January 9th, 2005 01:00
NVSVC.EXE AGBOT Trojan
AGBOT replaces the NVIDIA NVSVC.EXE with itself.
Newer NVIDIA drivers cause the system to crash when this file is then overwritten by NVIDIA drivers.
Removing NVSVC.EXE everywhere on your drive and then making a subdirectory called nvsvc.exe in the Windows system directory and making it hidden and read-only will help prevent this driver or program from being re-installed.
W32/Agobot-EL is a backdoor Trojan and worm which spreads to computers protected by weak passwords.
When first run, W32/Agobot-EL moves itself to the Windows system folder as nvsvc.exe and creates the following registry entries to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Generic Service Process = nvsvc.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Generic Service Process = nvsvc.exe
The Trojan runs continuously in the background providing backdoor access to the computer.
The Trojan attempts to terminate and disable various anti-virus and security-related programs and modifies the HOSTS file located at \System32\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites. Typically the following mappings will be appended to the HOSTS file:


DELL-Chris M
Community Manager
January 14th, 2005 14:00
It would be cool if you would also post this on the virus board.
Message Edited by DELL-ChrisM on 01-14-2005 10:53 AM
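
Added example (not part of the original thread and not vendor code): a triage check for the indicators listed in the first post, run over the text output of `reg query` for the two startup keys and a saved copy of the HOSTS file. The function names, the sample input and the hostname av-vendor.example are constructed for illustration; the post does not list the actual hostnames, so the HOSTS check flags any non-local name mapped to loopback.

```python
import re
# Indicators from the first post; everything else here is an assumption.
RUN_KEYS = (r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runservices")
VALUE_NAME = "generic service process"
IMAGE_RE = re.compile(r'(^|[\\/"\s])nvsvc\.exe\b', re.I)
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def scan_run_keys(reg_query_text):
    """Return (key, name, data) for Run/RunServices values matching the post."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith(("HKEY_", "HKLM\\")):
            key = line.strip().rstrip("\\")  # remember which key we are in
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEYS):
            continue
        name, _type, data = (g.strip() for g in m.groups())
        if name.lower() == VALUE_NAME or IMAGE_RE.search(data):
            hits.append((key, name, data))
    return hits

def scan_hosts(hosts_text):
    """Return (line_no, host) for non-local names mapped to loopback."""
    hits = []
    for no, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0].startswith("127."):
            hits += [(no, h.lower()) for h in fields[1:]
                     if h.lower() not in LOCAL_NAMES]
    return hits

# Constructed sample artifacts (not taken from a real machine).
SAMPLE_REG = "\n".join([
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"    Generic Service Process    REG_SZ    nvsvc.exe",
    r"    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"    Generic Service Process    REG_SZ    nvsvc.exe",
])
SAMPLE_HOSTS = ("127.0.0.1 localhost\n"
                "127.0.0.1 av-vendor.example   # constructed entry\n"
                "10.0.0.5 fileserver\n")

if __name__ == "__main__":
    print(scan_run_keys(SAMPLE_REG), scan_hosts(SAMPLE_HOSTS))
```

Loopback mappings also appear in ad-blocking HOSTS files, so HOSTS hits need a manual look before they are treated as tampering.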