# Trojan-downloader.win32.Agent Variant - WoW detection



## kgf (Jun 30, 2007)

Just recently while logging into World of Warcraft, I've obtained a trojan of some sort named "trojan-downloader.win32.Agent Variant"

I've done quite a bit of research as to how to remove this, but it sounds like every case is just a tad bit different in files to delete and such, so I didn't want to remove stuff I shouldn't. To start off with, I used S&D, Adaware, and Anti-Trojan but I don't think much was detected from what I could see. Anti-Trojan detected a "Netspy" on port 1033, but I don't think it did anything to plug it up. I'm new with that program, so I'm not positive on how it works. After doing more research, I downloaded HJT and FixWareout and ran both only to find out the files being cleansed were completely different from what I was seeing, so I thought I'd try my own post.

This is what HJT popped up with:

Logfile of HijackThis v1.99.1
Scan saved at 4:47:04 AM, on 6/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
F:\Symantec Antivirus\DefWatch.exe
D:\WINDOWS\system32\svchost.exe
F:\Symantec Antivirus\Rtvscan.exe
D:\WINDOWS\system32\notepad.exe
F:\Java SE 6\bin\jusched.exe
F:\SYMANT~1\VPTray.exe
D:\WINDOWS\system32\LVCOMSX.EXE
F:\Logitech\Video\LogiTray.exe
D:\Documents and Settings\Chang\Policies\catsrv.exe
F:\Anti-Trojan-55\ATWatch.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
F:\FRAPS\FRAPS.EXE
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
F:\DAEMON Tools\daemon.exe
F:\Spybot - Search & Destroy\TeaTimer.exe
F:\Pando Networks\Pando\Pando.exe
F:\Logitech\Video\FxSvr2.exe
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
F:\Firefox\firefox.exe
F:\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - F:\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Java SE 6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Java SE 6\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] F:\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] F:\Logitech\Video\ISStart.exe 
O4 - HKLM\..\Run: [LogitechVideoTray] F:\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [catsrv] D:\Documents and Settings\Chang\Policies\catsrv.exe
O4 - HKLM\..\Run: [AT-Watch] F:\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [Anti-Trojan-Watch] F:\Anti-Trojan-55\ATWatch.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "F:\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [StartCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Fraps] F:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [DAEMON Tools] "F:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Pando] "F:\Pando Networks\Pando\Pando.exe" /Minimized
O4 - HKCU\..\Run: [catsrv] D:\Documents and Settings\Chang\Policies\catsrv.exe -AutoStart
O4 - Global Startup: ATITool.lnk = F:\ATITool\ATITool.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = F:\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append to existing PDF - res://F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///F:\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java SE 6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Java SE 6\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - F:\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Symantec Antivirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - F:\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Symantec Antivirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Symantec Antivirus\Rtvscan.exe

And this is what FixWareout came up with:

Fixwareout Last edited 6/27/2007
Post this report in the forums please 
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdkcg.exe"

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

»»»»» Postrun check 
HKLM\SOFTWARE\~\Winlogon\ "system"="" 
....
....
»»»»» Misc files. 
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"F:\\Java SE 6\\bin\\jusched.exe\""
"ccApp"="\"D:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="F:\\SYMANT~1\\VPTray.exe"
"LVCOMSX"="D:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="F:\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="F:\\Logitech\\Video\\LogiTray.exe"
"catsrv"="D:\\Documents and Settings\\Chang\\Policies\\catsrv.exe"
"AT-Watch"="F:\\Anti-Trojan-55\\ATWatch.exe"
"Anti-Trojan-Watch"="F:\\Anti-Trojan-55\\ATWatch.exe"
"Adobe Reader Speed Launcher"="\"F:\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"TkBellExe"="\"D:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Acrobat Assistant 8.0"="\"F:\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="D:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"Fraps"="F:\\FRAPS\\FRAPS.EXE"
"DAEMON Tools"="\"F:\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SpybotSD TeaTimer"="F:\\Spybot - Search & Destroy\\TeaTimer.exe"
"catsrv"="D:\\Documents and Settings\\Chang\\Policies\\catsrv.exe -AutoStart"
"Pando"="\"F:\\Pando Networks\\Pando\\Pando.exe\" /Minimized"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

As for now I haven't run into any problems, but I've heard a lot of people getting their accounts hacked as of recently, and I'd love for this not to happen to me. If you could help, it would be much appreciated. Thanks a lot.

-kgf
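A small triage script for HijackThis-format logs like the one above, added here as an example and not part of the thread or of HijackThis itself. It assumes the v1.99.1 line layout shown in the post and applies a stated heuristic (autostart entries under a user profile folder, plus BHO and service entries whose file is gone) to pick out the lines a reviewer would check first; a hit is a pointer for manual inspection, not a verdict.

```python
import re

# Constructed sample in the HijackThis v1.99.1 format, copied from entry shapes in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O4 - HKLM\..\Run: [vptray] F:\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [catsrv] D:\Documents and Settings\Chang\Policies\catsrv.exe
O4 - HKCU\..\Run: [catsrv] D:\Documents and Settings\Chang\Policies\catsrv.exe -AutoStart
O4 - HKCU\..\Run: [DAEMON Tools] "F:\DAEMON Tools\daemon.exe" -lang 1033
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

# O4 lines: "O4 - <hive>\..\Run: [<value name>] <command line>" (assumed layout, as in the post).
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# Heuristic: an XP user-profile directory is an unusual place for a machine-wide autostart.
USER_PROFILE_MARKER = "\\documents and settings\\"


def autostart_path(cmd):
    """Return the executable path from an O4 command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted: the path ends at the first ".exe" token; anything after is arguments.
    m = re.match(r'(?i)(.+?\.exe)(\s|$)', cmd)
    return m.group(1) if m else cmd


def triage(log_text):
    """Return (section, entry, reason) tuples for lines that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = autostart_path(m.group("cmd"))
            if USER_PROFILE_MARKER in path.lower():
                findings.append(("O4", m.group("name"), "autostart runs from a user profile folder: " + path))
        elif line.startswith("O2 ") and line.endswith("(no file)"):
            # Registered BHO whose DLL no longer exists: leftover of a removal or a broken install.
            findings.append(("O2", line.split(" - ")[1], "BHO registered but its file is missing"))
        elif line.startswith("O23 ") and line.endswith("(file missing)"):
            findings.append(("O23", line.split(" - ")[1], "service registered but its binary is missing"))
    return findings


if __name__ == "__main__":
    for section, entry, reason in triage(SAMPLE_LOG):
        print(f"{section:<4}{entry}: {reason}")
```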


----------



## kgf (Jun 30, 2007)

Disregard this post. I updated S&D and reran it. Apparently it picked it up this time. *cheer*


----------



## ACA529 (Nov 16, 2005)

I have had the EXACT same problem when using the Blizzard Updater to update WoW to the newest version. It's annoying.


You have to manually patch the game.


----------



## Super-D-38 (Apr 25, 2002)

I read about that..
WoW sent an in-game mail about that kind of thing.
Said the Updater.exe has a checker/scanner built in to keep keyloggers or other malicious software from executing when WoW starts.

If you're getting the error, chances are high you have an add-on or something that WoW has deemed bad. For the safety of your account it would be best to fix the problem rather than ignore it.

As for Hijack logs.. we may need this moved to security. Those experts there can get ya fixed right up. :up:


----------



## kgf (Jun 30, 2007)

I had previously fixed the problem as noted in Post #2. As mentioned, I had run an update through S&D and there were updates to be made. I downloaded them and re-ran S&D. Problem was fixed when I logged back into WoW to check. This update in S&D was done after I had run FixWareout first, and then HJT. When FixWareout rebooted my computer, a file named "kdkcg.exe" was detected and I believe removed. I'm not positive if this is a startup file hidden w/in the windows folders, or if this was the culprit behind the trojan. In any case, after the logs were made from FixWareout and HJT (which I then posted on here), I did the S&D update and re-run, and voila. Problem was fixed. Hope this helps you guys out some. If you value your WoW account as much as I do, I wish the best of luck to you in fixing this problem. Cheers and happy gaming.

-kgf


----------



## moo cow (Aug 3, 2007)

I'm having the same problem, and from what I read S&D worked. I wanted to know if you guys can tell me what S&D is and where I can get it so I can be back on WoW.


----------



## kgf (Jun 30, 2007)

It's called "Spybot - Search & Destroy." Here is a link to where you can download it.

http://www-spybot.net/

Hope your problems get solved, and happy gaming.


----------



## klavier (Aug 27, 2007)

You forgot to mention it wasn't free.
"You have 1675 infections but we can't do anything because you have no money."
grawr....


----------



## Super-D-38 (Apr 25, 2002)

Because that's the wrong link and program.
SpyBot S&D is free.. 
http://www.safer-networking.org/en/index.html


----------



## klavier (Aug 27, 2007)

OK, I got the free one and it got rid of a lot of things, but I still get the "trojan-downloader.win32 agent variant" warning thing.
There are still fake-o things on the quicklaunch bar, and I can't get to the control panel or the add/remove programs.
There is something seriously wrong with my computer and I can't do anything about it.


----------



## kgf (Jun 30, 2007)

Super-D-38 has the correct link to Spybot. I have no idea why I posted that. Sorry. 

Klavier - it sounds like you have a greater issue with spy/adware and I'd recommend posting a new thread specifying what you're experiencing. Before doing so, look through a few threads on how to obtain "HijackThis" as that seems to be the first diagnostic test of what's running on your computer. G'luck to ya.


----------

