
Spy-Agent.bw!rootkit

My McAfee scan indicates the following infection:

Spy-Agent.bw!rootkit
File:Memory\NTQueryDirectoryFile

The McAfee scan says that it removed the virus; however, if I immediately do another scan it removes the virus again... so obviously it is coming back.

System restore is turned off in XP.

A search for this virus in the McAfee database comes up with nothing, so maybe this is a new version?

I have looked at the information for the Spy-Agent.bw virus and it appears that I do have some of the Registry Values it creates; however, I am reluctant to use Regedit to delete those values as I am no expert with registry values.

I have tried Stinger and the Rootkit Detective based on some recommendations I read in this forum but had no luck with those.

In addition, I recently received a letter from a web site that I use to pay bills that my account may have been compromised due to a virus on my computer. This must be the virus they are referring to as it seems to be the only one I have.

Any help would be appreciated.
3 Replies
Reliable Contributor exbrit
Message 2 of 4

RE: Spy-Agent.bw!rootkit

It is documented in the McAfee database here: http://vil.nai.com/vil/content/v_144031.htm

It should be removable. Try a safe mode scan, reached by tapping F8 repeatedly while booting up. Then go to My Computer and right-click the hard drive and select "Scan".

You'll just see an extra taskbar icon. Hovering over it gives a progress report.

Alternatively run the free version of this tool: http://www.superantispyware.com/superantispywarefreevspro.html

If all else fails run Hijackthis and post its log on one of the following forums for expert advice:

Do not post the log here, we can't help!

DOWNLOAD HIJACKTHIS

Post the logs at a specialist Forum:

AUMHA FORUM

BLEEPING COMPUTER FORUM

CASTLECOPS FORUM

GEEKS TO GO FORUM

MAJOR GEEKS FORUM

MALWARE REMOVAL FORUM

SPYWARE INFO FORUM

TECH SUPPORT GUY FORUM

WHAT THE TECH FORUM (Formerly Tom Coyote)

Be sure to read all the sticky announcements/instructions at the top of each malware forum!

Cleaned

Thank you for your help. It appears I finally removed the virus.

Here's what I did. Please don't try this as I am no expert but it worked in my case (I got lucky).

Numerous McAfee scans in safe mode did the same thing. McAfee said it removed the virus but it was right back on the next scan.

Also, SUPERAntiSpyware detected nothing.

I went to the registry and modified the userinit entry by deleting "c:\WINDOWS\system32\oembios.exe" to make the entry just "C:\WINDOWS\system32\userinit.exe" to make that computer match what the entry looked like on my laptop (which is virus free).

Then I renamed that registry entry to OLD. That worried me but after a reboot there was a new userinit entry which contained only "C:\WINDOWS\system32\userinit.exe". The OLD that I renamed was still there and also contained just "C:\WINDOWS\system32\userinit.exe".

I also downloaded McAfee Rootkit Detective and ran it. I terminated all of the import/export hooks that pertained to the NTQueryDirectoryFile.


After a reboot the computer started up the way it used to pre-virus with my user name (it was starting up with no user identified) and a new McAfee scan finally reported no virus.

Again, after 2 days and a lot of research and scans by different programs, I got lucky.
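
The Userinit check described in the post above, as an added example that is not part of the original thread or of any McAfee tool: it splits the comma-separated Winlogon `Userinit` value and reports every entry other than the stock `userinit.exe`. The function names are hypothetical, the sample values are constructed from the paths quoted in the post, and it assumes Windows is installed in `C:\WINDOWS`.

```python
import ntpath
import sys

# Standard location of the Userinit value under HKEY_LOCAL_MACHINE.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumption: Windows lives in C:\WINDOWS, as on the poster's machine.
EXPECTED = {r"c:\windows\system32\userinit.exe"}


def split_userinit(value):
    """Split the comma-separated Userinit string into normalised paths."""
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:  # the stock value ends with a comma, so skip empty pieces
            entries.append(ntpath.normpath(part).lower())
    return entries


def audit_userinit(value):
    """Return (unexpected_entries, userinit_present) for a Userinit string."""
    entries = split_userinit(value)
    unexpected = [e for e in entries if e not in EXPECTED]
    present = any(e in EXPECTED for e in entries)
    return unexpected, present


def read_live_userinit():
    """Read the value from the local registry; only works on Windows."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


# Constructed sample values modelled on the post, not captured data.
SAMPLES = {
    "clean": r"C:\WINDOWS\system32\userinit.exe,",
    "hijacked": r"C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\system32\oembios.exe",
}

if __name__ == "__main__":
    if sys.platform == "win32":
        SAMPLES["live"] = read_live_userinit()
    for name, value in SAMPLES.items():
        unexpected, present = audit_userinit(value)
        status = "OK" if present and not unexpected else "REVIEW"
        print(f"{name}: {status} unexpected={unexpected}")
```

A `REVIEW` result only says the value differs from the stock one; comparing it against a known-clean machine, as the poster did with the laptop, is still the deciding step.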
Reliable Contributor exbrit
Message 4 of 4

RE: Cleaned

Good for you. I probably wouldn't have thought of that. Well, good luck to you and I'm glad it's fixed.
