Downloader.Agent.2.BN and other downloader agents! - please help me??

BullGuard Antivirus Forum > Virus Removal > Removal Help > Downloader.Agent.2.BN and other downloader agents! - please help me??

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

gavin3003
New Member

Date Joined Oct 2004
Total Posts : 6

Posted 10-31-2004 5:41 (GMT +1)

I have some downloader agents on my laptop, its running windows 2000NT, My AVg keeps bringing up a message box every few seconds, but AVG wont move them. I've run TDS-3 and it cant clean the files as they are non readable.

I've done the hijackthis and the results are below.

If someone could help, I'd really appreciate it as I'm seriosly behind on my projects!!

Thanks in advance (fingers crossed ) Gavin

Logfile of HijackThis v1.97.7
Scan saved at 4:23:26 PM, on 10/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\apicz32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\JupitCo.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\explorer.exe
G:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\nwkmw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nwkmw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\nwkmw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\nwkmw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\nwkmw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\nwkmw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\nwkmw.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-cache.infoteam.co.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 62.186.228.198;10.0.9.211;10.0.9.90
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B6D55ABF-E936-D3F1-AF9F-2A9350869ABA} - C:\WINNT\appox32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsb.exe] C:\WINNT\system32\winsb.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37918.6819444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = infoteam.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = infoteam.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = infoteam.co.uk

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14307

Posted 10-31-2004 6:38 (GMT +1)

Hey

Please download AboutBuster: http://tools.zerosrealm.com/AboutBuster.zip

Just unzip to Desktop.

Adware http://www.lavasoftusa.com/support/download/

Download this scanner-mwav exe: http://home9.inet.tele.dk/le01/Sikkerhed.htm

Leave the programs.

Show hidden files:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

Please print out the remainder of these directions, as you'll have to proceed in Safe Mode. Now, disconnect to the net.

Reboot into Safe Mode (hit F8 key until menu shows up).

Start-run, type:regedit
Find- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
check for a key called-HOMEOldsp, if present- delete it.
And if you have some files in searchpage/searchbar which end with …\sp delete them
Go to Edit in registry and type - HOMEOldsp. Click-Find Next, delete it-if present.
Use F3 for search more, if you find more- delete them.
Same procedure with-About:blank
Close Registry.

Scan with HijackThis , close all other windows and browsers, and place a checkmark next to these items, and fix:

Double click the AboutBuster.exe file. Click OK, then click Start, then click OK.

This will scan your computer for the bad files and delete them. Save the report it creates (copy and paste it into notepad and save as a .txt file).

Run Adware

we need to configure Ad-aware SE for a full scan. Some of them should be enabled by default, while others you will need to set yourself (see below).

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
Automatically save logfile
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)
Click on the Scanning button on the left and select :
Scan within archives
Scan active processes
Scan registry
-Deep-scan registry
Scan my IE Favorites for banned URLs
Scan my Hosts file
Under Select drives & folders to scan, choose:
Select all of your hard drives that are not selected already
Click on the Advanced button on the left and select:
Include additional object information
Include negligible objects information
Include environment information
Click the Tweak button and select:
Under the Scanning Engine:

2. Unload recognized processes & modules during scan
Under the Cleaning Engine:Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose:
Use custom scanning options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish.
When finished, mark everything for removal and get rid of it. (Right-click on any of the entries and choose Select All from the drop down menu and click Next).

Now run the Scanner, you downloaded from Microworld.
Activate all in settings

Reboot.

Download newer Hijackthis
http://www.download.com/3001-8022_4-10307556.html?idl=n

this should be your first reboot! If you need updates: : http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en

post new Hijackthis log, with AboutBuster log
---------------------------------------------------------------------------

Touch

Member of - Alliance of Security Analysis Professionals

gavin3003
New Member

Date Joined Oct 2004
Total Posts : 6

Posted 10-31-2004 6:50 (GMT +1)

Thanks Touch, I'll be back with you asap

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14307

Posted 10-31-2004 7:06 (GMT +1)

Touch

Member of - Alliance of Security Analysis Professionals

gavin3003
New Member

Date Joined Oct 2004
Total Posts : 6

Posted 10-31-2004 10:07 (GMT +1)

Hi Touch
I've hit a snag, I've downloaded all the apps, but I cannot log on in safe mode as this laptop was part of my redundancy package and as such I dont have admin rights, which I think may be why I cannot log on using my username and password?

Does this sound correct?

Any ideas how to bypass passwords to get into safe mode?

gavin3003
New Member

Date Joined Oct 2004
Total Posts : 6

Posted 11-3-2004 11:48 (GMT +1)

Hi Touch,

Finally getting somewhere, cool

I've followed your instructions, yikes 722 viruses removed using eScan alone!!

Below are the 2 logs you requested:

New Hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 10:42:45 AM, on 11/3/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
C:\Program Files\Sophos SWEEP for NT\SWUPDATE.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\system32\JupitCo.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINNT\system32\wuauclt.exe
G:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = www-cache.infoteam.co.uk:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: InterCheck Monitor.LNK = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37918.6819444444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = infoteam.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = infoteam.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = infoteam.co.uk

AboutBuster log:

-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 6 Random Key Entries
Deleted 2 Service Keys Successfully!
Removed! : C:\WINNT\apicz32.exe
Removed! : C:\WINNT\atlxf32.dll
Removed! : C:\WINNT\iegi32.exe
Removed! : C:\WINNT\javakx.exe
Removed! : C:\WINNT\pdzhc.dat
Removed! : C:\WINNT\rukse.dat
Removed! : C:\WINNT\system32\gynqu.dat
Removed! : C:\WINNT\system32\neted.exe
Removed! : C:\WINNT\system32\sysin32.exe
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Removed 6 Random Key Entries
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!

I really appreciate your assistance in sorting my laptop - Thank You so much, the AVg message is gone, Is this OK now?

Gavin

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 14307

Posted 11-3-2004 12:29 (GMT +1)

Hey Gavin

Yes, you have a clean log.

AboutBuster have done a really good job ;-)

Install these for safer surfing:

http://www.javacoolsoftware.com/spywareblaster.html

http://www.javacoolsoftware.com/spywareguard.html

https://netfiles.uiuc.edu/ehowes/www/resource.htm

http://www.unhsolutions.net/IEPK/index.shtml

My pleasure smilewinkgrin

Touch

Member of - Alliance of Security Analysis Professionals

Forum Information

Currently it is Wednesday, January 07, 2009 2:48 PM (GMT +1)
There are a total of 65.905 posts in 16.171 threads.
In the last 3 days there were 22 new threads and 107 reply posts. View Active Threads