Trojan help! Probably Downloader.agent.al HIJACK log inside

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Flav_cool, Feb 27, 2005.

  1. Flav_cool

    Flav_cool Private E-2

    Hi,

I have already read the tutorial, downloaded all the programs and gone through all the steps and I am posting the HijackThis log as a last resort. Ad-Aware SE detects Downloader.Agent.Al, removes it but it always comes back. I'm also getting the about:blank homepage problem. Also I cannot open My Computer, or any folder from the desktop; instead I have to use Internet Explorer and type in c:\ for example to open c:. Please help, I don't know what to do. In this log the malicious files causing the problems are:

    C:\WINDOWS\system32\netxh32.exe
    C:\WINDOWS\wincq.exe

However, after I delete these and get rid of them, 2 new files will come up taking up the same amount of RAM and doing the same things.
    Also, every time I start Windows, my browser opens up (this is how I can always tell I'm still infected). I also was, but am not anymore, getting an AVG warning about a qzpxp.dll file when I opened Internet Explorer, and it told me it was some sort of trojan. Please help, I don't know how to get this damn thing off my computer!!!!!

    Here is the log:

    Edit by chaslang: Unrequested inline log deleted.
     
    Last edited by a moderator: Feb 27, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:

    Please EXTRACT HijackThis from the ZIP File to a Safer location. Here's how:

    To create a new folder:
    Click START > My Computer > Local Disc C: > Program Files
    Now, RightClick on an Empty Area and select New > Folder & name it HijackThis and ENTER

    To Extract HijackThis:
    Now, Right Click your HijackThis ZIP File and select Extract All > Next > and browse to your newly created HijackThis Folder
    (C:\Program Files\HJT) and click Next.

    Now run HJT from there. Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    The reason HJT needs its own safe folder is so that backups will be safely preserved. That way, if a mistake is made in the removal process, the mistakenly deleted entry can be restored.

    Second:

    Please close ALL browsers when using HJT!


    Third:

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail. Please close these before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT


We are very busy here at MajorGeeks.Com. PhilliePhan, Chaslang or myself will check back when time permits!
     
  3. Flav_cool

    Flav_cool Private E-2

    I have done all of the above, here is the attachment.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:


    Download and run About:Buster & HSRemove..


    Second:


    Post a new HJT log. Let me know if you have any problems with any of the above.
     
    Last edited: Feb 27, 2005
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    Please do not run DelDomains needlessly! There is only one O15 entry.
Running DelDomains deletes all protection that Spybot Immunizes against (same goes for SpywareBlaster and other protections). It is useful in some cases but you need to reimmunize after using it.

    Also, run HSremove first followed by About:Buster and then immediately reboot.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Didn't get it edited in time, :(
     
  7. Flav_cool

    Flav_cool Private E-2

What are you talking about w/ the DelDomains? I've never heard of it. Secondly, to you and the other guy, I have done everything on the tutorial page, which means I have installed and used HSRemove and About:Buster.

My main problem is not being able to open anything off the desktop; drwtsn32.exe comes up and I have to end task it in order to unfreeze the comp after trying to open a folder off of the desktop. My main problem is not the about: empty page but rather the trojan or virus w/ the 2 files in the log. There is no need to repost the log as I have already run HSRemove and About:Buster.

    Thanks,

    Flaviu
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert


You have the about:blank hijacker with many other problems. Please exclude the DelDomains and proceed with running HSRemove & About:Buster. After this, reboot and post a new HJT log. We will take things one at a time.
     
  9. Flav_cool

    Flav_cool Private E-2

    Yes, and I have already solved the about:blank problem once and it has returned. My guess is the trojan reintroduces it after restart. Also,

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!! EDIT:

    Not only can I not open folders off the desktop, but from anywhere other than internet explorer.

    Thanks
     
  10. Flav_cool

    Flav_cool Private E-2

    What do you mean exclude?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

You're not cleaning it thoroughly; there are several steps in removing this. Please work with me and follow my instructions closely. Let's take things one step at a time. Proceed with the HSRemove & About:Buster. Run these 2, reboot and post a new log.

    Note: When running about:buster click update to make sure you have the latest ref file.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Do not download and run it. Proceed to HSRemove and About:Buster. Then post a new log after you reboot.


    Note: When running about:buster click update to make sure you have the latest ref file.
     
  13. Flav_cool

    Flav_cool Private E-2

I did as you requested. As I had anticipated, the about:blank was gone the first few times I opened Internet Explorer, after which it returned... probably because of the trojan that keeps reintroducing it! I have attached the new log.
     

    Attached Files:

  14. Flav_cool

    Flav_cool Private E-2

    BTW the trojan files in this log are:

    C:\WINDOWS\system32\ipni.exe
    C:\WINDOWS\system32\javabq32.exe
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please allow me a moment to analyze your log.

    Please relocate your HJT to a safe location. Run HJT from C:\Program Files\HJT
     
  16. Flav_cool

    Flav_cool Private E-2

I have relocated it. Is it necessary to repost a log?
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, Please allow me a moment to post you a fix :)

Just be sure that HJT is run from this location before clicking fix.
     
  18. Flav_cool

    Flav_cool Private E-2

Thank you very much, you guys are unbelievably fast and professional. I hope you get paid for this help you give so many people...
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    ipni.exe

    javabq32.exe



    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://

    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dscja.dll/sp.html#44768

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dscja.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\dscja.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dscja.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\dscja.dll/sp.html#44768

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dscja.dll/sp.html#44768

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {3C73D315-DD9F-9F82-0398-D2936B2878B2} - C:\WINDOWS\ntek32.dll

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O4 - HKLM\..\Run: [javabq32.exe] C:\WINDOWS\system32\javabq32.exe

    O4 - HKLM\..\RunOnce: [ipni.exe] C:\WINDOWS\system32\ipni.exe

    O15 - Trusted IP range: 213.159.118.226

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/beta/vet_install_popup.pl?1&4&&

    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/f049bf10/enter.cab

O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab

    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab

    O20 - Winlogon Notify: draw32 - draw32.dll (file missing)

    O23 - Service: System Config IEXPLORE (Security) - Unknown owner - C:\WINDOWS\system32\cfg\FireDaemon.exe (file missing)

O23 - Service: Workstation NetLogon Service (? 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\mfcxb32.exe (file missing)



    Again, make sure All Browser Windows are Closed when you Click FIX.



    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:


    C:\WINDOWS\system32\ipni.exe

    C:\WINDOWS\system32\javabq32.exe

    C:\WINDOWS\dscja.dll

    C:\WINDOWS\ntek32.dll


    NEXT:
    Run CCleaner


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Please download: HSFix.zip

    Extract the tool from the ZIP File to a folder you can easily find (preferably in its own folder - like C:\HSFix). It should have a ReadME included with instructions on how to run it and how to collect the log it produces.

    Please run the tool as directed and attach the log it produces.

    Now, Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  20. Flav_cool

    Flav_cool Private E-2

Before I continue I would like to ask you something. The 2 exe files that you said I should try to end task will end task, but they start up again almost instantaneously. I have found a procedure to delete them but I don't know if I should do it or just run and fix w/ HijackThis. Here is what I found I could do previously w/ the other 2 files of the trojan, not these ones. I find them, and press delete, but don't click yes yet. I open Task Manager, end task, and quickly press yes to the delete. It works and they do not reopen unless I reboot and the trojan has a chance to make 2 new files.

    Should I delete the 2 files this way before doing the fix procedure?
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

If you can't end task, proceed with my instructions. You will be deleting them after you fix with HJT so they should be ok. Just proceed!
     
  22. Flav_cool

    Flav_cool Private E-2

    Unfortunately, NOTHING has changed for the better :( All original problems including the about: still exist. :( Also, now I am getting a warning from AVG when opening internet explorer for plijaq.dll as trojan horse Collected.2.F

    I have attached the log from HJFix and the new log from Hijack This.
     

    Attached Files:

  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Did you delete the files I asked you to? If you deleted these they should NOT have come back. Also, make sure System Restore is DISABLED!


    I will post you another fix, PLEASE FOLLOW IT STEP BY STEP!
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    PLEASE MAKE SURE SYSTEM RESTORE IS DISABLED!


    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksnzr.dll/sp.html#44768

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksnzr.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ksnzr.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ksnzr.dll/sp.html#44768

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ksnzr.dll/sp.html#44768

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {397ACE10-AC4F-6D02-B07D-9C18F19A967C} - C:\WINDOWS\sdkwj.dll

    O4 - HKLM\..\Run: [javabq32.exe] C:\WINDOWS\system32\javabq32.exe

    O4 - HKLM\..\RunOnce: [d3hc.exe] C:\WINDOWS\d3hc.exe

    O4 - HKLM\..\RunOnce: [ipni.exe] C:\WINDOWS\system32\ipni.exe


    Again, make sure All Browser Windows are Closed when you Click FIX.



    Now navigate to and DELETE the following if they should remain:


    C:\WINDOWS\d3hc.exe

    C:\WINDOWS\system32\ipni.exe

    C:\WINDOWS\system32\javabq32.exe

    C:\WINDOWS\dscja.dll

    C:\WINDOWS\ntek32.dll

    C:\WINDOWS\system32\ksnzr.dll

    C:\WINDOWS\sdkwj.dll

    C:\WINDOWS\mfcxb32.exe


    NEXT:
    Run CCleaner


    NEXT:

    Run HSFix.zip again while still in Safe Mode.



    NOW
    Reboot to Normal Windows , attach the HSFix log and a new HJT log.
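The two fix lists above (posts 19 and 24) are built by reading an HJT log entry by entry: R0/R1 search and start-page settings redirected to a res:// page inside a local DLL or blanked to about:blank, a missing URLSearchHook, unnamed BHOs and toolbars, O4 autostarts launched straight out of the Windows directory, a trusted IP range, and O20/O23 entries whose file is missing. The Python script below is an added example, not part of this thread or of HijackThis itself: it encodes those triage rules, runs them over a constructed sample made from lines quoted in this thread plus two constructed benign lines, and derives the same list of files the experts asked to have deleted. The allowlist of autostart names is an assumption; everything flagged still needs an analyst's review before anything is fixed.

```python
import re

# Constructed sample log: HJT lines quoted in this thread's fix lists, plus two benign
# lines (a normal start page and an AVG autostart) so the rules have something to leave
# alone. Real logs are longer; anything the parser cannot classify is ignored.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\dscja.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\dscja.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3C73D315-DD9F-9F82-0398-D2936B2878B2} - C:\WINDOWS\ntek32.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [javabq32.exe] C:\WINDOWS\system32\javabq32.exe
O4 - HKLM\..\RunOnce: [ipni.exe] C:\WINDOWS\system32\ipni.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted IP range: 213.159.118.226
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O23 - Service: Workstation NetLogon Service - Unknown owner - C:\WINDOWS\mfcxb32.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Absolute Windows path ending in .exe/.dll; stops at whitespace, brackets and the "/"
# that follows the DLL name inside a res:// URL.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s()\[\]/]+\.(?:exe|dll)", re.IGNORECASE)
# Autostarts launched straight out of these directories get a second look; installed
# software normally lives under Program Files. KNOWN_GOOD_RUN is a hypothetical
# allowlist of autostart names you have already verified by hand.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
KNOWN_GOOD_RUN = {"avg7_cc"}


def parse_hjt(text):
    """Split a log into (section, body) tuples, e.g. ('O4', 'HKLM\\..\\Run: [x] C:\\x.exe')."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_entry(section, body):
    """Return a short reason if the entry matches a hijack pattern, otherwise None."""
    low = body.lower()
    if section in ("R0", "R1"):
        value = body.split(" = ", 1)[1].strip().lower() if " = " in body else ""
        if value.startswith("res://"):
            return "search/start setting points at a res:// page inside a local DLL"
        if value == "about:blank":
            return "start/default page set to about:blank"
        if value in ("", "http://"):
            return "setting blanked out (empty URL)"
        return None
    if section == "R3" and "is missing" in low:
        return "default URLSearchHook removed"
    if section in ("O2", "O3") and "(no name)" in low:
        return "unnamed BHO/toolbar"
    if section == "O4":
        m = re.match(r".*?: \[(.*?)\]\s*(.*)$", body)
        if not m:
            return None
        name, cmd = m.group(1), m.group(2)
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        parent = exe.lower().rsplit("\\", 1)[0]
        if parent in SYSTEM_DIRS and name.lower() not in KNOWN_GOOD_RUN:
            return "unverified autostart launched directly from the Windows directory"
        return None
    if section == "O15":
        return "trusted zone / trusted IP range addition"
    if section == "O20" and "(file missing)" in low:
        return "Winlogon Notify DLL registered but file missing"
    if section == "O23" and ("unknown owner" in low or "(file missing)" in low):
        return "service with unknown owner or missing binary"
    return None


def triage(text):
    """Return [(section, body, reason)] for every entry that trips a rule."""
    findings = []
    for section, body in parse_hjt(text):
        reason = triage_entry(section, body)
        if reason:
            findings.append((section, body, reason))
    return findings


def files_to_inspect(findings):
    """Absolute .exe/.dll paths referenced by flagged entries, deduplicated, in log order."""
    paths = []
    for _, body, _ in findings:
        for p in PATH_RE.findall(body):
            if p not in paths:
                paths.append(p)
    return paths


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for section, body, reason in hits:
        print(f"[{section}] {reason}\n      {body}")
    print("\nFiles to check in Safe Mode with hidden files shown:")
    for p in files_to_inspect(hits):
        print("  ", p)
```

Entries without an absolute path, such as the O20 `draw32.dll (file missing)` line, are flagged but contribute nothing to the file list, which is why the expert's lists name the DLLs from the R1 and O2 lines but not draw32.dll. The constructed AVG line shows the allowlist doing its job: it is an O4 autostart, but it lives under Program Files and has a verified name, so it is left alone.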
     
  25. Flav_cool

    Flav_cool Private E-2

    I believe I followed your instructions but nonetheless I shall try again.

    Also, I am wondering if i should go into msconfig and take these files away from the startup list.
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

It's possible they came back because the process was not ended. But if you deleted them in Safe Mode like I requested they should not have come back unless System Restore is enabled.
     
  27. Flav_cool

    Flav_cool Private E-2

    Also, I am wondering if i should go into msconfig and take these files away from the startup list.
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, HJT will do this when you fix the O4 entries I requested.
     
  29. PhilliePhan

    PhilliePhan Guest

    This infection will keep coming back unless you remove it a certain way. HSFix doesn't apply here. I have a few suggestions, should this latest attempt fail to bear fruit. Just attach a fresh HJT after the latest fix and Do Not Reboot.

    PP:)
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Thanks PP! Guess I am not aware of this infection if HSFix doesn't apply.
     
  31. PhilliePhan

    PhilliePhan Guest

    This is your typical About:Blank - Chas is the pro at removing this! My procedure is a bit different than his, but usually works OK!

    Where did you see the Haxdoor / HorsesServer infection?

    PP :)
     
  32. Flav_cool

    Flav_cool Private E-2

    It worked! Well mostly! I can now reopen folders and the logs look clean. However, My internet explorer still opens up upon startup **automatically** displaying the about: page. Usually internet explorer shouldn't start unless I start it. I guess this can be fixed w/ HSRemove and AboutBuster...
     

    Attached Files:

  33. PhilliePhan

    PhilliePhan Guest

    Glad to hear it! :)
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert


    HJT log in Post 3 & 13

    O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
     
  35. Flav_cool

    Flav_cool Private E-2

    I'm glad to see you're all happy too lol. What do I do about the about:blank still coming up?
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

I'm currently checking your new logs, please give me a moment.


    Did you install Crazy Browser? Do you use it?
     
  37. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After you complete this, reboot and see if any problems remain.

    Let me know :)
     
  38. Flav_cool

    Flav_cool Private E-2

Yea I do use Crazy Browser, I got it long ago and it's basically IE w/ what was a good-at-the-time popup blocker built in.

Thanks, I am now trying the resetting web things. But hold on, do I need to reset, or can I just set the homepage to w/e I want now? Why is it a good idea to reset everything?

    BTW I don't have a *desktop* internet explorer icon.
     
  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

Ok, just checking on the Crazy Browser. As far as the reset settings go, when you have spyware/virus infections, sometimes they can reset your settings to accept anything when you surf the web, letting all of it back on. Doing this will assure settings are default and that you are protected.
     
  40. Flav_cool

    Flav_cool Private E-2

WOW I just saw in my IE settings that security is set to low 8-| Anyways, I don't have a desktop thing and I can't get to the reset!
     
  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Right click on your Desktop, Select Properties, Click the Desktop Tab, Click on Customize Desktop button and put a check mark next to "Internet Explorer"

    This should put your IE icon on your desktop :)
     
  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

The infections will do this from time to time; it's why we ask to default settings, because if you don't, things will come back when you browse ;)
     
  43. Flav_cool

    Flav_cool Private E-2

Ok, I can't get the shortcut back. I did what you said, even tried to uncheck it, apply, then check it back, apply... it's not coming back to the desktop.

    I've never been on a forum where people are so fast it's almost like instant messaging on MSN or AOL lol.
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Go into Control Panel and select Internet Options. Reset everything this way and your icon should reappear :D
     
  45. Flav_cool

    Flav_cool Private E-2

    It sure worked, and I could've gotten to those settings by Tools -> Internet Options ;) And the icon still hasn't reappeared... But mostly I just wanna thank you man, I wish I could share this bowl with you to repay you ;) Peace
     
  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

You're welcome! Glad things are running good :)

    You should see this article on How to Protect yourself from malware!
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still saw this in the last HJT log posted:

    O23 - Service: Workstation NetLogon Service (? 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\mfcxb32.exe (file missing)

    You need to get this service removed!
     
  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Ah! Good Job Chas! :D



    Flav_cool,

    Follow these instructions very closely.

    First:

    Please make a backup of your registry before modifying it.

a. Click Start > Run > Type regedt32 and hit OK

    b. When registry editor opens, Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation NetLogon Service

    If Workstation NetLogon Service exists , right click on it and choose delete from the menu.

    c. Now, Navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Workstation NetLogon Service

    If LEGACY_Workstation NetLogon Service exists then right click on it and choose delete from the menu.

Note: If you have trouble deleting a key, click once on the key name to highlight it. Then click on the Permissions menu option under Security or Edit. Then uncheck "Allow inheritable permissions" and press Copy. Then click on Everyone and put a checkmark in "Full Control". Then press Apply and OK and attempt to delete the key again.



    After you do this, post a new HJT log so I can confirm this service has been removed.
     
