MBS / Platte Media Victims' Forum
Author Topic: Trojan.Win32.Agent.aghn  (Read 3867 times)
aquarius
« on: November 11, 2008, 09:12:19 am »

Hi all,
I am researching the Platte rip-off as it has appeared on my 80-year-old father's pc.  They are demanding £49.99 for Get Films Now.

He is adamant he has not been on any of the Platte sites, has not gone through any registration process or entered a 4-digit pin.  He says the only films he has watched are missed episodes on BBC i-player and the ITV equivalent.  Interestingly, someone else said they only went on BBC i-player on the Michael Pollitt website. 

It started about 2 weeks ago and I have yet to examine his history to try and determine where it came from.

Kaspersky identifies the Trojan:  Trojan.Win32.Agent.aghn with file C:\windows\system32\pm_proc2.exe.  A scan identifies and removes the Trojan but it comes straight back again.

Does anyone have a full list of the files and registry entries involved?  So far, I only know of the pm_proc1's & 2.

I have found the instructions on easypc website but not yet tried it.

I also need a recommendation for a good webcam that I can use with Skype to see exactly what is on his pc screen as he is 150 miles away!

Any help gratefully received!
jonlewi5
« Reply #1 on: November 11, 2008, 12:24:06 pm »

Hi.

Right, in regards to seeing what your father is seeing, try logmein.com; it only requires a small download on the host (your father's pc).

I've not noticed any trojans being in the MBS/Platte software, but every time I've installed it, it has been on a VM and the point has been so I can get "infected".

I'll continue this in a min, and I'll get you a list of files and reg entries, just going for me dinner ;)

OK, I'm back.

Right, now I haven't checked for reg entries with the Platte software, but with the MBS software it is here:

HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\currentversion\run

http://img526.imageshack.us/img526/151/regveiwyk4.jpg

Now seeing as the Platte software is based on the MBS software, it is certainly possible it is in the same place.

And here is a list (that may not be complete or totally accurate) of all files related (or believed to be related) to MBS/Platte:

mbsrm32.exe
mbsreg.exe
mbssm32.exe
mbsmon32.exe
winiconmon.ico.bak0
winicnmon.ico
UBSauthenticateAXC.ocx
ubsauthenticateaxc.ocy
My Sex World.ico
my sex world.icon
sexxpassport.ico
Sexxxpassport.ico
axaccessctr.ocx
imvalid.ico
imvalid.icon
imvalid.ico.bako
rmvalid.exe
smvalid.exe
u2g.f
A8E2D64B
Win32.Agent.afi
setup1_10037.exe
axaccessctrl1.ocx    (that's lower case L and number 0ne)
axaaccessctlrl.ocx   (that's lower case L in each case)
imvalid.ico.bak0      (that's a zero)
imvaild.ico.bak)       may be a mistake ‘)’ or '0'
vico.ico       
vico.ico.bakO          (the 'O' may be an '0' ie zero)
vrm.exe
vsm.exe
vi32.exe
spzax.ocx
spzsu.exe
Show Pink Zone.ico
spzico.ico.bak0
spzico.ico
pzsys1.exe


That's all I've found so far.
« Last Edit: November 11, 2008, 01:06:45 pm by jonlewi5 » Logged
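
Added example (not part of jonlewi5's post, and not code from the forum): a Python check that reads the text output of `reg query` for the Run key named above and flags values whose command line names an executable from the lists in this thread. The value names and paths in the sample are constructed; the watchlist holds only the `.exe` names posted here plus `pm_proc2.exe` from the first post.

```python
import re

# Executable names taken from this thread: pm_proc2.exe from the first post,
# the rest from the file list in reply #1 (only the .exe entries).
WATCHLIST = {
    "pm_proc2.exe", "mbsrm32.exe", "mbsreg.exe", "mbssm32.exe", "mbsmon32.exe",
    "rmvalid.exe", "smvalid.exe", "setup1_10037.exe", "vrm.exe", "vsm.exe",
    "vi32.exe", "spzsu.exe", "pzsys1.exe",
}

# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
# File name component ending in .exe, with or without quotes and arguments.
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)

def parse_run_values(reg_output):
    """Return (value name, command) pairs from `reg query` text."""
    pairs = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            pairs.append((m.group("name"), m.group("data").strip()))
    return pairs

def flag_run_entries(reg_output, watchlist=WATCHLIST):
    """Return Run values whose command names a watch-listed executable."""
    hits = []
    for name, command in parse_run_values(reg_output):
        exes = {e.lower() for e in EXE_NAME.findall(command)}
        matched = sorted(exes & watchlist)
        if matched:
            hits.append((name, command, matched))
    return hits

# Constructed sample of `reg query` output; value names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\av.exe"
    ExampleValueA    REG_SZ    C:\WINDOWS\system32\pm_proc2.exe
    ExampleValueB    REG_SZ    "C:\Program Files\Example\MBSMON32.EXE" /start
"""

if __name__ == "__main__":
    for name, command, matched in flag_run_entries(SAMPLE):
        print(f"{name}: {command} -> {', '.join(matched)}")
```

On a real machine the input would be the saved output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`; a match is a lead to inspect, not proof of infection, since the list above is described as possibly incomplete or inaccurate.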


ForumFriend
« Reply #2 on: November 11, 2008, 01:07:23 pm »

Thanks, Jon, for taking this up :)

"Dedicated to creating a safer internet"
jonlewi5
« Reply #3 on: November 11, 2008, 01:09:28 pm »

Quote from ForumFriend: "Thanks, Jon, for taking this up :)"

no problemo


aquarius
« Reply #4 on: November 11, 2008, 01:21:28 pm »

Ditto, thanks for the list jon.


I have not been able to get remote access working with my father's pc.  Tried it between 2 pcs my end and it is ok.  Something his end is stopping the access.  I've got him to allow access, etc, but can't find what the problem is.  Am I going to have the same problem with logmein.com?
jonlewi5
« Reply #5 on: November 11, 2008, 01:26:43 pm »

Well, LogMeIn is all done through your web browser; I use it in work and it gets past our corporate firewalls as it's all done through the same port as your browser uses to browse the net.

Oh, and for the record, Trojan.Win32.Agent.aghn has been being detected by at least F-Secure since 09-10-2008.

So it is pretty new, but should be detected by most a/v's.
« Last Edit: November 11, 2008, 01:31:01 pm by jonlewi5 » Logged


aquarius
« Reply #6 on: November 11, 2008, 10:20:56 pm »

Thanks for the LogMeIn.
Worked very well except Kaspersky wouldn't let me do anything with it.
Funny with Skype though, as when you are talking, it must go into both pcs so the echoes go on forever!  So with Kaspersky, I had to talk to him via chat when he stopped moving his mouse long enough for me to get a word in edgeways!
Not sure what I have got out of it yet though as there is no history and most of the Kaspersky logs are empty!

I'll let you know.
jonlewi5
« Reply #7 on: November 12, 2008, 12:20:11 am »

lol ye it's a dead handy program

Been thinking, on the pc or in the recycle bin are there any executables? What I'm after is the MBS/Platte installer, as I'd like to run it through a few scanners; I'd also like to cross-check it with one from another Platte-controlled site.

It's just this is the first time I've heard of it including a trojan.
« Last Edit: November 12, 2008, 08:43:16 am by jonlewi5 » Logged


aquarius
« Reply #8 on: November 12, 2008, 12:43:12 am »

Sorry,
Some files were in the recycle bin but as it was huge and screeched (cause of trojan), I got him to empty it.  The installation deleted the initial executables although if it is not deleted properly it comes back doesn't it?  I'll have another look tomorrow.  Had enough for today!
I have got a list of the files that were created on that day if you want them.
jonlewi5
« Reply #9 on: November 12, 2008, 12:47:10 am »

not a problem,

but yes a list of the files created would be handy

jon


Stiffed
« Reply #10 on: November 15, 2008, 08:09:20 pm »

I was supposedly signed up on the 9th Nov 2008.

I carried out a system restore back to 8th Nov 2008. This has worked up till now.

Good luck matey!
Stiffed
« Reply #11 on: November 18, 2008, 09:56:54 pm »

To see how easy it is for parasites like Platte Media to identify then hijack your machine, have a look at http://probemyports.com. (No, it's not a Platte Media film).

You do not have to proceed, just read.
« Last Edit: November 18, 2008, 10:00:06 pm by Stiffed » Logged
aquarius
« Reply #12 on: November 18, 2008, 11:05:51 pm »

I found ShieldsUp and Leaktest a few years ago and got quite good results.

My father's System Restore won't work.  Found this site http://bertk.mvps.org/html/srfail.html - Troubleshoot System Restore “Restore Point Failures” in Windows XP.

I gave him the website address to do Microsoft Updates instead of Windows Updates some time ago.  Does he use it!  Checked his update history and there were quite a few failed and cancelled.  If his screen does nothing for 10 seconds, he thinks it is stuck and turns off his pc!