hello to everyone,
I have this horrid problem with a trojan and AVG free edition.. I have used Spybot and AdAware and e-wido and clean up and ccleaner, phew!!! and i regularly update and use these tools anyway..
but still
when i turn on my computer the AVG Resident Shield pops up and says "virus detected!" When I click "Heal" and "Move to vault" it says it is successful but the Resident Shield window pops up again with the same virus/infection name.
It says
"While opening file: C:\WINDOWS\system32\orans.sys
Trojan horse Agent.CX"
please help please
thanks
gemgem

You may have to remove it after disabling system restore.
If you disable system restore, I would suggest to reboot and then scan, then turn your system restore back on.
I use Avast! and I ONLY click on move it to the vault. Works better for me than trying to heal it.
Big Bob, I didn't see any removal instructions from that link you gave?
Hopefully my advice will help you...Please post back with your results....thanks

hi bob, thanks
i am not using Sophos antivirus...
it seems the removal instructions are only for those using Sophos??
what would happen if i totally deleted the win/sys32/orans file that is infected.. would that be any good???
i really need to get rid of this trojan.
i can not find a trojan remover that is free.. and unfortunately at the moment i can not buy one??
any other suggestions..
thanks XpUser4Real, but avg won't do any action other than delete it every time i try to use the other actions it just comes back.. help

Try this one, free trial for 30 days, it should work with XP also
Trojan Remover
Or try an online scan
Trojan Scan
" You're only as safe as your last update "

I am having the same Problem with Trojan Horse Agent.cx and AVG 7.0 Edition.
Pl. do revert to me if you are able to find any solution.

Try one of the trojan scanner/remover programs above, these are free to try
" You're only as safe as your last update "

thanx all
i have tried the scans that you have suggested, unfortunately none of them have picked up the agent.cx or the isearchtech.bar..
spy bot brings up the isearchtech.sidefind, but can't get rid of it??
any ideas, i desperately need to be rid of these.. here is my hjt log
Logfile of HijackThis v1.99.1
Scan saved at 5:05:28 p.m., on 22/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Windows\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
C:\PROGRA~1\GoGoData.com\GOGODA~1\ADBUST~1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.exe
C:\programexes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iehomepage&c=3C01&lc=1409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:/www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iefreeemail&c=3C01&lc=1409
O2 - BHO: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O3 - Toolbar: GoGoData AdBuster - {3EB9C349-7473-48AC-A59B-42F31751974B} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GoGoTray.exe] C:\Program Files\GoGoData.com\GoGoData Toolbar\GoGoTray.exe
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - C:\PROGRA~1\GoGoData.com\GOGODA~1\TOMAHA~1.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iehomepage&c=3C01&lc=1409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE40FB83-33C7-43BA-A417-D98120807018}: NameServer = 202.27.158.40 202.27.156.72
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINDOWS\System32\mousebm.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
O23 - Service: tsecure - Unknown owner - C:\WINDOWS\tsecure.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\Windows\system32\ZoneLabs\vsmon.exe

hope someone can help
thanks
gemgem

Copy and paste this log here:
HiJack This Log Analyzer
It will tell you what you have for nasties
" You're only as safe as your last update "
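
The kind of pass a log analyzer makes over the O23 (services) section of a HijackThis log like the one posted above, as an added example that is not part of the thread or of any HijackThis tool. Three sample lines are copied from that log and the netinfo line is constructed; the function name, reason strings and watch list are assumptions made for the illustration.

```python
import re

# Three O23 lines copied from the log posted above, plus one CONSTRUCTED line
# (the netinfo entry) showing how the file AVG named would look if it were listed.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\system32\orans.sys
"""

# O23 line layout: display name, owner string, binary path, optional "(file missing)"
O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# The short service name, when present, is the last parenthetical of the display name
SHORT_NAME = re.compile(r"\(([^()]+)\)\s*$")


def triage_services(log_text, watch_files=("orans.sys",)):
    """Return [(service key, path, [reasons])] for O23 entries worth a manual look."""
    watched = {w.lower() for w in watch_files}
    findings = []
    for line in log_text.splitlines():
        m = O23.match(line.strip())
        if not m:
            continue  # other sections (R0, O2, O4 ...) are out of scope here
        short = SHORT_NAME.search(m["name"])
        key = short.group(1) if short else m["name"]
        path = m["path"]
        reasons = []
        if m["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if m["missing"]:
            reasons.append("file missing")
        if path.rsplit("\\", 1)[-1].lower() in watched:
            reasons.append("file named by the scanner")
        if reasons:
            findings.append((key, path, reasons))
    return findings


if __name__ == "__main__":
    for key, path, reasons in triage_services(SAMPLE_LOG):
        print(f"{key:20} {path}  <- {', '.join(reasons)}")
```

A flag is a prompt for review, not a verdict: the ATI entry is listed only because the log shows "Unknown owner" for it.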

thanks all i am still working it all,
agent.cx has gone when i uninstalled avg7??
hasn't turned up again.. hope that means it has disappeared.. for good..
thanks again for the links and help
gemma

Hello, reinstall AVG...
You say you removed AVG 7. So you think the virus is gone. You are mistaken; the virus is still there but only the alert message is gone. I had the same problem. Read below for the exact solution:
This is the solution:
1) Click Start >> Run
2) Type services.msc and press Enter
3) In the list of services find the service named 'netinfo'. Right-click it and click Properties (or double-click it)
4) Change the startup type to Disabled.
5) Restart your computer
6) After restarting click Start >> Run
7) Type "sc delete netinfo" (without quotes) and press Enter
8) Now open My Computer, go to C:\WINDOWS\system32 and delete the file orans.sys if it still exists.
Your problem is solved.

thanks Sufiyan Ansari!
i had the same problem with agent.cx and AVG. i tried many solutions and couldn't remove it, but yours worked for real and it's not showing up any more. i recommend everyone to try this.

Great great great !!!
thanks Sufiyan Ansari! thanks Sufiyan Ansari! thanks Sufiyan Ansari!
Really, i should have found this thread way long ago. I've tried so many stuff just like lanita...
It's a gift to have users like you Sufiyan.
;)
share the knowledge...

I am currently having a problem with Agent.cx
The responses above are nice and all, but I can not seem to get them to work on my computer. For instance, Netinfo is not listed as a service running on my computer. I tried to delete it anyways, won't work, but Orans.sys is the file causing me problems.
Is there anything else that I can try? Other than reformatting my computer of course.
Danny

Turn on Netinfo in services. Go to system32 & rename orans.sys to bad. Reboot your system
Then follow the steps above (Sufiyan)
AVG will then pick up Agent.CX & the other file renamed Bad & remove them. Just done it myself. Works a treat.
System Builder

I have the same problem as Danny - I do not have a "netinfo" in the list of services. How do you "Turn on Netinfo in services" if you don't have it?

Hi.
I did exactly what Sufiyan Ansari has posted. And it went well. But after a few moments, AVG pops up again - the same Trojan horse agent.
And also, I noticed that my IE got corrupted.
Has it something to do with the deletion of the netinfo service?
Thank you and hope to hear from you soon.

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.