Full Version: Trojan.Win32.Agent.abix removal
Kaspersky Lab Forum > English User Forum > Virus-related issues
caynes_kaspersky
Hi,

One of my client's computers with Kaspersky Anti Virus 6.0 Workstation has detected Trojan.Win32.Agent.abix. I click on neutralize all, then delete Trojan.Win32.Agent.abix. Kaspersky asks me to restart the computer in order to remove that Trojan, but after a restart it still exists. Is there any way to remove this? The file is called svchost.exe, and Kaspersky says it is located in c:\recycler\s-1-5-21-1482476501-.....\svchost.exe, but it is not there when I inspect the folder.

Thanks,

Jag
phr3n1c
Please clear the Windows Recycler (default on desktop) and check if the malware is still found.

moved to virus issues
Lucian Bara
hello
post an avz log please: http://forum.kaspersky.com/index.php?showtopic=69276
use the standalone AVZ tool
caynes_kaspersky
Attached is the file you have asked for. I ran avz after I deleted all files in the recycling bin, as the first replier suggested.
Lucian Bara
run this script:
CODE
begin
  // Enable AVZ's AVZPM and AVZGuard components, then search for rootkit hooks
  SetAVZPMStatus(True);
  SetAVZGuardStatus(True);
  SearchRootkit(true, true);
  DeleteFile('{28ABC5C0-4FCG-11CF-AAX5-81CX5C625612} ');
  // Copy the suspect files to quarantine before deleting them
  QuarantineFile('G:\autorun.inf','');
  QuarantineFile('C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe','');
  QuarantineFile('C:\RECYCLER\S-1-5-21-1758341543-2450335503-567945938-9563\czzi.exe','');
  // Delete the files
  DeleteFile('C:\RECYCLER\S-1-5-21-1758341543-2450335503-567945938-9563\czzi.exe');
  DeleteFile('C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\svchost.exe');
  DeleteFile('G:\autorun.inf');
  // Pass the deleted-file list to Boot Cleaner, clean up the system, then reboot
  BC_ImportDeletedList;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.


instructions: http://forum.kaspersky.com/index.php?showt...st&p=678328

----------
afterwards post a combofix log:
Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe . Save the file to your desktop.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.
caynes_kaspersky
I ran combofix.exe. Attached is the log file as requested.

caynes_kaspersky
Hey, when Kaspersky detects this file, it can now delete it. Although, the file has shown up once a day since I ran the script in post #5. Thanks for your help.
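
A read-only check for the two kinds of artifact the script in this thread targets, an autorun.inf at a drive root and executables inside a RECYCLER folder, for confirming whether the file has come back after cleanup. This is an added example, not part of the original thread: the function names, the sample SID and the sample tree are constructed, and the rule that genuine Windows XP recycle-bin items are named D<drive letter><number> is an assumption of this example.

```python
import os
import re
import tempfile

EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
# Assumption of this example: genuine XP recycle-bin items are renamed
# D<drive letter><index>.<ext>, so svchost.exe or czzi.exe is not one.
RECYCLED_NAME = re.compile(r"^D[a-z]\d+\.", re.IGNORECASE)
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1000"  # constructed

def recycler_executables(root):
    """List executables under <root>/RECYCLER that are not recycled items."""
    hits = []
    # os.listdir/os.walk return entries whatever their hidden/system attributes
    for top in [t for t in os.listdir(root) if t.lower() == "recycler"]:
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for name in files:
                ext = os.path.splitext(name)[1].lower()
                if ext in EXEC_EXT and not RECYCLED_NAME.match(name):
                    hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def autorun_targets(root):
    """Return (key, command) pairs an autorun.inf at the root would launch."""
    targets = []
    for entry in [e for e in os.listdir(root) if e.lower() == "autorun.inf"]:
        with open(os.path.join(root, entry), errors="replace") as fh:
            for line in fh:
                key, sep, value = line.partition("=")
                key = key.strip().lower()
                if sep and (key in ("open", "shellexecute") or key.endswith("\\command")):
                    targets.append((key, value.strip()))
    return targets

def build_sample_drive():
    """Create a constructed directory tree standing in for a drive root."""
    root = tempfile.mkdtemp()
    sid_dir = os.path.join(root, "RECYCLER", SAMPLE_SID)
    os.makedirs(sid_dir)
    for name in ("svchost.exe", "Dc1.exe", "INFO2", "desktop.ini"):
        open(os.path.join(sid_dir, name), "w").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nicon=shell32.dll,4\nopen=RECYCLER\\%s\\svchost.exe\n" % SAMPLE_SID)
    return root

if __name__ == "__main__":
    drive = build_sample_drive()  # or a real root such as "G:\\"
    print(recycler_executables(drive), autorun_targets(drive))
```

Run on a schedule against each fixed and removable drive root, a non-empty result after cleanup shows which drive the file returns on.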