Spy Agent.bc and js\Wonka

Discussion in 'Malware Help (A Specialist Will Reply)' started by ScottyB, Oct 14, 2006.

  1. ScottyB

    ScottyB Private E-2

    Hi guys,

    Ok I have XP SP2, McAfee Virus checker running which keeps popping up warnings about the titled above trojans.
    Visible symptoms are that my browser gets redirected to specific sites when it's not that I'm clicking on. Could be other symptoms but I haven't noticed.

    Have done all the prepping you have advised and also run AVG (which I de-activated while running the tests and just left McAfee).

    Here are the files you need.

    I will be EVER so grateful if anyone could help me. I am an IT developer but a noob in Malware stuff and this is extremely frustrating. So I can follow all instructions you need to give.

    Thanks so much
    Files following

    ScottyB
     

    Attached Files:

  2. ScottyB

    ScottyB Private E-2

    And the rest...

    Cheers again
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 SDK, SE v1.4.2_11

    Now install the current version of Sun Java from: Sun Java Runtime Environment
    If you need Java SDK, you should also download & install the latest version of it too.


    Now run this: WareOut Removal and attach the requested log!

    Then run HijackThis and if the below lines still exist select them but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C7223CA-C825-407F-A169-512EDC8240FD}: NameServer = 85.255.114.42,85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC23E67-8E81-4B27-84D3-87472CEE695A}: NameServer = 85.255.114.42,85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D21E41B9-4178-4545-8589-8BA2B98BBDE7}: NameServer = 85.255.114.42,85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D8830707-F365-46DC-A53C-B0787C597389}: NameServer = 85.255.114.42,85.255.112.20
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.42 85.255.112.20
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1C7223CA-C825-407F-A169-512EDC8240FD}: NameServer = 85.255.114.42,85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.42 85.255.112.20

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete the below if found:
    C:\WINDOWS\system32\dmawq.exe

    Now reboot into normal mode and attach a new HJT log.
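
The O17 entries listed in the reply above are HijackThis's report of per-interface and global `NameServer` registry values. As an added example (not part of the original thread and not HijackThis code), this Python sketch parses O17 lines from a saved log and reports every resolver outside an expected set. The expected network `192.168.1.0/24` and the all-zero GUID line are assumptions constructed for the demonstration; the other sample lines are copied from the post.

```python
import ipaddress
import re

# HijackThis O17 line: "O17 - <registry path>: NameServer = <ip>[, ]<ip>..."
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>[^\\]+)\\Services\\Tcpip\\(?P<scope>.+?): "
    r"NameServer = (?P<servers>.+)$"
)

def parse_o17(line):
    """Return (control_set, scope, [server, ...]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # Both comma- and space-separated lists occur in the log on this page.
    servers = [s for s in re.split(r"[,\s]+", m["servers"].strip()) if s]
    return m["cs"], m["scope"], servers

def unexpected_resolvers(log_text, expected_nets):
    """Map each resolver outside expected_nets to the registry scopes that set it."""
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    findings = {}
    for line in log_text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        cs, scope, servers = parsed
        for s in servers:
            try:
                ok = any(ipaddress.ip_address(s) in n for n in nets)
            except ValueError:
                ok = False  # an unparsable value is reported too
            if not ok:
                findings.setdefault(s, []).append(f"{cs}\\{scope}")
    return findings

# Assumption: the resolvers this machine is supposed to use (e.g. the home router).
EXPECTED_NETS = ["192.168.1.0/24"]

# Two lines from the post above plus one constructed benign line (all-zero GUID).
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C7223CA-C825-407F-A169-512EDC8240FD}: NameServer = 85.255.114.42,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.42 85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for server, scopes in unexpected_resolvers(SAMPLE_LOG, EXPECTED_NETS).items():
        print(f"{server}: set in {len(scopes)} place(s): {', '.join(scopes)}")
```

Run against a fresh log after the fix and the reboot, an empty result means no O17 entry points outside the expected resolvers any more.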
     
