How to remove Trojan Horse Agent.4.E?

heidiho, October 30, 2008

Does anyone know how to remove this Trojan Horse Agent.4.E? My AVG didn't catch it and now it's monopolizing my PC. Thanks for your time.

Do you know where avg found it, the file path?

What symptoms are you having?

Please run the program in the link and post a log so we can see what is going on.

Please download Malwarebytes' Anti-Malware to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Here is a link that might be useful: Malwarebytes

October 30, 2008 at 9:10PM
I'm not sure if this is what you need but I copied this down from the details of the Threat Name: Trojan Horse Agent.4.E
C:\Documents and Settings\LocalService\LocalSettings\Temporary Internet Files\Content.1E5\CR"YBTB7\w"1>.bin

I also got
Mod Name:Flash9f.ocx
Threat Detected! Trojan Horse Agent.AEAR

This comes up as pop-ups every time I try to do anything on my computer.
Also, if I don't turn the sound down or turn the PC off during the night and day, I hear music and commercials from my speakers but nothing on the screen pertaining to these sounds.
It's really weird.
Meanwhile I'll download Malwarebytes' Anti-Malware and will keep you posted.
I should've mentioned also that I've got WinXP and IE6.
Thanks so much for your rapid response.
Wish I could figure these things out on my own but at this old age I guess I'll just have to depend on excellent helpers like you and hope that your kind never give up helping us that can't help ourselves.
Thanks again for taking the time to help.
I'll keep you posted.
Have a nice evening.

October 30, 2008 at 9:54PM
It is important that you try to post a log from Malwarebytes in your next reply; take your time and follow all directions for the program.

I will look up some of the other files for you.

October 30, 2008 at 10:14PM
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

October 30, 2008 at 10:20PM
The first time I ran the scan I had 48 infected files. Below are the results of that scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1341
Windows 5.1.2600 Service Pack 3

10/31/2008 12:35:40 AM
mbam-log-2008-10-31 (00-35-40).txt

Scan type: Full Scan (C:\:)
Objects scanned: 102474
Time elapsed: 2 hour(s), 39 minute(s), 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 38
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\roytctm (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soxpeca (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdydowkc (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wsldoekd (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\macidwe (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nobicyt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfs (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sobicyt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdxdowkc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Outlook Express\wab.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{86FA0783-B9F2-4690-B09B-2E6C03E185B4}\RP113\A0017080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.


So I quarantined them, rebooted and ran the scan again, and it showed nothing infected, but the same message window that said "Resident Shield Alert, Threat name: Trojan Horse Agent.4.E" was there above the results of the scan.
Below are the logged results of that scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1341
Windows 5.1.2600 Service Pack 3

10/31/2008 1:34:54 PM
mbam-log-2008-10-31 (13-34-54).txt

Scan type: Full Scan (C:\:)
Objects scanned: 102262
Time elapsed: 2 hour(s), 38 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Maybe this is the end of it. Maybe.
Thanks so much.

October 31, 2008 at 3:04PM
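The two logs above are easier to act on once the entries are pulled out of the free text: which items MBAM could only mark "Delete on reboot" (those are exactly the ones worth checking after the restart zep asked for), whether any entry is classified as a backdoor (the reason the helpers escalated to a HijackThis thread), and whether the summary counts at the top match the listed entries. The parser below is an added example for readers of this thread, not code from the forum or from Malwarebytes; it assumes the text layout of the MBAM 1.30 logs posted here and runs over a constructed excerpt, including the wrapped entry where the action text lands on a following line.

```python
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "section item family action")

# Summary line near the top of the log, e.g. "Registry Keys Infected: 38"
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)\s*$")
# Section header further down, e.g. "Registry Keys Infected:"
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")
# One detection entry: <item> (<family>) -> <action taken>
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) ->\s*(?P<action>.*)$")

# Constructed excerpt in the layout of the MBAM 1.30 logs posted in the thread
# (a handful of entries, not the full log). The last entry deliberately has its
# action wrapped onto a later line, as in the posted log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1341
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\:)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfs (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) ->

Quarantined and deleted successfully.
"""


def _continuation(lines, i):
    """Recover the action text of an entry whose action wrapped onto a later line.

    Returns (action, next_index). Stops without consuming anything if the next
    non-blank line is itself a header or a new entry."""
    while i < len(lines):
        nxt = lines[i].strip()
        i += 1
        if not nxt:
            continue
        if SECTION_RE.match(nxt) or ITEM_RE.match(nxt):
            return "", i - 1
        return nxt, i
    return "", i


def parse_mbam_log(text):
    """Parse an MBAM 1.x text log into (summary counts, list of Detection)."""
    counts, detections, section = {}, [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            action = m.group("action").strip()
            if not action:
                action, i = _continuation(lines, i)
            detections.append(Detection(section, m.group("item"), m.group("family"), action))
    return counts, detections


def pending_reboot(detections):
    """Entries MBAM could not remove live; confirm they are gone after the restart."""
    return [d for d in detections if d.action.lower().startswith("delete on reboot")]


def backdoor_hits(detections):
    """Items whose family is a backdoor, which warrants a specialist follow-up."""
    return [d.item for d in detections if d.family.lower().startswith("backdoor")]


def family_counts(detections):
    return Counter(d.family for d in detections)


def count_mismatches(counts, detections):
    """Sections whose header count differs from the number of entries listed."""
    listed = Counter(d.section for d in detections)
    return {s: (n, listed.get(s, 0)) for s, n in counts.items() if n != listed.get(s, 0)}


def is_clean(counts):
    """True when every summary count is zero, as in the second posted log."""
    return bool(counts) and all(n == 0 for n in counts.values())


if __name__ == "__main__":
    counts, dets = parse_mbam_log(SAMPLE_LOG)
    print("clean:", is_clean(counts), "| families:", dict(family_counts(dets)))
    print("pending reboot:", [d.item for d in pending_reboot(dets)])
    print("backdoor hits:", backdoor_hits(dets))
    print("count mismatches:", count_mismatches(counts, dets))
```

Pointing `parse_mbam_log` at the full first log from this thread would list the seven `Delete on reboot` files under `system32`, the five `Backdoor.Bot` service keys, and a count check of 38 registry keys against the entries listed; the second log parses to all-zero counts, which is what `is_clean` reports.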
As you can see, Malwarebytes is good, but with as many items as you had I feel you need to run some other programs; I'm not talking about online scanners. The backdoor Trojans concern me even though Malwarebytes removed them. I want you to visit the forum in the link provided (you will need to join to be able to post), follow the instructions for HijackThis, and post a log in the HijackThis part of the forum along with a copy of the Malwarebytes log you posted here, and get further help, all to make sure you are 100% clean; you do not want to fool around with some Trojans.

Thank you so much for following through here.


Here is a link that might be useful: Help

October 31, 2008 at 3:53PM
Thank you so very much for your help. I'll do as you suggested.
So far, so good today, but I don't want to press my luck, so I'll do as you say.
Thanks again and have a nice weekend.

October 31, 2008 at 5:27PM
ravencajun Zone 8b TX

Heidiho, definitely go to that forum and we will help you make sure you are fully clean. I agree with zep: you have some nasty stuff on your PC, and even though Malwarebytes is exceptional, sometimes there are things it cannot get. We will be looking for you.

October 31, 2008 at 6:01PM
ravencajun Zone 8b TX

For anyone following, Heidiho has made excellent progress and her PC is in much better shape now.

This infection is spreading wildly; some of the infections we have seen include backdoor bots, which are extremely serious and allow someone to have full access to your PC.

If you are seeing any sign of this infection, please follow the link and start your own thread in the HijackThis area. DO NOT try to simply follow the directions given to someone else; each case is very different, and following the wrong directions can make things worse. Corrine has put up a new post at the top of that area with instructions for this infection; please read them and start your own thread. It may take some time, but you will get assisted. We are helping several people from here as well as from many other locations. Our team is from all over the world, so the time zones may affect when you get assistance.
HijackThis Logs

November 10, 2008 at 12:58PM
