Trojan horse BackDoor.Agent.BA

This is a nasty worm that runs around the dll files in win folder i have searched for 2 weeks solid have had not one instance of a cure let alone containment of the worm even norton can detect it it took avg to find it and then unable to delete it

i ran tds and guess what you all dont even detect this code, hmmm a trojan prog that dont find a trojan that is odd.


let YS know what you know...


Thanx, another trojaned pc...

 

i meant to say in above that NORTON CANT DETECT IT

i unistalled norton and installed AVG to discover the backdoor worm in my pc

 

Also i assume this all generates from about:blank browser hijack

it does as IE wont ever go to my own home page

i have since installed mozilla firefox browser and made it my default so as to stop the browser hijacking

this should be against the law to produce a webpage such as they have, i saw proscute the webpage that it direct us to

 

her eis a pci i have hosted that shows my tds scanner and then avg picking up the trojan , your trojan remover seems to be spoofed


http://www.emfclan.com/virus/showtroj.JPG


http://www.emfclan.com/virus/showtroj.JPG



http://www.emfclan.com/virus/showtroj.JPG

 

Hi EMF-CLAN,

Could you please send that file wdmnl.dll (zipped) to Gavin:

submit@diamondcs.com.au

 

i have tried to find this file for 8 solid days and cannot even locate it

i have scanned 20 times today every concievable file and this is not able to be found , this is rather funny but obtrusive and stealthy, the dll is unable to be located by win search as well as dll search but yet it is found every time with avg , im like wtf is going on... this all generates from about blank hijack im sure

 

if needed i am on msn messenger at dilligafkid@hotmail.com if real time communication is needed

 

Hi EMF,
sorry about your problems. This nasty is not a common trojan. See in this thread https://www.wilderssecurity.com/showthread.php?t=39430
in my reply #2 the solutions i posted as it needs special threatment to get really rid of it.
After those instructions please run a new scan (fully updated), with other scanners temporary closed to give TDS full access to all files on your system: AVG open the GUI and uncheck all options before starting TDS scan with all scanoptions inthere checked.
There was no need to uninstall Norton, as uninstalling that one can bring other unstability to the system. But that's up to you of course. Sorry you did not come here two weeks earlier for the solutions posted here.
After this you might like to get the Hijackthis tool to create a HJT.log; look in that if you see anything astonishing and share that with us please.
id the fully updated TDS find anything else?
If so, rightclick on one of the items to save as text (scandump.txt in the TDS directory) and paste that in your next posting.
Please post back what you experienced.

 

ok here is one of many post to come
here is hj log

Logfile of HijackThis v1.98.0
Scan saved at 9:14:28 AM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\robbie\Desktop\My Items\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

 

ok now here is a pic of the faber log running and then i activated AVG and it poped up the backdoor trojan

http://www.emfclan.com/virus/7-7-04-avgfind-no-faber-find.JPG


also faber shwed no instance of the backdoor


i will post TDS results with AVGoff as soon as it is finished

 

C:\Program Files\Messenger\MSMSGS.EXE
This line in the bottom i do not trust. I think that's not the normal messenger, or i am confusing two things now, so don't fix it yet. TonyH helped recently somebody with that entry in the trojans and backdoors forum (think it was) so have to find that back as he explained some about it there.

Further, your log seems so short, did you check all the scan options or did you snip things out?

Lookign forward to the other logs.

 

i run a everything on the pc at a minimun i have almost no services running etc i shut them off in win manag.

and as for msn messenger that goes away when i shut off msn , the scan log is fairly shirt due to the fact that i run almost no services

i had in the past had the about blank problem but as of late it has not been aparent because one i dont use ie but when i do pop up the ie browser the about blank is there but not sure why hijack isnt showing it , maybe because it isnt my default browser?

i will post other logs as they become avaliable

 

Logfile of HijackThis v1.98.0
Scan saved at 10:07:29 AM, on 7/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\robbie\Desktop\My Items\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7D536075-3D26-4718-903E-C63E565A7195} - C:\WINDOWS\System32\plma.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Filter: text/html - {0CA83198-2F9F-48B9-9C0A-7EE390972D21} - C:\WINDOWS\System32\plma.dll
O18 - Filter: text/plain - {0CA83198-2F9F-48B9-9C0A-7EE390972D21} - C:\WINDOWS\System32\plma.dll

 

the above is what happens when i used internet explorer...

 

you will see the about home hijacker ,that is deleted often but i assume it is a faction of the backdoor worm that is in cahoots with the worm

 

https://www.wilderssecurity.com/showthread.php?t=35268
Found TonyH's posting. I was confusing the good guy you have with the bad guy (if the msg* would have been in windows)
Now looking for the rest of what you posted.

Yes, now i see the sp.html lines you fixed and came back.
Hmmmmmmmm did you after fixing them disable system restore, reboot and enable it again to create a new restore point? If not, the nasty keeps coming back.

is that pl*.dll file something you know and should be there?

Didn't you make the HJT log just normal as it is when you reboot and just everything like it is in your configuration starting up without closing anything yet?
As you are rather technical yourself fortunately and see the things, you might enjoy the AutoStartViewer from the DiamondCS site, which shows even more what might be hidden for HJT. Gavin is extremely good in detecting the stuff in that, certainly if in that one you check all options to be posted in the log.

