Q: viruses ( No Answer,   18 Comments )
Question  
Subject: viruses
Category: Computers
Asked by: stephenc_nyc-ga
List Price: $5.00
Posted: 24 Apr 2004 20:27 PDT
Expires: 24 May 2004 20:27 PDT
Question ID: 335725
how do i remove psw.agent.g & psw.agent.h?
avg anti-virus detected them but cannot fix them.
thanks

Request for Question Clarification by sublime1-ga on 24 Apr 2004 21:14 PDT
stephen...

There's very little on the internet about these Trojans, 
except an indication that psw.agent.g is also known as
TR/PeKeyLog.147.B4, a keylogger - which my AV program 
identified in a file on the net which was supposedly
infected with psw.agent.g

Are you unable to simply delete the files that AVG identified?

sublime1-ga

Clarification of Question by stephenc_nyc-ga on 25 Apr 2004 04:15 PDT
i am unable to delete the files.

Request for Question Clarification by sublime1-ga on 25 Apr 2004 09:55 PDT
stephen...

gouki-ga is correct in that, if you are unable to delete
the files from Windows, you can very likely do so from
DOS. The information he provided is correct, as far as
it goes, but if you need more precise directions, you 
will need to communicate more specific details, such as
your Operating System and the location of the files, as
indicated by the AVG program, or when searched for in
Windows Explorer.

If your familiarity with computers is limited to the 
degree that we are unable to converse on these basic
topics, it may be more prudent to take the system to
a local shop that specializes in building and repairing
computers, or to seek assistance from a savvy friend.

sublime1-ga

Clarification of Question by stephenc_nyc-ga on 28 Apr 2004 04:06 PDT
I followed all the advice here and the virus kept returning.
Updated avg and still it could not remove what it found.
Then last night, when restarting the machine, it went through the boot
process right up to the windows blue screen and then turned itself
off.
I restarted, and that time it took itself through the process up to
the windows screen then restarted itself and repeated that three times
I think. When it finally went all the way through and I logged on and
ran avg, it was able to heal psw.agent.h and isolate psw.agent.i in
the vault, and now all seems ok.
Answer  
There is no answer at this time.

Comments  
Subject: Re: viruses
From: gouki-ga on 24 Apr 2004 23:05 PDT
 
The best thing for you to do is write down the exact location of the 2 files on paper.
If you are using Win98

Put a blank floppy disk in the floppy drive.

  Click Start, Settings, Control Panel.

  Double click the Add/Remove Programs icon.

   Click the Create Disk button.
  
    make disk

If you are using WinXP

Restart your computer and, as soon as it begins to start up, keep
hitting the F8 button until you get a boot menu.
Start your computer in MS-DOS from there.

Navigate to the 2 files' location in question and delete each of the
files. You will need to know MS-DOS commands.

http://www.computerhope.com/msdos.htm#02 This site has an overview of the commands

The ones you need to know are 

dir
dir /p
cd
del
cd..

Go to the site and look up their usage. Go practice using these
commands while in windows and not in dos before you do anything.

windows98

go to start->run type 'command' without the quotation marks

in WinXP/Win2k

go to start->run type 'cmd'

Start practicing those commands I told you to look at previously.
Check the website for their usage. You can also type ' /?' after  any
command to get a help screen in dos on what the command does.

That will get rid of those 2 files for sure
Subject: Re: viruses
From: deedee_brasil-ga on 26 Apr 2004 06:54 PDT
 
hi, see i got the same pro down here:
i deleted the file whose name is _update.dat before running windows, at
dos, with the command del *.* and deleted all the Temp files, but as
soon as i reboot the pc the file shows up again. that's really trouble,
what do i do?? icq # 122170360, thanks for any help, beijos!!!
Subject: Re: viruses
From: smokedsober-ga on 26 Apr 2004 07:17 PDT
 
Got the same problem here. Deleted the file _update.dat file and it's
back after the reboot. Is there another file associated with this that
needs to be deleted, too? My AVG scanner only detects this one.
Subject: Re: viruses
From: deedee_brasil-ga on 26 Apr 2004 08:04 PDT
 
BTW avg named the thing: PSW.Agent.H...
is that a spy...? =o(
any good tool to remove them??
thanks again
Subject: Re: PSW.Agent.H Trojan
From: rainman2004-ga on 26 Apr 2004 10:52 PDT
 
Same problem. Located in C:\windows\temp\_update.dat. Op/Sys is Win98 2nd Ed.

Identified by AVG as "PSW.Agent.H" Trojan, but AVG cannot remove it
b/c it is being used by Windows and AVG-Grisoft has nothing about it
on their site. Very little info out here about this one.

Attempted delete, but it reappeared.

Oddly, the file was on the system 4 days before AVG caught it, on April 24, 2004. 

Any ideas anyone?
Subject: Re: PSW.Agent.H Trojan
From: deedee_brasil-ga on 26 Apr 2004 12:05 PDT
 
this link provides some info about it
http://www.pestpatrol.com/PestInfo/t/trojan_psw_hermanagent.asp
Subject: Re: viruses
From: xanthari-ga on 26 Apr 2004 13:10 PDT
 
I found this on my Windows 2000 system today.....here is what I had to
do to get rid of it.

Reboot to Safe Mode. 
Delete _update.dat
On my windows 2000 system in C:\winnt there was a file called
sysupd.exe I noticed that it was getting a new file date and time
every time I rebooted so I renamed it. After this the _update.dat
stopped re-appearing. So you may check your Windows directory and try
this....on a side note after I did this my windows media player
stopped functioning....I am still looking into that.

Good Luck.

-X
Subject: Re: viruses
From: xanthari-ga on 26 Apr 2004 13:17 PDT
 
Ok....setupd.exe is being called by wmplayer.exe. When I ran windows
media player again it tried to rewrite the setupd.exe file, AVG caught
this and denied access. So WMP seems to be the program that is pulling
the trojan horse in, I just don't know how it got infected, or where
the file is coming from yet.
Subject: Re: viruses
From: zeroflyer-ga on 26 Apr 2004 18:54 PDT
 
hey guys
I'm using win 2000 ADV Server and have this same problem.
would deleting all these mentioned files and re-installing win media player work?
what are the things I should not do while this virus is still in my computer?
best regards
José
Subject: Re: viruses
From: asiandawn333-ga on 26 Apr 2004 18:57 PDT
 
try this. I spent a good part of the day messing with it and I had it
in 2 locations: 1st in windows\sysupd.exe, and under C:\documents and
settings\pete\local settings\temp\_update.dat
In command prompt I removed both, rebooted and ran avg again and it
still showed up. I tried to find it and didn't see it anymore. I
uninstalled avg and reinstalled it, I downloaded the updates again and
ran avg and there is now no trace of it. I ran HijackThis and found
a trace of it, and removed it. I've run windows media player and run
avg once more and now it is completely removed...
Subject: Re: viruses
From: spideratemybrain-ga on 27 Apr 2004 21:33 PDT
 
I have this virus on my computer, but having looked for it just
through my "search" as well as in DOS mode, the _update.dat I have
does not exist/ show up... or I can't find it for some reason. What
can I do?
Subject: Re: viruses
From: virus_psw_agent_h-ga on 28 Apr 2004 06:21 PDT
 
Please read everything before you take my steps

hey i think it is about time i found a forum on this virus i am having
the same troubles with this virus as everyone else!
after reading this forum i learnt that sysupd.exe is the cause of the
problem every time i tried deleting _update.dat it said it was being
used by another program therefore not deleting so i ran my comp in
safe mode and delete and when i reboot it comes up again so i kept
searching the web and lo and behold this forum answers my question i
run processes and force shutdown (shutdown process tree by right mouse
clicking) and _update.dat deletes without safe mode. now don't be
stupid and try to reboot and expect it not to come back because you
have done that before you have to go to the source of the problem which
we have learnt is sysupd.exe
so follow these steps to delete the virus psw.agent.h fully! i am
running winXP professional and i am using avg but if you are running
another OS then steps should be quite similar it is all the same
theory!
{if you don't understand what i just wrote
(it would probably be a good idea to uninstall msxml... if you want at
this point i am not sure if it did any good everything seems to be
working fine)
1.) press: ctrl + alt + del
2.) go to processes
3.) find sysupd.exe and right mouse click
4.) click end process tree and select YES
5.) run start, search and select all files and folders
6.) by the all part of file name bar type in SYSUPD 
7.) by 'look in' make sure it is going to search all hard drives (this
shouldn't matter as long as it is searching your main drive eg: c:\
but just let it search all drives just in case)
8.) once search is complete you should have 2 files show up one is sysupd.exe
in c:\windows (or if not c:\ it should be in d:\ etc) and the other
file should be sysupd.exe-3b2af10b.pf
9.) delete these files by highlighting them and then right mouse
clicking and clicking delete or hit the del key
10.) if the files or one of the files don't delete go to step 1 until 4
(try work quickly otherwise sysupd.exe will run again)
11.) next we want to empty recycle bin go to your desktop and find the
recycle bin right mouse click on it and click empty recycle bin
12.) reboot your computer (it is always best to reboot your comp after
doing changes to your computer)
13.)run your virus scan and see for your self it has worked!

if it comes back that the virus is still on your comp it is because
_update.dat or other virus files have not yet been deleted on your
profile or from another users files avg should be able to delete it
without a hassle reboot and run avg again


after doing all this i had another problem virus psw.agent.I was found
on my comp i don't know how it happened to me but i let avg remove the files
but only one file deleted and that was the virus psw.agent.h
_update.dat it was there because of the reason explained above the
other file was psw.agent.i virus file in c:\system volume information

so i just rebooted my comp ran in safe mode networking b/c i am on a
network and ran avg.exe this is the dos avg b/c the windows one
couldn't open and after letting it run it didn't find the other file i
presume this is so because it was on the system volume information
folder and a restore file so when i restarted my comp and ran in safe
mode it deleted automatically i then rebooted and ran avg in windows
just to be sure but after doing this psw.agent.i came up again in
c:\system volume information and it managed to delete it this time
(weird) so again i rebooted and ran avg again and this time it didn't
find the virus
  

i had a program called msxml i am not sure what it is so i just
uninstalled it (i hope it didn't screw up any of my computer files i
have


i recommend if you booted your comp to floppy disk run it i'll tell you
the truth i didn't boot my comp to floppy but i have done it before and
i would have no idea how to run it this could help get rid of
psw.agent.i if it didn't go away before but i don't know

the only reason i wrote everything explicitly is because i don't know
how computer literate some of you are

i also recommend you download a program called ADAWARE go to
downloads.com and search for adaware download it and run it if you are
unable to figure out how to work it let me know and i'll help you make
sure you go thru the settings before hand so it doesn't just do a
registry search rather a full system scan

this is actually quite funny all these steps and writing i did while
doing the steps myself i wrote in notepad and then copied it all to
the forum lol so you can probably imagine how much time it took yes, 3
- 3 and a half hours and there was a lot of deleting and putting
everything in order so you will be able to refer to it and not have to
hassle with putting everything in order
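
The two observations in the comments above (sysupd.exe gets a new date and time on every reboot, and _update.dat keeps coming back until sysupd.exe is removed) can be turned into a read-only triage script. This is an added example, not code from any poster; the function names and the caller-supplied `boot_time` are assumptions.

```python
import fnmatch
import os
import tempfile
import time
from pathlib import Path

# File names reported in this thread, matched case-insensitively.
ROLES = {
    "sysupd.exe": "dropper",              # rewrites the payload after each boot
    "_update.dat": "payload",             # the file AVG flags
    "sysupd.exe-*.pf": "prefetch-trace",  # XP prefetch entry: dropper has run
}
ORDER = {"dropper": 0, "payload": 1, "prefetch-trace": 2}

def triage(root, boot_time):
    """Return findings under `root`, dropper first.
    boot_time is a POSIX timestamp supplied by the caller (assumption); a
    dropper modified at or after it matches the 'new date every reboot' report."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            role = next((r for p, r in ROLES.items()
                         if fnmatch.fnmatchcase(name.lower(), p)), None)
            if role is None:
                continue
            path = Path(dirpath) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:
                continue  # locked or removed between listing and stat
            findings.append({
                "path": str(path), "role": role,
                "rewritten_since_boot": role == "dropper" and mtime >= boot_time,
            })
    return sorted(findings, key=lambda f: (ORDER[f["role"]], f["path"]))

def payload_will_return(findings):
    """Deleting the payload alone does not stick while a dropper is present."""
    roles = {f["role"] for f in findings}
    return "payload" in roles and "dropper" in roles

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        for rel in ("WINDOWS/sysupd.exe", "WINDOWS/TEMP/_UPDATE.DAT"):
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")
        for f in triage(root, time.time() - 60):
            print(f)
```

The script only lists files; it deletes nothing, so it can be run before and after a cleanup to confirm that the dropper is gone and not just the payload.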
Subject: Re: viruses
From: virus_psw_agent_h-ga on 29 Apr 2004 04:29 PDT
 
DO NOT DELETE MSXML

please give feedback of my "letter" which i wrote
Subject: Re: viruses
From: chanyf-ga on 30 Apr 2004 08:42 PDT
 
My computer was infected with this trojan horse psw.agent.h too. I was able
to remove the virus using Lavasoft Ad-aware 6.0. Hope this can help you.
Subject: great support!!!!!
From: wally02-ga on 01 May 2004 00:01 PDT
 
Thank you so much for taking the time to put such great detailed
instructions on this forum. I was able to walk through the step by
step method and successfully remove the trojan horse PSW. Agent H
I greatly appreciate it!!!!
I have tried to figure this out all day and happened to stumble upon this site.
Your good Karma will repay itself 2 fold
Thanks again

Would anyone happen to know what I could do to look into finding out a
speed problem on my cable connection. The cable provider said it was a
hacker using me as a server. I am running
zone alarm pro firewall
AVG antivirus (free edition)
Ad- aware ( I scan every week or so)
Just purchased Pest Patrol and removed a bunch of Kazaa and Limewire leftovers
I have removed kazaa and limewire programs

I am running windows XP pro
Any help greatly appreciated
Subject: PSW.Agent.H
From: israel8israel-ga on 01 May 2004 14:09 PDT
 
I found my pc infested today with the PSW.Agent.H. and this is the
easiest and fastest way to get rid of it. I'm using Windows Me but I
think that is applicable to any OS.

For those infested files in _RESTORE\TEMP - right click on My Computer
icon, Properties, Performance tab, in Advanced settings click on File
System..., Troubleshooting tab, check the last option "Disable System
Restore". Click Apply and Restart your computer. This should be enough
to clean those files. You would be able to uncheck the "Disable System
Restore" once you clean all your disk from virus.

In order to heal the file C:\WINDOWS\TEMP\_UPDATE.DAT - you have first
to create a StartUp disk - go to Control Panel, Add/Remove
Programs, last tab StartUp Disk, Create Disk. You will need a floppy
disk... no s...! LOL

You also need to run a Search for a file named sysupd.exe and take
note of its localization (it should be C:\WINDOWS). If you don't get
rid of this file you won't be able to eliminate the _update.dat.

With these two things (startup disk & path to the sysupd.exe) insert
the StartUp disk on its drive and Restart your computer. As soon as
the DOS prompt appears click "Shift + F5"
in seconds you will see A:\>_

Follow this one by one, between " " explanations, not to be typed:

C:\ "will change dir from A to C, hit Enter"

DEL C:\WINDOWS\SYSUPD.EXE /P "Enter"
Y "confirm your desire to delete it"

"with this you got rid of sysupd, but is not enough"

DEL C:\WINDOWS\TEMP\_UPDATE.DAT /P "Enter"
Y

"that will be more than enough, take your floppy disk from its drive
and hitting "Ctrl + Alt + Del" should restart your computer in normal
mode and you should rerun the antivirus just to be sure.

Good luck!!
Subject: Re: viruses
From: virus_psw_agent_h-ga on 01 May 2004 19:38 PDT
 
hey
thanx for the praise but it is not good for my very small ego, lol,
there is always more than one way of solving a problem it just has to be found
B'hatzlacha 
Kol tuv
(hebrew)
Subject: Re: viruses
From: jameyg-ga on 02 May 2004 20:53 PDT
 
Recently infected with Trojan Horse PSW.Agent.H running Windows ME.
Lavasoft's free version of Ad-aware fixed it for me. I downloaded
ad-aware and ran it.  The first run it found the problem, but could
not remove it.  Choosing the option to allow ad-aware to remove it
after reboot and then rebooting the problem was resolved.  The
sysupd.exe is gone and the _UPDATE.DAT is gone.  After rebooting I ran
AVG and ad-aware again and came up clean.
