Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Blackdoor.small3.bi and Downloader.agent.7.e

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Blackdoor.small3.bi and Downloader.agent.7.e

Unread postby Schonk1 » January 27th, 2005, 3:19 pm

I read the question of panman and the answer of ChrisRLG. My brother has been visited some days ago with the same Trojan Horse, with all the consequences Planman described. Although his system Windows 98 SE is protected by AVG and Zonealarm, the attack apear4ed to be heavy. He asked me for help and I folllowed the recipe of ChrisRLG to destroy intruder. Everything worked nice. The only problem I got was, that the serviceFilter.vbs did not work for Windows 98SE. We got the message that the file was ment for Windows XP. So I could'nt post the Hijackthis log, servicefilter log and about:buster log

However, without posting these logfiles, everything looked OK. AVG could'nt find the Trojan Horse anymore and the system looked to be clean again. Using the IE 6 Browser to visit internet, shocked us. AVG gave a new call for the presence of the damned Horse or what it may else be. Again and again we tried the recipe, however the system now is totaly poisened.

Does Windows 98 SE need another recipe? If so, please help us out.
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert
Advertisement
Register to Remove

Unread postby ChrisRLG » January 27th, 2005, 4:18 pm

Welcome to malware removal.

I would need a hijackthis log to give any more advice.

get it from the downloads link at the top of this forum.

Unzip to its own folder - then run it, scan, save log, then copy and paste the full log file here as a reply.

DO NOT FIX ANYTHING WITH HIJACKTHIS WITHOUT EXPERT ADVICE - MOST OF WHAT IT FINDS IS REQUIRED FOR WINDOWS TO WORK.

ChrisRLG
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 27th, 2005, 4:41 pm

Thanks for your reply. Yesterday I made this Hijackthis-log:

Logfile of HijackThis v1.99.0
Scan saved at 22:36:46, on 26-1-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab

I hope you can help us with this
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 27th, 2005, 5:06 pm

Copy the data from the code box below to a notepad file.

Save to the DESKTOP (so you can find it) as ALL FILES, with the name of KILLTRUSTED.REG

Then double click the file - when it asks say yes to merging with the registry.

Code: Select all
REGEDIT4 

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains] 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains] 

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges] 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges] 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains] 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains] 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges] 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges] 




If you have IE-SPYAD installed it will need to be reinstalled as this will wipe all the trusted and restricted zones from the system.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab


Click on Fix Checked and exit HijackThis.

Post back a fresh HijackThis log and we'll take another look.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Hijackthis log

Unread postby Schonk1 » January 28th, 2005, 9:37 am

I followed your last advice. I don't have IE-spyad.

Logfile of HijackThis v1.99.0
Scan saved at 14:42:35, on 28-1-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 28th, 2005, 9:58 am

Hi there,

My suggestion is so that you can follow all of this, to copy all the text to a wordpad file on your computer.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please download About:Buster from here: http://downloads.malwareremoval.com/AboutBuster.zip. Once it is downloaded extract it to c:\aboutbuster.
We will use that program later in this process.

Next download CWShredder, install. If you already have CWShredder, please delete it and download the latest version.
We will use that program later in this process.

Ok.

Now reboot to safe mode (F8 at boot time).

Run AVG7 let it run one scan - dont let it reboot the machine if it asks.

Then run cwshredder first, hit 'fix' as opposed to 'scan only'. Let it delete all it finds.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so. (It does take a long time to run)

Reboot to normal mode.

Some of the item in the hijackthis fix below may be gone aleady - with luck.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fkaqo.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\fkaqo.dll

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and the about buster log and we'll take another look.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 28th, 2005, 11:10 am

Starting your site still activates AGV two times. In the AVG-window I clicked on mauve every time.

C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 28th, 2005, 11:29 am

That log is not complete - please copy and paste the complete log for me.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 28th, 2005, 11:42 am

I'sorry, but I don't know how that happened. I hope this one is complete

Logfile of HijackThis v1.99.0
Scan saved at 16:51:12, on 28-1-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 28th, 2005, 12:01 pm

hmmmm its all back.

Did you do the hijackthis fix with all windows closed - even all browser windows.

Try this time in safe mode.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\cpdns.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab

Click on Fix Checked and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system\cpdns.dll

Exit Explorer

Now run AVG, AboutBuster and CWShredder.

reboot as normal afterwards. Twice.

Post back a fresh HijackThis log and the about buster log and we'll take another look.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » January 28th, 2005, 12:03 pm

Do you have more than one user account on this machine ?
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 28th, 2005, 1:36 pm

As you advised, I did everything in safe mode. Indeed, we have two internet providers, of which one is hardly used. We can't close the contract we have at this moment. starting in normal mode still AVG activates a warning for the Trojan Horses. I get the feeling that this machine (my brother's) is a great mess, or do we things completely wrong.

Logfile of HijackThis v1.99.0
Scan saved at 18:22:17, on 28-1-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab


Scanned at: 22:45:00 on: 26-1-05


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 28th, 2005, 3:00 pm

well that looks cleam

Try a reboot - twice again - then reboot and do a new HJT log - I want to make sure its not coming back.

Then I will give you some tools to help stop it coming back.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 28th, 2005, 3:53 pm

I did two times a cold start of the system to normal mode. Then I made contact with your site. Every time AVG activated twice with a warning. I moved the intruders to the Vault each time, after which the system seems to work properly. Could it be that AVG is poisened and that an uninstall and new setup could help?

Logfile of HijackThis v1.99.0
Scan saved at 20:42:36, on 28-1-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baria.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baria.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\baria.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baria.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baria.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baria.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 28th, 2005, 4:42 pm

You have a number of files that we would like copies of - to check out and play with.

1. Using Windows Explorer, go to . Locate the first file you want to zip.

C:\WINDOWS\SYSTEM\JAVAQU.DLL

2. Right click on the file and select "Send To" and "Compressed (zipped) Folder".

3. Then locate and right click on


C:\WINDOWS\baria.dll

4. Select "Copy".

5. Right click on the compressed folder and select "Paste". The copied files will be compressed and pasted in.

Note that the folder should have 2 files in it if you found them all.

6. Right click on the zipped folder and select "Explore".

7. In "File" menu select "Add a Password". Enter the password infected and confirm the password.

7. Please email to cjwd-subAThostingatessex.com (Please replace the 'AT' with an '@' )

Please copy the following to the email and attach the zipped file(s) :

The password is "infected".
The thread is found here. http://www.malwareremoval.com/forum/viewtopic.php?t=55

Paste it in the text field.

and send please.

I will then check the file diectly - might even install on my systems to check out what it is doing.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 31 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware