# trojan-dropper.win32.agent.bixp

## rrosia

This virus comes back repeatedly after scanning. It is removed and comes back again.

----------


## Rene-gad

Hello
Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore

- Execute the following script in Manual Cure


```
begin
// Search for rootkit hooks, then enable AVZGuard and empty the old quarantine
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
// Stop the driver service, keep a quarantine copy of the driver, then delete it
StopService('44c1239c');
QuarantineFile('C:\WINDOWS\System32\drivers\44c1239c.sys','');
DeleteFile('C:\WINDOWS\System32\drivers\44c1239c.sys');
// Remove the two folders and their contents
DeleteFileMask('C:\WINDOWS\system32\NZZZP2INPB','*.*',true);
DeleteFileMask('C:\WINDOWS\system32\WKAYJFAF1E','*.*',true);
DeleteDirectory('C:\WINDOWS\system32\NZZZP2INPB');
DeleteDirectory('C:\WINDOWS\system32\WKAYJFAF1E');
DeleteService('44c1239c');
// System cleanup, Boot Cleaner for the next boot, then reboot
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.
```

After reboot, execute the following script in Manual Cure


```
begin
CreateQurantineArchive('C:\quarantine.zip');
end.
```

- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Upload the C:\quarantine.zip over the link *Upload quarantined files* on the top of this page.
- Repeat a log file.
- Attach a log to your new post.

----------


## rrosia

When I connect to the internet via my USB internet wireless device, I find alerts from Kaspersky, finding many trojans on my PC.

Refer to the Kaspersky report as well.

Thanks.

----------


## Aleksandra

1. Please disable System Restore and antivirus (if you have one).
2. Execute this script in AVZ:



```
begin
DeleteFileMask(GetAVZDirectory+'Quarantine', '*.*', true);
ExecuteAutoQuarantine;
CreateQurantineArchive('C:\quarantine.zip');
end.
```

Upload the file C:\quarantine.zip via the link http://virusinfo.info/upload_virus.php?tid=62611

3. Execute this script in AVZ:



```
var j:integer; NumStr:string;
begin
// Walk CurrentControlSet (j=0) and ControlSet001..ControlSet999
for j:=0 to 999 do
 begin
    if j=0 then
        NumStr:='CurrentControlSet' else 
        if j<10 then
            NumStr:='ControlSet00'+IntToStr(j) else
            if j<100 then
                NumStr:='ControlSet0'+IntToStr(j) else
                NumStr:='ControlSet'+IntToStr(j);
 // BITS: reset the key's permissions and restore ImagePath
 // (the log text is Russian for: "The ImagePath value in registry key ... has been restored to the original.")
 if RegKeyExistsEx('HKLM', 'SYSTEM\'+NumStr+'\Services\BITS') then
  begin
  RegKeyResetSecurity('HKLM', 'SYSTEM\'+NumStr+'\Services\BITS');
  RegKeyStrParamWrite('HKLM', 'SYSTEM\'+NumStr+'\Services\BITS', 'ImagePath', '%SystemRoot%\System32\svchost.exe -k netsvcs');
  AddToLog('Значение параметра ImagePath в разделе реестра HKLM\SYSTEM\'+NumStr+'\Services\BITS исправлено на оригинальное.');
  end;
 // wuauserv: same repair
 if RegKeyExistsEx('HKLM', 'SYSTEM\'+NumStr+'\Services\wuauserv') then
  begin 
  RegKeyResetSecurity('HKLM', 'SYSTEM\'+NumStr+'\Services\wuauserv');
  RegKeyStrParamWrite('HKLM', 'SYSTEM\'+NumStr+'\Services\wuauserv', 'ImagePath', '%SystemRoot%\System32\svchost.exe -k netsvcs');
  AddToLog('Значение параметра ImagePath в разделе реестра HKLM\SYSTEM\'+NumStr+'\Services\wuauserv исправлено на оригинальное.');
  end;
 end;
SaveLog(GetAVZDirectory + 'fystemRoot.log');
end.
```

4. Make new logs.

----------
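Added example, not part of the original thread and not AVZ code: a read-only check for the repair in the post above, which rewrites `ImagePath` for BITS and wuauserv in every control set. This Python code parses the text of a `reg export` of `HKLM\SYSTEM` and lists the entries that differ from the value the script writes; the function names, the sample export and the paths in it are constructed for illustration.

```python
import re

# ImagePath that the repair script above writes for both services.
EXPECTED = r"%SystemRoot%\System32\svchost.exe -k netsvcs"
SERVICES = {"bits", "wuauserv"}
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\((?:Current)?ControlSet\d*)"
                    r"\\Services\\([^\\\]]+)\]$", re.I)

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ, or hex(2): REG_EXPAND_SZ (UTF-16LE)."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")

def audit_image_paths(reg_text):
    """Return (control_set, service, image_path) for entries that differ from EXPECTED."""
    # Join hex continuation lines: a trailing backslash, then an indented line.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    findings, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only the service key itself counts, not subkeys such as \Parameters.
            m = KEY_RE.match(line)
            current = m.groups() if m and m.group(2).lower() in SERVICES else None
        elif current and line.lower().startswith('"imagepath"='):
            value = decode_value(line.split("=", 1)[1])
            if value.lower() != EXPECTED.lower():  # Windows paths are case-insensitive
                findings.append((*current, value))
    return findings

def to_hex2(s, width=20):
    """Encode a string as an exported REG_EXPAND_SZ; used only to build the sample."""
    b = [f"{x:02x}" for x in (s + "\x00").encode("utf-16-le")]
    rows = [",".join(b[i:i + width]) for i in range(0, len(b), width)]
    return "hex(2):" + ",\\\n  ".join(rows)

# Constructed sample export: one intact entry, one altered entry, one subkey.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS]",
    '"ImagePath"=' + to_hex2(EXPECTED), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv]",
    '"ImagePath"=' + to_hex2(r"C:\constructed\example.exe"), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wuauserv\Parameters]",
    '"ImagePath"=' + to_hex2(r"C:\constructed\ignored.exe"),
])
```

`reg export` writes UTF-16 text, so read a real export with `open(path, encoding="utf-16").read()` before passing it to `audit_image_paths`.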


## rrosia

The script went well without any error. But still many trojans / viruses. Refer to the attached log file from Kaspersky.

----------


## Rene-gad

> Make new logs.


 :Rtfm:

----------


## rrosia

win32.organ........ and many such trojans, always new trojans detected by Kaspersky but cannot be cleaned. They create files with P001.exe, E001.exe, D001.exe, G001.exe, A027.exe, A06.exe and many more. Please find the solution. Thanks.

----------


## Rene-gad

- Execute the following script


```
begin
// Search for rootkit hooks, then enable AVZGuard and empty the old quarantine
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
// Keep quarantine copies of the suspicious files before deleting them
QuarantineFile('C:\WINDOWS\system32\msinclude.dll','');
QuarantineFile('C:\WINDOWS\system32\iSql\M001.exe','');
QuarantineFile('C:\WINDOWS\system32\iSql\H001.exe','');
QuarantineFile('C:\WINDOWS\system32\iSql\G001.exe','');
QuarantineFile('C:\WINDOWS\system32\iSql\E001.EXE','');
QuarantineFile('C:\WINDOWS\system32\iSql\A027.EXE','');
QuarantineFile('C:\WINDOWS\system32\iSql\111.exe','');
// Delete the DLL and the whole iSql folder
DeleteFile('C:\WINDOWS\system32\msinclude.dll');
DeleteFileMask('C:\WINDOWS\system32\iSql','*.*',true);
DeleteDirectory('C:\WINDOWS\system32\iSql');
// System cleanup, Boot Cleaner for the next boot, archive the quarantine, reboot
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
CreateQurantineArchive('C:\quarantine.zip');
SetAVZPMStatus(True);
RebootWindows(true);
end.
```

If the system after reboot would try to install any unknown hardware, abort the installation and remove the unknown hardware over hardware manager.

After reboot:

Execute the following script


```
begin
CreateQurantineArchive('C:\quarantine.zip');
end.
```

- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Upload the C:\quarantine.zip over the link *Upload quarantined files* on the top of this page.
- Make new logs 'as done' + log of Malwarebytes Antimalware and attach them to the new posting.

----------

