
Trojan Horse Psw.agent.cci


#1 ves



Posted 08 August 2006 - 02:41 PM

I'm new here... hope you can help.

On booting up, my AVG scanner flashed a screen saying:

Virus found: Trojan Horse PSW.Agent.CCI
found in: C:\windows\system32\mssync.20.exe

I managed to note down these details before the screen left, but when I do a virus scan nothing shows up. I checked the vault to see if it was already removed, but no. I looked up the file in the system32 folder, it's there, but won't let me delete it. Also, there's another file, mssync20.sys. Don't know if that's related. I'm not sure if it's safe to delete these files anyway!!!

Previous to this AVG alert, I have been having blue screen problems over last few days. Various fatal system errors and one stating: Driver IRQL not less or equal. Telling me to uninstall new hardware and software. Don't know if this is all related. I had run several system scans to find a virus, but nothing showed up.
I'm running PC in safe mode at the moment to look into it. Bear in mind I am not really a techie! Just a curious newbie!
Any thoughts anyone?


Oh, P.S. Just completed another AVG scan in safe mode, with all hidden folders opened. The mssync.20.exe folder result stated 'READING ERROR'. ???? Does that mean it is a virus with some sort of block in it to prevent virus scanning?

Edited by ves, 08 August 2006 - 02:46 PM.



#2 -David-



Posted 08 August 2006 - 04:58 PM

Heya ves.

This is all looking very sinister but the Blue Screen shows that you might have a rootkit infection.
Before we come to any rash conclusions try the following.

You can also try and delete the files in safe mode, as they are more likely to get there.
I can assure you that the files can be safely deleted; they are malware.

Avira states the following about the family of trojans:

Side effects:
Drops files
Drops a malicious file
Records keystrokes
Registry modification
Steals information

I'm pretty sure the file has backdoor capabilities, so due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords-- for email, for banks, eBay, forums etc....

To start with, let's complete a rootkit scan in normal mode.
To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
  • Please download and unzip Rootkit Revealer to your desktop.
  • Please leave the defaults set as they are to:
    • Hide NTFS Metadata Files: this option is on by default
    • Scan Registry: this option is on by default.
  • Launch RootkitRevealer on the system and press the Scan button.
    RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large; please edit out the items in the following folders in the log: C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
  • Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted, as it may be too long for one post).
