reboot and see that they don't come back. Even if this works, you should continue to test with other free scanners and/or post a HJT log.

Posted 11 years ago
FMZ
Posts: 0

ScottW,

After de-selecting them the pop-ups went away. I ran a full SW Doctor scan and Norton, nothing was found. Is it right to conclude that it is "all set now"?

Posted 11 years ago
ScottW
Posts: 0

FMZ, I'm glad your pop-ups are gone. I would not be satisfied with just unchecking those startup items in msconfig. They need to be completely removed. Use Windows Defender or Autoruns and delete those bogus entries with extreme prejudice! If you need help with that, just ask.

Once that's done, then you can consider this incident to be done with. However, it never hurts to get a 2nd, 3rd or 4th opinion. There are lots of free online scanners and they might find leftovers from this infection or another one lying in wait. Finally, see this wiki article for general tips on preventing another infection from even getting on your system:
https://www.howtogeek.com/wiki/Prevent_Infection_from_Viruses_and_Spyware

Posted 11 years ago
Lighthouse
Posts: 0

Definitely try Superantispyware:
http://filehippo.com/download_superantispyware/
Remember to get the very latest updates after you install it.

Posted 11 years ago
FMZ
Posts: 0

Txs team, the system is running as smooth as ever! One other question: I downloaded Autoruns as ScottW suggested; what do I do next with this program?

Posted 11 years ago
Lighthouse
Posts: 0

Glad about that FMZ. But how did you fix it?

Posted 11 years ago
FMZ
Posts: 0

First I ran SmitFraudFix (for trojan.agent); this removed a good part of the problem. After that I ran FixIEDef.exe by ShadowPuterDude (for IEDefender); this website was suggested by ScottW (http://www.lavasoftsupport.com.....#38;start= ) and that's it. A note: all the time I had Windows Restore shut down, and was scanning with PC Tools Spyware Doctor and Norton.

Posted 11 years ago
Lighthouse
Posts: 0

Thanks ever so much for that FMZ :)

Posted 11 years ago
ScottW
Posts: 0

FMZ, Autoruns may look a little chaotic at first. Go to the Logon tab and here you will see all of the programs that are set to launch at startup time. They are presented as registry keys, with the programs underneath. Userinit and Shell (explorer.exe) are part of the OS and should not be altered. The keys that end in CurrentVersion\Run, RunOnce and Programs\Startup are where you will find the startup programs. If you see any leftovers from the infection, such as <jumbled letters>.dll, delete those.

As for the rest, you should look them over and be sure that you know what they all are and what they do. If there is something there you don't recognize, google it up and find out what it is. For things that you do recognize, you can decide if you want them to run or not. To try running without these extras, just uncheck them.

Posted 11 years ago
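The checks k9 and ScottW describe above (orphaned Run/RunOnce entries that make RunDLL complain about a DLL it cannot load, and random-letter DLL names under Temp) can be scripted so you see the suspect entries before opening Autoruns. The script below is an added example, not code from the thread or from the Autoruns tool; the registry key list is the standard per-user and per-machine Run/RunOnce locations, and the "jumbled name" test is a constructed heuristic (eight letters, no extension word, sitting under a Temp folder) modelled on the three file names FMZ reported. It only reports; removal is still done in Autoruns or msconfig as ScottW explains.

```powershell
# Added example (not from the forum thread): list Run/RunOnce entries whose target
# file is missing (the cause of "RunDLL ... Error loading <name>.dll" pop-ups at logon)
# or whose file name looks like random letters in a Temp folder. Report only; no deletion.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetPath {
    param([string]$Command)
    # rundll32 entries look like:  rundll32.exe "C:\...\x.dll",ExportName  -> keep the DLL path
    if ($Command -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)') { return $Matches[2] }
    # otherwise the executable is the first quoted or unquoted token
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-JumbledName {
    param([string]$Path)
    # Heuristic (assumption, not a rule): an 8-letter name with no digits, stored under a
    # Temp directory, like the yayaaXoO.dll / nnnmmmMD.dll / mrwgsjio.dll names in the thread.
    $leaf = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    return ($Path -match '(?i)\\Temp\\') -and ($leaf -match '^[A-Za-z]{8}$')
}

function Test-TargetExists {
    param([string]$Path)
    # Bare names such as "ctfmon.exe" resolve through PATH, so do not count them as missing.
    if ([System.IO.Path]::IsPathRooted($Path)) { return (Test-Path -LiteralPath $Path) }
    return [bool](Get-Command $Path -ErrorAction SilentlyContinue)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own provider metadata
        $target   = Get-TargetPath -Command ([string]$p.Value)
        $expanded = [Environment]::ExpandEnvironmentVariables($target)
        $flags = @()
        if (-not (Test-TargetExists $expanded)) { $flags += 'MISSING-FILE' }
        if (Test-JumbledName $expanded)        { $flags += 'JUMBLED-NAME' }
        if ($flags.Count -gt 0) {
            [PSCustomObject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Flags   = ($flags -join ',')
            }
        }
    }
}
```

Run it in a PowerShell window on the affected machine (an elevated one to read the HKLM keys reliably). A MISSING-FILE entry is exactly what produces the RunDLL pop-ups after the DLL has been quarantined; a JUMBLED-NAME hit is only a prompt to look the entry up, as ScottW advises, before deciding to remove it. Programs\Startup folder items and services are not covered here; Autoruns' Logon tab shows those as well.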
FMZ
Posts: 0

ScottW, txs for the brief explanation; all looks to be in order, no funny/strange .dlls there.

Posted 11 years ago

Topic Closed