Where does Trojan-downloader.win32.Agent.bkd start up?

Posted by ToddAndMargo on June 17, 2007, 9:33 pm
Hi All,

I was at a customer site who was infected with
what Kaspersky calls: Trojan-downloader.win32.Agent.bkd.
Kaspersky had no trouble removing it.

Before I let Kaspersky do its thing, I looked through
the registry for the DLL's (eeuydc.dll) start point.
I did not find it: not in Run; not in Winlogon.
I tried renaming the winlogon/notify keys and nothing
protected itself. (This, while the virus' icon in the task
bar kept flashing with fake security problems.)

Anyone have any idea where this thing starts up?

Many thanks,
-T

Posted by Leythos on June 17, 2007, 9:58 pm
ToddAndMargo@invalid.com says...
> Hi All,
>
> I was at a customer site who was infected with
> what Kaspersky calls: Trojan-downloader.win32.Agent.bkd.
> Kaspersky had no trouble removing it.
>
> Before I let Kaspersky do its thing, I looked through
> the registry for the DLL's (eeuydc.dll) start point.
> I did not find it: not in Run; not in Winlogon.
> I tried renaming the winlogon/notify keys and nothing
> protected itself. (This, while the virus' icon in the task
> bar kept flashing with fake security problems.)
>
> Anyone have any idea where this thing starts up?

Don't worry about where it starts, use Multi_AV and run all of the
scanners, then use SBS&D and AdAware and you'll be happy again

Always remember - only download files from Trusted Sites.

The following links will take you to vendors' sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

AdAwareSE can be found here:
http://www.lavasoft.com/products/ad_aware_free.php

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Posted by ToddAndMargo on June 17, 2007, 10:26 pm
Leythos wrote:

> ToddAndMargo@invalid.com says...
>> Hi All,
>>
>> I was at a customer site who was infected with
>> what Kaspersky calls: Trojan-downloader.win32.Agent.bkd.
>> Kaspersky had no trouble removing it.
>>
>> Before I let Kaspersky do its thing, I looked through
>> the registry for the DLL's (eeuydc.dll) start point.
>> I did not find it: not in Run; not in Winlogon.
>> I tried renaming the winlogon/notify keys and nothing
>> protected itself. (This, while the virus' icon in the task
>> bar kept flashing with fake security problems.)
>>
>> Anyone have any idea where this thing starts up?
>
> Don't worry about where it starts, use Multi_AV and run all of the
> scanners, then use SBS&D and AdAware and you'll be happy again

I want to know where it starts because I just think it is
capital fun to defeat them by hand. Yes, I am easily amused.

Do you know where this virus is started?

Many thanks,
-T

p.s. The customer is no longer infected.
p.s.s. I am not infected (I run Linux with
XP and Vista as virtual machines. The Windows
instances have virtually no contact with the
Internet.)

Posted by Leythos on June 17, 2007, 10:34 pm
ToddAndMargo@invalid.com says...
> Leythos wrote:
>
> > ToddAndMargo@invalid.com says...
> >> Hi All,
> >>
> >> I was at a customer site who was infected with
> >> what Kaspersky calls: Trojan-downloader.win32.Agent.bkd.
> >> Kaspersky had no trouble removing it.
> >>
> >> Before I let Kaspersky do its thing, I looked through
> >> the registry for the DLL's (eeuydc.dll) start point.
> >> I did not find it: not in Run; not in Winlogon.
> >> I tried renaming the winlogon/notify keys and nothing
> >> protected itself. (This, while the virus' icon in the task
> >> bar kept flashing with fake security problems.)
> >>
> >> Anyone have any idea where this thing starts up?
> >
> > Don't worry about where it starts, use Multi_AV and run all of the
> > scanners, then use SBS&D and AdAware and you'll be happy again
>
> I want to know where it starts because I just think it is
> capital fun to defeat them by hand. Yes, I am easily amused.
>
> Do you know where this virus is started?

Sorry, I don't even try any more, it doesn't amuse me any more, used to a
long time ago, but now I just take an updated Multi-AV and start it
running and walk away :)

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Posted by David H. Lipman on June 18, 2007, 4:53 pm


|
| I want to know where it starts because I just think it is
| capital fun to defeat them by hand. Yes, I am easily amused.
|
| Do you know where this virus is started?
|
| Many thanks,
| -T
|
| p.s. The customer is no longer infected.
| p.s.s. I am not infected (I run Linux with
| XP and Vista as virtual machines. The Windows
| instances have virtually no contact with the
| Internet.)

Unless we can Cross-Reference this and look this infector up in a library, we can
NOT tell exactly.

It could start from various locations such as...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Use the Microsoft/Sysinternals AutoRuns utility or other such utility to find
where it loads.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
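
An added illustration of the ShellServiceObjectDelayLoad pointer above (not code from any poster in this thread): values under that key hold COM CLSIDs rather than file paths, so searching the autostart keys for the DLL name finds nothing until each CLSID is followed to its InprocServer32 entry. The sketch does that over a `reg export` text dump; the sample export, CLSID, value names and paths are constructed, and only the Run, Winlogon\Notify and ShellServiceObjectDelayLoad locations are covered.

```python
import re

# Constructed `reg export` text: CLSID, names and paths are made up (eeuydc.dll is from the thread).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SampleLoader"="{11111111-2222-3333-4444-555555555555}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\eeuydc.dll"
'''

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$')
ASEP_SUFFIXES = (r"\currentversion\run", r"\currentversion\shellserviceobjectdelayload")

def parse_reg(text):
    """Return {key_path: {value_name: string_data}}; '' is the default value."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def resolve(data, keys):
    """Follow a CLSID to its InprocServer32 default value when it was exported."""
    m = CLSID_RE.search(data)
    if m:
        suffix = ("\\clsid\\" + m.group(0) + "\\inprocserver32").lower()
        for key, values in keys.items():
            if key.lower().endswith(suffix):
                return values.get("", data)
    return data

def find_start_points(text, dll):
    """List (key, value_name, raw_data, resolved_target) autostarts loading dll."""
    keys, hits = parse_reg(text), []
    for key, values in keys.items():
        k = key.lower()
        if not (k.endswith(ASEP_SUFFIXES) or "\\winlogon\\notify\\" in k):
            continue  # not an autostart location this sketch covers
        for name, data in values.items():
            target = resolve(data, keys)
            if dll.lower() in target.lower():
                hits.append((key, name, data, target))
    return hits
```

On the constructed sample, `find_start_points(SAMPLE_REG, "eeuydc.dll")` reports the ShellServiceObjectDelayLoad value even though its raw data contains only a CLSID.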


