fredzio

Cannot remove trojan backdoor.agent.gen


Hi, I tried removing it several times and this trojan just keeps reappearing, even though SAS says that it was successfully removed:

backdoor.agent.gen in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Tried to remove it manually from the registry, but it returns immediately. Tried to remove it in safe mode, but it just comes back after the scan and "removal".

I'm using Win XP SP2. Attached is a log created by DDS: dds.txt

Thank you in advance for your assistance.


Ran the DDS again, and the results are below:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20

Run by Spywriter at 13:53:26 on 2011-12-21

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1469 [GMT -5:00]

.

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\explorer.exe

svchost.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\AutoTask\AutoTask.exe

C:\WINDOWS\system32\ctfmon.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

uWinlogon: Shell=c:\documents and settings\spywriter\local settings\application data\1cf6efbe\X

BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe

mRun: [RecGuard] c:\windows\sminst\RecGuard.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"

mRun: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

mRun: [AutoTask] "c:\program files\autotask\AutoTask.exe" /STARTUP

mRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [backupSoft] "\BackupSoft.exe" /STARTUP

mRun: [nwiz] nwiz.exe /install

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm

IE: Download with IDM - c:\program files\internet download manager\IEExt.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1311873600413

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\spywriter\application data\mozilla\firefox\profiles\4qd8k0ov.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/

FF - component: c:\documents and settings\spywriter\application data\mozilla\firefox\profiles\4qd8k0ov.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\imtcp_xpcom.dll

FF - component: c:\documents and settings\spywriter\application data\mozilla\firefox\profiles\4qd8k0ov.default\extensions\mozilla_cc@internetdownloadmanager.com\components\idmmzcc.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

.

---- FIREFOX POLICIES ----

FF - user.js: capability.policy.policynames - allowclipboard

FF - user.js: capability.policy.allowclipboard.sites - hxxp://www.spywriter.com

FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess

FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess

============= SERVICES / DRIVERS ===============

.

R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2011-9-8 101616]

R1 SASDIFSV;SASDIFSV;c:\docume~1\spywri~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\docume~1\spywri~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-10-4 185968]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-10-4 177776]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-12-16 106104]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111216.002\naveng.sys [2011-12-16 86136]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111216.002\navex15.sys [2011-12-16 1576312]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-11-15 1756912]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-10-4 83568]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-10-1 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-10-1 8320]

S3 REFILERW;REFILERW;c:\windows\system32\drivers\REFILERW.SYS [2010-8-21 4224]

S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2008-8-22 550272]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-11-15 169200]

.

=============== Created Last 30 ================

.

2011-12-21 18:01:32 0 ----a-w- c:\documents and settings\spywriter\ntuser.tmp

2011-12-20 18:12:28 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-12-20 16:24:41 -------- d-sh--w- c:\documents and settings\spywriter\local settings\application data\1cf6efbe

2011-12-09 00:17:24 -------- d-----w- c:\documents and settings\spywriter\local settings\application data\Thinstall

2011-11-26 00:21:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

==================== Find3M ====================

.

2011-12-21 17:18:59 53248 ----a-w- c:\windows\system32\MsPMSPSv.exe

2011-12-21 02:46:56 143427 ----a-w- c:\windows\system32\nvsvc32.exe

.

============= FINISH: 13:54:12.98 ===============
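The `uWinlogon: Shell=` line in the Pseudo HJT section above is the persistence the first post describes: a per-user Winlogon Shell pointing into a hidden folder under Local Settings\Application Data, so the replacement shell is launched at every logon and can re-create itself after a scan. As an added example (not part of the thread, and not a SUPERAntiSpyware or DDS tool), the Python below parses Winlogon lines from a constructed DDS excerpt and flags any Shell or Userinit value that is not the Windows XP default; the `SAMPLE_DDS` text and the default-value table are assumptions written for this example.

```python
"""Flag suspicious Winlogon Shell/Userinit entries in a DDS 'Pseudo HJT Report'."""
import re

# Constructed sample in DDS format; the hijacked Shell value mirrors the one in the log above.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3
uWinlogon: Shell=c:\\documents and settings\\spywriter\\local settings\\application data\\1cf6efbe\\X
mWinlogon: Shell=explorer.exe
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
"""

# Assumed Windows XP defaults for the two Winlogon values a shell hijack usually touches.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {"c:\\windows\\system32\\userinit.exe,", "userinit.exe,"},
}

# DDS prefixes HKCU entries with 'u' and HKLM entries with 'm'.
LINE_RE = re.compile(r"^([um])Winlogon:\s*(\w+)=(.*)$", re.IGNORECASE)


def parse_winlogon(log_text):
    """Return (hive, value_name, data) tuples for every Winlogon line in the DDS text."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hive = "HKCU" if m.group(1).lower() == "u" else "HKLM"
            entries.append((hive, m.group(2).lower(), m.group(3).strip()))
    return entries


def suspicious_winlogon(log_text):
    """Return (hive, value_name, data, reason) for Winlogon entries that need a look.

    A clean XP profile has no HKCU Shell value at all, so its mere presence is flagged;
    HKLM values are flagged only when they differ from the assumed defaults.
    """
    findings = []
    for hive, name, data in parse_winlogon(log_text):
        if name not in WINLOGON_DEFAULTS:
            continue
        if hive == "HKCU" and name == "shell":
            findings.append((hive, name, data, "per-user Shell override"))
        elif data.lower() not in WINLOGON_DEFAULTS[name]:
            findings.append((hive, name, data, "non-default value"))
    return findings
```

Run it over a full DDS log instead of `SAMPLE_DDS` to get the same triage list; a finding pointing into a user-profile directory, as here, is the case to investigate first.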


Thank you for taking the time to help me. I've signed up at the URL provided and included the following description / recap:

Norton AV alerted me to the existence of a virus present on my system.

SAS discovered (but could not remove):

backdoor.agent.gen in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Tried to remove it several times to no avail - it just reappears.

Norton AV got corrupted: real-time scan does not work, and virus defs are gone and cannot be installed.

So, in safe mode I went to the registry and changed the value of the above Shell string to: No Way Hackers

Ran a scan and the above virus did not show again, but two others appeared in System Restore files. So, I stopped the System Restore process (which, I assume, cleared restore points), and then restarted it.

Ran another scan and found the following virus:

Rootkit.0Access in C:\Windows\Assembly\Gac_Msil\Desktop.ini

It does not go away using any of the available malware / spyware software. In fact, SAS does not detect it anymore, but it is found using another malware prog.

Hopefully you can help me remove it! I appreciate your help!


A quick update for everyone who might be following this: experts from SAS responded quickly and prompted me to download a diagnostic tool. While the tool was running Windows downloaded some updates, in the background, and began installing them / restarting the computer. At first notice I see that Norton AV came back alive (yay!), and is working again. The Win updates are still going: downloading / restarting, so I can't post much more on the virus, but am hopeful that things are looking up. Will keep you updated.
