major trojan infection, e.g. downloader.agent.bf and such nasty stuff

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bb4ever, Jul 10, 2004.

  1. bb4ever

    bb4ever Private E-2

    Hello there,

    I have some serious virus problems on my computer and really can't get rid of them all... I tried a lot, after viewing some threads with similar problems.

    I ran hsremove.exe, I used HijackThis and removed all suspicious stuff, I ran an AVG scan, Spybot S&D, etc. etc.

    Here is my HijackThis log:

    Logfile of HijackThis v1.98.0
    Scan saved at 11:13:36, on 10.07.2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programme\Grisoft\AVG6\avgcc32.exe
    C:\Programme\DrWeb for Windows\drwebscd.exe
    C:\PROGRA~1\DRWEBF~1\spiderml.exe
    C:\progra~1\steam\steam.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Programme\DrWeb for Windows\spidernt.exe
    C:\Programme\Grisoft\AVG6\avgw.exe
    C:\HijackThis.exe

    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Programme\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [THGuard] "C:\Programme\TrojanHunter 3.8\THGuard.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [DrWebScheduler] "C:\Programme\DrWeb for Windows\drwebscd.exe"
    O4 - HKLM\..\Run: [SpIDerMail] "C:\PROGRA~1\DRWEBF~1\spiderml.exe"
    O4 - HKLM\..\Run: [ieqz32.exe] C:\WINDOWS\ieqz32.exe
    O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\drwebsp.dll
    O12 - Plugin for .UVR: C:\Programme\Internet Explorer\Plugins\NPUPano.dll
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

    I found out about the virus when I couldn't start up my system, only in safe mode (before I came to the Windows start screen there was a message about a missing file, and then the automatic restart came...).

    Until now the problem has not occurred again, but could you please check my log so I can be really safe?

    MANY MANY THANKS IN ADVANCE!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have at least one visible remnant of the problem:

    O4 - HKLM\..\Run: [ieqz32.exe] C:\WINDOWS\ieqz32.exe

    Fix that line using HijackThis and then boot into safe mode and delete:

    C:\WINDOWS\ieqz32.exe

    There could be more of these files lying around too.

    So your PC is working OK now? No hijacks?
     
  3. bb4ever

    bb4ever Private E-2

    Hi chaslang!

    I just now fixed the line, booted in safe mode and deleted it. But I have to say, I have used my computer for a week now and there were no problems at all...

    But it's better to be on the safe side, so the line is gone ;)

    As of now, I am not aware of any more hijacks!

    Thanks for your help!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! There is a strong possibility that more of those EXEs from this problem are still on your PC. They will most likely not be a problem unless something tries to run one of them. It can be time consuming to look at all the files in your C:\windows, C:\windows\system, and C:\windows\system32 directories to find what this pest has left lying around. Typically there are multiple EXE, DAT, and DLL files. The problem is that there are many valid files with those extensions that belong there too. So it takes a bit of time to separate the good from the bad. Sometimes you can identify them by file modification dates, but not always.

    For now you are probably okay though.
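    An added example, not part of the thread or of any MajorGeeks tool: a PowerShell triage script that does the two things the replies above ask for by hand. It lists the Run-key autostart entries (the same data HijackThis reports as O4 lines, where ieqz32.exe showed up), then lists EXE/DLL/DAT files in the Windows directories whose modification time falls within a window around the date the problem appeared, together with their Authenticode signature status. The date window and the directory list are assumptions to adjust; the script requires PowerShell 3 or later, so it would not run on the XP SP1 machine in the thread as posted, but the procedure it automates is the one chaslang describes.

```powershell
# Added example (not from the thread): autostart and recently-modified-file triage.
# Run from an elevated PowerShell (3.0+) prompt. $InfectionDate is an assumption;
# set it to the day the boot failure first appeared.
param(
    [datetime]$InfectionDate = (Get-Date "2004-07-03"),
    [int]$WindowDays = 7
)

# --- Part 1: autostart entries, the source of HijackThis O4 lines -------------
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)

Write-Host "== Autostart entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds
        if ($p.Name -like "PS*") { continue }
        "{0}  [{1}] = {2}" -f $key, $p.Name, $p.Value
    }
}

# --- Part 2: files in the Windows directories modified near the infection date --
$dirs  = @("$env:SystemRoot", "$env:SystemRoot\system", "$env:SystemRoot\system32")
$start = $InfectionDate.AddDays(-$WindowDays)
$end   = $InfectionDate.AddDays($WindowDays)

Write-Host "== EXE/DLL/DAT files modified between $start and $end =="
Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Extension -in ".exe", ".dll", ".dat" -and
        $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end
    } |
    ForEach-Object {
        # Vendor binaries are normally "Valid"; "NotSigned" in system32 deserves a look
        $sig = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Size          = $_.Length
            Signature     = $sig
        }
    } |
    Sort-Object LastWriteTime |
    Format-Table -AutoSize
```

    The second list is a shortlist, not a verdict: as chaslang notes, modification dates do not always identify the leftovers, because malware can set whatever timestamp it likes and legitimate updates also land in these directories. Treat an unsigned file with a date near the incident as something to hash and look up, not something to delete on sight. Once a file is confirmed bad, the removal is the same sequence as for ieqz32.exe: remove its Run-key value (Remove-ItemProperty on the key above, or the HijackThis "Fix" button), then delete the file from safe mode so nothing has it open.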
     
