Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Agent.pz : Trying to determine if infection is gone

  • Please log in to reply
1 reply to this topic

#1 jcompton


  • Members
  • 2 posts
  • Local time:06:30 AM

Posted 03 February 2009 - 02:18 PM

I am hoping to get some expert insight about a recent infection--specifically, whether or not I have truly once-and-for-all removed it, and if not, what my next step should be.

OS: XP Professional SP2 (5.1.2600)

Two days ago, I noticed my computer running significantly slower than usual. After poking around a bit and noticing that attempts to visit antivirus research destinations were being blocked or redirected, I concluded that there was obviously a problem. I saw a twex.exe entry in HijackThis and went to work.

My attempts to run Spybot were being blocked by the infection. I do not recall the precise sequence of events, but I believe it was something like this:


1. ComboFix (identified and claimed to remove rootkit infection, c:\windows\system32\drivers\TDSSghdi.sys and various other files)
2. Spybot (identified and claimed to remove agent.pz and banker.xe)
3. AVG Antivirus scan (identified and claimed to remove Cryptor, c:\program files\mozilla firefox\a.exe)

After that, I ran Spybot and MBAM and both came up clean.

AVG scan ran again overnight. It located and quarantined twex.exe and other files stored in ComboFix's C:\Qoobox directory, as well as various trojan files in C:\System Volume Information\_restore*.

This morning I ran Spybot again and it came up with one instance of agent.pz again.


4. Spybot (identified and claimed to remove agent.pz)
5. SDFix (didn't claim to find any infections or remove anything, but there are a few files identified in the "Files with Hidden Attributes" section which look suspicious--but searches tell me they may just be Divx related.)

As of this moment, MBAM Quick Scan returns no problems, and Spybot's only complaints are cookies. But unfortunately, that's exactly where I was at last night. I am hoping to go through a process to ensure that the system is firmed up so that I can proceed with an SP3 install and hopefully put this problem behind me. Please advise.

Edited by jcompton, 03 February 2009 - 02:19 PM.

BC AdBot (Login to Remove)


#2 jcompton

  • Topic Starter

  • Members
  • 2 posts
  • Local time:06:30 AM

Posted 03 February 2009 - 10:36 PM

I got the answer to my own question the hard way--yes, my system was still infected, and it became reinfected. So an answer to this initial query won't help me. I will open a new thread if need be.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users