Virus + HJT log

By ColoradoGuy
Sep 28, 2007
  1. I am finding more about the virus BKDR_AGENT.YWQ :

- The file that was detected by the antivirus was the following: C:\Windows\system32\8cbf9856.dll
    - Service running: BE812AAC = C:\Windows\System32\C5A3BFDE.EXE
    - Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BE812AAC and a few more entries.

I have removed the file and all the registry entries with that reference (BE812AAC) in Safe Mode (System Restore off).

    Anyway, the registry entries are created again. I cannot find the file C:\Windows\System32\C5A3BFDE.EXE that the service is supposed to execute.

    The trojan tries to send some info to a Chinese website:

    I will keep finding but I hope someone can give me a hand ;-)


    First post


My dear antivirus (Trend Micro's PC-Cillin) found a virus once the computer was infected and now it cannot delete it. The virus is BKDR_AGENT.YWQ but I cannot find any information on the Internet about it.

    The file infected is C:\Windows\system32\8cbf9856.dll. I can delete it in safe mode but obviously it comes back when I restart the computer.

    Any help?

    Much appreciated!

    HJT log attached.
  2. Jase123

    Jase123 Banned Posts: 1,012

You will need to read this - If your system is infected, read this before deciding whether to Clean or Format.

    If after reading that, you wish to proceed with cleaning then read the following -
    Viruses/Spyware/Malware, preliminary removal instructions Note: Follow every step exactly.

    DO NOT FORGET TO attach the AVG Antispyware, and Combofix logs.

    This thread is for the use of ColoradoGuy only. Please do not post your own virus/spyware problems in this thread. Instead open a new thread, in our Security and Web forum.

    Regards Jase
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    For your information, found in a Google search:
    September 28, 2007 Virus Alert - BKDR_AGENT.YWQ
    Virus type: Backdoor
    Destructive: No
    Aliases: No Alias Found
    Pattern file needed: 4.721.00
    Scan engine needed: 8.300
    Overall risk rating: Low
    Reported infections: Low
    Damage Potential: High
    Distribution Potential: Low

    This backdoor may be dropped by other malware. It may arrive bundled with malware packages as a malware component. It is usually injected into running processes.

    Using random TCP ports, it listens for commands from a remote malicious user. It executes these commands locally on an affected system, providing the remote user virtual control over the affected system. This routine compromises system security and opens the affected machine to further attacks.

It is a newly announced virus and I would question whether your anti-virus program is updated and why it didn't prevent this. Follow with the log help.
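For anyone triaging the same pattern, the following PowerShell script is an added example and is not part of this thread or of any Trend Micro tooling. It covers the two behaviours described above: the first post's service whose binary (C5A3BFDE.EXE) cannot be found on disk and whose registry entries return after deletion, and the alert's note that the backdoor listens on random TCP ports from inside an injected process. It assumes an elevated PowerShell 3 or later prompt; Get-NetTCPConnection needs Windows 8 / Server 2012 or later, so on the 2007-era system in this thread the port check would have to be replaced by parsing `netstat -ano`. The DLL name used as the default parameter is the one from the first post; the 8-hex-character heuristic is simply the naming pattern visible in this thread.

```powershell
# Added triage script (not from the thread). Run from an elevated PowerShell prompt.
# Assumes PowerShell 3+ and, for the port check, Get-NetTCPConnection (Windows 8 /
# Server 2012 or later; on older systems substitute parsing of 'netstat -ano').

# Resolve a service ImagePath registry value to a plain file path on disk.
function Resolve-ImagePath {
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    $p = $p -replace '^\\\?\?\\', ''                      # "\??\C:\x.exe"   -> "C:\x.exe"
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot      # "\SystemRoot\.." -> "C:\Windows\.."
    if ($p.StartsWith('"')) { $p = $p.Substring(1).Split('"')[0] }  # quoted path with arguments
    else { $p = ($p -split ' -| /')[0] }                  # drop "-k netsvcs" style arguments
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative to %SystemRoot%
    return $p
}

# Flag services whose binary is missing on disk, is unsigned, or carries a
# random-looking 8-hex-character name like the BE812AAC / C5A3BFDE.EXE pair above.
function Get-SuspiciousServices {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }
        $path = Resolve-ImagePath $props.ImagePath
        $reasons = @()
        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'binary missing on disk'
        } elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
            $reasons += 'unsigned or invalid signature'
        }
        if ($key.PSChildName -match '^[0-9A-Fa-f]{8}$') { $reasons += 'random hex service name' }
        if ([IO.Path]::GetFileNameWithoutExtension($path) -match '^[0-9A-Fa-f]{8}$') {
            $reasons += 'random hex binary name'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Service = $key.PSChildName; ImagePath = $path; Reasons = ($reasons -join '; ') }
        }
    }
}

# Find the processes that currently have the dropped DLL loaded. An injected
# process that survives the reboot is the usual candidate for whatever keeps
# recreating the deleted registry entries.
function Find-ProcessesLoadingModule {
    param([string]$ModuleName = '8cbf9856.dll')   # DLL name taken from the first post
    foreach ($proc in Get-Process) {
        $mods = try { $proc.Modules } catch { $null }   # access denied on protected processes
        if ($mods | Where-Object { $_.ModuleName -ieq $ModuleName }) {
            [pscustomobject]@{ Pid = $proc.Id; Process = $proc.ProcessName; Path = $proc.Path }
        }
    }
}

# Listening TCP endpoints with their owning process, for the "random TCP ports"
# behaviour described in the alert. Review anything owned by a binary outside
# the usual Windows locations or by a process flagged by the two checks above.
function Get-ListeningEndpoints {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } | Sort-Object LocalPort
}

Get-SuspiciousServices      | Format-Table -AutoSize
Find-ProcessesLoadingModule | Format-Table -AutoSize
Get-ListeningEndpoints      | Format-Table -AutoSize
```

The signature check is a triage aid, not a verdict: on older systems many legitimate drivers and third-party services are unsigned, so the useful hits are the ones that combine a missing or unsigned binary with a hex-only name or with a listening port owned by an unexpected process. Because the poster reports the entries returning after deletion, the module check is the one to run first; removing the registry key without stopping the process that recreates it only repeats the cycle described in the first post.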