TheTechGuide Forum
General Category => Tech Clinic => Topic started by: mrwoggle on December 11, 2009, 12:35:46 PM
-
Hello all.. I hope dearly that someone here can help me...
I have no idea where it came from, but last week my laptop got caught by that antivirus live fake scanner prog that's out and about... I managed to get shot of it, but it's left both win32.zbot and win32.Agent.pz behind.. Spybot S&D detects them, but they come back on reboot.. So I have run combofix and SD Fix, but the little blighters are still there... After running SDFix in Safe Mode, and letting it finish in normal Windows, I re-ran Spybot, and they are still there, this time with more entries. Below is the log that SDfix came up with... Is there any solution other than a re-install?? There's nothing I cannot regain on the drive, so it won't break my back, but I haven't really the desire or time for a clean install at the mo...
(My specs BTW are 2.6 GHZ processor, 2GB SDIMM RAM on Asus L58L laptop, XP SP3, Kaspersky Internet Security 9.0 )
I eagerly await your reply !!!
Andy W
HERE'S THE LOG
SDFix: Version 1.240
Run by Mr Woggle on 11/12/2009 at 14:29
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\DOCUME~1\MRWOGG~1\LOCALS~1\Temp\tmp6.tmp - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-11 15:16:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sports Interactive\\Football Manager 2010 Demo\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2010 Demo\\fm.exe:*:Enabled:Football Manager 2010 Demo"
"C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe:*:Enabled:Football Manager 2010"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 10 Dec 2009 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Bases\Cache\av1.tmp"
Fri 11 Dec 2009 18,442,529 A..H. --- "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Bases\Cache\av4.tmp"
Finished!
-
Hi mrwoggle, can you do the following
Download OTL.exe (http://oldtimer.geekstogo.com/OTL.exe) by OldTimer to your Desktop.
- Close all windows and double click on OTL.exe to run it
- Click Run Scan and let the program run uninterrupted.
- It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
- You may need to use two posts to get it all.
NOTE: If you have trouble, or an error message, trying to post the logs, can you upload it to a reply box:
In a Reply, select "Browse..." on the bottom right and then navigate to the file and select it.
Then click "Upload".