Spyware Cleaning Section Closed!!
Notice: The spyware cleaning (HijackThis) section is closed. Wilders Security no longer provides one on one spyware cleaning assistance. Please see this announcement for a list of websites that provide such services.
#1
I have the hot new hip thing that kids these days are calling the trojan backdoor virus. AVG informed me of this yesterday; it says it's coming from a file titled wdmnmj.dll. I first tried deleting that to no avail, and then later on I found out that the .dll file was completely invisible to me. I tried to make all the hidden files visible by going to the folder options box, but could not find that infected file anywhere. However, AVG still detects it upon startup, my comp, when not running under safe mode, keeps on rebooting itself, and my browser keeps on resetting the homepage and overloading it with funny pop-ups of viruses in dirty positions.

I hate it. Here's my HijackThis log, under safe mode with networking; there seem to be some porn links, and for what it's worth, I swear I've never been to those links before.

Logfile of HijackThis v1.97.7
Scan saved at 12:13:41 AM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pete lee\My Documents\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 66.197.26.230 www.adultrevenueservice.com
O1 - Hosts: 66.197.26.230 www.ccbill.com
O1 - Hosts: 66.197.26.230 www.maximumcash.com
O1 - Hosts: 66.197.26.230 www.freeezinebucks.com
O1 - Hosts: 66.197.26.230 www.silvercash.com
O1 - Hosts: 66.197.26.230 www.freeticketcash.com
O1 - Hosts: 66.197.26.230 www.epiccash.com
O1 - Hosts: 66.197.26.230 www.aebn.net
O1 - Hosts: 66.197.26.230 www.lightspeedcash.com
O1 - Hosts: 66.197.26.230 www.fatpockets.com
O1 - Hosts: 66.197.26.230 www.adultplatinum.com
O1 - Hosts: 66.197.26.230 www.vidsandtoys.com
O1 - Hosts: 66.197.26.230 www.cumfiesta.com
O1 - Hosts: 66.197.26.230 www.nastydollars.com
O1 - Hosts: 66.197.26.230 www.hawgscash.com
O1 - Hosts: 66.197.26.230 www.pure-pornstars.com
O1 - Hosts: 66.197.26.230 www.oxcash.com
O1 - Hosts: 66.197.26.230 www.amateurpages.com
O1 - Hosts: 66.197.26.230 www.milfhunter.com
O1 - Hosts: 66.197.26.230 www.gammae.com
O1 - Hosts: 66.197.26.230 www.captainstabbin.com
O1 - Hosts: 66.197.26.230 www.bignaturals.com
O1 - Hosts: 66.197.26.230 www.sweetmoney.com
O1 - Hosts: 66.197.26.230 www.karasxxx.com
O1 - Hosts: 66.197.26.230 www.albionmedical.com
O1 - Hosts: 66.197.26.230 www.wegcash.com
O1 - Hosts: 66.197.26.230 www.karupspc.com
O1 - Hosts: 66.197.26.230 www.pillsmoney.com
O1 - Hosts: 66.197.26.230 adultrevenueservice.com
O1 - Hosts: 66.197.26.230 ccbill.com
O1 - Hosts: 66.197.26.230 maximumcash.com
O1 - Hosts: 66.197.26.230 freeezinebucks.com
O1 - Hosts: 66.197.26.230 silvercash.com
O1 - Hosts: 66.197.26.230 freeticketcash.com
O1 - Hosts: 66.197.26.230 epiccash.com
O1 - Hosts: 66.197.26.230 aebn.net
O1 - Hosts: 66.197.26.230 lightspeedcash.com
O1 - Hosts: 66.197.26.230 fatpockets.com
O1 - Hosts: 66.197.26.230 adultplatinum.com
O1 - Hosts: 66.197.26.230 vidsandtoys.com
O1 - Hosts: 66.197.26.230 cumfiesta.com
O1 - Hosts: 66.197.26.230 nastydollars.com
O1 - Hosts: 66.197.26.230 hawgscash.com
O1 - Hosts: 66.197.26.230 pure-pornstars.com
O1 - Hosts: 66.197.26.230 oxcash.com
O1 - Hosts: 66.197.26.230 amateurpages.com
O1 - Hosts: 66.197.26.230 milfhunter.com
O1 - Hosts: 66.197.26.230 gammae.com
O1 - Hosts: 66.197.26.230 captainstabbin.com
O1 - Hosts: 66.197.26.230 bignaturals.com
O1 - Hosts: 66.197.26.230 sweetmoney.com
O1 - Hosts: 66.197.26.230 karasxxx.com
O1 - Hosts: 66.197.26.230 albionmedical.com
O1 - Hosts: 66.197.26.230 wegcash.com
O1 - Hosts: 66.197.26.230 karupspc.com
O1 - Hosts: 66.197.26.230 pillsmoney.com
O1 - Hosts: 66.197.93.224 uh-oh.net
O1 - Hosts: 66.197.93.224 www.uh-oh.net
O1 - Hosts: 66.197.93.224 wetcircle.com
O1 - Hosts: 66.197.93.224 www.wetcircle.com
O1 - Hosts: 66.197.93.224 free64all.com
O1 - Hosts: 66.197.93.224 www.free64all.com
O1 - Hosts: 66.197.93.224 richards-realm.com
O1 - Hosts: 66.197.93.224 www.richards-realm.com
O1 - Hosts: 66.197.93.224 richards-realm.com
O1 - Hosts: 66.197.93.224 www.richards-realm.com
O1 - Hosts: 66.197.93.224 hardcorejunky.net
O1 - Hosts: 66.197.93.224 www.hardcorejunky.net
O1 - Hosts: 66.197.93.224 mmm100.com
O1 - Hosts: 66.197.93.224 www.mmm100.com
O1 - Hosts: 66.197.93.224 mature-post.com
O1 - Hosts: 66.197.93.224 www.mature-post.com
O1 - Hosts: 66.197.93.224 elephant-list.com
O1 - Hosts: 66.197.93.224 www.elephant-list.com
O1 - Hosts: 66.197.93.224 sleazydream.com
O1 - Hosts: 66.197.93.224 www.sleazydream.com
O1 - Hosts: 66.197.93.224 call-kelly.com
O1 - Hosts: 66.197.93.224 www.call-kelly.com
O1 - Hosts: 66.197.93.224 chubbyland.com
O1 - Hosts: 66.197.93.224 www.chubbyland.com
O1 - Hosts: 66.197.93.224 blitzpics.com
O1 - Hosts: 66.197.93.224 www.blitzpics.com
O1 - Hosts: 66.197.93.224 bondagewizard.com
O1 - Hosts: 66.197.93.224 www.bondagewizard.com
O1 - Hosts: 66.197.93.224 pichunter.com
O1 - Hosts: 66.197.93.224 www.pichunter.com
O1 - Hosts: 66.197.93.224 male-movies.com
O1 - Hosts: 66.197.93.224 www.male-movies.com
O1 - Hosts: 66.197.93.224 silent-screams.com
O1 - Hosts: 66.197.93.224 www.silent-screams.com
O1 - Hosts: 66.197.93.224 citizencane.org
O1 - Hosts: 66.197.93.224 www.citizencane.org
O1 - Hosts: 66.197.93.224 persiankitty.com
O1 - Hosts: 66.197.93.224 www.persiankitty.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {E7637F29-F66E-4C47-A095-F645337ABB25} - C:\WINDOWS\System32\bahba.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\eDonkey2000.exe -t
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKLM\..\Run: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKLM\..\Run: [xload32] C:\WINDOWS\System32\netdd.exe
O4 - HKLM\..\Run: [Digital Patrol Update 5] C:\Program Files\Proantivirus Lab\Digital Patrol Scanner 5.0\update.exe /autoupdate
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [a] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\RunServices: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: 下載編碼內容(&D.S.Lite) - C:\Documents and Settings\pete lee\My Documents\DSLite2.04\DSLite2\dl_text.html
O8 - Extra context menu item: 下載編碼檔案內容(&D.S.Lite) - C:\Documents and Settings\pete lee\My Documents\DSLite2.04\DSLite2\dl_url.html
O8 - Extra context menu item: 使用影音傳送帶下載 - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: NetAnts (HKLM)
O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: D.S.Lite (HKLM)
O9 - Extra 'Tools' menuitem: &D.S.Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...tx/install.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...67/mcfscan.cab
#2
Hi nomoretitanic,
Check the following items in HijackThis. Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {E7637F29-F66E-4C47-A095-F645337ABB25} - C:\WINDOWS\System32\bahba.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\netda.exe
O4 - HKLM\..\Run: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKLM\..\Run: [xload32] C:\WINDOWS\System32\netdd.exe
O4 - HKLM\..\RunServices: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKCU\..\Run: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\RunServices: [Socket Utility] C:\WINDOWS\System32\svchostz.exe
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...tx/install.cab

Then reboot into safe mode and delete:

C:\Program Files\ClearSearch <= entire folder
C:\WINDOWS\System32\svchostz.exe
C:\WINDOWS\System32\netdd.exe
C:\WINDOWS\System32\netda.exe
C:\install.cab

Then find C:\WINDOWS\System32\drivers\etc\hosts and rename it to hosts.bak

Copy the contents of the bold text to Notepad. Name the file Appinit.bat
Save as type *All Files*
Save on the Desktop.

Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
ren windows1.hiv windows.txt

Double click on Appinit.bat
This will create a file on the desktop named windows.txt
Post the content please.

Regards,
Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
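The triage Pieter does by eye on the log above can be scripted. The Python below is an added example, not code from the thread or from HijackThis: it parses a few constructed lines in HijackThis O1/O4 format modelled on this log and flags the three patterns his fix list targets: many hostnames pinned to one non-loopback IP in the hosts file, an autostart image whose filename mimics a genuine System32 binary (svchostz.exe next to the real svchost.exe), and one image registered under several Run/RunServices keys. The SYSTEM_NAMES set and the 0.85 similarity threshold are my assumptions.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
# Constructed sample in HijackThis format, modelled on a few entries from the thread's log.
SAMPLE_LOG = """\
O1 - Hosts: 66.197.26.230 www.ccbill.com
O1 - Hosts: 66.197.26.230 www.silvercash.com
O1 - Hosts: 66.197.26.230 ccbill.com
O1 - Hosts: 66.197.93.224 pichunter.com
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [Socket Utility] C:\\WINDOWS\\System32\\svchostz.exe
O4 - HKLM\\..\\RunServices: [Socket Utility] C:\\WINDOWS\\System32\\svchostz.exe
O4 - HKCU\\..\\Run: [Socket Utility] C:\\WINDOWS\\System32\\svchostz.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
""".splitlines()
# Assumed list of genuine System32 process names that malware imitates (svchostz.exe vs svchost.exe).
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "smss.exe", "ctfmon.exe"}
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+):\s+\[[^\]]*\]\s+\"?([^\"]*?\.exe)\"?(?:\s|$)")

def hosts_redirects(lines, min_names=2):
    """Non-loopback IPs that several hostnames are pinned to: the hijacked-hosts pattern in the log."""
    by_ip = defaultdict(list)
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and not m.group(1).startswith("127."):
            by_ip[m.group(1)].append(m.group(2))
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}

def run_entries(lines):
    """(hive, key, image path) for every O4 autostart line, quotes and arguments stripped."""
    return [m.groups() for m in map(RUN_RE.match, lines) if m]

def lookalike_binaries(lines, threshold=0.85):
    """Autostart images whose filename closely resembles, but is not, a genuine System32 name."""
    hits = set()
    for _hive, _key, path in run_entries(lines):
        name = path.rsplit("\\", 1)[-1].lower()
        if name not in SYSTEM_NAMES and any(
                SequenceMatcher(None, name, s).ratio() >= threshold for s in SYSTEM_NAMES):
            hits.add(name)
    return sorted(hits)

def redundant_autostarts(lines, min_keys=2):
    """One image registered under several Run/RunServices keys, as Socket Utility is in the log."""
    keys = defaultdict(set)
    for hive, key, path in run_entries(lines):
        keys[path.lower()].add(hive + "\\" + key)
    return {p: sorted(k) for p, k in keys.items() if len(k) >= min_keys}
```

On the sample, hosts_redirects reports only 66.197.26.230, lookalike_binaries returns svchostz.exe, and redundant_autostarts lists the three Run keys that svchostz.exe is registered under; the same functions accept the full log split into lines.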
#3
windows.txt returns me a bunch of gibberish. Is this what you were asking for?
#4
Hey, somehow I just found the infected mdmnmj.dll file when I logged on as the administrator under safe mode. I deleted the file and then used CWShredder, and now the problem seems to be solved: AVG does not warn me anymore, and the homepage isn't hijacked anymore. Should I celebrate right now, or might my computer still be infected?