"Trojan-Downloader.Win32.Agent variant"
Skahr
22-03-2007, 06:08 PM
So, I went to log into WoW this morning and World of Warcraft gave me an alert that says the following:
The trojan "Trojan-Downloader.Win32.Agent variant" has been found on your computer. Please remove it before continuing to play. This trojan may be used to steal your personal account information.
I researched it a bit and a lot of people have said they cannot find it when doing a scan. I scanned and did not find it either. Any and all help is greatly appreciated. Thanks in advance!
-Skahr
mesonm
22-03-2007, 06:30 PM
try
http://www.f-secure.com/v-descs/agent_bao.shtml
Skahr
22-03-2007, 07:26 PM
Ok, so I got a new anti-virus scanner and scanned EVERYTHING and found a couple of trojans with the above name, deleted them (along with some other trash I found) and restarted my comp after a full scan. I am still getting the alert though.
PhiloBeddoe
22-03-2007, 07:59 PM
Uninstall and reinstall WoW?
Skahr
22-03-2007, 08:34 PM
That won't work, I don't think. As far as I know it's not a direct attack towards WoW; there is just a trojan on my comp and WoW is aware of it. :(
Stigg
22-03-2007, 08:37 PM
I have 2 trojans on my work computer...both WoW related. 0.o No admin privileges so I am screwed. Skahr...if nothing else, re-install your OS.
Skahr (edit) you didn't by any chance venture to one of the sites that got posted here and deleted rather quickly did you?
Skahr
22-03-2007, 09:14 PM
Stigg: Thanks bud, and no, I haven't clicked any links from this site in quite some time. TBH I know exactly where I got the damn thing (or so I think).
I was browsing a few "Adult Sites" last night and realized this morning my firewall wasn't on. Doh! Idiot, I tell ya, idiot. I must have forgotten to put it back on after DLing a patch or something.
Stigg
22-03-2007, 09:15 PM
Haha pwnt by pron. Darn...I was hoping I was going to find out where I got mine from.
Skahr
22-03-2007, 09:35 PM
LOL...You are getting the same alert?
Stigg
22-03-2007, 09:38 PM
Nah...mine has just shut down my clip art for Word and deleted my email client....which is semi important to my profession. Unfortunately my admin is out of town until Monday...so I can't do anything with it. And I don't know how to configure my email on a new computer...so I'm SOL.
Skahr
22-03-2007, 10:10 PM
ahh that kinda sucks.
I wonder how much risk I am at if I log into WoW? kek, the wait is killing me already!
Note to self: No more porn browsing
gentou
22-03-2007, 10:32 PM
A lot of your trojan/virus/rootkit programs these days run either under the system layer or bound to an executable that usually starts when Windows starts. Your trojans/rootkits usually contain a keylogger, which allows it to collect data such as your WoW account info. The easiest way to determine if you are really virus free is to continually keep your firewall up and anti-virus programs running and up to date at all times.

As far as disabling your firewall, you would be much better off if you went to the WoW home site; I believe there is a section for router setup. It will help you with port forwarding so you don't have to disable your firewall when you download a patch or update. I am at work and can't access the site or I'd post the link. If ya can't find it I'll grab it tonight.

As far as detecting and removing, the easiest way around all of this is to use a DOS-based virus scanner. This allows the scanner to load before Windows and detect a lot more. This will also help with the no admin privileges, Tigs. You can find a safe DOS AV @ http://www.claymania.com/f-prot.html (hope I don't get in trouble for posting the link, kinda new here). Anyways, download it, burn it to a CD, then reboot and boot to CD-ROM. It will allow you to scan your hard drive without the virus/trojan being able to load and hide itself. Also make sure that the trojan hasn't replaced your WoW icon and you're not loading the trojan thinking it's WoW.
Good luck, hope I've helped.
Skahr
22-03-2007, 11:03 PM
Wow, thanks for the help man, I will try that out. As far as the link to the WoW home site, I know about that, but was just lazy :(. Thanks again and I will let you all know how it turns out.
Skahr
23-03-2007, 09:46 PM
Well, I followed the instructions from a blue on the Official forums, and it worked. Trojan gone! All of the virus scan software did nothing for the trojan, but it did clean up some other stuff I had on my comp. Thanks for all the input guys.
shuikono
05-04-2007, 11:11 PM
I have the trojan message and I've checked the links that have been posted but I don't understand what to do. Can someone explain the simplest way to remove the trojan? Thank you.
caldepen
05-04-2007, 11:19 PM
I need this as well, I have already been compromised and have lots of time as my account has been suspended until they figure out what happened. AVG keeps reporting it but it must still be around somewhere.
Well, I followed the instructions from a blue on the Official forums, and it worked.
Skahr could you please link or tell us where exactly this is? Thx
edit: Did you use Kaspersky to locate the trojan? Which is the first one mentioned on WoWforum regarding "Unable to Verify version"
Valas Azuviir
05-04-2007, 11:40 PM
TrojanDownloader.Win32.Agent variant
The Blizzard Launcher has detected the Trojan-Downloader.Win32.Agent variant Trojan on your machine which may be used to steal your World of Warcraft account name and password.
Trojans are a "back door" into your machine which can allow hackers to obtain sensitive data as well as cause harm to your machine. Trojans differ from Viruses as Viruses replicate themselves and are designed purely to cause damage to the "host" machine. Each Trojan functions differently; however, most are designed to obtain information through use of keyloggers or to allow remote functions for the hacker to literally use your computer. Trojans pose a serious threat to all computer users and it is extremely important that they are removed immediately before information can be gathered. Some Trojans are also used to allow further infection, installing additional Trojan functions as well as Viruses.
Follow these steps to remove the Trojan and protect yourself from future infection:
1. Close the Blizzard Launcher. You are still allowed to log in and play, however playing the game with a Trojan installed puts your account at serious risk of being compromised as the hacker can easily obtain your World of Warcraft account name and password.
2. Ensure that all programs are closed. If you have recently downloaded any executable (.exe) files meant for use with the game, delete them so that they are not accidentally used in the future.
3. Use one or more of the below programs to help remove the Trojan and provide future protection against them. After installing the program, ensure that you update its "definitions". Definitions are used as a dictionary of sorts for the program to help it detect new Trojans. This is usually prompted to be done shortly after install by the program itself. If not, the process to do so should be available within the program options.
4. Make sure you run a thorough scan of your entire system. After removing the Trojan, use the Blizzard Launcher again to start the game and see if any additional threats are detected.
Removal Programs
The below programs can all be used to detect and remove the Trojan found on your system. Programs with trial or free versions are marked as such. Trial programs are basic versions of the program that can be used for a limited amount of time, after which you can either choose to purchase the full product or uninstall the program.
The "Version used" field notates what version of that program was used by Blizzard to confirm its ability to find this specific Trojan. The version you download should be the newest available and does not necessarily have to match the one listed.
Program: Fix Wareout (http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41) (Free)
Version used: 1.0.0.5
Identifies this Trojan as: N/A
Notes: Number 18 on the list of programs

Program: Kaspersky (http://www.kaspersky.com/) (Trial)
Version used: 4.0.2.24
Identifies this Trojan as: Trojan-PSW.Win32.WOW.ps or possibly Trojan.Win32.DNSChanger.in
Notes: none
Account Recovery
If your account has already been compromised please make sure the Trojan is removed by following the steps above. After the Trojan has been successfully removed follow the steps below for help with recovery.
* If your account has been compromised and you are unable to login please attempt to recover your password by clicking here (https://www.wow-europe.com/login-support/).
* If you are unable to recover your account password or are having difficulty with the hacker changing it again after recovery; please first make sure the Trojan is fully removed by following the steps at the top of this page as well as running a thorough system scan. If the Trojan has been removed please contact our Billing & Account department by phone (http://wow-europe.com/en/support/accountbilling.html).
* If you have successfully recovered the account and the hacker has not been able to login but you are missing items or characters; please contact our In-Game Support department (http://wow-europe.com/en/support/gamemasters.html) by creating an in-game petition.
Source (http://faq.wow-europe.com/en/article.php?id=1051).
This ought to do the trick.
Side note: the WoW Launcher (the one with the small advertising box that tells you what the latest news is etc.) will also warn you about this trojan. Once you proceed towards the log-in screen, it will add a Goblin voice screaming "danger, danger" as well.
Skahr
05-04-2007, 11:51 PM
I advise all to use the "Fix Wareout" to get rid of the problem, as Kaspersky did NOT get rid of the trojan for me. Fix Wareout did the trick.
Viruses and Trojans are always a problem, but from experience I can say that the best Anti-virus/Anti-Trojan program out there is NoD32, http://www.nod32-anti-virus.com , and it updates all the time, whenever a new threat comes out. No more pesky mass virus-definition downloads. I'm not trying to sell you something here, but it works.
shuikono
06-04-2007, 01:08 AM
Yes, thanks to all who posted the "Fix Wareout"; it worked. Yes!! Much appreciated.
Solvi
06-04-2007, 01:22 AM
Stigg: Thanks bud, and no, I haven't clicked any links from this site in quite some time. TBH I know exactly where I got the damn thing (or so I think).
I was browsing a few "Adult Sites" last night and realized this morning my firewall wasn't on. Doh! Idiot, I tell ya, idiot. I must have forgotten to put it back on after DLing a patch or something.
Damn...Thanks for reminding me to turn my firewall back on....I just did a whole system restore and firewall and anti-virus are off. Good thing I didn't go to my usual sites...lol...before I read this.
caldepen
06-04-2007, 01:38 AM
Kaspersky came up with win32.Downloader and cleansed it. I guess that's the same as fixed? Launcher never warned me, I guess it did not pick up on it... oh well, I hope Blizzard will give me back my stuff. Do they have a way of tracking what I had, or how do they do that? I had a couple of greens and a Blue which were all bop, all my herbs (I had a lot), a clefthide leg armor unused and some primals. Plus all the stuff I can't remember I had! Shoot...
What firewall does everyone use? Is the windows one good enough? Obviously not...
logster
10-04-2007, 08:51 PM
...I've tried to use Fixwareout, and it says it has been successful... but the thing says it is still there... and my anti-virus program can't find it. Here is what I have so far:
-My anti-virus program is always on
-my firewall is up
-system restore is active
-do I turn off system restore??
-right before my computer restarts when doing Fixwareout my AV program lists a warning of dangerous software/program... do I hit "Remove program" and let the thing finish?
-do I shut off my AV program to let Fixwareout do its thing?
BlackKat
11-04-2007, 01:02 AM
Remember that an anti-virus program is only as good as its definitions (list of things to hunt for). Try a variety of anti-virus scanners and don't stop until you find one that finds that trojan.
D.K.night
12-04-2007, 10:30 PM
Another critical thing.
Stop using Internet Explorer and start using Firefox or Opera. Internet Explorer has ActiveX enabled and that alone is a huge vulnerability open.
You guys all probably always use the computer under the Administrator account, or your own user account has admin privileges, like almost everyone I know. That too is a huge security hole as any old grizzled Unix admin would tell you. Try running the machine as a crippled user account so even if you did come across a trojan website or otherwise, the trojan wouldn't be able to install itself as the logged-in user has no install privileges.
mesonm
12-04-2007, 11:46 PM
Another critical thing.
Stop using Internet Explorer and start using Firefox or Opera. Internet Explorer has ActiveX enabled and that alone is a huge vulnerability open.
Of course, it is easily turned off....But, I use firefox for other reasons...
You guys all probably always use the computer under the Administrator account, or your own user account has admin privileges, like almost everyone I know. That too is a huge security hole as any old grizzled Unix admin would tell you. Try running the machine as a crippled user account so even if you did come across a trojan website or otherwise, the trojan wouldn't be able to install itself as the logged-in user has no install privileges.
This is a key point...If you don't know how to create such a crippled account, ask.
wtfsamq
28-05-2007, 01:14 PM
Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdyyj.exe"
»»»»»
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
C:\WINDOWS\Temp\kdyyj.ren 65970 04/08/2004
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"workflow"="D:\\installs\\workflow.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SoundMan"="SOUNDMAN.EXE"
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"PSPVideo9"="C:\\Program Files\\pspvideo9\\pspVideo9.exe -t"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Kalos
28-05-2007, 03:07 PM
Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdyyj.exe"
»»»»»
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
C:\WINDOWS\Temp\kdyyj.ren 65970 04/08/2004
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"workflow"="D:\\installs\\workflow.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SoundMan"="SOUNDMAN.EXE"
@=""
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"PSPVideo9"="C:\\Program Files\\pspvideo9\\pspVideo9.exe -t"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Are you sure where it said "Please post this report in the forums please" it was referring to this one? It's little more than garbage to me, most of the things it reports are completely normal.
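Kalos's point is right that most of the Fixwareout report above is ordinary autorun noise, and the two lines that matter are the Winlogon "System" value in the Prerun check and the renamed file in C:\WINDOWS\Temp. The following is an added example (not Fixwareout's own code and not from the original post) that parses a report in this format and separates those findings from the normal entries. The excerpt embedded as SAMPLE_REPORT is constructed from the report posted above (some Run entries dropped for length). The heuristics are assumptions: that Winlogon's "System" value is empty on a clean machine, and that a random five-letter filename in Temp, WINDOWS or system32 (the tool's own "five digit cs, dm, kd, jb" hint) deserves a second look; function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the Fixwareout report pasted in the thread (values copied from the
# post; shortened to the lines the heuristics below look at).
SAMPLE_REPORT = r"""
Fixwareout Last edited 5/15/2007
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdyyj.exe"
»»»»»
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
»»»»» Other
C:\WINDOWS\Temp\kdyyj.ren 65970 04/08/2004
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"SoundMan"="SOUNDMAN.EXE"
@=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
"""

SECTION_RE = re.compile(r'^»+\s*(?P<title>.*?)\s*$')
WINLOGON_RE = re.compile(r'Winlogon\\\s*"(?P<name>[^"]+)"="(?P<value>[^"]*)"')
RUN_KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
FILE_RE = re.compile(r'^(?P<path>[A-Za-z]:\\\S+)\s+(?P<size>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})$')
# The tool's own hint ("Search five digit cs, dm, kd, jb, other, files"): five random letters
# plus a three-letter extension. Heuristic, not a signature.
RANDOM_NAME_RE = re.compile(r'^[a-z]{5}\.[a-z]{3}$')
SUSPECT_DIRS = ('\\temp\\', '\\windows\\', '\\system32\\')
WINLOGON_SYSTEM = 'HKLM\\...\\Winlogon "System"'


@dataclass
class Finding:
    severity: str   # 'high', 'medium', 'info' or 'normal'
    where: str      # registry value or file path the finding is about
    detail: str


def unescape_reg(value: str) -> str:
    """Undo .reg-style escaping (backslash-quote to quote, double backslash to single)."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def executable_path(command: str) -> str:
    """First token of an autorun command: the quoted path, or the text up to the first space."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(' ', 1)[0]


def looks_suspicious(path: str) -> bool:
    """Assumed heuristic: anything launched from Temp, or a random five-letter name sitting in
    Temp/WINDOWS/system32 (or with no directory at all), deserves a second look."""
    p = path.lower().replace('/', '\\')
    base = p.rsplit('\\', 1)[-1]
    in_suspect_dir = '\\' not in p or any(d in p for d in SUSPECT_DIRS)
    return '\\temp\\' in p or (in_suspect_dir and RANDOM_NAME_RE.match(base) is not None)


def analyze(report_text: str) -> list:
    """Walk the report section by section and classify what it shows."""
    findings, section, current_key, prerun_exe = [], '', '', None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line or set(line) == {'.'}:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('title').lower()
            continue
        m = WINLOGON_RE.search(line)
        if m and m.group('name').lower() == 'system':
            value = m.group('value')
            # Assumption: Winlogon's "System" value is empty on a clean box, so a filename here
            # is a boot-time loader that runs before the user's own Run entries.
            if section.startswith('prerun') and value:
                prerun_exe = value.lower()
                findings.append(Finding('high', WINLOGON_SYSTEM, f'set to {value}; normally empty'))
            elif section.startswith('postrun') and not value:
                findings.append(Finding('info', WINLOGON_SYSTEM, 'cleared by the tool'))
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = RUN_VALUE_RE.match(line)
        if m and section.startswith('current runs'):
            exe = executable_path(unescape_reg(m.group('value')))
            severity = 'high' if looks_suspicious(exe) else 'normal'
            findings.append(Finding(severity, f'{current_key} "{m.group("name")}"', f'launches {exe}'))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group('path')
            stem = path.rsplit('\\', 1)[-1].lower().rsplit('.', 1)[0]
            if prerun_exe and stem == prerun_exe.rsplit('.', 1)[0]:
                findings.append(Finding('high', path, 'renamed copy of the Winlogon loader; submit it'))
            elif looks_suspicious(path):
                findings.append(Finding('medium', path, 'random-looking name in a system directory'))
    return findings


def high_risk_locations(report_text: str) -> list:
    """Only the registry values and files that need action."""
    return [f.where for f in analyze(report_text) if f.severity == 'high']


if __name__ == '__main__':
    for f in analyze(SAMPLE_REPORT):
        print(f'[{f.severity:6}] {f.where}: {f.detail}')
```

Run against the pasted report, this flags only the Winlogon "System" hook and C:\WINDOWS\Temp\kdyyj.ren, notes that the tool cleared the hook, and classifies the Sony, iTunes, audio and ctfmon autoruns as normal. The random-name rule is deliberately restricted to system directories so that a legitimately short name like SsAAD.exe under Program Files is not reported.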
rottentomato
28-05-2007, 03:22 PM
Exactly what I had...had to wipe everything...which sucked, but now it's all gravy baby.
vBulletin® v3.8.4, Copyright ©2000-2009, Jelsoft Enterprises Ltd.