  1. #1
    Plutonium Lounger | Join Date: Nov 2001 | Posts: 10,550 | Thanks: 0 | Thanked 7 Times in 7 Posts

    Backdoor.Agent.B

    I went round to a friend's house to clean up the mess that had infested their Windows XP computer - it was truly horrible.

    I managed to remove all but one of the nasties - but Norton Antivirus still reports that a file called C:\Windows\System32\WINM.DLL is infected with Backdoor.Agent.B.

    I downloaded the Symantec tool for removing this nasty, and I think I followed all the instructions correctly, but I still haven't managed to completely remove it. On its first run the tool claimed to have cleaned it, and on subsequent runs says it wasn't found, but the Norton Antivirus realtime file scan reports this infection every few seconds.

    Anyone familiar with this little [censored] and got an alternative suggestion for how to remove it?

    StuartR

  2. #2
    5 Star Lounger | Join Date: Mar 2001 | Location: Lorain, Ohio, USA | Posts: 953 | Thanks: 0 | Thanked 0 Times in 0 Posts

    Re: Backdoor.Agent.B

    I don't have XP or have even had a nasty on my ME [evilgrin]...but I do know (from posts at other forum websites, etc.), that to be really sure all nasties are removed...one must disable System Restore, do the uninstall program of said nasty, using whatever is offered by Norton (etc.)...reboot...then re-enable System Restore...then do another scan for the nasty...to make sure it is gone!
    Does this help any???

  3. #3
    Uranium Lounger | Join Date: Dec 2000 | Location: Los Angeles Area, California, USA | Posts: 7,453 | Thanks: 0 | Thanked 0 Times in 0 Posts

    Re: Backdoor.Agent.B

    Hi Stuart:
    In addition to running the Norton tool, have you manually checked all the Run keys in the registry (Run, RunServices, RunOnce...under both HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER)?

    Also, this seems similar to the problem in this thread, but I don't know if it was solved yet.

  4. #4
    Plutonium Lounger | Join Date: Nov 2001 | Posts: 10,550 | Thanks: 0 | Thanked 7 Times in 7 Posts

    Re: Backdoor.Agent.B

    Thanks, both, for the responses.

    I have indeed searched for appropriate registry entries - even booting to Safe mode and using Autoruns to locate anything I recognise as nasty. Unfortunately I can't check for nasty services since something (??) seems to have prevented the use of services.msc and various other tools!

    This little critter not only uses a large number of different registry entries to get itself restarted on reboot, but also attaches itself to almost every single running program and undoes any effort to remove the offending entries and threads! (See http://securityresponse.symantec.com/avcen...or.agent.b.html). I did follow the instructions for manual removal in that document, but this looks like some slightly different variant 'cos it's still there!

    I have told my friend to identify all the software that they use and make sure they have the installation media - 'cos I don't think anything short of a rebuild will fix this [censored] but it is very frustrating to have successfully removed the other dozens of viruses, spyware and nasties and be defeated by the last one.

    StuartR

  5. #5
    Platinum Lounger | Join Date: Jan 2001 | Location: Quedgeley, Gloucester, England | Posts: 5,333 | Thanks: 0 | Thanked 1 Time in 1 Post

    Re: Backdoor.Agent.B

    Stuart

    Have you tried running Trend Micro's HouseCall (ages though that takes?).

    Wouldn't it be nice if all antivirus software firms used the same naming convention, and called the same virus the same name?

    John

    Ita, esto, quidcumque...

  6. #6
    Plutonium Lounger | Join Date: Nov 2001 | Posts: 10,550 | Thanks: 0 | Thanked 7 Times in 7 Posts

    Re: Backdoor.Agent.B

    That's not a bad idea. When they get back from their travels (it being half term for the small people almost certainly responsible for this event).

    StuartR

  7. #7
    Uranium Lounger | Join Date: Mar 2001 | Location: New Jersey | Posts: 6,684 | Thanks: 1 | Thanked 11 Times in 11 Posts

    Re: Backdoor.Agent.B

    Stuart,

    I did some Googling around and came up with the cause of your friend's woes. It seems to be IamBigBrother or a related variant. The removal instructions are available here.

    I found other information about this [censored] nasty here:
    IamBigBrother description: From the publisher:
    'Once you have restarted Windows after installing IamBigBrother, it will be running in the background monitoring all activity on your computer. All of the information is saved to file for later viewing using our parental management program called CWIN. Using CWIN To View Saved Activity'
    Properties:

  8. #8
    Plutonium Lounger | Join Date: Nov 2001 | Posts: 10,550 | Thanks: 0 | Thanked 7 Times in 7 Posts

    Re: Backdoor.Agent.B

    Doc,

    This looks like a good match - thank you. I will have to wait for them to get back from their vacation to try it!

    StuartR

  9. #9
    Uranium Lounger | Join Date: Mar 2001 | Location: New Jersey | Posts: 6,684 | Thanks: 1 | Thanked 11 Times in 11 Posts

    Re: Backdoor.Agent.B

    [crossfingers] [smile]

  10. #10
    Uranium Lounger | Join Date: Mar 2001 | Location: New Jersey | Posts: 6,684 | Thanks: 1 | Thanked 11 Times in 11 Posts

    Re: Backdoor.Agent.B

    Perhaps a repair installation of Windows or open the Recovery Console and see if there is anything you can do with EVENTVWR or SERVICES from there first.

    Sygate you might want to edit out of the registry to be sure you got all traces of it and then reinstall. Sounds as though some of those nasties have been busy reorganizing the system files !!

    I've never heard of Webroot SpySweeper before. I appreciate the tip. [smile]

  11. #11
    Plutonium Lounger | Join Date: Nov 2001 | Posts: 10,550 | Thanks: 0 | Thanked 7 Times in 7 Posts

    Re: Backdoor.Agent.B

    I was hoping that installing SP2 might sort out the system files, but I don't think I can do a repair installation after installing SP2 without a slipstreamed SP2 installation disk can I?

    StuartR

  12. #12
    Plutonium Lounger | Join Date: Nov 2001 | Posts: 10,550 | Thanks: 0 | Thanked 7 Times in 7 Posts

    Re: Backdoor.Agent.B

    I went to have another look at this PC today. I didn't find any of the files that IamBigBrother uses. But this time I tried the Symantec manual removal steps. The key one that enabled me to kill the [censored] was to rename the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows to be Windows1. Then wait a few seconds and clear the contents from AppInit_DLLs inside the newly renamed key - then IMMEDIATELY reboot, before renaming Windows1 back to Windows. A virus scan was then able to kill the rest of it.

    These things are sent to try us.

    I have now cleared all of the SpyWare and Viruses from this PC - I found WebRoot SpySweeper the most effective of the SpyWare tools - it cleared variants of CoolWeb that CWShredder couldn't.

    I was left with two problems.
      • Any attempt to run MMC programs, like EVENTVWR or SERVICES, returns an error message saying that I don't have admin privs or the MMC is incompatible with the version of Windows.
      • Sygate Personal Firewall always GPFs on startup - even though I deinstalled it, loaded the latest version and reinstalled.
    But at least they don't get lots of pornography adverts whenever they go online now!

    I installed Windows XP SP2 on the PC, hoping that this would fix the last couple of problems, but no such luck. Any suggestions?

    StuartR

    Edited by StuartR to add a link for SpySweeper
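The registry checks suggested in post #3 (the Run-style keys under both hives) and the AppInit_DLLs value at the centre of the removal steps in post #12 can be audited from a defender's side with the PowerShell script below. It is an added example, not code from the thread, from Symantec or from any tool named here. It only reads the registry and reports; it renames and clears nothing. It assumes PowerShell 3.0 or later (for `Get-AuthenticodeSignature -LiteralPath`) and an elevated prompt; the RunServices keys exist only on older Windows versions and are skipped when absent.

```powershell
# Added example, not from the thread: read-only audit of the autostart
# registry locations discussed above plus AppInit_DLLs. Run elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

# Pull the executable path out of a Run-key command line. Quoted paths may
# contain spaces; unquoted ones are taken up to the first space.
function Get-CommandPath {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split ' ')[0]
}

# One object per value under each Run-style key that exists on this machine,
# with the Authenticode status of the file it points at.
function Get-AutostartEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $path = Get-CommandPath ([string]$p.Value)
            $exists = ($path -ne '') -and (Test-Path -LiteralPath $path -PathType Leaf)
            $status = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Path      = $path
                Signature = $status
            }
        }
    }
}

# AppInit_DLLs is a space- or comma-separated list; every DLL in it is loaded
# into each process that links user32.dll, which is how a single DLL ends up
# "attached to almost every running program". Normally the value is empty.
function Get-AppInitDlls {
    $props = Get-ItemProperty -LiteralPath $appInitKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    return @(([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ -ne '' })
}

$entries = @(Get-AutostartEntries -Keys $runKeys)
'All autostart entries:'
$entries | Format-Table -AutoSize
'Entries to review first (unsigned, invalid signature, or file missing):'
$entries | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize

$dlls = @(Get-AppInitDlls)
if ($dlls.Count -eq 0) {
    'AppInit_DLLs is empty.'
} else {
    'AppInit_DLLs is populated; identify each DLL before clearing the value:'
    $dlls | ForEach-Object { '  ' + $_ }
}
```

A signature status other than `Valid` is a reason to look closer, not a verdict: plenty of legitimate older software is unsigned. The point of listing AppInit_DLLs separately is that, as post #12 found, a DLL registered there is re-injected into new processes as fast as they start, so its entry has to be identified and removed before a file-level scan can finish the job.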

  13. #13
    Plutonium Lounger | Join Date: Nov 2001 | Posts: 10,550 | Thanks: 0 | Thanked 7 Times in 7 Posts

    Re: Backdoor.Agent.B

    What a fine utility Autostreamer is, it even has an option to pause before creating the ISO image so you can add extra folders to the image. I've always liked simple utilities that don't need to be installed and do a single job well.

    Why not post a pointer in the Software Finds and Wants forum?

    StuartR

  14. #14
    Uranium Lounger | Join Date: Mar 2001 | Location: New Jersey | Posts: 6,684 | Thanks: 1 | Thanked 11 Times in 11 Posts

    Re: Backdoor.Agent.B

    Good point. I don't believe you can. If you want to throw one together there's a utility called AutoStreamer that I'm told does a nice job of it.

    edited to correct stupid spelling error in link. [bash]

  15. #15
    Uranium Lounger | Join Date: Mar 2001 | Location: New Jersey | Posts: 6,684 | Thanks: 1 | Thanked 11 Times in 11 Posts

    Re: Backdoor.Agent.B

    Done. Good idea Stuart. I hadn't tried the program yet, but if you like it, then I can be pretty sure it's a keeper. I got the tip from the creator of XP Smoker. So I was pretty sure it was a nice, tight program.
