Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Blackdoor.small3.bi and Downloader.agent.7.e

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Schonk1 » January 28th, 2005, 4:56 pm

My time is running up. I propose to end our session now and go further tomorrow afternoon. Then I will try to send the files you request. Is that o.k. with you?
Thank you very much for your help up till now. Tomorrow I will back again on the infected machine.
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert
Advertisement
Register to Remove

Unread postby ChrisRLG » January 28th, 2005, 5:01 pm

sure - although this site is still quite smaill and little traffic - I have loads of topics on other forums - and my school need lots of answers for the students - I am only about 24 hours behind :o
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 29th, 2005, 11:16 am

I found both files you mentioned yesterday (Javaqu.dll and Baria.dll). However I did not understand how to get the files, after being zipped en encripted, to you. Do I have to E-mail the files as an attachement and name the password and thread in it, or do you want the complete E-mail in the text-field of this site?

For you information, the file Baria.dll is completely empty (0 bytes).
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby Schonk1 » January 29th, 2005, 11:56 am

In the meantime I have sent you also the E-mail with the zipped and encrypted file Javaqu.dll
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 29th, 2005, 5:20 pm

Do not mind how they come - I am only waiting for your email at present so I will know what it is to do with.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 30th, 2005, 1:23 am

I have sent the E-mail saterday afternoon, using the infected machine of my brother. Both files were zipped and encrypted as you advised (I hope). I'm not so familiar with these techniques. I could not get the file Baria.dll in the attachement. Only Javaqu.dll has been sent. I have sent it to the adress you mentioned in your last advice and I hope you can use it and advice us further. The trouble is that I have to work on my brother's machine. He does not live in the same place as I do.
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 30th, 2005, 1:29 pm

When I try to open those files - my copy of AVG7 goes mad at them - I need to get the infection to my test machine - but will not have access to that till the end of the week. In the meantime:-

I am not sure but am wordering if this malware has combined two different infection methods they have been using seperately in the past.

So could you run this which includes a Norton special fix program. Then post back with that hijackthis log.

Download FxAgentB.exe from http://securityresponse.symantec.com/av ... AgentB.exe and save it to your desktop. After downloading, double-click the FxAgentB file to run it and the program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later. Reboot when done.

Next download CWShredder, install and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, please delete it and download the latest version. Reboot when done.

Then click http://www.lavasoftusa.com/support/download/ to download Ad-Aware SE and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Click "Start", select "Perform Full System scan" and "Next" to start the scan. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HijackThis and post a new log at the forum where you are getting help, together with the FxAgentB log.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 30th, 2005, 3:39 pm

Tomorrow we will try your advise. and post the logfiles. Meanwhile the machine increasingly becomes more infected. The effects of these infections which can hardly be described. This happens every time an internet session is started.
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » January 30th, 2005, 7:21 pm

A suggestion has been made to me (I talk to other experts when I (and they) get a difficault problem).

Try using firefox instead of IE until this is cleared - it is when you use IE that you get reinfected. - so dont use it for now.

Firefox - http://www.mozilla.org/products/firefox/

Second suggestion - when (and if) AVG next finds the malware - don't let it delete it to the voult - let it install - that way I can see the full infection rather than just part of it.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » January 31st, 2005, 2:14 pm

This is the Hijackthis log with all the infection up till now. The vault is included. Afterwards you get another Logfile with the executed advice you gave me on last saterday at GMT 20:47.

Logfile of HijackThis v1.99.0
Scan saved at 19:05:39, on 31-1-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\khyhn.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\khyhn.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\khyhn.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\khyhn.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\khyhn.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\khyhn.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby Schonk1 » January 31st, 2005, 2:52 pm

I executed your advice of last saterday at 20:47. I could'nt download FxAgentB.exe from http://securityresponse.symantec.com/av ... AgentB.exe. Instead of Symantec the IE reported the page was not found. The adress changed (by the Trojan Horse, I think) into res://fkago.dll/http_404.htm.

CWShredder and Adaware SE with the newest updates were already on the system. I used both according your advice, after rebooting each time. Than I used Hijackthis and made a logfile. This logfile is:

Logfile of HijackThis v1.99.0
Scan saved at 19:44:07, on 31-1-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ouqct.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ouqct.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ouqct.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ouqct.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ouqct.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby Schonk1 » January 31st, 2005, 5:19 pm

Now we executed your last advice. We downloaded Mozilla Firefox 1.0, used AVG to heal the eventualy virusses which still could be in the system after downloading Firefox 1.0 with IE. AVG healed the Trojans and put them in the Vault. Than the setup for Firefox was executed. After that we surfed with the firefox browser to internet and appeared that the problem was solved.

Our conclusion is that IE has a savety-leak, which Firefox not has (meanwhile known by most computerfreaks). We give you now the Logfile of Hijackthis:

Logfile of HijackThis v1.99.0
Scan saved at 21:48:22, on 31-1-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab



Though this is a solution, we can understand that you like to go further with your investigation to remove the Trojans from a system with the IE-Browser, so you can instruct your students. At this moment we don't know how we can help you. Do you have enough material to make a removal tool for this case? Do you inform Microsoft about their leakage for the Trojans we got in our system?
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » February 1st, 2005, 4:50 am

I am glad that firefox is providing some relief for you.

I will not be using this as a teaching aid - About:Blank - are very common, BUT unfortunately are almost always unique - they mutate or morph with regular intervals so teaching that is very hard to do. What we do is teach the easier stuff, and only let those who are trained sufficiently do the more difficult ones.

=================

One of my friends has overlooked this topic and has been trying to get his hands on one of the files now in your system, they have found it hard to trace.

ENTER.CAB

In you log it is in one of the last O16's.

You should find it in your temporary internet files - but please search your computer to see if you can find it.

Back to your problem - now using firefox see if you can get that norton tool. I do not hold out much hope that is will help - as I have not yet seen a combination of the two malware versions like that. But to run it will not hurt.

You do need to remove this infection - but the use of firefox instead of IE should make it easier now.

OK

Take a snapeshot with Hijackthis - you by now know which are bad - I will list the current ones - if they change thier name - they are badd - add them to that list yourself to remove.

Safe mode.

Run AVG7
Run CWShredder
Run AboutBuster

Open Hijackthis - close ALL other windows (use a copy of this in wordpad - but close that just before the fix)- check these item - PLUS any new items that add them selves or replace others.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\tzkvh.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {56A43121-F94B-0D52-A4EA-A756169CAF7B} - C:\WINDOWS\SYSTEM\JAVAQU.DLL
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d53492e4/enter.cab

Then fix checked.

Then reboot to normal mode

Do a Hijcakthis log.

Now reboot twice, Open IE between them.

Do a hijackthis log - please post both of them - lets see if that got them
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » February 1st, 2005, 4:58 am

Also provide a HJT log taken in safe mode - a new infection has shown up which only shows properly in safe mode.

This infection normally has lots of R0/R1 lines with a O2 and an O4 with sometimes some O18's.

Your infection has not shown any O4's or O18's all the time that it had been active. That may be because AVG7 is killing them, but it may be because this malware has morphed to hiding in some way.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » February 1st, 2005, 5:02 am

One other suggestion - I know from your flag at this forum that you are Dutch.

We do have some Dutch anti-malware fighters at this forum - they can do some language translations for you, if they are needed.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 44 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware