Author Topic: win32:Agent-QJ  (Read 2708 times)


weedynes

win32:Agent-QJ
« on: July 31, 2006, 08:33:16 AM »
Had this trojan that kept spawning itself every time I rebooted and went online. Avast did the right thing and deleted it, but it unfortunately did not kill the source that was somewhere on my machine.
Found that going online caused a file to suddenly appear in root - "drsmartload.exe" and this in turn downloaded "ddsmart.exe" also in root.
The Hijackthis printout showed up an executable file called "winrestores.exe" (from Windows\system32 folder). And this seemed to bring up unusual "Microsoft Telecoms Center" items in my Hijackthis printout after each Spyware Doctor entry.
After much searching around found the culprit to be:
HKEY_LOCAL_USER\Software\Microsoft\drsmartload
I deleted this folder and successfully (so far) have stopped this pest re-occurring each time I go online.
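
A read-only check for the artifacts named in the post above, as an added example that is not part of the original post or any Avast tooling. Assumptions: "root" means the root of the system drive, the post's "HKEY_LOCAL_USER" is read as HKEY_CURRENT_USER because no hive has that name, and the Run keys are included only as a common autostart location (the post does not say which entry launched the files).

```powershell
# Added example: report (never delete) the artifacts named in the post.
# Assumption: "root" = system drive root; HKEY_LOCAL_USER is read as HKCU.
$root  = $env:SystemDrive + '\'
$sys32 = Join-Path $env:SystemRoot 'System32'

$files = @(
    (Join-Path $root  'drsmartload.exe'),
    (Join-Path $root  'ddsmart.exe'),
    (Join-Path $sys32 'winrestores.exe')
)
$keys = @('HKCU:\Software\Microsoft\drsmartload')

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f -Force   # -Force also returns hidden files
        $findings += [pscustomobject]@{ Type = 'File'; Path = $f; Detail = "modified $($item.LastWriteTime)" }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegistryKey'; Path = $k; Detail = 'present' }
    }
}

# Assumption: Run keys are checked as a likely autostart location.
$pattern = 'drsmartload|ddsmart|winrestores'      # -match is case-insensitive
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($rk in $runKeys) {
    $key = Get-Item -LiteralPath $rk -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ("$name $data" -match $pattern) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Path = "$rk\$name"; Detail = $data }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'None of the listed artifacts were found.' }
```

Run it under the affected user account, since HKCU is per-user; a file that reappears after removal points to a launcher entry that is still present.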

Online DavidR

Re: win32:Agent-QJ
« Reply #1 on: July 31, 2006, 02:36:35 PM »
Files need some help (permissions) to be able to be placed into the system folders and to create registry entries.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Also, to be able to download other stuff it would need to get past any firewall outbound checks for unauthorised connections. Do you have a firewall and if so what?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: win32:Agent-QJ
« Reply #2 on: July 31, 2006, 04:10:28 PM »
Hi weedynes,

Here is a nice cleansing routine:
http://www.castlecops.com/print-1-160099.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!