Trojan.Agent.vp found

Discussion in 'ewido anti-spyware forum' started by dlg, Jul 13, 2006.

Thread Status:
Not open for further replies.
  1. dlg

    dlg Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    5
    Hi,
    I'm using the trial version of ewido.

    I attach the report with one trojan found: C:\WINDOWS\system32:lqaa.dll -> Trojan.Agent.vp : Cleaned.

    If I do a new scan I find again the same trojan that infects always the same file.
    Why? o_O

    I've tried to find the file lqaa.dll in the folder system32 but I didn't succeed!!! Where is it? o_O
    Please, help me......I don't know what else to do..........o_O o_O o_O

    Thanks to the people who will want to help me

    Bye bye
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Try to disable system restore:

    IMPORTANT NOTES:
    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:

    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.


    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK, reboot into safemode and do a scan, delete what you find.

    Safemode:

    Windows XP

    If Windows XP is the only operating system installed on your computer, boot into Safe Mode with these instructions.
    If the computer is running, shut down Windows, and then turn off the power
    Wait 30 seconds, and then turn the computer on.
    Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    Ensure that the Safe mode option is selected.
    Press Enter. The computer then begins to start in Safe mode.
    When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

    To use the System Configuration Utility method
    Close all open programs.
    Click Start, Run and type MSCONFIG in the box and click OK
    The System Configuration Utility appears. On the BOOT.INI tab, check the "/SAFEBOOT" option, and then click OK and restart your computer when prompted.
    The computer restarts in Safe mode.
    Perform the troubleshooting steps for which you are using Safe Mode.
    When you are finished with troubleshooting in Safe mode, open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer.
     
  3. dlg

    dlg Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    5
    Thanks,
    but I've already done what you told me and nothing!!!

    I made a scan with ewido in safe mode and the trojan is always there!!!

    o_O o_O o_O o_O o_O o_O o_O
     
  4. dlg

    dlg Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    5
    C:\WINDOWS\system32:lqaa.dll


    Do you know what this dll file is? o_O
     
  5. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    This file is hiding inside an NTFS Alternate Data Stream... You could try the NTFS ADS tool included in HijackThis...
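    As an added example (not from this thread, ewido or HijackThis), here is a PowerShell script that lists named NTFS streams attached to a directory and to the files under it, which is exactly the hiding place described above (a stream named lqaa.dll on the system32 directory itself), and then removes one. It assumes PowerShell 7.2 or later, since earlier versions only handle streams on files, not directories; the function names, the "Suspicious" heuristic and the demo folder are my own.

```powershell
# Added example, not part of the original thread. Needs PowerShell 7.2+
# (assumption: that is the first version whose -Stream parameter works on directories).

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # The directory object itself can carry named streams, so inspect it first,
    # then everything beneath it (subdirectories included, for the same reason).
    $items = @(Get-Item -LiteralPath $Path -Force)
    $items += Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        # ':$DATA' is the unnamed default stream of a file; anything else is an ADS.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Container  = $item.FullName
                    Stream     = $_.Stream
                    Length     = $_.Length
                    # Heuristic (mine): an executable-looking stream name on a folder is the red flag here.
                    Suspicious = ($_.Stream -match '\.(dll|exe|scr|sys)$')
                }
            }
    }
}

function Remove-AlternateDataStream {
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $Stream)
    # Deletes only the named stream; the host file or directory is left in place.
    Remove-Item -LiteralPath $Path -Stream $Stream
}

# Constructed demo: plant a harmless text stream on a temp folder the way the
# trojan was planted on system32, detect it, then clean it up.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
# cmd's redirection can write to "folder:stream"; --% passes the rest verbatim.
cmd /c --% echo constructed sample, not a real binary > "%TEMP%\ads-demo:sample.dll"

Find-AlternateDataStream -Path $demo -Recurse | Format-Table -AutoSize
Remove-AlternateDataStream -Path $demo -Stream 'sample.dll'
Remove-Item -LiteralPath $demo -Recurse -Force
```

    Run it against the real folder with `Find-AlternateDataStream -Path "$env:windir\System32"` from an elevated prompt; a scanner that reports a stream as cleaned but finds it again on the next pass, as in the first post, is worth checking this way.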
     
  6. dlg

    dlg Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    5
    I don't know HijackThis very well.
    Please, could you explain the use of its NTFS ADS tool?
    Where can I find it?

    Bye
     
  7. dlg

    dlg Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    5
    It's ok,
    I've found what you told me and it works!!!
    I deleted the infected files!!!
    Thank you very much
     
  8. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    I'm glad it worked (but also wondering why ewido failed to delete the file :))... Sorry for being so imprecise but I was a bit in a rush :(
     