Over from SWI

Discussion in 'NOD32 version 2 Forum' started by PaulSWI, Jun 4, 2004.

Thread Status:
Not open for further replies.
  1. PaulSWI

    PaulSWI Guest

    Nod is giving me a Win32/Agent.AC trojan found on C:\windows\System32\ctlgm.dll

    is this a false positive or what ?
     
  2. PaulSWI

    PaulSWI Guest

  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    PaulSWI

    It is listed in NOD's definitions.

    NOD32 - v.1.767 (20040518) -- May 18th
    Virus signature database updates:
    IRC/SdBot.ARP, IRC/SdBot.ARQ, IRC/SdBot.ARR, VirTool.DOS.VLoader, Win32/Agent.AC, Win32/IRCBot.KG, Win32/Protoride.O, Win32/StartPage.GO, Win32/TrojanDownloader.IstBar.EO, Win32/TrojanDropper.Delf.NAA
     
  4. PaulSWI

    PaulSWI Guest

    Thank you, I have already seen that, but can't seem to clean it.

    Any suggestions ?
     
  5. PaulSWI

    PaulSWI Guest

    if you want to go IRC, I'm on irc.dixiesys.net 6667 #privacy.
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    What operating system are you using? XP?

    The infected files are still restoring themselves. What to do?

    You are most probably using one of the later operating systems - Windows ME or Windows XP - on your machine. These systems by default use the option for restoring the system files, which the system automatically backs up to the directory "_restore" on the system disk (normally the directory "C:\_restore"). This way it is possible that the infected files join the backed-up files and become "undeletable".

    Solution

    The process depends on the operating system:

    Windows ME

    1. Right click on the "My Computer" icon on the Windows desktop and click "Properties"
    2. Click on "Performance">"File system"
    3. Click "Troubleshooting"
    4. Check "Disable system restore"
    5. Click on OK, Close and restart the system

    Note: It is recommended to return to the standard behaviour of the system after the removal of the infected files - by unchecking the "Disable system restore"

    Windows XP

    1. Right click on the "My Computer" icon on the Windows desktop and click "Properties"
    2. Click on the "System Restore"
    3. Check "Turn off System Restore on all Drives"
    4. Click OK, Close and restart the system

    Note: It is recommended to return to the standard behaviour of the system after removal of the infected files - by unchecking the "Disable system restore"
     
  7. PaulSWI

    PaulSWI Guest

    FYI

    I am used to "Cleaning" Machines, and have done most of this machine already.

    there is much more info in the link I posted, not just Hijack logs, but a written history of the problem.

    So system restore is already turned off for example.

    tyvm again...

    Paul.
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    Apologies. Looks like it is hard to get rid of. One of the Eset moderators will be along soon and can offer better suggestions.

    Did you try renaming that .dll by any chance?

    Link:http://www.computing.net/security/wwwboard/forum/11851.html
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Are you able to scan that drive by "Slaving" it off a clean virus free PC?

    This solution works really well.

    Hope this helps...

    Cheers :D
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    Blackspear

    Good to see you back on the job! Getting any sleep these days? :D
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    LOL, well not really, my partner has just gone off to work so she can do a little overtime, it's 6.15am here in the land of Oz, so I'm going to head back to bed for another couple of hours :D

    Cheers :D
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    In addition to my above suggestion that we use, yesterday we tried for the first time a Bart's PE boot CD with Nod installed, it worked like a charm :D

    More on Bart's PE in this thread:

    https://www.wilderssecurity.com/showthread.php?t=33765

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  13. PaulSWI

    PaulSWI Guest

    Ok, here goes a few replies in one.

    1. Can't "slave" the drive off, in a laptop.

    2. I have a bootable Bart's PE disk already (Great Tool !) but don't know how to use plugins, read your links, however a little detailed instruction on using a plugin would be both gratefully accepted and a great time saver...:)

    3. I don't know if it is clear, but the nod scan under safe mode returns the system all clean, rather than not being able to remove the file.
    The file is created during normal boot up.
    What is doing this I don't know, but IT is not being detected by anything !

    bed time now...

    cya in 4 hours or so.

    thnx for all the help btw peoples :)
     
  14. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since the trojan changes the rights of its files, you may not see it on a disk with the NTFS file system, and it also hides itself from the list of running processes. Please drop an email to support@nod32.com for removal instructions.
     
  16. PaulSWI

    PaulSWI Guest

    Oh, forgot to post, have emailed as suggested.
     
  17. cdeller

    cdeller Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    2
    Have the same problem as Paul on win32/agent.ac trojan. Need help!

    Thanks

    Clete
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Please follow Marcos' advice as posted above.

    regards.

    paul
     
  19. arrowsmithmidwest

    arrowsmithmidwest Registered Member

    Joined:
    May 12, 2004
    Posts:
    165
    Location:
    Midwest
    Yeah, that is what I always do, put the hard drive in a designated virus scanner PC, scan it with /AH and clean it that way.

    But because I clean on average a couple of PCs with viruses every day, I don't have days to figure out ways to clean, so if I can't clean I often delete; if it is part of a system file or something I will repair/replace the Windows system files, or whatever other program the virus attached to. It is quicker and works fine in the end.
     
  20. cdeller

    cdeller Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    2
    I tried Marcos' solution, but did not find the "="path_to-Trojan" language, so I re-exported the Windows registry file as detailed in step 6 and rebooted. No improvement.

    I also downloaded a demo copy of PC-cillin to check to see if it found the trojan too, and sure enough, I got a message telling me that I have a trojan AC in "system32\kdbpfng.dll".

    I am open for any ideas out there - right now I either have the trojan and need help getting rid of it, or I am getting false positives in NOD32, which are also very frustrating.

    This has been going on now for about a week, so I am looking for a genius to help solve this! I am happy to delete files as long as I have clear directions for how to rebuild them. If I knew how to rebuild the operating system, I might be inclined to wipe everything out and start over. My knowledge is somewhat limited, so I am reluctant to take any major steps if I don't have to. Are there any other products that can help me solve this?

    I appreciate any help that I can get. This one is a real mystery!

    Clete
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi Clete,
    I suggest you drop an email to support@nod32.com along with the exported registry file as well as information about the operating system and file system you use (FAT32 or NTFS).
     
  22. Golfer

    Golfer Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    3
    I just came across the same infection. Nod32 detected the virus but couldn't do anything about it. I spent some time on this.

    The file infected on the machine I was working on was kbdnn.dll. I searched the registry and found a key that was used in invoking it.

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\WINDOWS\AppInit_DLL

    I couldn't delete the key without it generating back so I had to rename the windows folder to windows2. I then deleted the key and renamed the folder back to windows. The key no longer came back.

    Now the file was still there and was unable to be deleted. The file permissions were messed up. I had to take ownership of the file, add myself to the permission list & give myself full control. I then removed the read-only attribute and deleted the file. Upon reboot, the virus seemed to be history.

    Please note:
    1) You must turn off the system restore feature otherwise your work will
    have been in vain.

    2) You can recreate the registry key after you're done, but I didn't find anything on the internet that suggested that it was useful; in fact it seemed to be a key that viruses like to piggyback on.

    Hope this helps...
     
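The manual procedure Golfer describes above (find the DLL referenced from AppInit_DLLs, take ownership, fix the permissions, clear the read-only attribute, delete the file, and do it with System Restore off) can be scripted. The following is an added example written for this page, not a procedure from ESET, NOD32 or anyone in the thread. It reads the value Windows actually consults, AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, reports on every DLL listed there (existence including hidden files, attributes, owner, Authenticode status, which processes have it mapped), and removes a single named entry while leaving any others in place. Assumptions, all hypothetical: the file name kbdnn.dll is a placeholder; an elevated Windows PowerShell 3.0 or later prompt; the takeown and icacls tools, which exist on Vista and later (on the XP machines in this thread the equivalent is cacls and the Security tab).

```powershell
# Added example, not from the thread. Triage and removal of a DLL persisted
# through AppInit_DLLs, the mechanism Golfer describes above.
# Requires an elevated prompt and Windows PowerShell 3.0 or later.
# Assumptions (hypothetical): the DLL name 'kbdnn.dll'; takeown.exe and
# icacls.exe (Vista and later; on XP use cacls and the Security tab).

$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDlls {
    # AppInit_DLLs is a space- or comma-separated list; bare names resolve
    # relative to System32. Returns the entries as full paths.
    $raw = (Get-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' `
            -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    $raw -split '[ ,]+' | Where-Object { $_ } | ForEach-Object {
        if ([System.IO.Path]::IsPathRooted($_)) { $_ }
        else { Join-Path $env:SystemRoot ('System32\' + $_) }
    }
}

function Get-AppInitDllReport {
    # One row per listed DLL. An unsigned, hidden, read-only DLL with an
    # unexpected owner that is mapped into most running processes is the
    # pattern the thread describes (the file "hides" and cannot be deleted).
    foreach ($dll in Get-AppInitDlls) {
        # -Force makes Get-Item return hidden and system files too
        $item   = Get-Item -LiteralPath $dll -Force -ErrorAction SilentlyContinue
        $attrs  = ''; $owner = ''; $sig = ''; $loaded = @()
        if ($item) {
            $attrs  = $item.Attributes.ToString()
            $owner  = (Get-Acl -LiteralPath $dll).Owner
            $sig    = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            # Module lists of protected or cross-bitness processes throw; treat
            # those as "not seen" rather than aborting the report.
            $loaded = Get-Process | Where-Object {
                try { $_.Modules.FileName -contains $dll } catch { $false }
            } | Select-Object -ExpandProperty Name -Unique
        }
        [pscustomobject]@{
            Path       = $dll
            Exists     = [bool]$item
            Attributes = $attrs
            Owner      = $owner
            Signature  = $sig
            LoadedBy   = (@($loaded) -join ',')
        }
    }
}

function Remove-AppInitDll {
    # Drops one DLL from the list and deletes the file, keeping other entries.
    # Order matters: clear the registry reference first so the DLL is not
    # injected into processes started during cleanup, then regain control of
    # the file (ownership, ACL, attributes) and delete it. If something
    # re-creates the value or the file on a normal boot, as in this thread,
    # run this from Safe Mode or after an offline (BartPE) scan instead.
    param([Parameter(Mandatory = $true)][string]$DllPath)

    $remaining = @(Get-AppInitDlls | Where-Object { $_ -ne $DllPath })
    Set-ItemProperty -Path $AppInitKey -Name 'AppInit_DLLs' -Value ($remaining -join ' ')

    if (Test-Path -LiteralPath $DllPath) {
        & takeown.exe /F $DllPath | Out-Null                      # become the owner
        & icacls.exe $DllPath /grant '*S-1-5-32-544:F' | Out-Null # Administrators: full control
        & attrib.exe -R -H -S $DllPath                            # clear read-only/hidden/system
        Remove-Item -LiteralPath $DllPath -Force
    }
    return -not (Test-Path -LiteralPath $DllPath)
}

# Usage: review first, remove only the entry you have identified.
Get-AppInitDllReport | Format-Table -AutoSize
# Remove-AppInitDll -DllPath (Join-Path $env:SystemRoot 'System32\kbdnn.dll')
```

Two points worth keeping in mind with this script. The report is the useful part on a machine like PaulSWI's, where the file is recreated at every normal boot by something no scanner flags: the LoadedBy column shows the DLL mapped into processes that have no business loading it, and Owner and Attributes show the permission tampering Marcos mentions, which is the real evidence even when the file itself looks clean to the scanner. And the removal step only sticks if whatever restores the file is not running, so the thread's prerequisites still apply: boot to Safe Mode or scan offline, and turn System Restore off beforehand (on Windows 7 and later that is `Disable-ComputerRestore -Drive 'C:\'`; on XP it is the System Restore tab ronjor quotes above), then turn it back on once the machine is clean.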