Trojan downloader.agent.av

Unknown

I got a trojan downloader.agent.av when installing a downloaded program and the AVG antivirus anounced it. I did all I could but till the moment there are new windows with advertising opening when I am on line. I think I must delete a register key of the Windows XP Professional O.S. Can any friend help me to get rid of this annoying stuf?? I apreciate any answer. All the best.

shwaip

Check the links at the top of the page, and after updating and running adaware and spybot, download and run hijackthis, available from the first link in my sig, and post a log please.

Paulo

shwaip wrote:

Check the links at the top of the page, and after updating and running adaware and spybot, download and run hijackthis, available from the first link in my sig, and post a log please.

I did just like you said, but now when I clik a link, it open a new IE window minimized. Maybe a little step more is needed.

shwaip

try this link to get hijackthis:
http://www.short-media.com/getdownload.php?d=245

run it, and post a log. to do this, click "save log" and then copy and paste the text as a response to this thread.

Paulo

Logfile of HijackThis v1.97.7
Scan saved at 14:59:39, on 1/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe
D:\Arquivos de programas\ScannerU\KYESCAN.EXE
C:\ARQUIV~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
D:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.superig.com.br/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/pt-br/srchasst/srchcust.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/pt-br/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: KYESCAN.lnk = D:\Arquivos de programas\ScannerU\KYESCAN.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

shwaip

boot into safe mode, remove this entry with hijackthis:
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

then delete the file c:\windows\downloaded program files\gbieh.dll

reboot.

Paulo

Did just like you said. It's all right now! Many thanks!

Paulo

shwaip

glad to hear that. If you have additional problems, please start a new thread.