Win32.Trojan.Spy.Agent.kb detected by ZoneAlarm Internet Security

Win32.Trojan.Spy.Agent.kb detected by ZoneAlarm Internet Security Densha188 05-23-2008
Posted by Densha188 on May 23, 2008, 3:13 pm
On one of my computers running WinXP Sp2 with Zone Alarm Internet Security
Suite Ver. 7.0.470.000 and ver. 7.0.473.000
Anti-virus engine version 3, DAT file version 9551551049
Anti-spyware engine version 5.0.189.0, DAT file version 01.200805.3945
AntiSpam version 5.0.6.8903

After doing a scan with ZA Anti-spyware, it detected
Win32.Trojan.Spy.Agent.kb as a medium level threat trojan. It detected it in the
Windows Registry file.

RegistryKey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\05

After quarantining and deleting it and doing another scan just to make sure,
ZA reports no more trojan. But when I shut down the computer, turned off the
power supply for a few minutes, turned it back on, rebooted the
computer and logged in, I did another anti-spyware scan and it found that
trojan again in the registry. It seems to come back when it detects an
internet connection, since I'm on a LAN and it's always connected to the net
via router.

So how do I fully get rid of that trojan? I already tried an older backup
image of WinXP I had made back in Dec. 2007, but that didn't help. The only
other way I can think of is to re-format the entire computer.

Also, do you guys think that my other files on the other drives may be infected?

Posted by David H. Lipman on May 23, 2008, 3:52 pm

| On one of my computers running WinXP Sp2 with Zone Alarm Internet Security
| Suite Ver. 7.0.470.000 and ver. 7.0.473.000
| Anti-virus engine version 3, DAT file version 9551551049
| Anti-spyware engine version 5.0.189.0, DAT file version 01.200805.3945
| AntiSpam version 5.0.6.8903
|
| After doing a scan with ZA Anti-spyware, it detected
| Win32.Trojan.Spy.Agent.kb as a medium level threat trojan. It detected it in the
| Windows Registry file.
|
| RegistryKey:
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\05
|
| After quarantining and deleting it and doing another scan just to make sure,
| ZA reports no more trojan. But when I shut down the computer, turned off the
| power supply for a few minutes, turned it back on, rebooted the
| computer and logged in, I did another anti-spyware scan and it found that
| trojan again in the registry. It seems to come back when it detects an
| internet connection, since I'm on a LAN and it's always connected to the net
| via router.
|
| So how do I fully get rid of that trojan? I already tried an older backup
| image of WinXP I had made back in Dec. 2007, but that didn't help. The only
| other way I can think of is to re-format the entire computer.
|
| Also, do you guys think that my other files on the other drives may be infected?

The below is incomplete..

HKLM\SYSTEM\ControlSet001\Control\Class\05

There must be MORE to the malware infection. Either this is a False Positive or
the ZA anti-malware utility is failing to detect the rest of this Trojan,
Win32.Trojan.Spy.Agent.kb.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by on May 26, 2008, 9:17 am
I just googled the virus, was led to this page, am having the exact same
problem. In CA Yahoo Anti-Spy, the virus is called Konvoy B, with absolutely no
practical removal instructions that can be understood. Although it could just be
my computer, many anti-malware sites and their forums are inaccessible, as well as
Notepad.exe and msnmsgr.exe failing on activation, immediately. AntiSpywareMaster
is advertised continuously while surfing FireFox, even when in Safe Mode.
I'll help in any ways I can, but please help me get this infection off of my
computer.
Just as well, I am running Vista with Zone Alarm Security Suite with all of the
newest updates.

Again, I am posting only what I'm told by ZA.

Posted by David H. Lipman on May 26, 2008, 1:53 pm
From: <David Williams>

| I just googled the virus, was led to this page, am having the exact same
| problem. In CA Yahoo Anti-Spy, the virus is called Konvoy B, with absolutely no
| practical removal instructions that can be understood. Although it could just be
| my computer, many anti-malware sites and their forums are inaccessible, as well as
| Notepad.exe and msnmsgr.exe failing on activation, immediately. AntiSpywareMaster
| is advertised continuously while surfing FireFox, even when in Safe Mode.
| I'll help in any ways I can, but please help me get this infection off of my
| computer. Just as well, I am running Vista with Zone Alarm Security Suite with
| all of the newest updates.
|
| Again, I am posting only what I'm told by ZA.



1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of
the below expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's
System Scanner Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Posted by smc on May 26, 2008, 2:48 pm

David Williams;3761921 Wrote:
> I just googled the virus, was led to this page, am having the exact same
> problem. In CA Yahoo Anti-Spy, the virus is called Konvoy B, with
> absolutely no practical removal instructions that can be
> understood. Although it could just be my computer, many anti-malware
> sites and their forums are inaccessible, as well as Notepad.exe and
> msnmsgr.exe failing on activation, immediately. AntiSpywareMaster is
> advertised continuously while surfing FireFox, even when in Safe Mode.
> I'll help in any ways I can, but please help me get this infection off
> of my computer.
> Just as well, I am running Vista with Zone Alarm Security Suite with
> all of the newest updates.
>
> Again, I am posting only what I'm told by ZA.




[SMC - reply]
Win32.Trojan.Spy.Agent.kb has been an issue with my network. The first
indication I had a problem was the inability to "send" email. Email
on two of the computers on the network is hosted on Comcast servers,
who finally killed my email port and my ability to send email due to
the massive amounts of email going through my system. It appears that
this virus opened the door for unsolicited email ("spam") to be sent
through one of the network computers. I've since re-directed email to
be sent through another port and email once again is functional.

Both computers are updated daily with the latest ZA virus definitions
and email is scanned inbound and outbound. After running a ZA Spyware
scan, Win32.Trojan.Spy.Agent.kb surfaced on one computer only, this
one running Outlook Express.

After being quarantined in ZA, the trojan re-surfaced during the next scan.
So far I've re-quarantined AND deleted both in quarantine. Another
scan after re-boot showed a clean computer, however I realize the
probability of this returning is still relatively high. -smc


--
smc
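The symptom smc describes, one LAN machine sending spam until the ISP blocked the mail port, can be traced to a specific host from a router's outbound connection log. The following is an added example, not part of the thread; the log format, all addresses, the relay address and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a router's outbound connection log. The line format
# and every address are assumptions made for this example.
SAMPLE_LOG = """\
10:00:01 OUT src=192.168.1.10 dst=203.0.113.5 dport=25
10:00:04 OUT src=192.168.1.10 dst=198.51.100.80 dport=80
10:00:09 OUT src=192.168.1.12 dst=203.0.113.5 dport=587
10:01:12 OUT src=192.168.1.11 dst=198.51.100.21 dport=25
10:01:12 OUT src=192.168.1.11 dst=198.51.100.22 dport=25
10:01:13 OUT src=192.168.1.11 dst=198.51.100.23 dport=25
10:01:13 OUT src=192.168.1.11 dst=198.51.100.21 dport=25
10:01:14 OUT src=192.168.1.11 dst=198.51.100.24 dport=25
10:01:15 OUT src=192.168.1.11 dst=198.51.100.25 dport=25
10:02:30 OUT src=192.168.1.10 dst=203.0.113.5 dport=25
"""

LINE_RE = re.compile(r"OUT src=(\S+) dst=(\S+) dport=(\d+)")
SMTP_PORT = 25
ISP_RELAYS = frozenset({"203.0.113.5"})  # assumed: the ISP's own mail server
MAX_DIRECT_SERVERS = 3                   # assumed threshold


def find_spam_sources(log_text, relays=ISP_RELAYS, limit=MAX_DIRECT_SERVERS):
    """Map each LAN host to the distinct non-relay servers it reached on port 25,
    keeping only hosts that exceeded `limit` such servers."""
    servers = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match is None:
            continue  # skip lines that are not outbound connection records
        src, dst, port = match.group(1), match.group(2), int(match.group(3))
        # A mail client talks SMTP only to its configured relay; anything else
        # on port 25 is direct delivery to foreign mail servers.
        if port == SMTP_PORT and dst not in relays:
            servers[src].add(dst)
    return {host: sorted(d) for host, d in servers.items() if len(d) > limit}


if __name__ == "__main__":
    for host, dests in find_spam_sources(SAMPLE_LOG).items():
        print(f"{host}: direct SMTP to {len(dests)} servers: {', '.join(dests)}")
```

In the constructed log, the hosts that only reach the ISP relay are ignored and the one host delivering directly to many mail servers is reported, which is the machine to isolate and scan first.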

