MajorGeeks Support Forums


Malware Removal forum. Please see the READ ME FIRST thread before you post. The forum is staffed by a small number of volunteers, please be patient.


  #1  
12-26-04, 23:04
Crimsona X (Private E-2, Australia)
trojan horse backdoor.agent.4 ax - how do I get rid of it?

My anti-virus program, AVG, picked up trojan horse backdoor.agent.4 ax.

It says it can't remove the file, so at the moment it's in quarantine.
I've downloaded a fair few tools and the like but they don't seem to be working.

I'm not sure if this information is useful, but a program I have says this is what the file contains, sorry it's so long XD:

This program cannot be run in DOS mode.
Service Pack 2
UserAgent Mozilla/4.0 compatible MSIE 6.0 Windows NT 5.1
Connection close
AcceptEncoding none
UserAgent Mozilla/4.0 compatible MSIE 6.0 Windows NT 5.1
Connection close
AcceptEncoding none
/c del
Error memory allocation bad memory block type.
Invalid allocation size Iu bytes.
Client hook allocation failure.
Client hook allocation failure at file hs line d.
The Block at 0xp was allocated by aligned routines, use _aligned_realloc
Allocation too large or negative Iu bytes.
Client hook reallocation failure.
Client hook reallocation failure at file hs line d.
DAMAGE after hs block
DAMAGE before hs block
Client hook free failure.
The Block at 0xp was allocated by aligned routines, use _aligned_free
hs located at 0xp is Iu bytes long.
hs allocated at file hs
DAMAGE on top of Free block at 0xp.
_heapchk fails with unknown return value
_heapchk fails with _HEAPBADPTR.
_heapchk fails with _HEAPBADEND.
_heapchk fails with _HEAPBADNODE.
_heapchk fails with _HEAPBADBEGIN.
Bad memory block found at 0xp.
_CrtMemCheckPoint NULL state pointer.
_CrtMemDifference NULL state pointer.
Object dump complete.
crt block at 0xp, subtype x, Iu bytes long.
normal block at 0xp, Iu bytes long.
client block at 0xp, subtype x, Iu bytes long.
File Error
Dumping objects
Detected memory leaks
Total allocations Id bytes.
Largest number used Id bytes.
Id bytes in Id hs Blocks.
offset must be within size, 0
alignment must be a power of 2,0
Damage before 0xp which was allocated by aligned routine
The block at 0xp was not allocated by _aligned routines, use realloc
The block at 0xp was not allocated by _aligned routines, use free
Unknown Runtime Check Error
Stack memory was corrupted
char c i 0xFF
Changing the code in this way will not affect the quality of the resulting optimized code.
The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.
RunTime Check Failure
Invalid pointer was assigned at
Stack around the variable
The variable
Local variable used before initialization
Stack memory corruption
Cast to smaller type causing loss of data
Stack pointer corruption
The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention.
Assertion Failed
Assertion failed
Assertion failed
_CrtDbgReport String too long or IO Error
Second Chance Assertion Failed File s, Line d
Microsoft Visual C
Program ss
Press Retry to debug the application
For information on how your program can cause an assertionfailure, see the Visual C
program name unknown
inconsistent IOB fields, stream
_ptr stream
runtime error
TLOSS error
DOMAIN error
This application has requested the Runtime to terminate it in an unusual way.Please contact the applications support team for more information.
Microsoft Visual C
Runtime Error
Buffer overrun detected
Unknown security failure detected
c\Documents and Settings\Owner\Desktop\stuff\default\webcurrent\Debug\nn.pdb
AUS Eastern Standard Time
AUS Eastern Daylight Time
AUS Eastern Standard Time
AUS Eastern Daylight Time
le corupt.Enn
,al 3any
----------------
agBoxAw
NFudo
AmQe
VirtualFree
VirtualAlloc
GetProcAddress
LoadLibraryA
kernel32.dll
abcdefghijklmnopqrstuvwxyz
C\WINNT\System32\ewnboq.exe
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetTimeZoneInformation
SetCurrentDirectoryA
8GetCurrentDirectoryA
aGetFullPathNameA
FindFirstFileA
FileTimeToLocalFileTimeKGetDriveTypeA
FileTimeToSystemTime
FindClose
LCMapStringW
LCMapStringA
SetEndOfFile
GetSystemInfolGetLocaleInfoA
yVirtualProtect
GetCPInfo
SetFilePointer
SetStdHandle
InterlockedExchange
VirtualQuery
GetStringTypeW
GetStringTypeA
kMultiByteToWideChar
FlushFileBuffers
SetConsoleCtrlHandler
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
WideCharToMultiByteOGetEnvironmentStringsW
FreeEnvironmentStringsW
FreeEnvironmentStringsAMGetEnvironmentStrings
UnhandledExceptionFilter
RtlUnwind
GetProcessHeap
vVirtualFreesVirtualAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapAlloc
GetFileType
SetHandleCount
InterlockedIncrement
OutputDebugStringA
InterlockedDecrement
GetStdHandle
GetCommandLineA
GetStartupInfoA
ExitProcesswGetModuleHandleA
RaiseException
DebugBreak
GetSystemTimeAsFileTimes
HeapValidate
IsBadReadPtr
SHELL32.dll,IsBadWritePtr
ShellExecuteExA
SHChangeNotify
RegCreateKeyExA
RegSetValueExA
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegDeleteValueA
GetShortPathNameA
PGetEnvironmentVariableA
lstrcatA
GetCurrentProcess
SetPriorityClass
GetCurrentThread
SetProcessPriorityBoost6SetThreadPriority
GetSystemDirectoryA
HLoadLibraryA
GetProcAddress
FreeLibrary
DeleteFileA
CreateDirectoryA
CreateProcessA
CreateFileAdMoveFileAiGetLastError
ReadFile
WriteFile
GSleep
CreateToolhelp32Snapshot
Process32First
zOpenProcess
Process32NextOTerminateProcess
CloseHandle
GetVersionExAuGetModuleFileNameA
setenv.c
cchCount2
cchCount1
cchCount2
cchCount1
a_cmp.c
wtombenv.c
tzset.c
JanFebMarAprMayJunJulAugSepOctNovDec
SunMonTueWedThuFriSat
drive.c
.exe
.bat
.com
a_map.c
chsize.c
convrtcp.c
_getbuf.c
osfinfo.c
a_str.c
MessageBoxA
GetActiveWindow
GetLastActivePopup
GetUserObjectInformationA
GetProcessWindowStation
f\vs70builds\3077\vc\crtbld\crt\src\vsprintf.c
f\vs70builds\3077\vc\crtbld\crt\src\sprintf.c
A security error of unknown cause has been detected which hascorrupted the programs internal state. The program cannot safelycontinue execution and must now be terminated.
A buffer overrun has been detected which has corrupted the programsinternal state. The program cannot safely continue execution and mustnow be terminated.
Program
Program
Runtime Library
floating point not loaded
not enough space for arguments
not enough space for environment
not enough space for thread data
unexpected multithread lock error
unexpected heap error
unable to open console device
not enough space for _onexit/atexit table
pure virtual function call
not enough space for stdio initialization
not enough space for lowio initialization
unable to initialize heap
This application cannot run using the active version of the Microsoft .NET RuntimePlease contact the applications support team for more information.
a_env.c
stdargv.c
stdenvp.c
onexit.c
stream.c
filename
_open.c
_flsbuf.c
_base
stream
_freebuf.c
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
SOFTWARE\Microsoft\VisualStudio\7.1\Setup\VS
EnvironmentDirectory
ImageNtHeader
CreateToolhelp32Snapshot
EnumProcessModules
GetModuleInformation
Module32First
Module32Next
PDBOpenValidate3
DBIQueryModFromAddr
ModQueryLines
ModClose
unsigned
isctype.c
ioinit.c
szUserMessage
documentation on asserts.
Expression
Line
File
Module
Debug s
Debug Library
wsprintfA
Warning
Error
output.c
null
null
flag
_sftbuf.c
i386\chkesp.c
mscoree.dll
CorExitProcess
sprintf.c
string
fopen.c
fclose.c
Kernel32.dll
IsDebuggerPresent
is being used without being defined.
A variable is being used without being defined.
was corrupted.
File
Line
Module
A cast to a smaller data type has caused a loss of data. If this was intentional, you should mask the source of the cast with the appropriate bitmask. For example
A local variable was used before it was initialized
nBlockUse
_BLOCK_TYPE_IS_VALIDpHead
d at 0xp.
d at 0xp.
lRequest
pHead
nLine
nBlockUse
nBlockUse
pHead
_pLastBlock
pHead
_pFirstBlock
_CrtIsValidHeapPointerpUserData
lRequest
pOldBlock
nLine
pOldBlock
pOldBlock
pNewBlock
fRealloc
fRealloc
pOldBlock
_pLastBlock
pOldBlock
_pFirstBlock
_CrtCheckMemory
dbgheap.c
Free
Normal
Ignore
Client
_file.c
fprintf.c
format
nul
Open
InternetGetConnectedState
s\s.exe
Urlmon.dll
InternetSetCookieA
URLDownloadToFileA
Host s
Host s
WSAGetLastError
Software\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\Microsoft\Cryptography\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
JavaUpdate0.07
zlclient.exe
smc.exe
ccapp.exe
ujih
ujjh
uh,wAjjh
uhjAjjh
tjah
csmu
UkjSu
uhyAjh
uZjhxAjh
uhjAjh
uh,wAjjhwAj
uhjAjjhwAj
QhoAjj
BhxoA
uhlAjh
uhkAjh
uhlAjh
szModule
szComspec
szParams
InterfaceList
nBytesReturned
state
SystemDirectory
StartInfo
ProcInfo
PhiA
RhiA
PhiAhiA
host
buffer
wsda
server
request_message
temp
PhiAhiA
incoming
buffer
path
packet
StartInfo
ProcInfo
sockfd
wsda
server
client
sockfd2
rset
dwDisp
sizei
temp
filename
osvers
length
.text
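One way a responder could triage a strings dump like the one in the post above, as an added example that is not part of this thread and not a tool from the forum or from AVG: a small Python script with a hand-built indicator table run over an excerpt of the strings the poster listed. The table and the groupings it implies (a Run-key write for persistence, URL-download APIs, process enumeration plus termination next to three security-product process names, a "cmd /c del" style self-delete, a six-letter executable dropped into System32, and a developer's .pdb path left in a debug build) are my own reading of those strings, not conclusions the poster or the forum stated. It also handles the fused names in the dump (for example "zOpenProcess" and "Process32NextOTerminateProcess"), where junk bytes precede the import name, by matching on the tail of the line rather than the whole line.

```python
"""Triage a `strings` dump of a suspect binary for behavioural indicators.

Added example for this thread. The indicator table is hand-built for
illustration; the sample input is an excerpt of the strings quoted in the
original post. Import names in such dumps are often fused with stray bytes,
so API patterns use re.search on the line rather than a full-line match.
"""
import re
from collections import defaultdict

# category -> regexes (searched, not full-matched, to survive fused names)
INDICATORS = {
    "persistence": [r"CurrentVersion\\Run\\?$", r"RegSetValueExA$"],
    "downloader": [r"URLDownloadToFileA$", r"^Urlmon\.dll$", r"InternetGetConnectedState$"],
    "raw_sockets": [r"WSAGetLastError$", r"^sockfd2?$", r"^Host s$"],
    "browser_masquerade": [r"^UserAgent Mozilla/"],
    "process_enum": [r"CreateToolhelp32Snapshot", r"Process32(First|Next)"],
    "process_kill": [r"OpenProcess", r"TerminateProcess"],
    "security_product_names": [r"^(zlclient|smc|ccapp)\.exe$"],  # names seen in the dump
    "self_delete": [r"^/c del$", r"^szComspec$"],
    "drop_path": [r"\\System32\\[a-z]{6}\.exe$"],
    "build_artifacts": [r"\.pdb$", r"\\crtbld\\crt\\src\\"],
}

# Derived conclusions: label -> categories that must all be present.
CONCLUSIONS = [
    ("autorun persistence via the Run key", {"persistence"}),
    ("downloader capability", {"downloader"}),
    ("direct socket networking", {"raw_sockets"}),
    ("spoofs a browser User-Agent", {"browser_masquerade"}),
    ("enumerates and terminates processes", {"process_enum", "process_kill"}),
    ("likely tampers with security-product processes",
     {"process_enum", "process_kill", "security_product_names"}),
    ("self-deletes through the command interpreter", {"self_delete"}),
    ("drops a copy into the system directory", {"drop_path"}),
    ("debug build with developer path left in", {"build_artifacts"}),
]

# Constructed sample: an excerpt of the strings quoted in the post.
SAMPLE_DUMP = r"""
UserAgent Mozilla/4.0 compatible MSIE 6.0 Windows NT 5.1
/c del
c\Documents and Settings\Owner\Desktop\stuff\default\webcurrent\Debug\nn.pdb
C\WINNT\System32\ewnboq.exe
RegSetValueExA
CreateToolhelp32Snapshot
Process32First
zOpenProcess
Process32NextOTerminateProcess
InternetGetConnectedState
Urlmon.dll
URLDownloadToFileA
WSAGetLastError
Software\Microsoft\Windows\CurrentVersion\Run\
JavaUpdate0.07
zlclient.exe
smc.exe
ccapp.exe
szComspec
sockfd
""".strip().splitlines()


def classify_line(line):
    """Return the set of indicator categories a single string hits."""
    return {cat for cat, pats in INDICATORS.items()
            if any(re.search(p, line) for p in pats)}


def triage(lines):
    """Map each category to the dump lines that triggered it."""
    findings = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for cat in classify_line(line):
            findings[cat].append(line)
    return dict(findings)


def summarize(findings):
    """Turn raw category hits into human-readable behavioural conclusions."""
    present = set(findings)
    return [label for label, needed in CONCLUSIONS if needed <= present]


if __name__ == "__main__":
    found = triage(SAMPLE_DUMP)
    for cat, hits in sorted(found.items()):
        print(f"[{cat}] {', '.join(hits)}")
    print("Assessment:")
    for conclusion in summarize(found):
        print(" -", conclusion)
```

Run it as-is to see the excerpt scored, or pipe a real `strings` output into `triage(sys.stdin)`. A hit list like this is a prompt for analysis, not a verdict: a legitimate updater also imports URLDownloadToFileA and writes a Run key, so the value is in the combination (enumeration plus termination plus firewall and AV process names, next to a self-delete command) and in the artifacts that help a responder recognise the same build again, such as the .pdb path and the drop filename.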
  #2  
12-26-04, 23:18
Crimsona X (Private E-2, Australia)
Re: trojan horse backdoor.agent.4 ax - how do I get rid of it?

I've found the file in my system folder, so I got its exact location. I don't think it's possible to simply delete the file, but I don't really know XD
  #3  
12-26-04, 23:43
PhilliePhan (Guest)
Re: trojan horse backdoor.agent.4 ax - how do I get rid of it?

Hi Crimsona X,

Where there is one piece of Malware, often more can be found, so. . .

Generally, it is a good idea to start with the Cleanup Tutorial HERE:
READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and save us valuable time.

Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it - you didn't give OS) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder C:\Program Files\HijackThis!

If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

I'm not around too much these days, but somebody will try to take a look when they get a chance.

Best luck
PP
  #4  
12-29-04, 01:27
Crimsona X (Private E-2, Australia)
Re: trojan horse backdoor.agent.4 ax - how do I get rid of it?

Okay, I've followed the steps and from what I know my comp is clean :D so tonight I'll be downloading HijackThis :D
Thanks for the help! I just hope it's gone for good now! :D
  #5  
12-29-04, 13:43
PhilliePhan (Guest)
Re: trojan horse backdoor.agent.4 ax - how do I get rid of it?

Quote:
Originally Posted by Crimsona X
Okay, I've followed the steps and from what I know my comp is clean :D so tonight I'll be downloading HijackThis :D
Thanks for the help! I just hope it's gone for good now! :D
Happy to hear your machine is back to normal. Please go ahead and send us a HJT log to double-check.


PP