Trojan horse BackDoor.Agent.BA

Discussion in 'Trojan Defence Suite' started by EMF_CLAN, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. EMF_CLAN

    EMF_CLAN Guest

    This is a nasty worm that runs around the DLL files in the Windows folder. I have searched for 2 weeks solid and have not had one instance of a cure, let alone containment of the worm. Even Norton can detect it; it took AVG to find it, and then it was unable to delete it.

    I ran TDS and, guess what, you all don't even detect this code. Hmmm, a trojan program that doesn't find a trojan; that is odd.


    Let us know what you know...


    Thanks, another trojaned PC...
     
  2. EMF_CLAN

    EMF_CLAN Guest

    I meant to say in the above that NORTON CAN'T DETECT IT.

    I uninstalled Norton and installed AVG to discover the backdoor worm on my PC.
     
  3. EMF_CLAN

    EMF_CLAN Guest

    Also, I assume this all generates from the about:blank browser hijack.

    It does, as IE won't ever go to my own home page.

    I have since installed the Mozilla Firefox browser and made it my default so as to stop the browser hijacking.

    It should be against the law to produce a webpage such as they have; I say prosecute the webpage that it directs us to.
     
  4. EMF_CLAN

    EMF_CLAN Guest

  5. FanJ

    FanJ Guest

  6. EMF_CLAN

    EMF_CLAN Guest

    I have tried to find this file for 8 solid days and cannot even locate it.

    I have scanned 20 times today, every conceivable file, and this is not able to be found. This is rather funny but obtrusive and stealthy: the DLL is unable to be located by Windows search as well as DLL search, but yet it is found every time with AVG. I'm like, WTF is going on... This all generates from the about:blank hijack, I'm sure.
     
  7. EMF_CLAN

    EMF_CLAN Guest

  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi EMF,
    sorry about your problems. This nasty is not a common trojan. See in this thread https://www.wilderssecurity.com/showthread.php?t=39430
    in my reply #2 the solutions I posted, as it needs special treatment to really get rid of it.
    After those instructions please run a new scan (fully updated), with other scanners temporarily closed to give TDS full access to all files on your system: for AVG, open the GUI and uncheck all options before starting the TDS scan with all scan options in there checked.
    There was no need to uninstall Norton, as uninstalling that one can bring other instability to the system. But that's up to you of course. Sorry you did not come here two weeks earlier for the solutions posted here.
    After this you might like to get the HijackThis tool to create a HJT.log; look in that if you see anything astonishing and share that with us please.
    Did the fully updated TDS find anything else?
    If so, right-click on one of the items to save as text (scandump.txt in the TDS directory) and paste that in your next posting.
    Please post back what you experienced.
     
    Last edited: Jul 14, 2004
  9. EMF_CLAN

    EMF_CLAN Guest

    OK, here is one of many posts to come.
    Here is the HJT log:

    Logfile of HijackThis v1.98.0
    Scan saved at 9:14:28 AM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\robbie\Desktop\My Items\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
     
  10. EMF-CLAN

    EMF-CLAN Guest

  11. Jooske

    Jooske Registered Member

    C:\Program Files\Messenger\MSMSGS.EXE
    This line at the bottom I do not trust. I think that's not the normal Messenger, or I am confusing two things now, so don't fix it yet. TonyH recently helped somebody with that entry in the Trojans and Backdoors forum (I think it was), so I have to find that back, as he explained some about it there.

    Further, your log seems so short; did you check all the scan options, or did you snip things out?

    Looking forward to the other logs.
     
  12. EMF-CLAN

    EMF-CLAN Guest

    I run everything on the PC at a minimum; I have almost no services running, etc. I shut them off in Windows management.

    And as for MSN Messenger, that goes away when I shut off MSN. The scan log is fairly short due to the fact that I run almost no services.

    I had in the past had the about:blank problem, but as of late it has not been apparent because, one, I don't use IE. But when I do pop up the IE browser the about:blank is there; not sure why HijackThis isn't showing it, maybe because it isn't my default browser?

    I will post other logs as they become available.
     
