Author Topic: Memory scan detected Trojan Horse  (Read 10283 times)


Aria1206

  • Guest
Memory scan detected Trojan Horse
« on: June 25, 2007, 05:22:16 AM »
I do NOT understand all the technical jargon which I have attempted to wade through here.  Bottom line is, I d/l the Avast Virus remover, ran it and still have the TH.  I am scared and do not know what to do.

The TH is:  "Win32:AgentGII(Trj)".  It is in my log viewer listed as such under "Warning".  What do I do to get rid of it?  When I ran the virus remover it said that there are no infections.

I run WXP home; Zone Alarm; AdAware(free, but newly updated and a new System Restore set to that date). 

I would appreciate non-tech, step by step instructions on what to do, if anything.

Thank you very much for reading.    ???

Aria

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Memory scan detected Trojan Horse
« Reply #1 on: June 25, 2007, 07:37:40 AM »
The complete name and path of the detected file would be helpful.

Aria1206

  • Guest
Re: Memory scan detected Trojan Horse
« Reply #2 on: June 25, 2007, 09:08:13 AM »
The complete name and path of the detected file would be helpful.

I will give you what I read from the popup box that tells me there is a Trojan Horse:

FILE NAME: Process386,memory block 0X5010000, block size 8388608

MALWARE NAME:  Win32:AgentGTJ(RTJ)

If this is not what you are asking about, please be more specific.

Thank you for reading. 
Aria

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89228
  • No support PMs thanks
Re: Memory scan detected Trojan Horse
« Reply #3 on: June 25, 2007, 03:27:14 PM »
When avast detects a memory infection it usually offers the option of a boot-time scan, did it, and did you choose it?

Check in the Windows Task Manager and see what the process is with the process Id (PID) of 386.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Aria1206

  • Guest
Re: Memory scan detected Trojan Horse
« Reply #4 on: June 25, 2007, 04:10:16 PM »
When avast detects a memory infection it usually offers the option of a boot-time scan, did it, and did you choose it?

Check in the Windows Task Manager and see what the process is with the process Id (PID) of 386.

I was not offered the option of a boot-time scan when the icon that looked like a "radiation shelter here" popped up and began to twirl.  As for the Task Manager I do not know how to access what you ask for.  Where do I find this?

Thank you for responding........
Aria

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89228
  • No support PMs thanks
Re: Memory scan detected Trojan Horse
« Reply #5 on: June 25, 2007, 04:22:11 PM »
If you have XP or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php

The three finger shuffle, press the control (Ctrl) + Alt + Delete keys together and that will display the Task Manager, click the Processes tab for Process information.

Aria1206

  • Guest
Re: Memory scan detected Trojan Horse
« Reply #6 on: June 25, 2007, 07:10:17 PM »
If you have XP or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php

The three finger shuffle, press the control (Ctrl) + Alt + Delete keys together and that will display the Task Manager, click the Processes tab for Process information.

I can enable a boot scan, but when I do the three finger shuffle all I get is a long list of processes, among which is "taskmgr.exe".  I have no options to see what it is doing. 

Aria......off to enable.......(does this need to be permanent????)

Aria1206

  • Guest
Re: Memory scan detected Trojan Horse
« Reply #7 on: June 25, 2007, 08:03:27 PM »
I enabled a boot scan (which was done) but I had a difficult time finding "delete it"......duh!  There was a second option under "Advanced" and I chose "Ask for confirmation" which is what I chose.  Hope that was correct.  I find myself mired in confusion, helpless and lost.  I despise not being able to learn all the "ins and outs" of this technical stuff. 

It is also hard for me to sit/type for any length of time.

Thanks for all the help thus far.  I hope to get this resolved in a reasonable period of time.  I know guys don't particularly care to deal with ignorant females.  I apologize.

Aria......with gratitude

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89228
  • No support PMs thanks
Re: Memory scan detected Trojan Horse
« Reply #8 on: June 25, 2007, 08:36:15 PM »
Task Manager will also display the fact that taskmgr.exe is a running process; in that list there are other processes. At the top of the Task Manager interface are column headings; you are looking for the PID column and for the 386 value, this will show the process name.

Notice how the names are in alphabetical order; if you click the column heading it will sort the column. You could click the PID column heading and that will sort the PIDs in order.

The important thing, however, is to be able to run the boot-time scan. Have you done that and did it find anything?
Ensure if anything is found that you 'move to the chest' (deletion shouldn't be used), so yes you should always have the ask for confirmation.

sasin44

  • Guest
Re: Memory scan detected Trojan Horse
« Reply #9 on: June 25, 2007, 08:48:08 PM »
davidr every time u post a pic taken thru snag it..
i am getting more impressed..u jus impressed me into getting it  ;D 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89228
  • No support PMs thanks
Re: Memory scan detected Trojan Horse
« Reply #10 on: June 25, 2007, 08:57:12 PM »
It is a very good tool, very quick to work with, takes seconds to capture, add effects, resize and save all in one operation. There are others, freeware, but I find this is worth it as I use it a lot and I'm only using a small part of its functionality.

Aria1206

  • Guest
Re: Memory scan detected Trojan Horse
« Reply #11 on: June 26, 2007, 01:15:00 AM »
Task Manager will also display the fact that taskmgr.exe is a running process; in that list there are other processes. At the top of the Task Manager interface are column headings; you are looking for the PID column and for the 386 value, this will show the process name.

Notice how the names are in alphabetical order; if you click the column heading it will sort the column. You could click the PID column heading and that will sort the PIDs in order.

The important thing, however, is to be able to run the boot-time scan. Have you done that and did it find anything?
Ensure if anything is found that you 'move to the chest' (deletion shouldn't be used), so yes you should always have the ask for confirmation.

First thing:  When I do the three finger shuffle there is absolutely nothing that is alphabetized!  Second:  I don't know what PID is (except a medical term) so I am unable to sort anything as I do not know what I am looking for.  I did run the boot-time scan (45 minutes) and it didn't tell me it found anything, prompt me for anything nor did it put anything in the "chest".  I am left at square one.  I also have no pictures to send you!  Sheesh!  I'm such a duh! 

Aria........who is grateful for such patience from enlightened folk.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89228
  • No support PMs thanks
Re: Memory scan detected Trojan Horse
« Reply #12 on: June 26, 2007, 01:52:35 AM »
Do you see the image I posted, when you press the Ctrl+Alt+Delete together?

Nothing is in order until you click the column heading to order it.

The PID, I thought I explained, is the Process Identity number (as indicated in the arrowed column in the image); each process in the task manager list has a unique process identity number. We are looking for the "FILE NAME: Process386," mentioned in the pop-up information you gave. I'm hoping that it might be the PID I'm talking about and reveal something that may help us track down what it is.

It may be that avast blocked it when it was loaded into memory, but we are trying to find what tried to load it, that remains undetected. It is never at square 1; you have tried something that didn't work, we move on to the next step.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode (http://www.pchell.com/support/safemode.shtml).
1.  If using winXP AVG anti-spyware (formerly Ewido). Or SUPERantispyware Or Spyware Terminator.

Try downloading these one at a time (the blue text is a link) and running them to see if they find anything. Whatever is found, make notes and don't delete anything; quarantine is the safest option. Try not to see it as a huge task, but see it as a series of steps: take one step, report your findings and if need be take the next step.

Aria1206

  • Guest
Re: Memory scan detected Trojan Horse
« Reply #13 on: June 26, 2007, 02:11:51 AM »
Do you see the image I posted, when you press the Ctrl+Alt+Delete together?

Nothing is in order until you click the column heading to order it.

The PID, I thought I explained, is the Process Identity number (as indicated in the arrowed column in the image); each process in the task manager list has a unique process identity number. We are looking for the "FILE NAME: Process386," mentioned in the pop-up information you gave. I'm hoping that it might be the PID I'm talking about and reveal something that may help us track down what it is.

It may be that avast blocked it when it was loaded into memory, but we are trying to find what tried to load it, that remains undetected. It is never at square 1; you have tried something that didn't work, we move on to the next step.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode (http://www.pchell.com/support/safemode.shtml).
1.  If using winXP AVG anti-spyware (formerly Ewido). Or SUPERantispyware Or Spyware Terminator.

Try downloading these one at a time (the blue text is a link) and running them to see if they find anything. Whatever is found, make notes and don't delete anything; quarantine is the safest option. Try not to see it as a huge task, but see it as a series of steps: take one step, report your findings and if need be take the next step.

All I see when I hit Ctrl Alt Del is:  Applications; Processes; Performance; Networking; Users.  I clicked and alphabetized it.  Nothing said "FILE NAME: Process386". 

I am using dialup here and everything is painfully (in more ways than one) slow for me.  I will attempt the download but have no idea what "safe mode" is much less how to run anything in it.

I am terribly weary, but thanks so much for help thus far.

Aria :P

Aria1206

  • Guest
Re: Memory scan detected Trojan Horse
« Reply #14 on: June 26, 2007, 04:56:20 AM »
I d/l the AVG antispyware and when I tried to run it was told it was corrupted.  So.......I have done a system restore to five days ago and I am content with the way things are now.  If this thing crashes, I will holler for #1 daughter who is an IT (but knows zip about software - yet - as she is still in school). 

Thanks to all of you.

Aria ;)