Help with AGENT.NCO Trojan

Hi there i seem to be infected with a trojan which i am unable to get rid of.
I get this message popup on every application i try to start.
But the file cannot be deleted or quarantined - i get the message that it is lock up.
Additionaly the file AUX.YZR does not seem to exist in the specified folder even after unhiding "protected operating system files" in folders option.
I have searched for this file on my computer and have not been able to find it.

The only trace i could find for this was in the registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Name: AppInts_Dlls
Type: REG_SZ
Data: \\?\C:\windows\system32\aux.yzr

AUX.YZR seems to run before each applicaton launch.

Help really needed...what should i do?

Thanks in advance
Nim

http://www.putfile.com/pic.php?img=3715782

 

1. Make sure you have NOD32 configured as in Blackspear's guide. And save the profile.
2. Restart your pc in safe mode.
3. Run the scan (with the profile that you created earlier).

 

Hello and Welcome to Wilders !

Pop-up , what is poping up , is it AMON ?

What is this file , does NOD32 tell you it is infected , too ?

Read Blackspear's tutorial here and configure your NOD32 as shown there .

Boot into Safe Mode (learn how here )

Goto Start -> Programs -> ESET -> NOD32
Click on "Profiles" tab and make sure you use Control Center profile
Mark your hard drives and push full Scan&Clean

NOD will take care of everything . Restart after finished scanning .

Download Ewido Micro Scanner from here , run it and perform full scan . Remove if any infections found .

If this couldn't help , you can use Avenger http://swandog46.geekstogo.com/avenger.zip
Extract it into a newly created folder , run it , choose Input script manually
Then choose the button with the lens , Write the following in the window that will appear

Files to delete:the full path to the infected file that should be deleted
where the one in red should be infected file that should be deleted
Example :
Files to delete:
C:\Windows\system32\evilfileexample.com
Be careful with Avenger while typing because you might accidentically delete something essential

 

Thank you for the warm welocom.

It is Amon Poping up...i gave a link above to show a screen capture of it.
http://www.putfile.com/pic.php?img=3715782

No - this is just an entery in the registry i found...which might be related to the infected file.

Already done these 3 steps...but NOD32 did not find the file or any other signs of this trojan while in safe mode.

Still have not tried Avenger or Ewido. Will do.

I find it strange that i cannot find the file infected but it runs just before the launch of each application. And NOD32 cannot delete rename or copy it.

Still need help
Nims

 

Ok , I understood .
Perform full scan in Normal mode this time.

Reboot and report the results .
If you still have this infection , run Avenger which should be able to eliminate that file .

Avenger http://swandog46.geekstogo.com/avenger.zip
Extract it into a newly created folder , run it , choose Input script manually
Then choose the button with the lens , Write the following in the window that will appear

Files to delete:
C:\windows\system32\aux.yzr
Be careful with Avenger while typing because you might accidentically delete something essential

Restart

 

I have tried EWIDO - nothing related to this.

I tried Avenger....seems to have work! I am no longer getting the threat reported or logged.
Thank you so much HiTech_boy!

I used the following script:
Files to delete:
C:\Windows\system32\AUX.YZR
and it was run after reboot.
I got the following in the blck command box which i do not understand (if you would like to clarify the text the i would be happy. link to screen capture)
http://www.putfile.com/pic.php?img=3718217

I also recieved this text on the avenger log file (which seems to indicate everything was excuted):


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\spfnqhid

*******************

Script file located at: \??\C:\windows\system32\bhqfcwn^.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Windows\system32\AUX.YZR deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Now I want to ask what i should do with the backupfile of AUX.YZR in the Avenger folder? (By the way it is still locked!!!)
I would also like to say that Kaspersky never managed to detect this....go NOD32!

Again thanks alot
Nims

 

Congratulations . It seems you successfully killed that trojan .

This file , send it to support@eset.com or samples@eset.com with a link to this thread so that ESET can check it for further usage .

After that you can delete it . Do you have AMON alerts telling you you are infected ? What do you mean it is locked ? Perform full scan for maximum sure

 

Thanks again. =)
Locked- cannot be deleted or renamed or copied or even scanned for that matter.
No More Amon alerts!

 

You are most welcome !

Yeah , I know , but asked because it is very strange . It is locked however AMON detects an infiltration in it , very strange in my opinion . Anyway , send it to the emails so that they (ESET) can look at it , just in case .

That's good !

 

Thank you for your advice, I removed the trojan in my PC using Avenger...
But I may have an answer to one thing...
AUX is a reserved device name, you can´t name, rename or erase a file with that name, that´s why the trojan uses it.
I had that trojan, but it´s name in my PC was COM6.OCJ, another reserved name.
COM AUX NULL PRN LPT are all reserved names, try to name a file COM1.TXT and see what happens...
These names are reserved since the days of IBM-DOS...
Greetings fron Argentina

 

Thanks for the information