Virus BDL14025, I need help....thanks

Discussion in 'malware problems & news' started by mentalist01, Jul 18, 2004.

Thread Status:
Not open for further replies.
  1. mentalist01

    mentalist01 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    12
    Hi, I'm new here and not very good with technical stuff. Had some relatives using my PC during the week and since then I keep getting virus BDL14025.exe, which can't be removed by any of the usual ways. I have AVG 6.0, Ad-Aware, Spybot and HijackThis, which I am not very familiar with. I also ran Error Nuker and it found several errors on several files, but when it came to fixing them I was required to purchase the product :(

    I read the two posts here about this problem but I can't understand them. The HijackThis log that I saved into documents I can't open to post here!!

    Can I be helped?

    Thank you in advance
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi mentalist01,

    Well, first thing we need is a little more information. I'm assuming it's AVG6 that's giving you the alerts, but can you tell us where exactly the file is located that it's alerting on?

    Secondly, perhaps it'd help if you also posted a HijackThis log so we can see what's what on your system.
     
  3. mentalist01

    mentalist01 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    12
    Hi Mark

    Yes it is avg6 alerting me to the virus

    It just says C:/temp/BDL14025

    I don't know why I can't open the HJT log that I saved. I clicked the open option and nothing. The box says the log file type is an ActiveX plug-in object.
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Without a log there is little we can suggest other than opening the task manager and looking for a running program of that same name, kill the process and try to manually delete the file.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As well as what LWM suggests, have you tried clearing out your "Temp" files? Booting into safe mode and running a scan that way?

    Cheers :D
     
  6. mentalist01

    mentalist01 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    12
    Ok, I think I managed to open the file (I read that it has to be opened in Notepad).
    Thank you guys!!!

    Logfile of HijackThis v1.98.0
    Scan saved at 07:21:50, on 19/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\FMCTRL.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\OPEN SITE\OPENSITE.EXE
    C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\NOADS\NOADS.EXE
    C:\WINDOWS\SYSTEM\WINDAT.EXE
    C:\PROGRAM FILES\FREE HISTORY ERASER\HISTORYERASER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\WINDUPDATES\WINKA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\MSLAGENT\4B_1,0,1,0_MSLAGENT.DLL (file missing)
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WINSB1.DLL
    O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WINSB1.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Q3dctlTray] Fmctrl.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\SYSTEM\pc32.exe bg
    O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
    O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NoAds] "C:\PROGRAM FILES\NOADS\NOADS.EXE"
    O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
    O4 - HKCU\..\Run: [windat.exe] windat.exe
    O4 - HKCU\..\Run: [SPSTEALT] "C:\PROGRAM FILES\FREE HISTORY ERASER\HISTORYERASER.EXE" /stealt
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
    O15 - Trusted Zone: *.greatplugin.com
    O15 - Trusted Zone: http://chat.msn.co.uk
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...9fb906cb2e72:5e17f82db4671e0d17ebad4bf17236ad
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  8. mentalist01

    mentalist01 Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    12
    Will do thanks
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    In the above post you reply:

    mentalist01
    Junior Member Join Date: Jul 2004
    Posts: 8

    Re: Virus BDL14025, I need help....thanks

    I did say I was useless with these technical thingies. Do you mean I should unhide files and run HJT again, then repost the log?

    Be patient with me please



    Keep asking as many questions as you like, you will get the hang of it at some stage. I understand that it may be a little daunting at the moment, however you are now posting in the right forum, and these guys have patience by the truck-load :D

    Cheers :D
     
  11. Just to document this trojan for anyone doing a search on the web for files bdl14025.exe , msbb.exe , optimize.exe , and installer2.exe :

    Somehow, I was redirected to websites www2.flingstone.com and static.flingstone.com where these executables were in the URL, so it downloaded them into my c:\temp and c:\temporary internet files directories. I ran Ad-Aware and it identified these as malware installing small apps in subdirectories it created: c:\program files\internet optimizer and c:\program files\bullseye network. The vendor description that Ad-Aware gave was 180solutions and Bullseye Network. Ad-Aware quarantined these files and asked me to reboot so that it could check the registry. On reboot, Ad-Aware highlighted about 17 registry keys and values that were added and prompted me to remove them. I also ran the "msconfig" command line from Task Manager to see what was added recently at Startup. A new command line was added using rundll32.exe to open a file called bridge.dll in c:\windows\system32. I unchecked this so it wouldn't run at Startup again, but it didn't matter because Ad-Aware had already deleted the bridge.dll file. Also, I noticed that my startup web page was changed, so you might want to point it to open a blank page in Internet Options just in case it redirects you to that trojan again. I ran a retail version of McAfee Anti-Spyware and it said my PC was clean now.

    I don't know if I'll have the same problems tomorrow with these files appearing again, but it looks like Ad-Aware added a fix recently so you might want to update the Ad-Aware database list first before running it.

    And you know why this happened? Because I turned off my ZoneAlarm firewall, McAfee Anti-Spyware, and McAfee AV so they wouldn't interfere with a video editing program I was running at the time. But I forgot to turn them back on when I signed in!!! Oh well, you live and learn. Hope this helps the next guy who has this problem!
     
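    As an added example (not code from the thread, from HijackThis or from Ad-Aware), the script below parses the "Running processes" block and the O4 autorun lines of a log in the format posted in post 6, and checks each path against the file and folder names that post 11 reports Ad-Aware removed. The sample log is a constructed excerpt of the posted log plus one constructed rundll32/bridge.dll autorun line of the kind post 11 describes seeing in msconfig; the name list and the "no directory" heuristic are assumptions for illustration, not vendor signatures.

```python
"""Triage helper for HijackThis-style logs (added example for this thread)."""
import os
import re

# Constructed sample: an excerpt of the log posted in the thread, plus one
# constructed rundll32/bridge.dll line modelled on the msconfig entry in post 11.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
C:\WINDOWS\SYSTEM\WINDAT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/Default.asp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRAM FILES\WINDUPDATES\WINUPDT.EXE
O4 - HKCU\..\Run: [windat.exe] windat.exe
O4 - HKLM\..\Run: [Bridge] rundll32.exe C:\WINDOWS\SYSTEM32\bridge.dll,Load
O4 - Startup: PowerReg Scheduler V3.exe
O15 - Trusted Zone: *.greatplugin.com
"""

# Names post 11 reports as belonging to the infection (assumption: treated
# here as a watch list for substring matching, not as a vendor signature).
REPORTED_NAMES = (
    "bdl14025.exe", "msbb.exe", "optimize.exe", "installer2.exe",
    "bridge.dll", "internet optimizer", "bullseye network",
)

# O4 lines come in two shapes: registry Run keys and Startup-folder items.
O4_RE = re.compile(
    r"^O4 - (?:(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] |Startup: )"
    r"(?P<cmd>.*)$"
)
# Executable token of a Run value: a quoted path, or the shortest prefix that
# ends in a program extension (handles unquoted paths containing spaces).
PATH_RE = re.compile(r'^"([^"]*)"|^(.*?\.(?:exe|dll|com|scr|bat|pif))(?=\s|$)', re.IGNORECASE)


def parse_log(text):
    """Return (running_processes, o4_entries) from a HijackThis-style log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False          # blank line ends the process block
            continue
        if in_procs:
            processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({
                "hive": m.group("hive"),
                "key": m.group("key") or "Startup",
                "name": m.group("name"),
                "cmd": m.group("cmd"),
            })
    return processes, entries


def first_path(cmd):
    """Return the executable part of a Run value, quoted or unquoted."""
    cmd = cmd.strip()
    m = PATH_RE.match(cmd)
    if m:
        return m.group(1) if m.group(1) is not None else m.group(2)
    return cmd.split(None, 1)[0] if cmd else ""


def triage(text):
    """Classify log items.

    'reported'   - processes/autoruns whose path contains a name from REPORTED_NAMES
    'unresolved' - registry autoruns whose executable carries no directory, so
                   Windows resolves it via the search path; verify these by hand
    """
    processes, entries = parse_log(text)
    reported, unresolved = [], []
    for proc in processes:
        if any(n in proc.lower() for n in REPORTED_NAMES):
            reported.append(("process", proc))
    for e in entries:
        if any(n in e["cmd"].lower() for n in REPORTED_NAMES):
            reported.append(("autorun", e["name"] or e["cmd"]))
        exe = first_path(e["cmd"]).replace("\\", "/")
        if e["key"] != "Startup" and not os.path.dirname(exe):
            unresolved.append(e["name"])
    return {"reported": reported, "unresolved": unresolved}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, item in result["reported"]:
        print(f"REPORTED   {kind}: {item}")
    for name in result["unresolved"]:
        print(f"UNRESOLVED autorun: [{name}] has no directory; check by hand")
```

    On the constructed sample this reports the [Bridge] autorun as matching bridge.dll, and lists [windat.exe] and [Bridge] as entries whose executable is resolved through the search path rather than an explicit directory. An entry in the "unresolved" list is not evidence of infection on its own; legitimate Win9x entries such as SysTray.Exe in the posted log look the same, so the point is only that those entries need to be located and checked manually, as LowWaterMark suggests with Task Manager in post 4.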
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    TrojansR4Weiners, great post, thanks for sharing :D

    Cheers :D
     
  13. yeehaa

    yeehaa Guest

    hi all,

    I have the same file, bdl14025.exe, coming back into my temp and temporary internet files every time I open my browser (IE or Firefox, doesn't seem to matter).

    The most amazing thing is that neither Ad-Aware, Spybot, nor Norton AV are picking it up. I only noticed this because my McAfee firewall told me that this program was trying to access the internet.

    I have removed the internet optimizer and bullseye folders, but this bdl file seems to be coming back...

    anyone having a similar problem??

    Thanks!
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Yeehaa

    Please take a look here:

    https://www.wilderssecurity.com/showthread.php?t=45508

    And follow post number 7

    Let us know how you go...

    Cheers :D
     
  15. yeehaa

    yeehaa Guest

    Thanks BlackSpear!

    I actually deleted bridge.dll, and cleared all the temp files - and the files are gone now!

    I am still making sure by scanning with stinger right now.

    Thanks a lot again!
     