Geekzone: technology news, blogs, forums


MurrayC

79 posts

Master Geek


#61413 17-May-2010 01:25

I'm running XP Pro.

Trend Micro has identified TROJ_AGENT.AVMT on my computer in the following location:

C:\systemvolumeinformation\_restore{FDBAD8EO-41CC-9442-935C73850B21}\RP7\AOOO1649.dll

I cannot find this file on my computer.

The Trojan will not allow access to any Microsoft, Trend Micro websites or Google searches on its name or on trojans generally. It has also unhooked the Microsoft Firewall. It has also deleted Restore Points prior to 8 May (presumably the date it infected my laptop).

Trend Micro cannot clean or delete this trojan.

Where to from here?  Your advice would be most welcome!!

Ragnor
8223 posts

Uber Geek

Trusted

  #330773 17-May-2010 01:41

Firstly, unplug the PC from the internet immediately if you haven't already (don't plug it back in until it's clean).

Secondly, using another clean machine, change every password for any sites/accounts/logins you've used on the machine since this infection.

Thirdly, it sounds pretty far compromised. I would probably advise backing up all important data/documents/favourites/email/etc. off it (by booting into safe mode or using a Linux live bootable CD) onto an external USB drive.

Reformat and do a clean new install of Windows.




heavenlywild
5067 posts

Uber Geek

Trusted

  #330774 17-May-2010 01:48

Very good advice, that's what I would recommend doing too.

Don't try fixing the issue, best to do a format. Make sure you scan your backed up files before loading them back to a "clean" system.

MurrayC

79 posts

Master Geek


#331393 18-May-2010 14:33

Thanks for the advice guys.  I'm enlisting some assistance to do a clean install.  

Just goes to show you that no matter how diligent you are with maintaining updates that nasty stuff can still sneak under the radar...

Cheers
Murray 



ZollyMonsta
3009 posts

Uber Geek

ID Verified
Trusted

  #331416 18-May-2010 15:21

Looks like a system restore file.

Turn off System Restore (this will delete all previous restore points). Click Apply
Turn back on System Restore and apply.

Do another scan then.




 

 



MackinNZ
450 posts

Ultimate Geek

Lifetime subscriber

  #331432 18-May-2010 16:06

All the above plus download and install Malwarebytes.

Scan the machine with a quick scan; if it finds any malware, allow MWB to remove it, reboot and scan again. Once the quick scan has returned a clean result, reconnect to the internet, update MWB and run a full scan. Keep running scans until you get a clean result.


Ragnor
8223 posts

Uber Geek

Trusted

  #331438 18-May-2010 16:15

ZollyMonsta: Looks like a system restore file.

Turn off System Restore (this will delete all previous restore points). Click Apply
Turn back on System Restore and apply.

Do another scan then.


Hmm, his other statements make it sound like the trojan has compromised his machine, disabling the firewall and AV and not allowing him to go to websites that would help him fix the issue.

Potentially the virus has compromised the AV program too.

xpd
Geek @ Coastguard NZ
13771 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #331444 18-May-2010 16:25

AVG has a rescue CD available - download that on another PC and run it and see if that helps... haven't used it myself yet but a copy is handy just in case :)




MurrayC

79 posts

Master Geek


  #331467 18-May-2010 17:06

UPDATE

Thanks ZollyMonsta - I did the turn off and then turn on Restore Point routine and it worked!

Thanks MackinNZ - I was able to download Malwarebytes and it detected 6 objects including one trojan and cleaned the lot.

Whew!!!

Microsoft updates have come through so working like it should do.

Thanks again for all responses... 

trig42
5816 posts

Uber Geek

ID Verified

  #331881 19-May-2010 14:56

MBAM (Malwarebytes) usually fixes those, and fixes the turned-off firewall and notifications too (they are just registry keys).

If it doesn't clean everything off (or it comes back pretty quickly), then ComboFix is another handy tool, as is removing the hard drive and scanning it using a clean PC's antivirus.

Formatting should only ever be a last resort.
