
 o
how to remove trojan horse agent.4.E?

Posted by heidiho on Thu, Oct 30, 08 at 20:49

how to remove trojan horse agent.4.E?
Does anyone know how to remove this trojan horse agent.4.E? My AVG didn't catch it and now it's monopolizing my PC. Thanks for your time.


Follow-Up Postings:

 o
RE: how to remove trojan horse agent.4.E?

Do you know where avg found it, the file path?

What symptoms are you having?

Please run the program in the link and post a log so we can see what is going on.

Please download Malwarebytes' Anti-Malware to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Here is a link that might be useful: Malwarebytes


 o
RE: how to remove trojan horse agent.4.E?

I'm not sure if this is what you need but I copied this down from the details of the Threat Name: Trojan Horse Agent.4.E
C:\Documents and Settings\LocalService\LocalSettings\Temporary Internet Files\Content.1E5\CR"YBTB7\w"1>.bin

I also got
C:\WINDOWS\system32\tpszxyd.sys
and
AppName:udxfytw.sys
Mod Name:Flash9f.ocx
Threat Detected! Trojan Horse Agent.AEAR

This comes up as pop-ups every time I try to do anything on my computer.
Also, if I don't turn the sound down or turn the PC off during the night and day, I hear music and commercials from my speakers but nothing on the screen pertaining to these sounds.
It's really weird.
Meanwhile I'll download Malwarebytes' Anti-Malware and will keep you posted.
I should've mentioned also that I've got WinXP and IE6.
Thanks so much for your rapid response.
Wish I could figure these things out on my own but at this old age I guess I'll just have to depend on excellent helpers like you and hope that your kind never give up helping us that can't help ourselves.
Thanks again for taking the time to help.
I'll keep you posted.
Have a nice evening.


 o
more

It is important you try to post a log from malwarebytes in your next reply, take your time and follow all directions with the program.

I will look up some of the other files for you.


 o
more2

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


 o
RE: how to remove trojan horse agent.4.E?

The first time I ran the scan I had 48 infected files. Below are the results of that scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1341
Windows 5.1.2600 Service Pack 3

10/31/2008 12:35:40 AM
mbam-log-2008-10-31 (00-35-40).txt

Scan type: Full Scan (C:\:)
Objects scanned: 102474
Time elapsed: 2 hour(s), 39 minute(s), 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 38
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFinding (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WServing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\roytctm (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soxpeca (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdydowkc (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wsldoekd (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\macidwe (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nobicyt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfs (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sobicyt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdxdowkc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Outlook Express\wab.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{86FA0783-B9F2-4690-B09B-2E6C03E185B4}\RP113\A0017080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.

///////////////////////////////////////////////////

So I quarantined them and rebooted and ran the scan again, and it showed nothing infected, but the same message window that said Resident Shield Alert Threat name: Trojan Horse Agent.4.E was there above the results of the scan.
Below are the logged results of that scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1341
Windows 5.1.2600 Service Pack 3

10/31/2008 1:34:54 PM
mbam-log-2008-10-31 (13-34-54).txt

Scan type: Full Scan (C:\:)
Objects scanned: 102262
Time elapsed: 2 hour(s), 38 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Maybe this is the end of it. Maybe.
Thanks so much.
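As an added example (not part of the original thread or of Malwarebytes itself), here is a small Python parser for the MBAM 1.x log format posted above. It tallies detections by family and pulls out the two things a helper reads first: items still marked "Delete on reboot" (removal is not finished until the machine restarts) and any Backdoor.Bot entries. The excerpt embedded below is constructed from lines of the first log.

```python
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.x log format; assumption: every detection
# line reads "<item> (<family>) -> <action>." under a "... Infected:" header.
SAMPLE_LOG = """\
Memory Processes Infected:
C:\\WINDOWS\\system32\\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\roytctm (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\perfs (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\afisicx.exe (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Section headers end in "Infected:" with nothing after the colon, which keeps
# the summary counters ("Files Infected: 10") from being mistaken for headers.
SECTION = re.compile(r"^(?P<section>.+ Infected):$")
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (section, item, family, action) tuples for every detection line."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION.match(line)
        if head:
            section = head.group("section")
            continue
        hit = DETECTION.match(line)
        if hit and section:  # "(No malicious items detected)" never matches
            findings.append((section, hit.group("item"), hit.group("family"), hit.group("action")))
    return findings


def triage(findings):
    """Family counts, items whose removal waits on a reboot, and backdoor hits."""
    return {
        "families": Counter(f[2] for f in findings),
        "pending_reboot": [f[1] for f in findings if f[3].lower().startswith("delete on reboot")],
        "backdoors": [f[1] for f in findings if f[2].lower().startswith("backdoor")],
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(key, value)
```

Feeding the full log from the post above through `parse_mbam_log` gives the same per-section counts the log's own summary header reports.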


 o
RE: how to remove trojan horse agent.4.E?

As you can see, Malwarebytes is good, but with as many items as you had I feel you need to run some other programs; I'm not talking about online scanners. The backdoor Trojans concern me even though Malwarebytes removed them. I want you to visit the forum in the link provided (you will need to join to be able to post), follow the instructions for HijackThis, and post a log in the HijackThis part of the forum along with a copy of the Malwarebytes log you posted here, and get further help, all to make sure you are 100% clean. You do not want to fool around with some Trojans.

Thank you so much for following through here.

zep.

Here is a link that might be useful: Help


 o
RE: how to remove trojan horse agent.4.E?

Thank you so very much for your help. I'll do as you suggested.
So far; so good today but I don't want to press my luck so I'll do as you say.
Thanks again and have a nice weekend.


 o
RE: how to remove trojan horse agent.4.E?

Heidiho, definitely go to that forum and we will help you make sure you are fully clean. I agree with zep that you have some nasty stuff on your PC, and even though Malwarebytes is exceptional, sometimes there are things it cannot get. We will be looking for you.


 o
RE: how to remove trojan horse agent.4.E?

For anyone following: Heidiho has made excellent progress and her PC is in much better shape now.

This infection is spreading wildly, some of the infections we have seen include backdoor bots which are extremely serious and allow someone to have full access to your pc.

If you are seeing any sign of this infection, please follow the link and start your own thread in the HijackThis area. DO NOT try to simply follow the directions given to someone else; each case is very different, and following the wrong directions can make things worse. Corrine has put up a new post at the top of that area just with instructions for this infection; please read them and start your own thread. It may take some time, but you will get assisted. We are helping several people from here as well as many other locations. Our team is from all over the world, so the time zones may affect when you get assistance.
HijackThis Logs

