TROJ_AGENT.J

Hi,
I'm running XP (Professionnal Edition) and somehow I've contracted the TROJ_AGENT.J virus which has attached itself to "msaeg.dll" file in WINDOWS\SYSTEM32.

The problem I've got is how do I remove msaeg.dll ?

I've followed the instructions from my virus protection (PC-cillin) and Ad-aware 6 without success.
No sucess too with the solution "TROJ_AGENT.J" of Trend Micro.

Has anybody got any ideas on what to do?

Thanks

Patrice
LYON (France)

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 18:54:51, on 16/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Trend Micro\PC-cillin 9\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 9\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 9\WebTrap.EXE
C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Fichiers communs\Sonic Shared\cinetray.exe
C:\Program Files\SpamPal\spampal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CHODEL\Bureau\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dajimn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dajimn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dajimn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dajimn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dajimn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://freebox.free.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dajimn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FF63CBCA-971D-43FF-8CAF-42258CEB2E97} - C:\WINDOWS\System32\dajimn.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Rappels du Calendrier Microsoft Works.lnk = ?
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Voir les cookies - C:\WINDOWS\web\cookies.html
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra button: Organise-notes (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Wanadoo (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://freebox.free.fr/
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.0140277778
O16 - DPF: {ABB08127-7417-11D4-8566-00500448008D} (Chat Class) - http://downloads.winwise.fr/Common/npchatlax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi Patrice,

This is a Coolwebsearch infection. It has a hidden file causing the reinfection, so we need to find that first to remove it and then we can fix the rest

1. Download this free tool called dllfix

here:
http://downloads.subratam.org/dllfix.exe

or here:
http://tools.zerosrealm.com/dllfix.exe

Save it to your desktop

It is a self-extracting archive; double click on it and install.

2. Open the DLLFIX folder and double click on Start.bat.

At the main menu, choose option 1 (Run Find-All) and press *enter*. You will immediately get a prompt asking to continue, choose *ok*.

Let the program run the search (this may take a few minutes)
When finished, it will popup a window saying *Done* and hit ok to view log. Notepad will open and display the log file output.txt

Copy and paste the contents of that log back here.

Attach a copy of the file windows1.txt (scroll down from the reply box and you will see an *Manage attachments* button that will let you attach that file

Close the dllfix.