PSW Agent H Trojan found

losinsusan · #1 04-27-2004, 04:28 PM

This is my last ditch effort before resorting to a reformat. AVG found PSW Agent H in a document and settings file. It can't be moved to the vault. It is basically just there. The computer runs perfectly. Took me hours to find any information on this trojan. Its a keystroker that seems to only be found by people with AVG. I did a trojanscan and tried several other programs. They all say I am clean. I installed Mcafee and its also found nothing. AVG has no information on this. The files can't be deleted after shutting down all running programs with the task master because you can't find the files needed. They gave me the names and they aren't there!! I tried to shut down system restore already and scan and remove, but to no avail. Won't work. I have tried to just do a system restore and it blocks it with a pop up from AVG saying this virus is in the volume information. Its my son's computer. Fairly new. He only uses his AOL messanger to chat with friend at school. He doesn't even have email. So it didn't come from an attachment. Its so strange. We keep all our virus protection up to date, but I have sinced learned that in not enough. I think a reformat is the easiest option. Any ideas??? I have spent two full days on this!

snowmonkey · #2 04-27-2004, 04:33 PM

Give this software a try, it is called Spy Sweeper, you can use the trail version and make sure you allow the software to do a live update before scanning:
http://downloads-zdnet.com.com/3000-2144-10200144.html
Install the software first, then disable system restore, reboot the system and the scan it for pest and Trojan, I'm perrty sure it will get rid of your that problem.

cheers

Azn_tweaker · #3 04-27-2004, 06:53 PM

try using this free online scanner here: http://housecall.antivirus.com/

losinsusan · #4 04-27-2004, 07:28 PM

Thanks so much for your help. I will try both of these tonight. I don't hold much hope after trying so many other scanners. I just don't know why only AVG finds this particular one and no one else can. Strange.....

Azn_tweaker · #5 04-27-2004, 07:36 PM

do u have ad-aware and spybot 1.2 on ur PC? if not download and install them. also rememeber to update both reference files.

Azn_tweaker · #6 04-27-2004, 07:40 PM

also post an Hijackthis log

How To post a HijackThis Log:

Download 'Hijack This!'. http://www.computercops.biz/downloads-file-328.html

Unzip (extract) it to a folder of its own , doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, then Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

techgarfield · #7 04-29-2004, 03:23 AM

I had a pc that i worked on yesterday. It had win xp on and avg 7.
I symptoms it had was it would not disconnect from the dial up account. I removed the offending file by booting to safe mode, turning off system restore, doing a search for the infected file and manually deleting it. after restarting the pc in normal mode i redone scan with avg and the infected file was not found. Reinstated system restore, and connected to the internet and all was fine. hope this helps.

PC Master · #8 04-29-2004, 03:48 AM

I had the same Trojan on my computer, booting the OS in safe mode, and disabling system restore did not work for me. I also tried almost every Anti-Virus, Ad-ware, and Trojan software out there but nothing did it. The way to remove this PSW.Agent.H is simple, the only catch is there is a process running called sysupd.exe running witch protects the Trojan source file in Documents and Settings (_UPDATE.DAT ) from being removed. So here is what you do.

Read all the steps below before you start.

1. Run a search on the computer for a file called sysupd.exe .

2. Open My Computer, and browse to the folder that contains the file.

3. Press Ctrl+Alt+Del, and click on Task Manager.

4. Look on the bottom of the Task Manager window to see how many process are running, ex (Process:15)

5. Find sysupd.exe and stop it. most likely it will keep starting it self over.

4. Keep looking for it and stopping it, until the number of process' go down by one. Once you reach this point you only have a few second until it restarts, so be quick.

5. Switch to the window where sysupd.exe is located and quickly remove it.

6. Once sysupd.exe have been removed, then you can remove the main file _UPDATE.DAT which will be found somewhere in Documents and Settings. (If you cannot find it run a search for it)

7. Run AVG again to make sure the Trojan is gone.

I do not use this web site at all, i only found it while I was searching on Google for what people are saying about this Trojan. So if you need any help, or if you do not understand any of the steps, the best way to contact me is though my email address (princeofegypt03@yahoo.com). Feel free to email me if you need to.

virusviv · #9 04-29-2004, 09:24 AM

I too had this trojan on my PC and tried for three days to remove it. Just when I was about to buy some software to do the job, I tried one more time and AVG found it and aked if I wanted to heal.
I did and it got rid. Why I don't know except that I must have tried 20 virus scans.

losinsusan · #10 04-29-2004, 04:48 PM

wow thanks both of you for your reply. I will try to do what you suggest once again. Hope I have the ability to do it. I wasn't able before to find any _update.dat files in my search. But I will try again. That is my son's computer. Now on mine today some moron sent me three infected emails which Nortons very kindly took care of. It's just a piss off that people have nothing better to do then create this havoc. Some of us need our computers for work! And play!

losinsusan · #11 04-29-2004, 05:44 PM

A big hug and thanks to prince of egypt for his help. It worked. I hope that anyone who searches google for help with Agent H will find this thread and get help also. I have seen nothing that worked yet till now. Follow his instructions and be patient. It takes quite a few tries for the processes in task manager to drop one, and in my case the sysupd.exe file modified itself before my eyes. That tricky trojan....but I just repeated the steps and deleted them both eventually. Unfortunately I couldn't find that update.dat file with searches. So once you delete the sysupd.exe file and/or files (in moves around on the task manager list, keep looking for it) run your AVG again and it will be able to heal it this time. I am ready now to tackle another virus...let me at them!

fucked · #12 04-29-2004, 06:59 PM

thanks to all
I`ll give it a whirl too
anyone know what this one does?
f

MikeAngelastro · #13 05-05-2004, 07:07 PM

Hi,

I tried PC Master's procedure but I was just not fast enough. The sysupd.exe process stopped for only a quarter of a second - not long enough to delete it.

But I managed to delete it anyway and I followed the steps below:

Search for sysupd.exe to make sure you know where it is.

Restart the machine in safe mode with the command line.

Go to c:\Windows ( assuming that is where your search found it )

Type "dir s*.exe" [Enter] just to make sure that the file is there.

Type "del sysupd.exe" [Enter]. This will erase it.

Restart the machine in normal mode.

Search for and delete every instance of _UPDATE.DAT. There will probably one for all users of the system.

DONE!

I hope this works for you too.

Thanks,

Mike

jgregg · #14 05-06-2004, 01:58 PM

You all rock the house!!! thanks so much...I have been trying to get rid of that virus for 3 weeks now. The last solution about going into safe mode & manual deletion worked for me...I was just not fast enough otherwise....many thanks!

Julie

losinsusan · #15 05-06-2004, 02:14 PM

I have read from several you aren't fast enough. It takes at least in my case, 10 or 15 tries before you see the processes number drop, then you do have time to switch over and delete the file. You don't want to delete it till you see the processes number on the bottom of the window drop by one.