Archived from groups: microsoft.public.windowsxp.security_admin
"" wrote:
> Hi Dave,
>
> Thanks so much for that information. I didn't realize there were
> options for AdAware. I downloaded the plugin and have added it to my
> arsenal of files that I bring around to clients with me.
>
> I am concerned that the writers of these things are getting nastier.
> 99% of Malware used to be relatively simple to remove. Lately I've
> come across several (this VX2 / ABetterInternet was the worst) that took
> hours to trace and remove.
>
> Thanks again!
>
> Richard
>
> David H. Lipman wrote:
> > From: "RickMtl" <richard@compunetics.ca>
> >
> > | Hi Everyone,
> > |
> > | While I am new to google groups, I am a PC veteran with over 20 yrs
> > | experience. I've just come across the same 82k file in the ..system32
> > | folder. The symptoms are the same. The filename is random and can't
> > | be deleted unless you end the process that file starts. Once you use
> > | the task manager to kill the process, the 82k file renames itself and
> > | starts a new process.
> > |
> > | Note the file is always 82k and always in the system32 folder. The
> > | process too keeps renaming itself. The time stamp also changes
> > | randomly. This is the nastiest virus I've ever come across. I blew
> > | three hours trying to remove it. I ended up reformatting the C: drive
> > | (I always keep data on the D: partition)
> > |
> > | Other facts:
> > | - safe mode didn't help
> > | - the latest AdAware (1.06), Spybot (1.4) and Microsoft tools all
> > | detect it, but none can remove it, it always comes back
> > | - I tried disabling it in the startup control panel, no use, it comes
> > | back
> > | - I used several tools to 'delete on reboot', but it comes back
> > | - I even tried unplugging the A/C thinking it may rename itself on
> > | power down, still comes back
> > | - I checked the boot.ini and win.ini file, nothing
> > | - norton finds it but can't fix, quarantine or delete it
> > |
> > | It must have a sister process/virus working in tandem. I suspect it
> > | works something like:
> > | say you have trojan A and B, everything ID's it, but when you kill A,
> > | B recreates it as C, then when you delete B, C recreates it as D and
> > | the loop goes on.
> > |
> > | I've traced it to variants of VX2, abetterinternet, aurora and all
> > | research shows it is a bitch to remove.
> > |
> > | Even SAFE mode showed the expected 12 processes but I can't seem to
> > | trace the source of the reinfection.
> > |
> > | If anyone has more info, please email me directly
> > |
> > | Thanks
> > |
> > | Richard
> > | richard@compunetics.ca
> >
> > Start by downloading and using the Lavasoft VX2 plug-in for Ad-aware SE.
> >
This trojan is identified as several different names depending on what
program you're using, i.e.
AntiVir TR/Agent.AY.4.A
AVG Agent.AH
Avira TR/Agent.AY.4.A
BitDefender7.0 Trojan.Agent.AY
ClamAVdevel no virus found
DrWeb no virus found
eTrust-Iris Win32/BettInet.AN!Trojan
eTrust-Vet Win32.BettInet.AN
Fortinet W32/Agent.AY-tr
Ikarus no virus found
Kaspersky Trojan.Win32.Agent.ay
McAfee potentially unwanted program Downloader-KL
NOD32v2 Win32/Agent.AY
Norman no virus found
Panda Adware/Twain-Tech
Sybari Win32/BettInet.AN!Trojan
Symantec no virus found
TheHacker Trojan/Agent.ay
VBA32 Trojan.Win32.Agent.ay
If you want directions on removing this, follow this link and follow
the instructions - it works - I know because it took me two months to
find this doc and it took me maybe 20 minutes to remove the
trojan/virus.
____________________________________________________________
www.hauri.com.sg/html/support/virus_read.html?code=TRW3000730
____________________________________________________________
I feel Your Pain :x -Destination- Good Luck