Downloader.Agent.3.com


Terry D

Unfortunately I recently acquired about five trojans although I'm using AVG
and Zonealarm. I think I've now managed to eliminate all except one.
According to AVG, it's "Downloader.Agent.3.com" and is present in
C:\Windows\Scanregw.exe. Unfortunately, when AVG detects it, it won't heal
the file and then I just get a black screen and have to reboot.

I've temporarily uninstalled AVG and can now access my computer. Trend
Housecall doesn't detect any problems.

Can I just delete Scanregw.exe and then replace it with a clean file, and if
so, where can I find a clean version? Presumably in my CAB files or on the
Windows Disk, but where? I can't reinstall AVG unless I can achieve this.

I'm running an Athlon 2000+ with Windows 98SE.

Thanks in advance

Terry D.
 
On Windows SE the legitimate SCANREGW.EXE file is located in
C:\WINDOWS. It is 86,016 bytes dated 4-23-99

Upload the suspect file for av scanning here:

http://www.virustotal.com/flash/index_en.html

and see what the various av products say about it.

Depending on the actual malware(s) involved, your legit file may be
intact. Take a look at some of the malwares that use that file name:

http://securityresponse.symantec.com/avcenter/venc/data/winnuke.trojan.html
http://vil.nai.com/vil/content/v_99404.htm
http://www.sophos.com/virusinfo/analyses/trojopwin11.html

If you cannot either find descriptions that match what's on your
machine or you are incapable of doing a manual removal, there are
other options, of course. Perhaps my F-Pup download might be a help if
you have access to a clean Win 9x/ME PC to create a set of emergency
disks on. However, F-Prot has a habit of not pinpointing many Trojans
by name. It may be that other on-line scans, such as McAfee, may be of
some help.

If you aren't using a firewall, you should be. See my web site for
some safe hex suggestions. And remember that AVG is a very weak Trojan
detector compared to several other products. You should also be using
AdAware and Spybot.


Art
http://www.epix.net/~artnpeg
 
Thanks for the reply. I'm using ZoneAlarm, AdAware and Spybot. The
Scanregw.exe file is 108KB created 21 June 2003, which was when I first
installed Windows 98SE. In addition, it says 'modified 22 October 2004'.
I've tried copying the file to a floppy and scanning it with AVG on my other
machine. The trojan is definitely present. My older computer (running
Windows 98 1st edition) has a Scanregw.exe file of 84KB dated 11 May 1998.
Would it be advisable to copy this file over? I'm very worried about not
having a virus checker at present.

Terry D.
 
I'd replace the Win 98SE version file since the registry checker is so
important. This should help:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;129605

You'll have to make sure no malware is in control or you may be
jumping through hoops. I hope you've checked the registry Run entries,
etc., in addition to other startup axis points such as Win.ini and
System.ini. Boot up into Safe mode to do this.

Insofar as having a (free) antivirus product on hand, I suggest the
use of the Escan av toolkit utility which you can download with help
via my web site. It doesn't offer cleaning but since it uses the
powerful KAV scan engine it should be very helpful to you in finding
other malware. Since Trend's av didn't help you, I won't suggest the
Sysclean product also available (indirectly) via my web site in the
form of the Sys-Up download.

Incidentally, I suggested uploading the suspect file for av scanning by
other products because of not only false alarm possibilities but also
misidentification. In order to clean up the mess, it's best to have an
accurate ID of the malware and a description that matches what you
have on your PC in the way of registry entries, other Trojan files,
etc. Misidentification of Trojans by av products is a very real
problem.


Art
http://www.epix.net/~artnpeg
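
The two checks discussed in this thread, comparing SCANREGW.EXE against the known-good size and reviewing the Win.ini and System.ini startup points, can be scripted. This is an added example, not part of the original posts: the `load=`/`run=` and `shell=` keys are the standard Win9x startup settings in those files, the sample INI contents and `example.exe` are constructed, and registry Run entries are not covered.

```python
import os

LEGIT_SCANREGW_SIZE = 86016  # bytes, Windows 98SE figure quoted in the thread

# Startup keys to audit: section -> keys (standard Win9x locations).
STARTUP_KEYS = {"windows": {"load", "run"}, "boot": {"shell"}}

# Constructed sample files, not taken from the thread.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\example.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe example.exe\n[386Enh]\ndevice=*vshare\n"


def startup_entries(ini_text):
    """Return (section, key, value) for every non-empty startup key."""
    found, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if sep and value and key in STARTUP_KEYS.get(section, ()):
            found.append((section, key, value))
    return found


def needs_review(entries):
    """Keep entries that differ from a stock setup (assumed: shell=Explorer.exe only)."""
    return [f"[{s}] {k}={v}" for s, k, v in entries
            if not (k == "shell" and v.lower() == "explorer.exe")]


def size_matches(path, expected=LEGIT_SCANREGW_SIZE):
    """A mismatch means an altered or different-version file; a match alone proves nothing."""
    return os.path.getsize(path) == expected


if __name__ == "__main__":
    for text in (SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        for item in needs_review(startup_entries(text)):
            print("review:", item)
```

Anything the script lists still has to be matched against a malware description by hand, as the post above recommends.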
 
Thanks for your help Art. Using the link you supplied I successfully
replaced the corrupt Scanregw.exe file. It's now only about 84KB and
checked out on my other computer as clean. I also replaced 5 or 6 other
corrupt files at the time, all from my original Windows 98 disk. I've now
reinstalled AVG and all seems to be working fine.

Terry D.
 