DOWNLOADER 2 BM AND 2 BO - Free Antivirus Forum

DOWNLOADER 2 BM AND 2 BO

BullGuard Antivirus Forum > Virus Removal > Removal Help > DOWNLOADER 2 BM AND 2 BO

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

solarshining
New Member

Date Joined Nov 2004
Total Posts : 5

Posted 11-13-2004 1:55 (GMT +1)

Somehow my pc has been infected by the dreaded trojan horse virus downloader agent 2 bm and downloader agent 2 bo...

What can I do, How can I get rid of this, Can I get rid of it?

Can someone assist me with fixing this problem, I have windows NT, and I'm not really educated in pc technical problems! Please HElp,!!!!

solarshining
New Member

Date Joined Nov 2004
Total Posts : 5

Posted 11-13-2004 2:05 (GMT +1)

My log file

Logfile of HijackThis v1.97.7
Scan saved at 5:01:28 AM, on 11/13/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
d:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\BrmfRsmg.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
D:\Program Files\ahead\InCD\InCD.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Documents and Settings\Aldous Huxley\Application Data\sact.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
D:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\WINNT\System32\dllhost.exe
C:\WINNT\System32\msdtc.exe
C:\Documents and Settings\Aldous Huxley\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\wrpjy.dll/sp.html#33111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {F83BAA6A-B7B6-4EDF-D198-3BB291E94A5C} - C:\WINNT\msho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINNT\Downloaded Program Files\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] d:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [crub] C:\WINNT\crub.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Anua] C:\Documents and Settings\Aldous Huxley\Application Data\sact.exe
O4 - HKCU\..\Run: [Hqx] C:\WINNT\System32\w?wexec.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37961.9965277778
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{938826F2-71AF-4F73-A071-00D1F88E399F}: NameServer = 192.168.69.1

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14307

Posted 11-15-2004 1:28 (GMT +1)

Hey

Please download AboutBuster: http://tools.zerosrealm.com/AboutBuster.zip

Just unzip to Desktop.

Adware http://www.lavasoftusa.com/support/download/

Download this scanner – mwav exe: http://home9.inet.tele.dk/le01/Sikkerhed.htm
http://www.spywareinfo.dk/download/mwav.exe

Download these files: http://www.spywareinfo.com/~merijn/winfiles.html#control
Write down their location

Leave the programs.

Show hidden files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

Disable System Restore

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

Please print out the remainder of these directions, as you'll have to proceed in Safe Mode. Now, disconnect to the net.

Reboot into Safe Mode (hit F8 key until menu shows up).

Start-run, type:regedit
Find- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
check for a key called-HOMEOldsp, if present- delete it.
And if you have some files in searchpage/searchbar which end with …\sp delete them
Go to Edit in registry and type - HOMEOldsp. Click-Find Next, delete it-if present.
Use F3 for search more, if you find more- delete them.
Same procedure with-About:blank
Close Registry.

Scan with HijackThis , close all other windows and browsers, and place a checkmark next to these items, and fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\wrpjy.dll/sp.html#33111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\wrpjy.dll/sp.html#33111
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Double click the AboutBuster.exe file. Click OK, then click Start, then click OK.

This will scan your computer for the bad files and delete them. Save the report it creates (copy and paste it into notepad and save as a .txt file).

Run Adware

we need to configure Ad-aware SE for a full scan. Some of them should be enabled by default, while others you will need to set yourself (see below).

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
Automatically save logfile
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)
Click on the Scanning button on the left and select :
Scan within archives
Scan active processes
Scan registry
-Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file
Under Select drives & folders to scan, choose:
Select all of your hard drives that are not selected already
Click on the Advanced button on the left and select:
Include additional object information
Include negligible objects information
Include environment information
Click the Tweak button and select:
Under the Scanning Engine:

2. Unload recognized processes & modules during scan
Under the Cleaning Engine:Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose:
Use custom scanning options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.
When finished, mark everything for removal and get rid of it. (Right-click on any of the entries and choose Select All from the drop down menu and click Next).

Now run the Scanner, you downloaded from Microworld.
Activate all in settings

Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp.
C:\Windows\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <<<This will delete your files in your internet cache--including cookies.
C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
Empty your "Recycle Bin"

There are usally a couple of files that you will not be able to delete..this is normal.

Install the files from Spyware info, if needed

Reboot. Please update Hijackthis, or download a new version: : http://danborg.org/spy/HJT/hijackthis.exe

this should be your first reboot! If you need updates: : http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en

post new log, with AboutBuster log
---------------------------------------------------------------------------

Touch

Member of - Alliance of Security Analysis Professionals

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14307

Posted 11-26-2004 8:57 (GMT +1)

Please go offline

Scan with HijackThis , close all other windows and browsers, and place a checkmark next to these items, and fix:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ilwri.dll/sp.html#33111
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ilwri.dll/sp.html#33111
O2 - BHO: (no name) - {F83BAA6A-B7B6-4EDF-D198-3BB291E94A5C} - C:\WINNT\msho.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [crhj32.exe] C:\WINNT\crhj32.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKCU\..\Run: [Hqx] C:\WINNT\System32\w?wexec.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\ljryslwk.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

Reboot into Safe Mode - hit F8 key untill menu shows up

Find and delete:
C:\WINNT\system32\ilwri.dll/sp.html
C:\WINNT\msho.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINNT\crhj32.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\WINNT\System32\w?wexec.exe
C:\Program Files\Internet Explorer\ljryslwk.exe

Reboot and post new log- in this thread, it is confusing when you post it, as new topic ;-)

Touch

Member of - Alliance of Security Analysis Professionals

Forum Information

Currently it is Wednesday, January 07, 2009 11:32 AM (GMT +1)
There are a total of 65.902 posts in 16.171 threads.
In the last 3 days there were 22 new threads and 106 reply posts. View Active Threads