Win32:Agent-VGV [Wrm].........driving me nuts!!!! Please help...

Hi all - Good evening!

Running avast! 4.8 on XP Professional SP2. Don’t know how but picked up what avast! determines to be Win32:Agent-VGV and I cannot find very much helpful info online to help me get rid of it.

a) On reboot, avast! continually finds a new Win32:Agent-VGV [Wrm] and I move it to Chest after which, a (new to me) avast! icon appears on my taskbar every now and again and it appears to be running from SVCHOST to mail addresses and domain names and then disappears. When this happens, the laptop slows to a crawl.

b) On one reboot, I chose not to move to Chest and clicked on the ignore button at which time numerous/unending warnings and popups showing email addresses filled my screen. I assume now that the worm is using me as a relay point for spam. None of the email addresses/domains were known to me.

c) I have done numerous Boot Time Scans and nothing is found by avast!.

d) I have checked for Rootkits, Viruses, Malware, etc… using Trendmicro’s Rootkit Buster, F-Secure Blacklight, Adaware, Spyware Terminator, Norman Malware Cleaner, SuperAntiSpyware, Spybot, Trendmicro Housecall and of course avast and nothing is getting rid of this problem. System Restore has been disabled for scans and I have deleted all temp files, Internet Temp Files and the Java Temp Cache. Scans have been done with XP started normally as well as in Safe Mode.

e) There is one temp file that I cannot delete of a size of 46kb under the Docs&Settings/for my profile.

Appreciate any help you can offer.

Thanks,
Koke

Yes, could be a spambot infection… Maybe a full on-line computer scan detects something:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)

What is the file path and name?
Sometimes, only using Unlocker (http://ccollomb.free.fr/unlocker/) or KillBox (http://killbox.net/) or MoveOnBoot (http://www.snapfiles.com/get/moveonboot.html) or Delete FXP (http://www.jrtwine.com/) you can delete these files.

Tech - Many thanks - I will try all the above and see what is discovered and whether or not the locked file can be deleted. Strange thing is that I cannot see any indication of where the root cause is hiding and nothing I Google gives me any ideas as to how to find it…

thanks
/koke

Tech - thanks a million.

The Kaspersky online scan found two files […WINDOWS\SYSTEM32\WINCTRL32.DLL and WINCTRL32.DL_].

Both were infected by Trojan Downloader.Win32.Mutant.yf…

I downloaded Kaspersky’s 30-Day Free Trial of Kaspersky Anti Virus 7.0, uninstalled avast! and installed the free trial. Their software has a great User Interface and very quickly found the infections that their Online Free Scan found.

When I hit the “disinfect” button a slew of different named variants were quickly uncovered and de-activated.

I then ran a full complete system scan with configuration set to “Maximum” and have since rebooted multiple times and used the computer with no evidence whatsoever of any further infection.

I have been happy with avast! but my confidence in their product is a bit shaken after the episode with this Trojan.

In any event, all’s well that ends well, I guess…and I will keep this Kaspersky AV on my system for at least the next 30 days.

Thanks for your guidance and help - Very much appreciated.

Kind Regards,
/koke

Koke, next time, Kaspersky could fail… It’s hard to say but no software is perfect 24/7…
Can you extract the files from Kaspersky quarantine and send to virus (at) avast (dot) com for analysis? Thanks.

Tech - Thanks for the comments - and sure, will send files to avast.

Rgds
/koke