win32.agent.pz will not go away

December 11, 2009 at 09:19:28
Specs: Windows XP, 2.6Ghz 2GB RAM
Hello all.. I hope dearly that someone here can help me...

I have no idea where it came from, but last week my laptop got caught by that Antivirus Live fake scanner prog that's out and about... I managed to get shot of it, but it's left both win32.zbot and win32.Agent.pz behind.. Spybot S&D detects them, but they come back on reboot.. So I have run ComboFix and SDFix, but the little blighters are still there... Below is the log that SDFix came up with... Is there any solution other than a re-install?? There's nothing I cannot regain on the drive, so it won't break my balls, but I haven't really the desire or time for a clean install at the mo...

I eagerly await your reply!!!

Andy W


SDFix: Version 1.240
Run by Mr Woggle on 11/12/2009 at 14:29

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File


Checking Files :

Trojan Files Found:

C:\DOCUME~1\MRWOGG~1\LOCALS~1\Temp\tmp6.tmp - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
Rootkit scan 2009-12-11 15:16:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sports Interactive\\Football Manager 2010 Demo\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2010 Demo\\fm.exe:*:Enabled:Football Manager 2010 Demo"
"C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe:*:Enabled:Football Manager 2010"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\

Files with Hidden Attributes :

Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Thu 10 Dec 2009 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Bases\Cache\av1.tmp"
Fri 11 Dec 2009 18,442,529 A..H. --- "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Bases\Cache\av4.tmp"
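The two sections of the SDFix log that are worth a second look when something keeps coming back on reboot are "Authorized Application Key Export" (the XP firewall's per-program exceptions) and "Files with Hidden Attributes". The following parser is an added example and is not part of the original post or of SDFix; it reads those two sections in the layout shown above and flags enabled firewall exceptions or system+hidden files that sit outside the Windows and Program Files trees. The sample log is constructed: the first two entries of each section are taken from the post, the third in each is made up to show what a suspicious line looks like. The attribute-column layout (archive, ?, system, hidden, read-only) and the `%windir%` expansion to `C:\WINDOWS` are assumptions.

```python
import re

# Constructed sample in the SDFix log layout from the post above. The first two
# lines of each section come from that log; the last line of each section is
# made up for this example (the user name and paths are placeholders).
SAMPLE_LOG = r'''
Authorized Application Key Export:

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe:*:Enabled:Football Manager 2010"
"C:\\Documents and Settings\\SomeUser\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\SomeUser\\Local Settings\\Temp\\svchost.exe:*:Enabled:Windows Update"

Remaining Files :

Files with Hidden Attributes :

Wed 4 Nov 2009 1,168,216 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Thu 10 Dec 2009 0 A..H. --- "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP9\Bases\Cache\av1.tmp"
Fri 11 Dec 2009 24,576 A.SH. --- "C:\Documents and Settings\SomeUser\Application Data\qx9k\svc.dll"
'''

# One hidden-file line: date, size with thousands separators, 5-char attribute
# column, literal "---", quoted path.
HIDDEN_RE = re.compile(r'^(\w{3} \d{1,2} \w{3} \d{4}) ([\d,]+) ([A-Z.]{5}) --- "(.+)"$')
# One firewall exception line as exported from the registry: "key"="value".
FW_RE = re.compile(r'^"(.+)"="(.+)"$')

WINDIR = "C:\\WINDOWS"  # assumed default %windir% on an XP install
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_sdfix_log(text):
    """Return {'firewall': [...], 'hidden': [...]} from the two sections of interest."""
    result = {"firewall": [], "hidden": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # every section header ends with a colon
            section = line
            continue
        if section == "Authorized Application Key Export:":
            m = FW_RE.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2)
            # value is "<same path>:<scope>:<Enabled|Disabled>:<display name>"
            rest = value[len(key) + 1:] if value.startswith(key + ":") else value
            parts = rest.split(":", 2)
            if len(parts) != 3:
                continue
            scope, state, name = parts
            result["firewall"].append({"path": key, "scope": scope, "state": state, "name": name})
        elif section == "Files with Hidden Attributes :":
            m = HIDDEN_RE.match(line)
            if not m:
                continue
            date, size, attrs, path = m.groups()
            # Assumed attribute column layout: A . S H R (archive, ?, system, hidden, read-only)
            result["hidden"].append({
                "date": date,
                "size": int(size.replace(",", "")),
                "system": attrs[2] == "S",
                "hidden": attrs[3] == "H",
                "readonly": attrs[4] == "R",
                "path": path,
            })
    return result


def normalise(path):
    """Collapse registry-export double backslashes, expand %windir%, lower-case."""
    p = path.replace("\\\\", "\\").replace("%windir%", WINDIR)
    return p.lower()


def triage(parsed):
    """Return (section, path, reason) tuples for entries a reviewer should look at."""
    findings = []
    for e in parsed["firewall"]:
        p = normalise(e["path"])
        if e["state"].lower() == "enabled" and not p.startswith(TRUSTED_ROOTS):
            findings.append(("firewall", e["path"],
                             "enabled firewall exception for a program outside Windows/Program Files"))
    for e in parsed["hidden"]:
        p = normalise(e["path"])
        if e["system"] and not p.startswith(TRUSTED_ROOTS):
            findings.append(("hidden", e["path"],
                             "system+hidden attributes on a file outside Windows/Program Files"))
        elif "\\temp\\" in p:
            findings.append(("hidden", e["path"], "hidden file in a Temp directory"))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage(parse_sdfix_log(SAMPLE_LOG)):
        print(f"[{section}] {path}\n    {reason}")
```

The trusted-root rule is deliberately coarse: legitimate software does live in user profiles, so a hit is a prompt to check the file's publisher and timestamp, not a verdict. Swap `SAMPLE_LOG` for the text of a real `Report.txt` to run it over an actual log.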



December 11, 2009 at 20:16:36
Go to Start > Run > type in ComboFix /Uninstall (note the space after ComboFix is needed) > then press OK. This will uninstall ComboFix; we will reinstall it later.

Then delete SDFix. Just boot in safe mode (use only the F8 method) and delete the files saved under the SDFix folders. Then delete the folders. Example: first delete crypts.dll and anything else in the backups folder, then delete the backups folder. Then delete all files in the SDFix folder. Then delete the SDFix folder.

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.


1. Double click on RSIT.exe to launch the program.
2. (Vista users only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt (this will be maximized) and info.txt (this will be minimized). Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Download Gmer.exe from the following link.


1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: if you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
10. Exit GMER and re-enable all active protection when done.
