[done] Trojan Horse BackDoor.Agent.BA.

Discussion in 'adware, spyware & hijack cleaning' started by Smallfry, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. Smallfry

    Smallfry Registered Member

    Ok, working on a friend's computer and he's had this one for a while.

    AVG pops up about 10 times on startup with the following virus.
    Trojan Horse BackDoor.Agent.BA
    in
    C:\windows\system32\comfc.dll

    AVG cannot heal it or remove it to the virus vault as the file is in use. Restarting in safe mode and running AVG still won't fix it.
    I've run both Ad Aware and SD Spybot (amazing how much junk they find between them) but the virus is still popping up.

    Anyway, here's the HijackThis log.

    Hope you can help.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:08:27, on 07/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {858044B9-1583-42E1-A34C-4B13EA6E09F5} - C:\WINDOWS\System32\dfoaf.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DC95EC47-8E7D-4398-A513-2B44FFEF40B4}: NameServer = 195.92.195.95 195.92.195.94
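The items the helper picks out of a log like the one above follow a few recognisable patterns: IE search settings redirected into a res:// resource inside a DLL, a BHO whose DLL is reported missing, a Run entry starting a system-binary name from somewhere other than System32, and an ActiveX (O16) entry fetched from a local file:// path or a bare IP address. As an added example (not from either poster), here is a small Python triage script that encodes those patterns as rules and runs them over constructed sample lines shaped like the log above; the rules are heuristics of my own, not HijackThis's own logic.

```python
"""Rule-based triage of a HijackThis log (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the same shape as the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {858044B9-1583-42E1-A34C-4B13EA6E09F5} - C:\WINDOWS\System32\dfoaf.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab
"""

# Binaries that legitimately live in System32; the same name elsewhere deserves a look.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe"}

RES_IN_DLL = re.compile(r"=\s*res://.*\.dll/", re.I)
RUN_TARGET = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]+?\.exe)"?(\s|$)', re.I)
LOCAL_FILE = re.compile(r"-\s*file://", re.I)
BARE_IP_URL = re.compile(r"-\s*https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)


@dataclass
class Finding:
    line: str
    reason: str


def classify(line: str) -> Optional[str]:
    """Return why a HijackThis line looks suspicious, or None if no rule fires."""
    section = line.split(" - ", 1)[0]
    if section in ("R0", "R1") and RES_IN_DLL.search(line):
        return "IE search/start setting points at a resource inside a DLL"
    if section == "O2" and line.endswith("(file missing)"):
        return "BHO is registered but its DLL is not visible on disk"
    if section == "O4":
        m = RUN_TARGET.search(line)
        if m:
            parent, _, name = m.group(1).lower().rpartition("\\")
            if name in SYSTEM_BINARIES and not parent.endswith("\\system32"):
                return f"{name} started from {parent} instead of System32"
    if section == "O16":
        if LOCAL_FILE.search(line):
            return "ActiveX download entry points at a local file"
        if BARE_IP_URL.search(line):
            return "ActiveX download served from a bare IP address"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every non-empty line and collect the hits in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line) if line else None
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it flags exactly the five lines the helper asked to have fixed in the next post and leaves the Spybot BHO, the NVIDIA Run entry and the Macromedia download alone; the rules are deliberately narrow, so a clean line that trips one is a prompt to look, not a verdict.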
  2. Taz71498

    Taz71498 Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Hello Smallfry,

    Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

    Run HijackThis again with all browsers closed, check these items and then click on Fix:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dfoaf.dll/sp.html (obfuscated)

    O2 - BHO: (no name) - {858044B9-1583-42E1-A34C-4B13EA6E09F5} - C:\WINDOWS\System32\dfoaf.dll (file missing)

    O4 - HKCU\..\Run: [rundll32] C:\windows\rundll32.exe

    O16 - DPF: {11111111-1111-1111-1111-111111111732} - file://c:\progra~1\pl.exe

    Don't reboot yet.

    Open the program you downloaded (APM)
    In the upper window select explorer.exe
    In the lower window find and right-click C:\WINDOWS\System32\dfoaf.dll
    Select Unload DLL and click OK on the prompts that follow.

    Reboot and scan with AdAware (the first program you downloaded)

    Reboot. Now, do the following

    Copy the contents of the quote box to Notepad.
    Name the file Appinit.bat
    Save as type All Files
    Save on the Desktop.


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Copy and paste that log here along with a new HJT log.
  3. Smallfry

    Smallfry Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Ok, I tried this, however C:\windows\system32\dfoaf.dll was not listed under explorer.exe.

    Here are the log files from HijackThis.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:10:22, on 08/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab

    I've attached the windows.txt file you had me make as it just shows gibberish to me :D

  4. Taz71498

    Taz71498 Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Hello,

    Yes, the file does look like gibberish, but could I ask you to do something?
    Could you copy and paste that windows.txt file here instead of attaching the file this time? One of my computers does not show the file properly and I am finding it easier to just do the copy and paste.
  5. Smallfry

    Smallfry Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    regf       Pugf hbin  ¨ÿÿÿnk, ÏY·.Ä ÿÿÿÿ ÿÿÿÿÿÿÿÿ ¸ x ÿÿÿÿ 0 < 0 x  Windows ÿÿÿsk x x  Ô  „¸ È   ¤       !  €  !  ?          ?               Ðÿÿÿvk  ˜   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  (  h Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þðÿÿÿ9 0  ë=tÀàÿÿÿvk     °ºSpooler2ðÿÿÿy e s
    Ñ_åàÿÿÿvk  €   5swapdisk h ° ð  X Ðÿÿÿvk  à   . TransmissionRetryTimeoutÐÿÿÿvk  €'   p USERProcessHandleQuota4 àÿÿÿh ° ð  X ˆ Ø Øÿÿÿvk <    AppInit_DLLs ÀÿÿÿC : \ W I N D O W S \ S y s t e m 3 2 \ c o m f c . d l l À
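The dump above is a raw registry hive, not a text file: it opens with the regf and hbin signatures and is a chain of vk (value) records, which is what you get when a key is exported with reg save (that Appinit.bat did so is my assumption, since its contents are not in the thread). The value names that are legible in it (DeviceNotSelectedTimeout, GDIProcessHandleQuota, Spooler, swapdisk, TransmissionRetryTimeout, USERProcessHandleQuota) are those of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, and the final record is its AppInit_DLLs value with the UTF-16 string C:\WINDOWS\System32\comfc.dll. Every DLL named there is loaded into each process that loads user32.dll, which is why AVG keeps finding the file in use and why it does not show up as an ordinary startup entry. As an added example (my code, not either poster's), the Python below pulls string values out of such a blob by walking the vk records, so the same check can be run against a saved hive offline. The sample hive is constructed inline with the layout described, and the data-location step is a heuristic (the first UTF-16LE run after the record, which is how a small saved hive lays out its cells) rather than a full resolution of the data offset field.

```python
"""Extract string values from a raw registry hive blob (added example, not from the thread).

Assumes the input is a hive written by reg save: a 4 KiB regf header, hbin blocks,
and allocated cells whose 4-byte size header is negative.
"""
import re
import struct
from typing import Dict, List

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
# vk record after the 2-byte signature: name_len, data_len, data_off, type, flags, spare
VK_HEADER = struct.Struct("<2xHIIIHH")
# printable ASCII encoded as UTF-16LE, at least two characters long
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){2,}")


def list_string_values(blob: bytes) -> Dict[str, str]:
    """Return {value name: string} for every REG_SZ/REG_EXPAND_SZ vk record found."""
    found: Dict[str, str] = {}
    for m in re.finditer(rb"vk", blob):
        off = m.start()
        # A real record sits inside an allocated cell, so the 4 bytes before it are a negative size.
        if off < 4 or struct.unpack("<i", blob[off - 4:off])[0] >= 0:
            continue
        if off + VK_HEADER.size > len(blob):
            continue
        name_len, data_len, _data_off, vtype, flags, _ = VK_HEADER.unpack_from(blob, off)
        name = blob[off + VK_HEADER.size: off + VK_HEADER.size + name_len]
        # flags & 1 means the name is stored as ASCII; only string types carry a data cell we want
        if not (flags & 1) or not name.isascii() or vtype not in (REG_SZ, REG_EXPAND_SZ):
            continue
        run = UTF16_RUN.search(blob, off + VK_HEADER.size + name_len)
        if run and len(run.group(0)) <= (data_len & 0x7FFFFFFF):
            found[name.decode("ascii")] = run.group(0).decode("utf-16-le")
    return found


def appinit_dlls(blob: bytes) -> List[str]:
    """DLL paths named in AppInit_DLLs (the value is space- or comma-separated), if any."""
    value = list_string_values(blob).get("AppInit_DLLs", "")
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


# ---- constructed sample hive, laid out like the dump in the post above ----
def _cell(payload: bytes) -> bytes:
    """Wrap payload in an allocated hive cell: negative size header, 8-byte aligned."""
    payload += b"\x00" * (-(len(payload) + 4) % 8)
    return struct.pack("<i", -(len(payload) + 4)) + payload


def _value(name: str, vtype: int, data: bytes) -> bytes:
    """A vk record and, for string types, the data cell that follows it (DWORDs are inline)."""
    nb = name.encode("ascii")
    if vtype == REG_DWORD:
        hdr = VK_HEADER.pack(len(nb), 4 | 0x80000000, struct.unpack("<I", data)[0], vtype, 1, 0)
        return _cell(b"vk" + hdr[2:] + nb)
    hdr = VK_HEADER.pack(len(nb), len(data), 0, vtype, 1, 0)
    return _cell(b"vk" + hdr[2:] + nb) + _cell(data)


def _sz(text: str) -> bytes:
    return text.encode("utf-16-le") + b"\x00\x00"


SAMPLE_HIVE = (
    b"regf" + b"\x00" * 4092            # header block; its fields are not needed here
    + b"hbin" + b"\x00" * 28
    + _value("DeviceNotSelectedTimeout", REG_SZ, _sz("15"))
    + _value("GDIProcessHandleQuota", REG_DWORD, struct.pack("<I", 10000))
    + _value("Spooler", REG_SZ, _sz("yes"))
    + _value("USERProcessHandleQuota", REG_DWORD, struct.pack("<I", 10000))
    + _value("AppInit_DLLs", REG_SZ, _sz(r"C:\WINDOWS\System32\comfc.dll"))
)

if __name__ == "__main__":
    for name, val in list_string_values(SAMPLE_HIVE).items():
        print(f"{name} = {val}")
    print("AppInit_DLLs entries:", appinit_dlls(SAMPLE_HIVE))
```

The constructed cells reproduce the byte patterns visible in the dump (Ðÿÿÿvk before DeviceNotSelectedTimeout, ðÿÿÿ before the 15, Àÿÿÿ before the comfc.dll path), which is a handy sanity check that the layout assumption holds for this kind of export. On a clean XP system AppInit_DLLs is normally empty, so any path coming back from appinit_dlls() is worth examining.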
  6. Taz71498

    Taz71498 Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Hello,

    Well, we have ourselves a hidden dll that we will have to get rid of.

    There is some info I need from you first. Do you have XP home or XP professional?

    Is your file system NTFS or FAT32? (To check this, all you need to do is go to Start > My Computer, highlight your C drive, right-click on it and choose Properties. You will see File System near the top and it will tell you if it is NTFS or FAT32.)

    When you give me the info, we will proceed with getting rid of that dll, or your problem will just come back.
  7. Smallfry

    Smallfry Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Unfortunately I can't work on the computer for a week now. The friend who owns the PC has gone to Spain for a week and taken his PC home. Sorry to jerk you about, but I'll get back to you once I can get my grubby mitts on his PC again.

    I know he has XP Home and I think he has NTFS, but I can't confirm that yet.
  8. Taz71498

    Taz71498 Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    No problem,

    We will be here :)
  9. Smallfry

    Smallfry Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Ok.

    He has NTFS and XP Home edition.
  10. Taz71498

    Taz71498 Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Hello,

    I'm back. I went on vacation and just got back last night. Sorry for the delay.

    Here is the next step:

    Copy the contents of this quote box into Notepad and save it as hiving.bat

    Now, open and run hiving.bat.

    If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box. Double click on the batch to run it. After a reboot the super hidden nasty file will no longer be loaded and will be visible. This will end the constant reinstall of about:Blank.

    ----------------------
    You run Home and so you will restart into Safe mode.

    Restart into Safe mode and find this file:
    C:\WINDOWS\System32\comfc.dll

    Use the security tab on comfc.dll and take ownership.
    Change the 'everyone special' to
    'you> with Admin rights-> FULL control
    Then try to delete it, if that fails try to rename
    it first to different name+ext.
    Example:
    log.dll>bleh.txt
    bleh.txt > badfile.111

    Once you have successfully deleted the file restart into Regular Windows mode.

    Extract and Run CWShredder immediately.
    Press the fix button to clean.

    Restart and run HijackThis again.

    Post your new log here in your next reply.

    Also please create a new Windows.txt and attach it so we can double-check.
  11. Smallfry

    Smallfry Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Hey, hope you had a nice holiday.

    Threw me a little bit to start with till I realised the forum had changed the program with smileys. Once I fixed them it all ran ok.

    Here's the HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:10:58, on 29/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freeola.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freeola.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://freeola.com
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab

    And here is the Windows.txt

    regf       Pugf hbin  \ W I N D O W S \ s *ÿÿÿnk, °ºŽ²RuÄ ÿÿÿÿ ÿÿÿÿÿÿÿÿ À € ÿÿÿÿ 0 < 0 x  Windowsowsÿÿÿÿÿÿÿÿÿsk € €  Ô  „¸ È   ¤       !  €  !  ?          ?               åZ Ðÿÿÿvk  *   ÀUDeviceNotSelectedTimeoutðÿÿÿ1 5  (  p Ðÿÿÿvk  €'   zGDIProcessHandleQuota"þðÿÿÿ9 0  ë=tÀàÿÿÿvk     °ºSpooler2ðÿÿÿy e s
    Ñ_åàÿÿÿvk  €   5swapdisk p ¸ ø ( ` Ðÿÿÿvk  è   . TransmissionRetryTimeoutÐÿÿÿvk  €'   p USERProcessHandleQuota4 àÿÿÿp ¸ ø ( `  êd
    êe êe êe êe êe êe êe êe êf êf êf êf êf ëf ëf ëf ëf ëg ëg ëg ëg ëg ëg ëg ëg ëg ëh ëh ëh ëh ëh ëh ëh ëh ìh ìi ìi ìi ìi ìi ìi ìi ìi ìj ìj ìj ìj ìj ìj ìj ìj ìj ìk ìk ík ík ík ík ík ík ík íl íl íl íl íl íl íl íl íl ím ím ím ím ím îm îm îm îm în în în în în în în în în îo îo îo îo îo îo îo îo ïo ïp ïp ïp ïp ïp ïp ïp ïp ïp ïq ïq ïq ïq ïq ïq ïq ïq ïq ïr ïr ðr ðr ðr ðr ðr ðr ðr ðs ðs ðs ðs ðs ðs ðs ðs ðs ðt ðt ðt ðt ðt ñt ñt ñt ñt ñu ñu ñu ñu ñu ñu ñu ñu ñu ñv ñv ñv ñv ñv ñv ñv òv òv òw òw! òw! òw! òw! òw! òw! òw! òw! òx! òx! òx" òx" òx" òx" òx" òx" òx" òy" óy" óy# óy# óy# óy# óy# óy# óy# óz# óz# óz# óz$ óz$ óz$ óz$ óz$ óz$ ó{$ ó{$ ó{$ ó{$ ô{% ô{% ô{% ô{% ô{% ô|% ô|% ô|% ô|% ô|& ô|& ô|& ô|& ô|& ô}& ô}& ô}& ô}& ô}& ô}' ô}' õ}' õ}' õ~' õ~' õ~' õ~' õ~' õ~( õ~( õ~( õ~( õ( õ( õ( õ( õ( õ( õ) õ) õ€) ö€) ö€) ö€) ö€) ö€) ö€) ö€* ö€* ö* ö* ö* ö* ö* ö* ö* ö* ö+ ö‚+ ö‚+ ö‚+ ö‚+ ÷‚+ ÷‚+ ÷‚+ ÷‚+ ÷‚, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷ƒ, ÷„- ÷„- ÷„- ÷„- ÷„- ÷„- ÷„- ø„- ø„- ø…. ø…. ø…. ø…. ø…. ø…. ø…. ø…. ø…. ø†. ø†/ ø†/ ø†/ ø†/ ø†/ ø†/ ø†/ ø†/ ø‡/ ù‡0 ù‡0 ù‡0 ù‡0 ù‡0 ù‡0 ù‡0 ù‡0 ùˆ0 ùˆ0 ùˆ1 ùˆ1 ùˆ1 ùˆ1 ùˆ1 ùˆ1 ùˆ1 ù‰1 ù‰1 ù‰1 ù‰2 ú‰2 ú‰2 ú‰2 ú‰2 ú‰2 úŠ2 þ 0‚8X?‚8X?‚úŠ3 úŠ3 úŠ3 úŠ3 ú‹3 ú‹3 ú‹3 ú‹3 ú‹4 ú‹4 û‹4 û‹4 û‹4 ûŒ4 ûŒ4 ûŒ4 ûŒ4 ûŒ5 ûŒ5 ûŒ5 ûŒ5 ûŒ5 û5 û5 û5 û5 û5 û6 û6 û6 û6 üŽ6 üŽ6 üŽ6 üŽ6 üŽ6 üŽ7 üŽ7 üŽ7 üŽ7 ü7 ü7 ü7 ü7 ü7 ü7 ü8 ü8 ü8 ü8 ü8 ü8 ý8 ý8 ý8 ý9 ý9 ý9 ý‘9 ý‘9 ý‘9 ý‘9 ý‘9 ý‘9 ý‘9 ý‘: ý‘: ý’: ý’: ý’: ý’: ý’: ý’: þ’: þ’; þ’; þ“; þ“; þ“; þ“; þ“; þ“; þ“; þ“; þ“< þ”< þ”< þ”< þ”< þ”< þ”< þ”< þ”< ãT ãT ãT ãT ãT ãT ãT ãT ãT ãU ãU ãU ãU ãU ãU ãU ãU ãU ãV ãV ãV äV äV äV äV äV äV äW äW äW äW äW äW äW äW äW äX äX äX äX äX äX åX åX åX åY åY åY åY åY åY åY åY åY åZ åZ åZ åZ åZ åZ åZ åZ åZ æ[ æ[ æ[ æ[ æ[ æ[ æ[ æ[ æ[ æ\ æ\ æ\ æ\ æ\ æ\ æ\ æ\ æ\ æ] æ] æ] ç] ç] ç] ç] ç] ç] ç^ ç^ ç^ ç^ ç^ ç^ ç^
    ç^
    ç^
    ç_
    ç_
    ç_
    ç_
    ç_
    è_
    è_ è_ è_ è` è` è` è` è` è` è` è` è` èa èa èa èa m‘Gh05Ð1á Ñ PSá   üû1á¼ÿ1áÀÿÿÿ»  xE*á N(TO'}O&
    {O&
    {O&
    {O&
    {O&
    {O&
    {O&
    {O&
    {O&
    {O&
    {O&
    {P&
    |I%
    }D% KO3êU5 ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿZ8#ÿX8$ÿt>ÿL'
    ¥aKAí ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿR)ÿS+
    §_I=í ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿQ(ÿS+
    ¦_I=í ÿHHHÿÿÿÿÿÿÿÿÿHHHÿ ÿ ÿ ÿ ÿHHHÿÿÿÿÿ ÿ ÿQ(ÿS+
    ¦_I=í ÿÿÿÿÿHHHÿHHHÿÿÿÿÿ ÿÿÿÿÿ ÿ ÿÿÿÿÿHHHÿ ÿ ÿQ(ÿS+
    ¦[E:í ÿÿÿÿÿ ÿ ÿ ÿ ÿ ÿ ÿHHHÿÿÿÿÿ ÿ ÿ ÿQ(ÿS+
    ¦[E:í ÿÿÿÿÿHHHÿHHHÿÿÿÿÿ ÿÿÿÿÿ ÿÿÿÿÿHHHÿ ÿ ÿ ÿQ(ÿS+
    ¦_I=í ÿHHHÿÿÿÿÿÿÿÿÿHHHÿ ÿ ÿ ÿÿÿÿÿ ÿ ÿ ÿ ÿQ(ÿS+
    ¦^J@í ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿQ)ÿS,
    ¦*uDípZ1ÿv]3ÿv]3ÿv]3ÿv]3ÿv]3ÿv]3ÿv]3ÿv]3ÿv_9ÿv_8ÿv_9ÿl^Aÿ„P*ÿL%¨ÙvíðŒÿíŠÿíŠÿíŠÿíŠÿíŠÿíŠÿíŠÿí‰ÿú³[ÿû*Oÿø³_ÿ£Ž–ÿ¡\9ÿH ‘ŠE
    §·i.î»k1ëºj0êºj0êºj0êºj0êºj0êºj0êºj0ê½o6ê½n5ê¾p7ë°k;ì…I±G& *g:•J
    šK ™K™K™K™K™K™K™K˜J˜JšK™K
    @! ö*

    At least AVG isn't throwing a fit every time a program starts now.
  12. Taz71498

    Taz71498 Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Oh for crying out loud, I can't believe I did that. I meant to wrap that quote in Code tags, not Quote tags. Sorry, glad you figured it out.

    Run HJT again, check these and then click on Fix:

    O4 - HKLM\..\Run: [] C:\WINDOWS\Options\OEMReset.exe /Audit

    O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.98.176.62/EPlugin.cab

    Reboot and post a new log here for final review.
  13. Smallfry

    Smallfry Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Ugh, getting the PC off him to finish this was like pulling teeth. Anyway, here's the log.

    Logfile of HijackThis v1.97.7
    Scan saved at 09:32:33, on 05/08/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freeola.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freeola.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0K2.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB002" /M "Stylus Photo RX500"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O14 - IERESET.INF: START_PAGE_URL=http://freeola.com
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
  14. Taz71498

    Taz71498 Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Hello,

    The log looks good. How are things working now?
  15. Smallfry

    Smallfry Registered Member

    Re: Trojan Horse BackDoor.Agent.BA.

    Heya,

    Everything seems to be running ok now. It's even stopped trying to dial out on boot up.

    Thanks for all your help :)
  16. Taz71498

    Taz71498 Registered Member
