Trojan removal from XP

Zander

I have a trojan on my PC the name of which
is 'scagent.exe'.
This trojan was discovered when my McAfee viruscan, which
has up-to-date definitions, reported the trojan but would
not allow deletion, quarantine or clean. When I submit the
name scagent to the various virus scanner software
providers only Sophos had any details of what to look for
in the System32 folder and the registry. If I try to
download any tools to help to remove the trojan they seem
to be prevented by the scagent trojan.

As I am using XP with NTFS then I cannot see the drive to
remove the scagent manually from a bootable floppy, unless
there is a tool out there that allows file and directory
viewing from a DOS-like environment.

The trojan name pops up at a number of points in the
registry so unless there is another solution I may have to
resort to deleting entries manually after the usual
precautions.

If anyone has any ideas please reply.

thanks in advance

Zander
 
Carey Frisch [MVP]

There is a very helpful virus removal newsgroup you should post to:
news://msnews.microsoft.com/microsoft.public.security.virus

Virus Removal Tools
http://securityresponse.symantec.com/avcenter/tools.list.html

Online Virus Removal Tutorials
http://www.symantec.com/techsupp/virusremoval/virusremoval_info_tutorial.html

You may wish to try the Panda ActiveScan Free Online Scanner.
Just click on the "Scan your PC" box.
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Download Ad-Aware 6.0 and scan your PC for spyware:
http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

3 Steps to Help Insure Your PC is Protected
http://www.microsoft.com/security/protect/

Frequently Asked Questions About Antivirus Software
http://www.microsoft.com/security/protect/antivirus.asp

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

------------------------------------------------------------------------------------


|I have a trojan on my PC the name of which
| is 'scagent.exe'.
| This trojan was discovered when my McAfee viruscan, which
| has up-to-date definitions, reported the trojan but would
| not allow deletion, quarantine or clean. When I submit the
| name scagent to the various virus scanner software
| providers only Sophos had any details of what to look for
| in the System32 folder and the registry. If I try to
| download any tools to help to remove the trojan they seem
| to be prevented by the scagent trojan.
|
| As I am using XP with NTFS then I cannot see the drive to
| remove the scagent manually from a bootable floppy, unless
| there is a tool out there that allows file and directory
| viewing from a DOS-like environment.
|
| The trojan name pops up at a number of points in the
| registry so unless there is another solution I may have to
| resort to deleting entries manually after the usual
| precautions.
|
| If anyone has any ideas please reply.
|
| thanks in advance
|
| Zander
 
phoenix

| I have a trojan on my PC the name of which
| is 'scagent.exe'.
| This trojan was discovered when my McAfee viruscan, which
| has up-to-date definitions, reported the trojan but would
| not allow deletion, quarantine or clean. When I submit the
| name scagent to the various virus scanner software
| providers only Sophos had any details of what to look for
| in the System32 folder and the registry. If I try to
| download any tools to help to remove the trojan they seem
| to be prevented by the scagent trojan.
|
| As I am using XP with NTFS then I cannot see the drive to
| remove the scagent manually from a bootable floppy, unless
| there is a tool out there that allows file and directory
| viewing from a DOS-like environment.
|
| The trojan name pops up at a number of points in the
| registry so unless there is another solution I may have to
| resort to deleting entries manually after the usual
| precautions.
|
| If anyone has any ideas please reply.
|
| thanks in advance
|
| Zander

Have you tried going into Safe Mode and removing it?

Regards

Bill
 
Zander

Thanks guys I have tried all your suggestions but as I
said this trojan is not known at most virus scanner
providers. I did try changing attributes, as suggested,
but the file cannot be deleted under Windows. I changed
the name to scagent.old, which it allowed me to do, but
even delete on this name after changing attributes did not
work. Until there is a tool provided by one of the
anti-virus suppliers for this trojan it looks like I will have
to re-install Windows using FAT or FAT32, at least I will
then be able to use a DOS disk to manually remove this and
any future malware of this type.

I think Microsoft need to think about a command line
interface for Windows, for this type of exercise, as I
feel sure I would be able to remove this trojan if I could
see the filing system at a command prompt.

Unless there are any other suggestions or tools then it
looks like a Windows re-install. Ironically I received my
copy of the free MS Security Update CD this morning
containing anti-virus, firewall, etc., software, although
I am running McAfee viruscan and ZoneAlarm pro, at the
moment, and run Lavasoft's adware with the latest refs
file frequently.

btw I work in IT and am reasonably familiar with DOS, hell
I admit that I am even familiar with Windows 3.0 and 3.11.

thanks again

Zander
 
michael cromarty

Zander said:
| Thanks guys I have tried all your suggestions but as I
| said this trojan is not known at most virus scanner
| providers. I did try changing attributes, as suggested,
| but the file cannot be deleted under Windows. I changed
| the name to scagent.old, which it allowed me to do, but
| even delete on this name after changing attributes did not
| work. Until there is a tool provided by one of the
| anti-virus suppliers for this trojan it looks like I will have
| to re-install Windows using FAT or FAT32, at least I will
| then be able to use a DOS disk to manually remove this and
| any future malware of this type.
|
| I think Microsoft need to think about a command line
| interface for Windows, for this type of exercise, as I
| feel sure I would be able to remove this trojan if I could
| see the filing system at a command prompt.
|
| Unless there are any other suggestions or tools then it
| looks like a Windows re-install. Ironically I received my
| copy of the free MS Security Update CD this morning
| containing anti-virus, firewall, etc., software, although
| I am running McAfee viruscan and ZoneAlarm pro, at the
| moment, and run Lavasoft's adware with the latest refs
| file frequently.
|
| btw I work in IT and am reasonably familiar with DOS, hell
| I admit that I am even familiar with Windows 3.0 and 3.11.
|
| thanks again
|
| Zander

I contracted this virus/trojan yesterday on a machine running Win2000.
Found a couple of sites using a Google search on scagent.exe:
http://computercops.biz/postp246994.html
http://forums.techguy.org/showthread.php?t=248975
http://forums.spywareinfo.com/index.php?showtopic=10469&st=15

One thing I did to try to figure out what files were new and offending
was a simple search on *.* for the entire system, then order by time
from most current to least. As I went down the list I came across a
large (100 files or so) block of files all with the same minute in
their "Last Modified" field. Either I got really inspired for a
minute or something is fishy here... Most of the entries were
websites, but I did find a number of executable and .dll files. I was
unable to delete any of them as they were apparently running and under
system control.

I think the start of the clean up was deleting the following registry
entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

I also changed the file permissions on all the files that were created
in that second, making myself have full control and system and service
set to deny all.
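
The timestamp triage described in the post above, as an added example that is not part of the original thread: it groups files by the minute of their last-modified time and lists the executables in any unusually large group. The function names, the extension list and the threshold of 20 files are assumptions chosen for illustration.

```python
import os
import time
from collections import defaultdict

# Assumed list of extensions worth a closer look; extend as needed.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}

def mtime_clusters(root, min_files=20):
    """Bucket files under root by last-modified minute and return the
    buckets holding at least min_files files, largest first."""
    buckets = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path, follow_symlinks=False).st_mtime
            except OSError:
                continue  # unreadable or vanished file: skip, keep scanning
            buckets[int(mtime // 60)].append(path)
    hits = [(m, sorted(p)) for m, p in buckets.items() if len(p) >= min_files]
    return sorted(hits, key=lambda h: len(h[1]), reverse=True)

def executables(paths):
    """Return only the paths whose extension is in EXECUTABLE_EXTS."""
    return [p for p in paths
            if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS]

def report(root, min_files=20):
    """One header line per cluster, followed by its executable files."""
    lines = []
    for minute, paths in mtime_clusters(root, min_files):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(minute * 60))
        lines.append(f"{stamp}  {len(paths)} files")
        lines.extend(f"    {p}" for p in executables(paths))
    return lines

if __name__ == "__main__":
    import sys
    print("\n".join(report(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Installers and patch runs also write many files within one minute, and modification times can be rewritten, so treat a cluster as a lead to inspect rather than proof.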
 
