Downloader agent.11.q, etc.

Discussion in 'Malware Help (A Specialist Will Reply)' started by budtee, May 14, 2005.

  1. budtee

    budtee Private E-2

    I am having what I think is a common problem and after much searching, it seems that running HijackThis and getting some help with the logfile has been the answer. I am new to this site and apologize if I don't observe protocol. I have downloaded and run HijackThis and have saved the logfile and need help to analyze/fix the problem. The symptoms are that my Internet Explorer homepage is continually changed to about:blank and I get AVG messages showing downloader agent.11.q, 11.d and startpage.19n. I have tried to delete or quarantine them but they continue. I have also run CWShredder, Ad-Aware, Spybot Search and Destroy and AVG antivirus. All are current.

    There was a note on this site regarding unrequested hijack this logfiles so I have not included it.

    Can someone please help me?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Sounds to me as if you're infected with the about:blank hijacker. Let's take this slow and get it removed.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. budtee

    budtee Private E-2

    I have followed the instructions in the "READ ME FIRST BEFORE ASKING FOR SUPPORT". There were a couple of glitches. I have Windows ME and I found no Safe Boot with Networking Support, so I ran the online scans from a normal boot. The Symantec scan showed a file C:\recycled\Q330995.exe infected with Adware.CWSIEFEATS. There was no option to clean it unless I was supposed to buy the software offered. CWShredder showed about 20 CoolWeb items that were deleted. (I think)
    I assume that Buster was supposed to take care of the about:blank problem, but it is still there, as are the many alerts that I get from my AVG antivirus. They are mostly downloader agent.11.q and downloader agent.12.d, although they show up from many different files. I used the option to delete the file when they come up, but it continues to happen.

    I will appreciate any help you can give me.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this file: SpSeHjfix109

    Unzip it to your desktop or to a folder.

    Boot into Safe Mode

    Start SpSeHjfix, click on " Desinfecton starten" (the other button means close) then it will reboot and finish the cleaning.

    Run SpSeHjfix one more time.

    Reboot in Normal mode.

    Run HijackThis again and post a new log. Also post the log from SpSeHjfix, the log should be on your desktop or the same folder as SpSeHjfix.
     
  5. budtee

    budtee Private E-2

    I ran the SpSeHjfix as you said. I ran it both times in Safe Mode. (Internet Explorer has been coming up automatically during boot with the about:blank address. During the boot after running the SpSeHjfix, I got an Internet Explorer error message.) Also, the SpSeHjfix recommended that I use a different browser. Do you agree? Any suggestions?

    During the internet connection to send this message, a couple of downloader error notifications appeared.

    I also ran HijackThis and both logs are enclosed.

    Thanks for your help.
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ojmuw.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ojmuw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\ojmuw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ojmuw.dll/sp.html#28129
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\ojmuw.dll/sp.html#28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ojmuw.dll/sp.html#28129

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {FA9B33EE-6AA5-0861-55D2-E2A766D4C7CC} - C:\WINDOWS\CREH32.DLL

    O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    O4 - HKLM\..\Run: [IPRL32.EXE] C:\WINDOWS\SYSTEM\IPRL32.EXE

    O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
    O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System\IPRL32.exe

    C:\WINDOWS\System\ojmuw.dll

    C:\WINDOWS\CREH32.dll

    C:\ied_s7.cab

    C:\x.cab

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.


    After doing ALL of the above, Scan with HijackThis and attach the new log.
     
  7. budtee

    budtee Private E-2

    Thank You!
    There is a definite improvement. I.E. did not come up when I last booted.
    Thus far I have not gotten any trojan horse downloader agent warnings from AVG Antivirus.

    Yesterday I decided to back up some files in case of a catastrophe and my Adaptec DirectCD Wizard is telling me there is no supported CD-R/CD-RW drive. If I put a CD in the drawer, I keep getting a message saying to put a CD in. Don't know if this is a coincidence or not.

    Also, do you have any advice on an alternate browser or do you feel that I.E. is OK?

    Latest HJT log file is enclosed.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    As far as another browser, I would recommend Mozilla Firefox 1.04 as it's safer than IE.

    Are you having any further problems?
     
  9. budtee

    budtee Private E-2

    Do you think that the problem with my CD/RW could be related to the downloader virus? I did not have any problem prior to the last couple days. Control panel/system/device says that it is functioning properly.

    I am writing this from work and have only tried my computer the one time last night when I posted the last thread, but I didn't see any problem.

    Also, I am using AVG antivirus. Any recommendations? Do I need a firewall? My ISP didn't seem to think so.

    This service and your help were a lifesaver. Thanks again.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What problem are you having with your CD/RW drive??

    Yes, you need a firewall. Please see the thread below for more information.

    How to Protect yourself from malware!
     
  11. budtee

    budtee Private E-2

    Booted up tonight and went on the internet. During that process, my AVG antivirus said that I had a Trojan horse Startpage.19.AN in Windows\System\NDKOD.DLL. I checked "delete the file". I expect it to come back as I have seen the same message before and deleted the file before. The Downloader has not reappeared as yet.

    Problem with CD is that computer does not seem to recognize my CD/RW. The HP Direct CD Wizard in my taskbar has a red circle around it with a line through it. If I put the mouse pointer there it says "no supported CD-R/CD-RW drive". In control panel/system/devices, both are supposed to be working properly.

    I thought we were finished but I guess not.

    Thanks again.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is going to be a Hardware/Software problem most likely. Before you post this in the Software/Hardware Forum, go into Device Manager, go to the CD-ROMs and remove the drives. Reboot and see if the problem remains.

    If you still have the problem, let me know and I will move this thread into the Software Forum for you.
     
  13. budtee

    budtee Private E-2

    Downloader agent seems to be gone. Also, my homepage is stable. I still have one trojan which is startpage.19.AN. It comes up just about every time I go online. My AVG antivirus finds it and I select the delete file option but it keeps coming up. Should this be a new thread?

    Thanks.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you provide me with the exact file name and location of the infection AVG is finding?
     
  15. budtee

    budtee Private E-2

    Sorry for the delay. Your site has not been letting me post replies. Probably a cookie issue per your webmaster. The startpage.19.AN has appeared under several different files. Some are:
    Windows\system\pamdbla.dll
    windows\system\ndkod.dll
    windows\system\kadcc.dll

    What now?

    Also, can you tell me how to set the cookies in Windows ME to satisfy your site's requirements? I am sending this reply from my office computer which is apparently more cookie friendly.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start by running these online scans:

    TrendMicro Online Scan
    Bitdefender online scan
    RavAntivirus online scan <-- select Auto Clean then click Scan My PC
    TrojanScan online scan

    After you do the above scans, post your results as in what was found and if it was removed or not.

    Also, for the cookie problem, run CCleaner and default your security settings. Also, on your Privacy tab be sure it's set at Medium.
     
  17. budtee

    budtee Private E-2

    As you suggested I tried to run the online scans.
    Trend Micro - tried several times - failed due to internet traffic?
    Bitdefender - when loading, the antivirus engine failed several times. Then it failed to update the virus signature but offered the option to scan anyway, which I did. No problem.
    RAV antivirus - found one infected file.
    Trojan Scan found two -
    C:\windows\system\iprl32.exe trojan downloa
    C:\mydocuments\tools\backup\backup-20050515-185340-310dll trojan downloa

    It appears that the downloader trojan is not gone after all. The trojan scan did not offer the option of deleting the file without downloading an a-squared program.

    What do you suggest next?
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox


    Now, Copy and Paste C:\windows\system\iprl32.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your system, after you have rebooted see if AVG still detects the trojan. Also, just to be safe lets do one last step.

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.
     
  19. budtee

    budtee Private E-2

    Downloaded Killbox and deleted the C:\windows\system\iprl32.exe file. Then downloaded and updated TrojanHunter. Did not find anything.

    I got an AVG alert on Trojanhorse startpage.19.AN in C:\windows\system\klhc.dll

    Ran AVG Scan at least time and each time it found and "healed" trojanhorse BackDoor.Agent.8.L in C:\_restore\temp\iprl32.0.

    Update of TrojanHunter did not go smoothly. Don't know if I got the full update.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you had System Restore disabled like you should have you would have the infection in that location.

    First, go disable SYSTEM RESTORE and then proceed with this fix!

    About the TrojanHunter updates, download the following file. Once you have it downloaded right click and EXTRACT ALL to the TrojanHunter installation directory.

    Now navigate to and delete the following file

    C:\windows\system\klhc.dll


    After you do the above, reboot and post a fresh HJT log.
     
  21. budtee

    budtee Private E-2

    System restore has been disabled since the first time you told me. Don't know if this will change your thinking but I will go ahead with the rest of your suggestions and get back to you. Also, when I went on the internet, my home page had been changed to Google.
     
  22. budtee

    budtee Private E-2

    In addition to disabling system restore, which I did over two weeks ago, the viewing of hidden files is still enabled.

    Ran TrojanHunter with the current update and it "found and cleaned" Agent 193, which is the C:\my documents\tools\backkups\backup-20050515-185340-310.dll that I mentioned in previous replies. It said that it was renamed and the suffix .tcf was added.

    The new HJT log file is attached.
     

    Attached Files:

  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
    (Keep this if you need it)

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they should remain:

    C:\WINDOWS\System\klhc.dll

    C:\_restore\temp <-- Delete everything in this folder!

    NEXT:
    Run CCleaner

    Reboot, Scan with HijackThis and attach the new log.

    Are you currently having any further problems?
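The entries bjgarrick asks budtee to check in HijackThis (posts #6 and #23) follow one pattern: Rn lines that point the search/start pages at a DLL resource or about:blank, a BHO and a Run entry loading from the Windows directory, DPF objects installed from local .cab files, and later a localhost proxy and an orphaned Tools-menu entry. The script below is an added example, not HijackThis's own code or anything posted in the thread: it parses lines in the HJT log format, applies my own flagging heuristics (assumed here, not what HijackThis or AVG actually does), and collects the file paths a helper would then check on disk. The sample log is constructed from the entries quoted in those two posts plus one made-up benign AVG Run entry so the filter has something to pass.

```python
import re

# Constructed sample: entries copied from posts #6 and #23 of this thread,
# plus one constructed benign line (the AVG_CC Run entry) that should pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ojmuw.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ojmuw.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FA9B33EE-6AA5-0861-55D2-E2A766D4C7CC} - C:\WINDOWS\CREH32.DLL
O4 - HKLM\..\Run: [IPRL32.EXE] C:\WINDOWS\SYSTEM\IPRL32.EXE
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG\avgcc.exe /STARTUP
"""

# Every HJT line is "<section> - <body>", where section is R0..R3 or O1..O23.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return a list of (section, body) tuples for each HJT-style line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def classify(sec, body):
    """Return a reason string if the entry matches one of the hijacker patterns
    seen in this thread (heuristics assumed here, not HijackThis's logic), else None."""
    low = body.lower()
    if sec in ("R0", "R1"):
        if "proxyserver" in low and "127.0.0.1" in low:
            return "local proxy redirect (keep only if you installed it)"
        if "= res://" in low and ".dll/" in low:
            return "search/start page served from a DLL resource"
        if low.endswith("= about:blank"):
            return "default page reset to about:blank"
    if sec == "R3" and "missing" in low:
        return "default URLSearchHook missing"
    # A BHO DLL sitting directly in C:\WINDOWS (not a subfolder) is unusual.
    if sec == "O2" and re.search(r"c:\\windows\\[a-z0-9]+\.dll$", low):
        return "BHO loaded from a DLL in the Windows root"
    if sec == "O4":
        m = re.search(r"\] (c:\\windows\\system\\\w+\.exe)$", low)
        if m:
            return "Run entry launching %s" % m.group(1)
    # Downloaded Program Files normally come from http(s)://, not a local .cab.
    if sec == "O16" and "file://" in low:
        return "DPF object installed from a local .cab"
    if sec == "O9" and "(file missing)" in low:
        return "orphaned Tools-menu entry"
    return None


def triage(text):
    """Return [(section, body, reason)] for every flagged entry in the log text."""
    flagged = []
    for sec, body in parse_hjt(text):
        reason = classify(sec, body)
        if reason:
            flagged.append((sec, body, reason))
    return flagged


def extract_paths(flagged):
    """Collect drive-letter file paths named by flagged entries: the list to
    hand-check on disk (the thread's 'navigate to and DELETE' step)."""
    paths = set()
    path_re = re.compile(r"([a-z]:\\[^\s#]+?\.(?:dll|exe|cab))", re.I)
    for _sec, body, _reason in flagged:
        for m in path_re.finditer(body):
            paths.add(m.group(1).lower())
    return sorted(paths)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sec, body, reason in hits:
        print("%s: %s\n    %s" % (sec, reason, body))
    print("paths to check on disk:")
    for p in extract_paths(hits):
        print("    " + p)
```

The heuristics are deliberately narrow (a DLL in the Windows root, a Run entry in C:\WINDOWS\SYSTEM, a DPF from file://), so a line such as the constructed AVG entry passes untouched; the proxy rule only reports, matching bjgarrick's "keep this if you need it" caveat.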
     
  24. budtee

    budtee Private E-2

    Frustrating. Ran HijackThis. The R1 line was not showing. I checked and fixed the two items starting with O9.

    When you say "navigate to and delete" I am assuming that you mean to use Windows Explorer, which I did. The C:\WINDOWS\System\klhc.dll was not there.
    When I tried to delete the contents of the C:\restore\temp I got the message "access denied - may be in use". There were over 180 items in the file, most of which were A0000001.cpy with the last digit before the . in ascending order. I then tried Killbox, which would not kill the files unless I selected one at a time and then used the kill with reboot option, which seemed to remove the item. (I later found that file in a folder on the C drive called !SUBMIT which contained the file I thought was deleted.) I deleted it from that file and it seemed to stay gone.

    I then ran CCleaner.

    Attached is the HijackThis log I ran after rebooting.
     

    Attached Files:

  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Are you having any further problems?
     
  26. budtee

    budtee Private E-2

    Still get AVG alert on StartPage.19.AN. This time it was in windows\system\AECJCAA.DLL file but it is a different file each time.

    You said HJT log is clean but as I said in my last post, I was not able to delete the contents of the restore temp file. Could that be the problem? I have not gotten the downloader alert lately but the startpage one persists.

    What now?
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run the below online scan, let it complete! After scan is complete reboot and post the results. Also, let me know if AVG still detects anything.

    Bitdefender
     
  28. budtee

    budtee Private E-2

    Ran Bitdefender. No problems found.

    Ran AVG which found and deleted Backdoor.agent.8.L.

    Did not have any problems for a few days. (Mostly using Mozilla in lieu of the I.E. browser.) Today I went online with Mozilla and then tried I.E. and got an AVG warning about Startpage.19.AN in C:\Windows\System\NIBMO.DLL and selected the heal option. After getting offline, I ran AVG which found and deleted Startpage.19.AN in C:\_Restore\Temp\A0008440.CPY.

    The last one is one of about 24 files in the TEMP folder which I have tried to delete many times since you recommended it a couple weeks ago. When I try to delete them, it says file may be in use. There are about 24 files similar to that one in the Temp folder. Is the C:\_Restore a necessary file?

    This has been going on for almost 3 weeks. I purchased a USB external hard drive yesterday and backed up all important files. If there is no other way, perhaps I should consider formatting the hard drive and starting over. The Downloader problem seems to be gone but the Startpage Trojan keeps coming back.
    Restore utility in Windows ME is still disabled and viewing of hidden files is still enabled.

    Any thoughts?
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's actually a directory used by System Restore. To delete the files you need to disable System Restore, boot into Safe Mode and manually delete the files. If you still can't delete them you will need to boot from a bootable Windows CD and delete them from DOS.


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System\NIBMO.DLL into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Allow killbox to reboot your system. After you have rebooted see if AVG detects it still.
     
  30. budtee

    budtee Private E-2

    Killbox said C:\windows\sysem\nibmo.dll did not exist.

    Booted computer with my Windows ME disc in the CD. Brought up restore file and deleted complete directory of temp files. (I think there were 14) Shut down and booted in normal mode. Went to restore file and there were already 9 of the A000___.cpy numbered files. After running AVG on the temp file and running trojanhunter on the temp file, (both negative), there were 12 of the A000___.cpy files.

    Is this normal? Don't know yet if I still have a problem but I suspect it will return again. As I said previously, I have not noticed the AVG trojan alerts while using Mozilla. Coincidence?
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's somewhat normal. WinME is a very unstable OS; System Restore is a pain in the butt with WinME machines because it causes so many problems.

    Proceed with Killbox again and run it as previously requested whether it turns blue or not.
     
