Help with AGENT.NCO Trojan

Discussion in 'NOD32 version 2 Forum' started by nimrod_o, Oct 16, 2006.

Thread Status:
Not open for further replies.
  1. nimrod_o

    nimrod_o Registered Member

    Joined:
    Oct 16, 2006
    Posts:
    4
    Hi there, I seem to be infected with a trojan which I am unable to get rid of.
    I get this message popup on every application I try to start.
    But the file cannot be deleted or quarantined - I get the message that it is locked up.
    Additionally, the file AUX.YZR does not seem to exist in the specified folder even after unhiding "protected operating system files" in folder options.
    I have searched for this file on my computer and have not been able to find it.

    The only trace i could find for this was in the registry under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    Name: AppInts_Dlls
    Type: REG_SZ
    Data: \\?\C:\windows\system32\aux.yzr

    AUX.YZR seems to run before each application launch.

    Help really needed... what should I do? o_O

    Thanks in advance
    Nim

    http://www.putfile.com/pic.php?img=3715782
     

    Last edited by a moderator: Oct 16, 2006
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
  3. ASpace

    ASpace Guest

    Hello and Welcome to Wilders! :thumb:

    Pop-up, what is popping up, is it AMON?

    What is this file, does NOD32 tell you it is infected, too?

    Read Blackspear's tutorial here and configure your NOD32 as shown there.

    Boot into Safe Mode (learn how here).

    Go to Start -> Programs -> ESET -> NOD32
    Click on the "Profiles" tab and make sure you use the Control Center profile
    Mark your hard drives and push full Scan&Clean

    NOD will take care of everything. Restart after scanning has finished.

    Download Ewido Micro Scanner from here, run it and perform a full scan. Remove any infections found.

    If this couldn't help, you can use Avenger http://swandog46.geekstogo.com/avenger.zip
    Extract it into a newly created folder, run it, choose Input script manually
    Then choose the button with the lens, and write the following in the window that will appear

    Files to delete:
    <the full path to the infected file that should be deleted>
    where the second line should be the infected file that should be deleted
    Example:
    Files to delete:
    C:\Windows\system32\evilfileexample.com
    Be careful with Avenger while typing because you might accidentally delete something essential
     
    Last edited by a moderator: Oct 16, 2006
  4. nimrod_o

    nimrod_o Registered Member

    Joined:
    Oct 16, 2006
    Posts:
    4
    Thank you for the warm welcome.

    It is AMON popping up... I gave a link above to show a screen capture of it.
    http://www.putfile.com/pic.php?img=3715782

    No - this is just an entry in the registry I found... which might be related to the infected file.

    Already done these 3 steps... but NOD32 did not find the file or any other signs of this trojan while in safe mode.

    Still have not tried Avenger or Ewido. Will do.

    I find it strange that I cannot find the infected file but it runs just before the launch of each application. And NOD32 cannot delete, rename or copy it.

    Still need help
    Nims
     
  5. ASpace

    ASpace Guest

    Ok, I understood.
    Perform a full scan in Normal mode this time.

    Reboot and report the results.
    If you still have this infection, run Avenger, which should be able to eliminate that file.

    Avenger http://swandog46.geekstogo.com/avenger.zip
    Extract it into a newly created folder, run it, choose Input script manually
    Then choose the button with the lens, and write the following in the window that will appear

    Files to delete:
    C:\windows\system32\aux.yzr

    Be careful with Avenger while typing because you might accidentally delete something essential

    Restart
     
  6. nimrod_o

    nimrod_o Registered Member

    Joined:
    Oct 16, 2006
    Posts:
    4
    I have tried Ewido - nothing related to this.

    I tried Avenger.... seems to have worked! I am no longer getting the threat reported or logged.
    Thank you so much HiTech_boy! :rolleyes: :D

    I used the following script:
    Files to delete:
    C:\Windows\system32\AUX.YZR
    and it was run after reboot.
    I got the following in the black command box, which I do not understand (if you would like to clarify the text then I would be happy; link to screen capture):
    http://www.putfile.com/pic.php?img=3718217

    I also received this text in the Avenger log file (which seems to indicate everything was executed):


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\spfnqhid

    *******************

    Script file located at: \??\C:\windows\system32\bhqfcwn^.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\Windows\system32\AUX.YZR deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    Now I want to ask what I should do with the backup file of AUX.YZR in the Avenger folder? (By the way, it is still locked!!!)
    I would also like to say that Kaspersky never managed to detect this.... go NOD32!

    Again, thanks a lot :D
    Nims
     
  7. ASpace

    ASpace Guest


    Congratulations. It seems you successfully killed that trojan. ;) :thumb:

    This file, send it to support@eset.com or samples@eset.com with a link to this thread so that ESET can check it for further usage.

    After that you can delete it. Do you have AMON alerts telling you you are infected? What do you mean it is locked? Perform a full scan to be completely sure
    :thumb:
     
  8. nimrod_o

    nimrod_o Registered Member

    Joined:
    Oct 16, 2006
    Posts:
    4
    Thanks again. =)
    Locked - cannot be deleted or renamed or copied or even scanned, for that matter.
    No more AMON alerts! :D
     
  9. ASpace

    ASpace Guest

    You are most welcome!

    Yeah, I know, but I asked because it is very strange. It is locked, however AMON detects an infiltration in it, very strange in my opinion. Anyway, send it to the emails so that they (ESET) can look at it, just in case.

    That's good! :thumb:
     
  10. Romulo767

    Romulo767 Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    1
    Thank you for your advice, I removed the trojan on my PC using Avenger...
    But I may have an answer to one thing...
    AUX is a reserved device name, you can't name, rename or erase a file with that name, that's why the trojan uses it.
    I had that trojan, but its name on my PC was COM6.OCJ, another reserved name.
    COM AUX NULL PRN LPT are all reserved names, try to name a file COM1.TXT and see what happens...
    These names are reserved since the days of IBM-DOS...
    Greetings from Argentina
     
    Last edited: Oct 28, 2006
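The two technical points in this thread, the registry entry nimrod_o quoted in post 1 and Romulo767's explanation of reserved device names in post 10, can be combined into a small defensive audit. The following Python is an added example written for this thread; it is not code from the thread, from ESET, or from Avenger. The key the poster wrote as AppInts_Dlls is AppInit_DLLs: every DLL listed there is loaded by user32.dll into each process that links user32, which is exactly the "runs before each application launch" behaviour described. The script takes the registry value as a string (on Windows it could be read with the winreg module; here a value constructed from the thread's own entry, plus a hypothetical benign legit.dll, is embedded so it runs on any OS) and flags entries that use a reserved DOS device name, the extended-length prefix, or a file that is not a .dll. The reserved-name list is the full Windows set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9); the check applies to the stem before the first dot, which is why AUX.YZR and COM6.OCJ both hit.

```python
r"""Audit a Windows AppInit_DLLs value for the tricks seen in this thread.

AppInit_DLLs lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
Every DLL listed there is loaded by user32.dll into each process that links
user32, which is why the poster saw AUX.YZR "run before each application launch".
Added example (not from the thread, ESET or Avenger): the value is passed in as
a string so the logic runs on any OS; on Windows it could be read with winreg.
"""
import re
from typing import Dict, List, Tuple

# Names Windows reserves for DOS devices.  A file whose stem is one of these
# (AUX.YZR, COM6.OCJ) cannot be opened, renamed or deleted through an ordinary
# Win32 path, so Explorer and on-access scanners fail on it.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Prefixes that hand a path to the kernel without DOS-name parsing; this is how
# the trojan's own registry entry could still resolve to a reserved-name file.
EXTENDED_PREFIXES = ("\\\\?\\", "\\\\.\\")


def strip_extended_prefix(path: str) -> Tuple[str, bool]:
    """Return (path without an extended-length prefix, whether one was present)."""
    for prefix in EXTENDED_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):], True
    return path, False


def file_name(path: str) -> str:
    """Last component of a path, accepting either separator."""
    return re.split(r"[\\/]", path)[-1]


def is_reserved_device_name(name: str) -> bool:
    """True if the stem before the first dot is a reserved device name.

    Windows applies the rule to the stem only, so AUX.YZR is treated as AUX.
    """
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def parse_appinit_dlls(value: str) -> List[str]:
    """Split the REG_SZ value; Windows accepts comma- or space-separated entries."""
    return [entry for entry in re.split(r"[,\s]+", value.strip()) if entry]


def audit_appinit_dlls(value: str) -> List[Dict]:
    """Classify each entry and record why it looks suspicious, if it does."""
    findings = []
    for entry in parse_appinit_dlls(value):
        plain, had_prefix = strip_extended_prefix(entry)
        name = file_name(plain)
        reasons = []
        if had_prefix:
            reasons.append("extended-length prefix")
        if is_reserved_device_name(name):
            reasons.append("reserved device name")
        if not name.lower().endswith(".dll"):
            reasons.append("extension is not .dll")
        findings.append({"entry": entry, "file": name,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample value: the registry entry quoted in post 1, followed by a
# hypothetical benign entry (legit.dll is a placeholder) to show the contrast.
SAMPLE_VALUE = r"\\?\C:\windows\system32\aux.yzr C:\Windows\system32\legit.dll"

if __name__ == "__main__":
    for finding in audit_appinit_dlls(SAMPLE_VALUE):
        status = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f'{status:10} {finding["entry"]}  {", ".join(finding["reasons"])}')
```

Run as-is it prints one SUSPICIOUS line for the aux.yzr entry (all three reasons) and an ok line for the placeholder DLL. Paths containing spaces are split apart by the parser, which mirrors a real limitation of AppInit_DLLs: Microsoft's own guidance is to use short names there, so a space in the value is itself worth a look.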
  11. ASpace

    ASpace Guest

    Thanks for the information :)
     