4 Replies Latest reply on Nov 4, 2009 10:50 AM by Rsteven1

    I cannot log into Windows XP due to spy-agent.bw!mem infection

      Hello computer experts,

      My laptop has recently been infected by two instances of the Trojan spy-agent.bw!mem which were detected by a McAfee virus scan 5 days ago. Since that time, I have been struggling to log into Windows XP Home and desperately trying to find out how to get rid of these viruses, but with no luck...

      The results of the McAfee scan:

      Trojans

      C:\WINDOWS\system32\twest.exe
      Spy-Agent.bw!mem

      C:\WINDOWS\system32\winlogon.exe
      Spy-Agent.bw!mem

      Status: termination failed.

      When starting up, Windows XP hangs up at the log-in/select user screen. At first, I was able to get past the login screen and the computer stalled at the Desktop but with none of my desktop icons, start menu, etc. Initially, I was able to get past the blank desktop background by hitting Ctrl-Alt-Del, bringing up the Command-line prompt in Task Manager, and then typing "C:\" at which time the following error message came up:

      '/idlist,:0:3972, c:\
      Windows can't find ‘/idlist,:0:3972, c:\’. Make sure you typed the name correctly, and then try again. To search a file, click the Start button, and then click Search.'

      Now, that won't even work. When I tried to start my computer yesterday and this morning on numerous occasions, when I turn on the computer, Windows XP Home never gets past the log-in page where you select the user. Whether I select my user name or the Administrator, it logs in for a few seconds, at which time I see the desktop for a second, but then it immediately logs off again, and I'm back at the log-in screen.

      The results of the last McAfee scan that was run before my computer stopped getting past the log-in/select user screen stated that it had detected 5 items, of which 3 were quarantined and 2 remain. Would you please guide me as to how I should proceed to eradicate these little pests from my computer so I can log in?

      Before it became impossible to log into Windows XP a few days ago, I was also able to run several other scans, GMER Rootkit Scanner and DDS, as recommended on other virus removal tech assistance forums. If there's a way to attach them, I'd be super grateful if someone would let me know how.

      Thank you very much in advance,
      Liam
        • 1. Re: I cannot log into Windows XP due to spy-agent.bw!mem infection

          hi,

           

          Have you tried scanning the machine in safe mode? Memory-resident viruses are in a running process, so they cannot be deleted when the computer is in normal mode. Reboot the machine in safe mode and try running an on-demand scan.

           

          regards

          • 2. Re: I cannot log into Windows XP due to spy-agent.bw!mem infection
            maziz

            Hi lzaidel

             

            I would recommend a Command Line scan in Safe Mode.

             

            You will need to boot your machine into "Safe Mode with Command Prompt" but before you do this, there are some very good instructions for running a Command Line Scan in safe mode on McAfee's Knowledge base. These need to be followed step by step.

             

            For more information about "Performing a command-line scan in Windows 7, Vista, XP, 2003 or 2000", please see KB51141.

             

            Also, more information about threats can be found at http://vil.nai.com.

             

            Hope this helps.

             

             

            Message was edited by: Greg Sanders on 11/4/09 4:46 PM
            • 3. Re: I cannot log into Windows XP due to spy-agent.bw!mem infection

              Hello

              It would be nice to have a log.

              Could you please download and install 'HijackThis', run a scan and copy/paste the log in your next reply.

               

              twest.exe - is it a typo and it means twext.exe?

               

               

              Message was edited by: Raziel.van.Nosgoth on 11/4/09 7:23 AM
              • 4. Re: I cannot log into Windows XP due to spy-agent.bw!mem infection

                Since the threat is a memory-resident infection, you should be able to run an On Demand Scan of the system, reboot, and run another On Demand Scan. Since the threat resides in memory (Rootkit), the action from VSE may fail to clean or delete the threat until reboot. We will mark the file for deletion pending reboot. Running a Command Line Scan using the latest Beta DAT will be the next step to take. I have attached a document that will walk you through this. If this does not prove successful, then we will need to locate the file(s) responsible. I have attached another document that covers common locations for files that are dropped by malware. You can use this document to help in your search. If you locate the malware, you can upload what you believe to be infected to http://www.virustotal.com. This will let you know who is detecting it and what they are detecting it as. If you get several vendors detecting the threat, you know you're on the correct path. You will also see if McAfee is detecting the threat. If it shows McAfee detecting, then you will want to update your DAT files and confirm that VSE is correctly configured, such as "scan all files", etc. Also, Artemis is very useful when scanning. Information on enabling Artemis in Virus Scan Enterprise is in KB53732. If you confirm McAfee is not detecting and other vendors are, you will want to proceed with uploading the samples to McAfee Labs for research. You can use KB50388 to guide you through the process. Once you have submitted the sample, if you don't get a response from McAfee Labs, you can call and log a case with support to have the case escalated to the Threat Escalation Group.