jtd1 asked:

How to get rid of Malwarebytes identified malware called RISKWARE,AGENT.D

Anything I have tried has not succeeded in getting rid of this.  Any ideas ?
Andrew Leniart:

Hi jtd,

Suggest you go to <This Page> and on that page, Scroll Down to:

STEP 3: Remove Riskware.Agent! virus with Malwarebytes Anti-Malware Free

and follow the instructions there.  If no joy, please get back to me.

Cheers..

Andrew
I'm not familiar with this variant, however, I have found Spybot Search & Destroy very good in removal of this type of malware in the past.
Here is a removal guide for this. According to the guide it is not technically a virus.

https://malwaretips.com/blogs/riskware-agent-removal/

Please let us know.
Another solution on the same page as above should also work..

STEP 2: Remove Riskware.Agent! browser hijack with Junkware Removal Tool

Hope one of those work for you.

Best..
Be aware, you should always trust an anti-malware tool before using it, so do double check all scanners are legitimate before use.
All the scanners I've suggested I have used myself and can confirm that they are legitimate :)
jtd1 (asker):
Thanks everyone, but I have tried the exact pages you are referring to.  This threat is identified by Malwarebytes as a WARNING and not a PUP, so I have a more concerned approach on this one.

Also, I have followed all the steps many times from Andrew and John's answers (which are the same) before posting the question and the damn thing keeps coming back.
I might suggest you look at your network settings, it could be that DNS (or similar) settings have been changed and therefore you're being constantly infected by redirected services.

Once you've done that, maybe try to clean the machine again.

My favourite anti-virus is actually ESET Nod32, and I have never found anything that it hasn't been able to deal with.
jtd1 (asker):
BTW, I incorrectly identified it as RISKWARE, AGENT.D. It's RISKWARE.AGENT.D according to the MWB scan.
ASKER CERTIFIED SOLUTION
John:
This solution is only available to members.
jtd1 (asker):
Thanks Chris, but it's a domain network, so if DNS was manipulated they would not be able to get on the DOMAIN.  Also, when I say it keeps coming back, I should have said "it's still there", because I immediately rescan and it's still there.
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
Also try this guide below.

http://remove-malware-removal.com/post/Steps-To-Remove-MSILRiskware.HackTool.Agent.D_16_180248.html

As noted above, check the legitimacy of any scanners you might try to run.
ESET blocks fixtrojan.com so you may want to be very cautious about utilising this site.

Have you tried those steps while in Windows Safe Mode?  That's often necessary to get rid of persistent malware.

Also, do you have a System Restore point available from the time before you became infected? That can often help too.

I do agree with these two points, however.
It is a dangerous Trojan, so also give consideration to backing up completely and reinstalling Windows.
Just a caution.. I just tried to check out the link provided by John Hurst above and Malwarebytes Premium immediately blocked it, reporting it as a potentially malicious website so be careful if you go there.
One should always use caution, yes. I did read through the link without incident, but one needs to check legitimacy of sub links.
My advice on all the above links is proceed with caution:
Andrew's post about fixtrojan, and John's last link particularly.
I take your point Chris, but I run Avast Web Security, MalwareBytes Premium and SuperAntiSpyware with real time protection enabled (all of which check for malicious web sites) and none of them alerted on the links I provided.  As you say though, always best to use caution.
jtd1 (asker):
Personally I have never been a fan of 3rd party "fix it" tools, so I am always cautious about them.  That said, I have no issue whatsoever with ESET, MWB, TREND MICRO etc., and if I can't get rid of it remotely I will try TM's Offline Rescue disk and perhaps the MS Process identifier.  Did anyone find any clear indication of this exact malware?  I can only find descriptions that are close to RISKWARE.AGENT.D.
From your later comment and my reviewing, it is a dangerous product. Our very early posts were related to a different product. This one is dangerous indeed.
Riskware.Agent.D is Malwarebytes' naming of this particular Trojan.  It's just a part of the Riskware family of Trojans.  There are many different variants, and different Antivirus and Anti-Malware sites may well call it something else.

A good explanation of what this particular infection can do is given on the Kaspersky Labs site >Here<

I still think your best bets for getting rid of it are:

  1. Try the removal in Windows Safe Mode
  2. Use System Restore to go back to an uninfected time, reboot and then scan again to see if it's gone
  3. Manual Removal of the Trojan - again while in Safe mode

Good luck.
jtd1 (asker):
Thanks folks - will try a combination of the suggested options; however, the machine is 100km away and it will be a day trip tomorrow, since SAFE MODE also means ROAD TRIP  :)
Make sure you have the ability to reinstall once you get there, should that be necessary.
jtd1,

Not necessarily.  If you have Remote Access to the machine, you could always re-boot into "Safe Mode with Networking" enabled.  That might save one heck of a long road trip.  Which remote access software have you been using to try and remove the Trojan remotely?  

I can point you to a couple that will give you a professional trial for no cost that could be installed to your machine and remotely to the affected machine and used to boot the machine into Safe Mode with Networking and reconnect you if that would be helpful?

I personally use "Logmein Rescue" to support my clients and I have that ability and actually use it quite frequently.  I have a yearly subscription, however a Free 14 day Trial can be arranged here..

https://www.logmeinrescue.com/free-trial/rescue-trial?ReDir=true&wt.srch=1&utpk=logmein%2Frescue&originid=36557&utm_source=Google&utm_medium=cpc&utm_source=Google&utm_medium=cpc&mcomb=sJ4qmtOla|189571852757|logmein%2Frescue|e|i8rbbhb5l0|c&cvosrc=ppc.google.logmein%2Frescue&cvo_campaign={campid}&cvo_crid=189571852757&Matchtype=e&gclid=CISC9cP2ytMCFYaWvQod-1ILnA

Hope that helps..

Andrew
jtd1 (asker):
Was able to remove it by deleting hidden GOOGLEUPDATER folder in PROGRAMDATA.  Emptied recycling, reran scan - gone.  Rebooted, reran scan again - still gone.  The specific process file causing the issue was  /PROGRAMDATA/GOOGLEUPDATER/SCRSS.EXE (not CSRSS.EXE).  All good now thanks.
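A defender-side check in the spirit of what jtd1 found (a file named like csrss.exe but living under ProgramData), added here as an example and not code from this thread: it flags file names within one edit or adjacent transposition of a core Windows binary, and genuine system-binary names found outside the Windows directories. The binary list, the trusted directories and the sample paths are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Core Windows binaries that malware commonly impersonates by name
# (the thread's sample was SCRSS.EXE posing as csrss.exe). Assumed list.
SYSTEM_BINARIES = sorted({"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                          "winlogon.exe", "services.exe", "explorer.exe"})
# Directories where the genuine copies live (assumed; lower-case for matching).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: single-character edits plus adjacent
    transpositions, so 'scrss.exe' is 1 away from 'csrss.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path: str):
    """Return a finding string for a suspicious path, or None if it looks benign."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in SYSTEM_BINARIES:
        # Genuine name, but only trustworthy inside the Windows directories.
        return None if parent in TRUSTED_DIRS else f"system binary name outside Windows dirs: {name}"
    for legit in SYSTEM_BINARIES:
        if osa_distance(name, legit) <= 1:
            return f"lookalike of {legit}"
    return None


def scan(paths):
    """Run classify() over a file inventory and return only the findings."""
    return [(p, f) for p in paths if (f := classify(p))]


if __name__ == "__main__":
    # Constructed sample of paths such as a file inventory might produce.
    sample = [r"C:\Windows\System32\csrss.exe", r"C:\ProgramData\GoogleUpdater\SCRSS.EXE",
              r"C:\Users\Public\svchost.exe", r"C:\Program Files\Vendor\updater.exe"]
    for path, finding in scan(sample):
        print(f"{finding}: {path}")
```

Feed it the output of a real file inventory (for example the executables under ProgramData and user profiles) rather than the constructed list to use it on a machine.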
jtd1 (asker):
Thanks everyone
Thanks for reporting back on where the infection turned out to be hiding, jtd1.
Thanks for the update and I am glad you got it resolved.