
Downloader.agent.awf


I really appreciate it - and so do my kids!

It will probably be very different to the genuine file, although not necessarily. 21504 - 37388 has also been observed: http://forum.avast.com/index.php?topic=27121.msg221978#msg221978

If this is Trojan.Zonebac/agent.AWF, it will be a question of restoring the backups

I have been running TrendMicro PC-cillin and it did not stop/catch the awf or SBot. 3) Within PC-cillin, should I run its firewall or should I run the Windows firewall?

http://www.bleepingcomputer.com/forums/t/130097/downloaderagentawf/

And also, what exactly is the point of this virus?

Please copy/paste the following bolded text into the text file:
C:\Program Files\AIM6\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Common Files\AOL\IPHSend\bak
C:\Program Files\Creative\MediaSource\Detector\bak
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak
C:\Program Files\Dell AIO Printer A960\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Verizon Online\Help

Anyway, attached are the logs you requested. I had trouble with the Windows firewall at one point (maybe that was part of one of these viruses) and could not get it to turn on so I just began

When I did an internet search on that name, I found bleepingcomputer listed it as a 023 entry on the HijackThis log - AND THERE IT WAS!

EFS, posted 09 February 2008 - 05:02 PM: I downloaded and ran AUTORUNS and then re-ran

For instance, the file %System%\bak\notepad.exe should be moved to: %System%\notepad.exe.
--- End quote ---
There's an alternative, but if you use this method back up the registry first.

http://www.techspot.com/community/topics/downloader-agent-awf-doginhispen.98659/

Use of tools like HijackThis that don't give the file size are completely useless as we cannot tell if the files relating to the entries are genuine or not. We understand that

Close OTMoveIt. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.

I wouldn't rely on it exclusively.
--- End quote ---
This list is only the confirmed list at the date the article was written.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Viewpoint
Return to OTMoveIt, right

Your log is actually clean, and I don't see the tell-tale signs of AWF.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. I need to see the FindAWF log, the new

http://www.wilderssecurity.com/threads/false-positive-report-downloader-agent-awf.149623/

detects Win32:Trojan-gen. {UPX!}, not Win32:Agent-BVS, which the avast!

It is also known to modify the Windows registry. Agent.AWF does not spread automatically: it needs an attacking user's intervention in order to reach the affected computer.

Here is the result of #1 Scan for bak folders:
Find AWF report by noahdfear 2006
Version 1.40
The current date is: Fri 02/08/2008
The current time is: 12:02:00.50
bak folders found

it got cut off!) located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. In "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" there is only one entry: "(Predeterminado)". I mean, I can restore the usurped files just using explorer, but I'm guessing we're in the regedit for lsasss.exe and more! :)

FreewheelinFrank:
--- Quote ---
Just notice the "extract this file" part.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Agent.AWF&oldid=758964485"

So what should I do?

That may cause it to stall or freeze

C:\Program Files\Viewpoint <-- Delete this folder

Download: DelDomains and save it to the desktop.
Close all open windows and your browser.
Right click DelDomains.inf and select > Install.
Reboot your computer.
Internet Explorer is needed to

Just to be on the safe side, though, I'd like you to repeat the scan in safemode using the following directions, and then post the log from the AVG Anti-Spyware scan

Analysts are sure there will be more and they all have the same file size of 21504 bytes (20k) and identical checksums.

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your

detection of agent.AWF, which is why I'd like to see a confirmation at VirusTotal that this is agent.AWF or a new variant or Trojan with the same behaviour. Please note that the

I have also attached the latest AWF log.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 20:00:23
Windows 5.1.2600

The crustylog 02.11.08a was run after the SDFix but before the ComboFix.

Type Y to begin the cleanup process.

http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99&tabid=3

mauserme: Frank, I think that list of "Confirmed compromised filenames and locations:" is a couple months old.

Click the red Moveit!

Do not mouseclick combofix's window while it's running.

scan completed successfully
hidden files: 0
Completion time: 2008-02-11 20:06:31
ComboFix-quarantined-files.txt 2008-02-12 01:06:26
ComboFix2.txt 2008-02-11 21:28:38

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:27 PM, on 2/11/2008
Platform: Windows XP SP2

The file that is missing we can address also when we're done. ViewPoint is foistware, it installed without your knowledge or consent, you can uninstall it via the Add Remove Programs in

Ellen

EFS, posted 11 February 2008 - 04:44 PM: Ken, Wow what a process - kinda Just confirms to me what I am dealing with.....

It said I could NOT delete ViewMgr.exe: Access denied.....file may be in use. I will download DelDomains to my desktop now and run it.

Save it to your desktop. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

To restore the backup file
Using the following registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
find all files referenced in entries that have the folder bak in the path e.g. "1" = "%System%\bak\notepad.exe".

Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

Download ComboFix from Here to your Desktop.
**Note: In the event you already have Combofix, please delete