Virus + HJT log

I am finding out more about the virus BKDR_AGENT.YWQ:

- The file that was detected by the antivirus was the following: C:\Windows\system32\8cbf9856.dll
- Service running: BE812AAC = C:\Windows\System32\C5A3BFDE.EXE
- Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BE812AAC and a few more entries.

I have removed the file and all the registry entries with that reference (BE812AAC) in Safe Mode (System Restore off).

Anyway, the registry entries are created again. I cannot find the file C:\Windows\System32\C5A3BFDE.EXE that the service is supposed to execute.

The trojan tries to send some info to a Chinese website: http://alexa.veryinx.cn

I will keep looking, but I hope someone can give me a hand ;-)

Thanks!!
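As an added example (not code from the original poster, from the forum helpers, or from Trend Micro), here is a PowerShell check for the kind of persistence described in the post above. It walks HKLM\SYSTEM\CurrentControlSet\Services and flags any service key whose name is eight hex digits (like BE812AAC) or whose ImagePath, or Parameters\ServiceDll, points to a file that is not on disk, which is what the poster saw with C5A3BFDE.EXE. The eight-hex-digit name pattern is an assumption generalised from the single name in the thread; the rest relies only on the standard layout of the Services registry hive. Run it from an elevated prompt.

```powershell
# Added example, not from the original thread. Flags service registry entries that
#   (a) have a random-looking 8-hex-digit name (assumed pattern, based on BE812AAC), or
#   (b) point at a binary (ImagePath) or service DLL (Parameters\ServiceDll) that is
#       missing on disk, as the poster observed for C5A3BFDE.EXE.
# Run from an elevated PowerShell prompt.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn a raw ImagePath/ServiceDll value into a file path Test-Path can check:
# expand %SystemRoot%-style variables, strip quotes and arguments, and map the
# kernel-style \SystemRoot\... and \??\C:\... forms used by drivers.
function Resolve-ServiceBinary {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $close = $p.IndexOf('"', 1)
        if ($close -gt 1) { $p = $p.Substring(1, $close - 1) } else { $p = $p.Trim('"') }
    } else {
        # Unquoted: drop arguments such as "svchost.exe -k netsvcs". Unquoted paths
        # that contain spaces will be cut short here and show up as "missing";
        # check those by hand rather than trusting the verdict.
        $p = ($p -split ' +[-/]')[0]
        $p = ($p -split '\s+')[0]
    }
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') {
        # Relative form, e.g. "system32\drivers\foo.sys": Windows resolves it under %SystemRoot%.
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

$findings = foreach ($key in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $name  = $key.PSChildName
    $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
    $image = Resolve-ServiceBinary $props.ImagePath

    # Services hosted in svchost keep their real code in Parameters\ServiceDll.
    $dll = $null
    $paramsKey = "$($key.PSPath)\Parameters"
    if (Test-Path $paramsKey) {
        $dll = Resolve-ServiceBinary (Get-ItemProperty $paramsKey -ErrorAction SilentlyContinue).ServiceDll
    }

    $reasons = @()
    if ($name -match '^[0-9A-Fa-f]{8}$') { $reasons += 'random-looking 8-hex-digit service name' }
    if ($image -and -not (Test-Path -LiteralPath $image)) { $reasons += "ImagePath missing on disk: $image" }
    if ($dll   -and -not (Test-Path -LiteralPath $dll))   { $reasons += "ServiceDll missing on disk: $dll" }

    if ($reasons.Count) {
        [pscustomobject]@{
            Service    = $name
            Start      = $props.Start      # 2 = Automatic, 3 = Manual, 4 = Disabled
            ImagePath  = $props.ImagePath
            ServiceDll = $dll
            Reason     = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No suspicious service entries found.' }
```

Expect some noise: uninstallers routinely leave behind service keys whose binary is gone, so a "missing on disk" hit by itself is a lead, not a verdict. A hit that combines an unfamiliar hex-style name, Start = 2 and a missing or freshly created binary under System32 is the one worth pulling the key and file for before rebooting, and the same names should then be checked against `netstat -ano` and the process list, since the Trend Micro description quoted later in the thread says the backdoor listens on random TCP ports from inside other processes.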



*---------------------------------------------------------------------------------*
First post
*---------------------------------------------------------------------------------*

Hi,

My dear antivirus (Trend Micro's PC-Cillin) has found a virus once the computer was infected and now it cannot delete it. The virus is BKDR_AGENT.YWQ, but I cannot find any information on the Internet about it.

The file infected is C:\Windows\system32\8cbf9856.dll. I can delete it in safe mode but obviously it comes back when I restart the computer.

Any help?

Much appreciated!

HJT log attached.
 
You will need to read this: If your system is infected, read this before deciding whether to Clean or Format.

If, after reading that, you wish to proceed with cleaning, then read the following:
Viruses/Spyware/Malware, preliminary removal instructions. Note: Follow every step exactly.

DO NOT FORGET to attach the AVG Antispyware and Combofix logs.

This thread is for the use of ColoradoGuy only. Please do not post your own virus/spyware problems in this thread. Instead open a new thread, in our Security and Web forum.


Regards, Jase
 
For your information, found in a Google search:
September 28, 2007 Virus Alert - BKDR_AGENT.YWQ
BKDR_AGENT.YWQ
Virus type: Backdoor
Destructive: No
Aliases: No Alias Found
Pattern file needed: 4.721.00
Scan engine needed: 8.300
Overall risk rating: Low
Reported infections: Low
Damage Potential: High
Distribution Potential: Low

This backdoor may be dropped by other malware. It may arrive bundled with malware packages as a malware component. It is usually injected into running processes.

Using random TCP ports, it listens for commands from a remote malicious user. It executes these commands locally on an affected system, providing the remote user virtual control over the affected system. This routine compromises system security and opens the affected machine to further attacks.

It is a newly announced virus, and I would question whether your anti-virus program is updated and why it didn't prevent this. Follow up with the log help.

http://www.biz.netvigator.com/eng/vcc/virus_update.html#
 