Hidden File Csxya.exe, Downloader.Agent.UJ, Trojan.Small.FB

First: How do i get rid of this hidden file?

10/08/06 11:49:49 [Info]: BlackLight Engine 1.0.47 initialized
10/08/06 11:49:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/08/06 11:49:49 [Note]: 7019 4
10/08/06 11:49:49 [Note]: 7005 0
10/08/06 11:49:54 [Note]: 7006 0
10/08/06 11:49:54 [Note]: 7011 1752
10/08/06 11:49:54 [Note]: 7026 0
10/08/06 11:49:54 [Note]: 7026 0
10/08/06 11:49:58 [Note]: FSRAW library version 1.7.1020
10/08/06 11:52:26 [Info]: Hidden file: c:\WINDOWS\system32\csxya.exe
10/08/06 11:52:26 [Note]: 7002 32
10/08/06 11:52:26 [Note]: 7003 1
10/08/06 11:52:26 [Note]: 10002 1
10/08/06 11:53:44 [Note]: 7007 0

Second: Why didnt NOD32 pick up Downloader.Agent.UJ and Trojan.Small.FB but AVG/EWIDO spyware did?



UPDATE: Cant Delete Downloader.Agent.UJ from EWIDO/AVG ,, says 12 infected objects. I quaratine iit and ran a scan again and it still there..

 

Have you tried restarting your PC in safe mode and doing a scan (with either AVG or NOD32)?

Also, try to set your Windows Explorer to show hidden files, and if you do find the infected files, please upload them to either Jotti's malware scan, VirusTotal and/or Virus.Org.

EDIT: Since it seems you have a rootkit, it may be worth trying other rootkit scanners also (like f.ex. Sophos Anti-Rootkit tool).

 

That File is still hidden gonna try spware terminator and then safe mode, try AVG and NOD32 again

 

Ewido/AVG can't delete that rootkit, but they have a tool free to download that can:
This thread may help:
https://www.wilderssecurity.com/showthread.php?t=148920
and removal tool: http://fileserver.ewido.net/public.cgi?id=20844


You may want to post a Hijackthis log here: http://www.castlecops.com/forums.html or at another security forum for help, as I think (someone correct me if I'm wrong) that Downloader.Agent.uj is related to the ruins rootkit, and you may need to run fixwareout and correct entries with Hijackthis to completely fix the changes this has made.

 

Yeah i had some ruins and TCPIP entries in my hijack this and i deleted those and im all clean on that part,, gonna find out whats fixwareout tho.

P.S. found fixwareout and using it now..

 

Make sure you know what you're doing if you're going to run it, that's why I suggested it might be an idea to post in a forum where experts will analyse your logs and tell you exactly what you need to fix.

 

Yeah, i had 10 years of computer experience or more, and i used hijackthis numerous times and i know whats normal and whats now and i know how to use the backup feature. I thank for your advice..

Spyware Terminator found Sirius.Anhilator.272 ,, C:\windows\system32\ActiveScan\pskavs.dll

Kinda funny different virus, spyware, ect.. programs find different things.

P.S. gonna post in castlecops now and i let you guys know hows it going.

 

That has to be a false positive. I take it you have used Panda ActiveScan
That's where that file belongs to.

Also have a look here:
https://www.wilderssecurity.com/showthread.php?t=148920

Regards,

Pieter

 

yep false postive, thanks.