trojan horse backdoor.agent.4 ax - how do I get rid of it?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Crimsona X, Dec 27, 2004.

  1. Crimsona X

    Crimsona X Private E-2

My anti-virus program, AVG, picked up trojan horse backdoor.agent.4 ax.

It says it can't remove the file, so at the moment it's in quarantine.
I've downloaded a fair few tools and the like, but they don't seem to be working.

I'm not sure if this information is useful, but a program I have says this is what the file contains; sorry it's so long XD:

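Strings dumps like the one the poster pasted are mostly C runtime noise, but a few names in them (an autorun Run key, a file download API, process enumeration and termination, and the names of security-product processes) are what a responder actually looks for. As an added triage example (not from the thread or any tool it mentions), this Python script sorts a constructed dump modelled on the poster's into indicator classes; the class mapping and the `looks_like_backdoor` heuristic are assumptions made for this illustration.

```python
import re

# Constructed sample in the style of the strings dump the poster pasted:
# CRT noise mixed with a handful of operationally meaningful names.
SAMPLE_STRINGS = r"""
This program cannot be run in DOS mode.
UserAgent Mozilla/4.0 compatible MSIE 6.0 Windows NT 5.1
/c del
VirtualAlloc
C\WINNT\System32\ewnboq.exe
CreateToolhelp32Snapshot
Process32First
TerminateProcess
URLDownloadToFileA
Software\Microsoft\Windows\CurrentVersion\Run\
JavaUpdate0.07
RegSetValueExA
zlclient.exe
smc.exe
ccapp.exe
"""

# Indicator classes (an assumed mapping chosen for this example). Each entry is a
# regex matched against one whole line of the dump.
INDICATORS = {
    "persistence": [r"CurrentVersion\\Run", r"^RegSetValueExA$"],
    "download": [r"^URLDownloadToFileA$", r"^InternetGetConnectedState$", r"^Urlmon\.dll$"],
    "http_client": [r"^UserAgent ", r"^Host s$"],
    "process_kill": [r"^CreateToolhelp32Snapshot$", r"^Process32(First|Next)$", r"^TerminateProcess$"],
    "av_tamper": [r"^(zlclient|smc|ccapp)\.exe$"],  # ZoneAlarm / Symantec / Norton client processes
    "self_delete": [r"^/c del$"],
    "dropped_path": [r"\\WINNT\\System32\\\w+\.exe$"],
}


def triage(strings_text):
    """Group each line of a strings dump under every indicator class it matches."""
    hits = {cls: [] for cls in INDICATORS}
    for line in strings_text.strip().splitlines():
        s = line.strip()
        for cls, patterns in INDICATORS.items():
            if any(re.search(p, s) for p in patterns):
                hits[cls].append(s)
    return hits


def looks_like_backdoor(hits):
    """Flag a sample that pairs autorun persistence with download or process-kill capability."""
    return bool(hits["persistence"]) and bool(hits["download"] or hits["process_kill"])
```

Run `triage(SAMPLE_STRINGS)` to see which lines land in which class; a real dump from `strings` on the quarantined file can be fed in the same way.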
     
  2. Crimsona X

    Crimsona X Private E-2

I've found the file in my system folder, so I've got its exact location. I don't think it's possible to simply delete the file, but I don't really know XD
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Crimsona X,

    Where there is one piece of Malware, often more can be found, so. . .

    Generally, it is a good idea to start with the Cleanup Tutorial HERE:
    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around too much these days, but somebody will try to take a look when they get a chance.

    Best luck :)
    PP
     
  4. Crimsona X

    Crimsona X Private E-2

Okay, I've followed the steps and from what I know my comp is clean :D so tonight I'll be downloading HijackThis :D
Thanks for the help! I just hope it's gone for good now! :D
     
  5. PhilliePhan

    PhilliePhan Guest

Happy to hear your machine is back to normal :) Please go ahead and send us a HJT log to double-check.


    PP :)
     