  13. EMF-CLAN

    EMF-CLAN Guest

    Logfile of HijackThis v1.98.0
    Scan saved at 10:07:29 AM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\robbie\Desktop\My Items\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\robbie\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7D536075-3D26-4718-903E-C63E565A7195} - C:\WINDOWS\System32\plma.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O18 - Filter: text/html - {0CA83198-2F9F-48B9-9C0A-7EE390972D21} - C:\WINDOWS\System32\plma.dll
    O18 - Filter: text/plain - {0CA83198-2F9F-48B9-9C0A-7EE390972D21} - C:\WINDOWS\System32\plma.dll
     
  14. EMF-CLAN

    EMF-CLAN Guest

    The above is what happens when I use Internet Explorer...
     
  15. EMF-CLAN

    EMF-CLAN Guest

    You will see the about:blank home hijacker; that is deleted often, but I assume it is a faction of the backdoor worm that is in cahoots with the worm.
     
  16. Jooske

    Jooske Registered Member

    https://www.wilderssecurity.com/showthread.php?t=35268
    Found TonyH's posting. I was confusing the good guy you have with the bad guy (if the msg* would have been in Windows).
    Now looking for the rest of what you posted.

    Yes, now I see the sp.html lines you fixed and came back.
    Hmmmmmmmm, did you, after fixing them, disable System Restore, reboot and enable it again to create a new restore point? If not, the nasty keeps coming back.

    Is that pl*.dll file something you know and should be there?

    Didn't you make the HJT log just normal, as it is when you reboot, with everything like it is in your configuration starting up, without closing anything yet?
    As you are rather technical yourself, fortunately, and see the things, you might enjoy the AutoStartViewer from the DiamondCS site, which shows even more of what might be hidden from HJT. Gavin is extremely good at detecting the stuff in that, certainly if in that one you check all options to be posted in the log.
     
    Last edited: Jul 7, 2004
  17. EMF-CLAN

    EMF-CLAN Guest

    I have made a directory on my server and I will post a lot of extra info in this directory, as I don't wanna clutter up the forums you all have worked hard on.

    And another thing: this is greatly appreciated, your lightning quick responses.

    I will still post the regular items you request, but I will also post pics and logs that could clutter up these forums, as they may be unnecessary.

    http://www.emfclan.com/BADSANTA/

    This is the directory for you to view if needed.


    I AM GOING TO BEAT THIS DAMN THING IF IT KILLS ME
     
  18. Jooske

    Jooske Registered Member

    That thing is not going to beat you at all; we'll snipe it out all together!
    Make sure all hidden files and folders are showing too! Folder Options, show hidden files.

    Nice that you use Faber Toys; I love that program.
    Does the thing have a registry key to make it start up again, maybe with other names each time?
     
    Last edited: Jul 7, 2004
  19. EMF-CLAN

    EMF-CLAN Guest


    Yep, all hidden ones are showing.

    Will post results of TDS soon.
     
  20. EMF-CLAN

    EMF-CLAN Guest

    Not sure what this is.


    No, but I will post that as soon as the TDS full super duper scan is done.
     
  21. Jooske

    Jooske Registered Member

    Yeah, the TDS deep searching does take a while, especially if you use other programs at the same time; most people step away from the system to walk the dog, watch football, eat, sleep, go dancing, but you created a wealth of logs in the meantime. :)
    Could have Googled in the forum how other people with that infection solved it (in the adware forum).
    I know for sure those R0 and R1 lines with sp.html are part of the nasty.
    Maybe the file is included in a service you closed manually, so it doesn't show up in the HJT log?
    Can't find info on the plma.dll thing; Googled rather deep for it ....... but no luck yet. Maybe that is the thing?
    What do the properties say on that plma.dll?
    If you have Port Explorer up, does it ever try to connect to the internet?
    If you scan it with anything you have, does it give any alarms? You might like to zip it and submit it to submit@diamondcs.com.au?

    Did Spybot S&D beep on anything?
     
