Hidden File Csxya.exe, Downloader.Agent.UJ, Trojan.Small.FB

Discussion in 'malware problems & news' started by saweetnesstrev, Oct 8, 2006.

Thread Status:
Not open for further replies.
  1. saweetnesstrev

    saweetnesstrev Registered Member

    Joined:
    Oct 8, 2006
    Posts:
    5
    First: How do I get rid of this hidden file?

    10/08/06 11:49:49 [Info]: BlackLight Engine 1.0.47 initialized
    10/08/06 11:49:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    10/08/06 11:49:49 [Note]: 7019 4
    10/08/06 11:49:49 [Note]: 7005 0
    10/08/06 11:49:54 [Note]: 7006 0
    10/08/06 11:49:54 [Note]: 7011 1752
    10/08/06 11:49:54 [Note]: 7026 0
    10/08/06 11:49:54 [Note]: 7026 0
    10/08/06 11:49:58 [Note]: FSRAW library version 1.7.1020
    10/08/06 11:52:26 [Info]: Hidden file: c:\WINDOWS\system32\csxya.exe
    10/08/06 11:52:26 [Note]: 7002 32
    10/08/06 11:52:26 [Note]: 7003 1
    10/08/06 11:52:26 [Note]: 10002 1
    10/08/06 11:53:44 [Note]: 7007 0

    Second: Why didn't NOD32 pick up Downloader.Agent.UJ and Trojan.Small.FB, but AVG/EWIDO spyware did?

    UPDATE: Can't delete Downloader.Agent.UJ from EWIDO/AVG; it says 12 infected objects. I quarantined it and ran a scan again and it's still there.
     
    Last edited: Oct 8, 2006
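Added example (not from the post, and not F-Secure's own code): a small Python parser for the BlackLight log format pasted above. It pulls out the engine version, the OS line and every "Hidden file" finding, then flags hidden executables under Windows system directories as the ones to quarantine with a rootkit-aware tool rather than delete by hand. The log text is the one from the post; the priority rule is my own assumption.

```python
import re
from typing import Dict, List

# BlackLight log excerpt as pasted in the post above (not constructed).
BLACKLIGHT_LOG = """
10/08/06 11:49:49 [Info]: BlackLight Engine 1.0.47 initialized
10/08/06 11:49:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/08/06 11:49:49 [Note]: 7019 4
10/08/06 11:49:58 [Note]: FSRAW library version 1.7.1020
10/08/06 11:52:26 [Info]: Hidden file: c:\\WINDOWS\\system32\\csxya.exe
10/08/06 11:52:26 [Note]: 7002 32
10/08/06 11:53:44 [Note]: 7007 0
"""

# "MM/DD/YY HH:MM:SS [Level]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\]: (?P<msg>.*)$"
)
HIDDEN_PREFIX = "Hidden file: "
# Assumed directories where a hidden executable is most suspicious.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")


def parse_blacklight_log(text: str) -> Dict[str, object]:
    """Return engine/OS metadata plus each hidden-file finding with its timestamp."""
    result: Dict[str, object] = {"engine": None, "os": None, "hidden_files": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)  # keep anything we did not understand
            continue
        msg = m.group("msg")
        if msg.startswith("BlackLight Engine "):
            result["engine"] = msg.split()[2]
        elif msg.startswith("OS: "):
            result["os"] = msg[len("OS: "):]
        elif msg.startswith(HIDDEN_PREFIX):
            result["hidden_files"].append({"time": m.group("ts"), "path": msg[len(HIDDEN_PREFIX):]})
    return result


def triage(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Mark hidden .exe/.dll/.sys files under a system directory as high priority."""
    ranked = []
    for f in findings:
        path = f["path"].lower()
        in_sysdir = any(path.startswith(d) for d in SYSTEM_DIRS)
        is_exec = path.endswith((".exe", ".dll", ".sys"))
        ranked.append({**f, "priority": "high" if in_sysdir and is_exec else "review"})
    return ranked
```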
  2. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
  3. saweetnesstrev

    saweetnesstrev Registered Member

    Joined:
    Oct 8, 2006
    Posts:
    5
    That file is still hidden. Gonna try Spyware Terminator and then safe mode, and try AVG and NOD32 again.
     
  4. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Ewido/AVG can't delete that rootkit, but they have a free tool to download that can:
    This thread may help:
    https://www.wilderssecurity.com/showthread.php?t=148920
    and removal tool: http://fileserver.ewido.net/public.cgi?id=20844


    You may want to post a Hijackthis log here: http://www.castlecops.com/forums.html or at another security forum for help, as I think (someone correct me if I'm wrong) that Downloader.Agent.uj is related to the ruins rootkit, and you may need to run fixwareout and correct entries with Hijackthis to completely fix the changes this has made.
     
    Last edited: Oct 8, 2006
  5. saweetnesstrev

    saweetnesstrev Registered Member

    Joined:
    Oct 8, 2006
    Posts:
    5
    Yeah, I had some ruins and TCPIP entries in my HijackThis log and I deleted those, and I'm all clean on that part. Gonna find out what fixwareout is, though.

    P.S. Found fixwareout and am using it now.
     
  6. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    Make sure you know what you're doing if you're going to run it; that's why I suggested it might be an idea to post in a forum where experts will analyse your logs and tell you exactly what you need to fix.
     
  7. saweetnesstrev

    saweetnesstrev Registered Member

    Joined:
    Oct 8, 2006
    Posts:
    5
    Yeah, I had 10 years of computer experience or more, and I've used HijackThis numerous times; I know what's normal and what's not, and I know how to use the backup feature. I thank you for your advice.

    Spyware Terminator found Sirius.Anhilator.272 in C:\windows\system32\ActiveScan\pskavs.dll

    Kinda funny how different virus, spyware, etc. programs find different things.

    P.S. Gonna post in CastleCops now and I'll let you guys know how it's going.
     
    Last edited: Oct 8, 2006
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That has to be a false positive. I take it you have used Panda ActiveScan?
    That's where that file belongs.

    Also have a look here:
    https://www.wilderssecurity.com/showthread.php?t=148920

    Regards,

    Pieter
     
  9. saweetnesstrev

    saweetnesstrev Registered Member

    Joined:
    Oct 8, 2006
    Posts:
    5
    Yep, false positive, thanks.
     