 

i have made a directory on my server and i will post alot of extra info in this directory as i dont wanna clutter up the forums you all have worked hard on

and another thing this is greatly appreciated your lightning quick responses

i will still post the regular item u request but i wll also post pics and logs that could clutter up these forums as they may be unessesary

http://www.emfclan.com/BADSANTA/

this is the directory for you to view if needed


I AM GOING TO BEAT THIS DAM THING IF IT KILLS ME

 

That thing is not going to beat you at all, we snipe it out all together!
Make sure all hidden files and folders are showing too! Folder options, show hidden files.

Nice you use Faber Toys, i love that program.
Does the thing have a registry key to make it start up again, maybe with other names each time?

 

yep all hids are showing

post resuilts of tds soon

 

not sure what this is

No but i will post that as soon as the tds full super duper scan is done

 

Yeah, the TDS deep searching does take a while, especially if you use other programs at the same time; most people step away from the system to walk the dog, watch football, eat, sleep, go dancing, but you created a wealth on logs in the meantime.
Could have googled in the forum how other people with that infection solved it (in the adware forum)
I know for sure those R0 and R1 lines with sp.html are part of the nasty.
Maybe the file is included in a service you closed manually so it doesn't show up in the HJT log?
can't find info on the plma.dll thing, googled rather deep for it ....... but no luck yet. Maybe that is the thing?
What do the properties say on that plma.dll?
If you have Port Explorer up, does it ever try to connect to internet?
If you scan it with anything you have, does it give any alarms? You might like to zip it and submit to submit@diamondcs.com.au ?

Did SpybotS&D beep on anything?

 

well well see what else but as of now it found this in the deep deep scan

Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
File: c:\windows\system32\plma.dll

 

this was not identified in the quick scan i will post more text in my web folder of bad santa as other things were found but not relevent due to progs i was using at time , or maybe


the deep scan discovered these items

Scan Control Dumped @ 11:29:02 07-07-04
(DELETED) Positive identification (embedded in file) (in archive):

Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: gh0stz_2.04.exe (In c:\documents and settings\robbie\desktop\my

items\gh0stz_2.04_islandthunder1.4.zip)

Suspicious Filename: Dual extensions
File: c:\documents and settings\robbie\desktop\my

items\fireworx\fireworks_mx_installer.exe.exe

(DELETED) Positive identification (embedded in file) (in archive):

Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: gh0stz.exe (In c:\documents and settings\robbie\desktop\my items\ghost

recon\gh0stz_island_thunder_14.zip)

(DELETED) Suspicious Filename: Dual extensions
File: c:\documents and settings\robbie\desktop\tower

files\construction\fdot\d7070000.d03.doc

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 239 bytes
File: c:\documents and settings\robbie\desktop\web

server\httpdocs\gods.emfclan.com\httpdocs\albums\users\1036216693:179515460

NTFS Alternate Data Stream: ADS Hidden Stream Detected: 239 bytes
File: c:\documents and settings\robbie\desktop\web

server\httpdocs\gods.emfclan.com\httpdocs\albums\users\1036216693:179515460.ba

k

Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
File: c:\windows\system32\plma.dll

 

Now i have grown a little to point at the exact file.
As i couldn't find the name nor CLSID in TonyH's list http://www.computercops.biz/CLSID.html so started to think that has to be nasty; i also learned it takes other CLSID's each time in the several logs i looked at here, so we can not say in advance a file with that ID is nasty so delete, wished it were true!

What i do understand with reading other HJT logs in the "adware cleaning" forum, there are several things to be done, not just
* close the plma.dll if it is seen in TDS process list / Task Manager
* deleting (fixing in HJT) those R0 and R1 keys with sp.html,
* deleting those three lines with plma.dll in it
* and in save mode delete that plmd.dll thing itself.

I've not seen in any log the O18 Filter..... you see, you're unique here

The point is, i'm no HJT expert, and i am most probably overlooking lots of things and options and i don't want to endanger your valuable system with a possible wrong advice or wrong order of the thngs that have to be done.
I am not sure if all has to do with the startpage nasty itself in those other people's logs or that it had to do with other infections and wrongs in their systems, as i saw them using the whole arsenal of CWShredder, Adaware, SpyBotS&D and several other tools.
(i really looked deep as you notice just typing your Backdoor.Agent.BA in the search engine here and pointing to that forum and looking in those threads which got replies or were solved completely)
so at this point i don't want to make any wrongs.
Would you like to post your complete HJT log in that forum yourself with the reference to this thread here?
(need to register as a forum member --which is free of course-- to be able to post there)
Can tell you they really want the most complete HJT log version you can produce so no killing of services or anything else from your normal startup, they need it all!

 

I never delete any file without submitting a zipped or renamed copy to Gavin
The double extensions not necessarily need to mean anything bad, it is just a warning, because of the nasties trying to look innocent as a jpg for instance, lots of spaces and all in the end it is an executable.

That possible keylogger please zip and submit@diamondcs.com.au is happy to receive it from you.
(i do see you deleted it but i hope you have a copy somewhere! (maybe in the TDS XDynamic.Unpk folder?) Gavin will be most grateful!)
Has it been zipped only all that time or was it ever unpacked/installed?
In case it was only zipped all time, it was a sleeping giant maybe and most probably hasn't done any harm yet.

Those NTFS ADS Streams, if you drag the files to notepad, doe they show anything like starting with MZ or such? They are on the edge of what might be nothing or maybe something (below 188 bytes can be ignored, below 256 too in most cases, but with infections i wouldn't ignore nothing)
You can zip and submit those too.