Win32:Agent-YQ [trj]

avast finds this trojan in system folders but failed to remove it.

The message comes at least every three hours. A full check doesn’t find anything.

Search had no results inside this forum.

thks.

If a virus is replicant (coming and coming again), you should:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Use a-squared or ewido (trojan removers).

Win 2K

The location of the infections is (always?) C:\WINNT\system32\wins\l0l.exe

Ok, skip step 1.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Did everything except No. 1 (wrong OS)

a² found something and removed it.

ewido
hijack
tuneup failed

Problem remains

Please, give us a little more description…
ewido failed? or just tuneup? Which tool of tuneup failed?
Did you receive ewido error messages?
Did you send your Hijack log for analysis? And so?..
What is ‘the problem remains’…? Does avast still detect a replicant virus?

Hello Pappnase,

For more info of this malware look here:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39437

And consider this technical info, and the changes to the registry (backup registry before altering):
Description

Win32.Rbot.DVU is an IRC controlled backdoor (or “bot”) that can be used to gain unauthorized access to a victim’s machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants.

This particular variant of Rbot is distributed as a 111,424 byte, Win32 executable that exhibits the following specific characteristics:

When executed this variant copies itself to the %System% directory as MSAOLdrv.exe and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MS Windows AOL Driver = “msaoldrv.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS Windows AOL Driver = “msaoldrv.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MS Windows AOL Driver = “msaoldrv.exe”

Note: ‘%System%’ and ‘%Windows%’ are variable locations. The Trojan determines the location of these folders by querying the operating system. The default location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.

You should also upgrade your OS and the programs you use, so that this malware cannot exploit vulnerabilities to infect again; see the link I gave you for known holes this Rbot uses to infect.

Good luck fighting it,
polonus
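An added example, not part of the thread or of the advisory quoted in it: a small parser that reads a text export of the registry (regedit .reg format, already decoded to text) and lists entries under the three autostart keys named above. It assumes you exported those keys yourself; the sample export and the names `parse_autoruns` and `flag_entries` are constructed for illustration.

```python
import re

# Autostart keys listed in the advisory quoted above, with hive names spelled out.
AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)}
# File names mentioned in this thread (advisory copy name, file avast reported).
KNOWN_NAMES = {"msaoldrv.exe", "l0l.exe"}
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE = re.compile(r'\s*"?(.+?\.exe)', re.I)

def parse_autoruns(reg_text):
    """Yield (key, value_name, data) for string values under the autostart keys."""
    key = None
    for line in map(str.strip, reg_text.splitlines()):
        if m := SECTION.match(line):
            key = m.group(1) if m.group(1).lower() in AUTORUN_KEYS else None
        elif key and (m := VALUE.match(line)):
            # .reg text escapes backslashes and quotes with a backslash; undo it.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def flag_entries(reg_text):
    """Return (key, name, data, reason) for entries worth a manual look."""
    findings = []
    for key, name, data in parse_autoruns(reg_text):
        if not (m := EXE.match(data)):
            continue
        exe = m.group(1)
        base = exe.rsplit("\\", 1)[-1].lower()
        if base in KNOWN_NAMES:
            findings.append((key, name, data, "file name from this thread"))
        elif "\\" not in exe:
            findings.append((key, name, data, "no directory given"))
    return findings

# Constructed sample export, not taken from the poster's machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS Windows AOL Driver"="msaoldrv.exe"
"Example"="\"C:\\Program Files\\Example\\example.exe\" /tray"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MS Windows AOL Driver"="msaoldrv.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="helper.exe -q"
'''
```

Entries flagged "no directory given" are only candidates for review, since legitimate programs in the system directory are registered the same way.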

ewido found nothing

Hijack found nothing launched that should not be (could somebody post the update link)

tuneup was used to clear the system. Tuneup repair failed to find something related to the problem

a² removed 2 things and found something in autostart (what I removed)

All programs (incl. the OS) but hijack are up to date

The problem persists but less often.

Second scan with a² finds nothing.

ad-aware SE found and removed a trojan loader that was not found by the other programs.

Continuing my scan-tour. 8)

No further messages. Looks like the problem was solved.

thks