  22. EMF-CLAN

    EMF-CLAN Guest

    Well, we'll see what else, but as of now it found this in the deep, deep scan:

    Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
    File: c:\windows\system32\plma.dll
     
  23. EMF-CLAN

    EMF-CLAN Guest

    This was not identified in the quick scan. I will post more text in my Bad Santa web folder, as other things were found but are not relevant due to programs I was using at the time, or maybe...


    The deep scan discovered these items:

    Scan Control Dumped @ 11:29:02 07-07-04
    (DELETED) Positive identification (embedded in file) (in archive):
    Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: gh0stz_2.04.exe (In c:\documents and settings\robbie\desktop\my items\gh0stz_2.04_islandthunder1.4.zip)

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\robbie\desktop\my items\fireworx\fireworks_mx_installer.exe.exe

    (DELETED) Positive identification (embedded in file) (in archive):
    Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: gh0stz.exe (In c:\documents and settings\robbie\desktop\my items\ghost recon\gh0stz_island_thunder_14.zip)

    (DELETED) Suspicious Filename: Dual extensions
    File: c:\documents and settings\robbie\desktop\tower files\construction\fdot\d7070000.d03.doc

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 239 bytes
    File: c:\documents and settings\robbie\desktop\web server\httpdocs\gods.emfclan.com\httpdocs\albums\users\1036216693:179515460

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 239 bytes
    File: c:\documents and settings\robbie\desktop\web server\httpdocs\gods.emfclan.com\httpdocs\albums\users\1036216693:179515460.bak

    Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
    File: c:\windows\system32\plma.dll
     
  24. Jooske

    Jooske Registered Member

    Now I have grown a little to point at the exact file.
    As I couldn't find the name nor the CLSID in TonyH's list http://www.computercops.biz/CLSID.html I started to think that has to be nasty; I also learned it takes other CLSIDs each time in the several logs I looked at here, so we cannot say in advance "a file with that ID is nasty, so delete"; I wish it were true!

    What I do understand from reading other HJT logs in the "adware cleaning" forum, there are several things to be done, not just:
    * close the plma.dll if it is seen in the TDS process list / Task Manager
    * deleting (fixing in HJT) those R0 and R1 keys with sp.html,
    * deleting those three lines with plma.dll in them
    * and in safe mode delete that plma.dll thing itself.

    I've not seen the O18 Filter in any log..... you see, you're unique here :)

    The point is, I'm no HJT expert, and I am most probably overlooking lots of things and options, and I don't want to endanger your valuable system with possibly wrong advice or a wrong order of the things that have to be done.
    I am not sure if everything has to do with the StartPage nasty itself in those other people's logs, or whether it had to do with other infections and wrongs in their systems, as I saw them using the whole arsenal of CWShredder, Ad-Aware, Spybot S&D and several other tools.
    (I really looked deep, as you notice :) just typing your Backdoor.Agent.BA in the search engine here and pointing to that forum and looking in those threads which got replies or were solved completely.)
    So at this point I don't want to make any wrongs.
    Would you like to post your complete HJT log in that forum yourself with a reference to this thread here?
    (You need to register as a forum member, which is free of course, to be able to post there.)
    I can tell you they really want the most complete HJT log version you can produce, so no killing of services or anything else from your normal startup; they need it all!
     
  25. Jooske

    Jooske Registered Member

    I never delete any file without submitting a zipped or renamed copy to Gavin :)
    The double extensions do not necessarily mean anything bad; it is just a warning, because of the nasties trying to look innocent, as a jpg for instance, with lots of spaces, and in the end it is an executable.

    That possible keylogger, please zip it; submit@diamondcs.com.au is happy to receive it from you.
    (I do see you deleted it, but I hope you have a copy somewhere! (Maybe in the TDS XDynamic.Unpk folder?) Gavin will be most grateful!)
    Has it been zipped only all that time, or was it ever unpacked/installed?
    In case it was only zipped all the time, it was maybe a sleeping giant and most probably hasn't done any harm yet.

    Those NTFS ADS streams: if you drag the files to Notepad, do they show anything like starting with MZ or such? They are on the edge of what might be nothing or maybe something (below 188 bytes can be ignored, below 256 too in most cases, but with infections I wouldn't ignore anything).
    You can zip and submit those too.
     