Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

User Tag List

TrojanDownloader.Win32.Agent.bc

This is a discussion on TrojanDownloader.Win32.Agent.bc within the Resolved HJT Threads forums, part of the Tech Support Forum category. I cannot remove TrojanDownloader.Win32.Agent.bc!! please help ... Logfile of HijackThis v1.99.1 Scan saved at 4:03:22 PM, on 07/03/2005 Platform: Windows


 
 
Thread Tools Search this Thread
Old 03-07-2005, 03:05 PM   #1
Guest
 
Join Date: Jan 2005
Posts: 38
OS:



I cannot remove TrojanDownloader.Win32.Agent.bc!!

please help ...

Logfile of HijackThis v1.99.1
Scan saved at 4:03:22 PM, on 07/03/2005
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\appty32.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a2\a2guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\GetRight\getright.exe
C:\PROGRA~1\GetRight\getright.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\biuew.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\biuew.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\biuew.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\biuew.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\biuew.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\biuew.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B7CDB2C-16B5-286B-C7F1-C5C80397E087} - C:\WINDOWS\system32\apioz.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [d3mj32.exe] C:\WINDOWS\d3mj32.exe
O4 - HKLM\..\RunOnce: [appty32.exe] C:\WINDOWS\system32\appty32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Shortcut to TAX.xls.lnk = C:\Documents and Settings\Administrator\Desktop\TAX.xls
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E00B59A-C11D-4F3E-BD2C-0375A6AD9CE2}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{6E00B59A-C11D-4F3E-BD2C-0375A6AD9CE2}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{6E00B59A-C11D-4F3E-BD2C-0375A6AD9CE2}: NameServer = 192.168.0.1
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\sdkms32.exe (file missing)
poorguy is offline  
Sponsored Links
Advertisement
 
Old 03-07-2005, 05:34 PM   #2
Guest
 
Join Date: Apr 2004
Posts: 941
OS:


Hi poorguy


Download CleanUp! (Alternate Link if main link don't work) and install it. Don't run it

Download CWShredder.exe from here (do not run it yet, we'll get to it in a later step):[LIST]Cwshredder.exe But do not run it yet

download AboutBuster from one of these sites.
https://www.besttechie.net/tools/AboutBuster.zip
https://www.majorgeeks.com/download4289.html
https://www.malwarebytes.biz/AboutBuster.zip
https://www.atribune.org/downloads/AboutBuster.zip
https://www.snapfiles.com/dlnow/rdir.dll?id=108281

After you download it unzip all files from the zip folder to a folder or your desktop.
update it don't run it yet

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

second

please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Cwshredder

Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")

next run

Run AboutBuster and follow the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Click Start.
Click Ok. This will start the scan
Click Yes. By killing explorer.exe it makes it easier to remove the files that need to be removed. Note: Dont worry if your taskbar disappears for a moment. Also, explorer.exe is not Internet Explorer. Now, it will finish the first scan. Then after the first scan is done this window will popup.
Click Ok.
Click Yes. This will start the second scan.

After the second scan finishes.
Click Exit. Then reboot the computer, and run AboutBuster one more time. Save the log

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

next

post a new HijackThis log and your about buster log also let me know how it went

Lobos
Lobos is offline  
Old 03-08-2005, 08:38 AM   #3
Guest
 
Join Date: Jan 2005
Posts: 38
OS:



Logfile of HijackThis v1.99.1
Scan saved at 9:03:49 AM, on 08/03/2005
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\serverappliance\appmgr.exe
C:\WINDOWS\system32\serverappliance\elementmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\serverappliance\srvcsurg.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a2\a2guard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Shortcut to TAX.xls.lnk = C:\Documents and Settings\Administrator\Desktop\TAX.xls
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E00B59A-C11D-4F3E-BD2C-0375A6AD9CE2}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{6E00B59A-C11D-4F3E-BD2C-0375A6AD9CE2}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{6E00B59A-C11D-4F3E-BD2C-0375A6AD9CE2}: NameServer = 192.168.0.1

Filename Diagnosis
C:\WINDOWS\atlev32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\atluj.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\crpc.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\d3wj32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\ipfs32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\javatj.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\msvc.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\sdkcb32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\sdkdl32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\system32\addyg32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\system32\apigz32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\system32\apiuq.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\system32\appzu.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\system32\d3vo.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\system32\javaei32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\system32\ntsh32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\system32\sdkvv32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\winni32.exe TrojanDownloader.Win32.Agent.bc
C:\WINDOWS\winyi32.exe TrojanDownloader.Win32.Agent.bc
poorguy is offline  
Sponsored Links
Advertisement
 
Old 03-09-2005, 10:16 AM   #4
Guest
 
Join Date: Jan 2005
Posts: 38
OS:


Question

I've got tons of .exe files in my windows, system and system32 directory. I need an answer check the log above am I clean or no t?
poorguy is offline  
Old 03-09-2005, 03:59 PM   #5
Guest
 
Join Date: Apr 2004
Posts: 941
OS:


Hi poorguy

Quote:
Originally Posted by poorguy
I've got tons of .exe files in my windows, system and system32 directory. I need an answer check the log above am I clean or no t?
Umm yes and No

yes your log is clean

no not with those trojans still there

You can fix this with hijack this with all browsers closed
it is just left over from mccafee
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)


Next find preferably in safe mode so go into safe mode and delete each file

C:\WINDOWS\atlev32.exe
C:\WINDOWS\atluj.exe
C:\WINDOWS\crpc.exe
C:\WINDOWS\d3wj32.exe
C:\WINDOWS\ipfs32.exe
C:\WINDOWS\javatj.exe
C:\WINDOWS\msvc.exe
C:\WINDOWS\sdkcb32.exe
C:\WINDOWS\sdkdl32.exe
C:\WINDOWS\winni32.exe
C:\WINDOWS\winyi32.exe

C:\WINDOWS\system32\addyg32.exe
C:\WINDOWS\system32\apigz32.exe
C:\WINDOWS\system32\apiuq.exe
C:\WINDOWS\system32\appzu.exe
C:\WINDOWS\system32\d3vo.exe
C:\WINDOWS\system32\javaei32.exe
C:\WINDOWS\system32\ntsh32.exe
C:\WINDOWS\system32\sdkvv32.exe


next run about buster again

and come back

and post another hijack this log
and posy your aboutbuster log


Lobos
Lobos is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 01:21 PM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts