Infected With Downloader.agent.blm


This topic is locked. 41 replies to this topic.

#1 somi


Posted 20 November 2007 - 02:10 AM

Hi,
I am using Windows XP SP2 and have AVG installed on my computer, which is up to date.
Recently I was infected with viruses which, when scanned with AVG, were named:
downloader.agent.blm
logger.pcap.blm
downloader.agent.bhc
and the risk shown is high.
Whenever I apply all the actions I won't find any solution to my problem and the virus pops up again...
Please help me get rid of this problem....

#2 buddy215


Posted 20 November 2007 - 08:19 AM

Use the Smitfraudfix in the link below. Follow directions carefully.
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

Follow up with Super Antispyware.
Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Please post back with results.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 somi


Posted 21 November 2007 - 02:25 AM

Do I have to install both of them?
SmitFraudFix and SuperAntiSpyware?

#4 Budapest


Posted 21 November 2007 - 02:56 AM

Run both, one after the other.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 somi


Posted 21 November 2007 - 03:18 AM

Done that!

#6 Budapest


Posted 21 November 2007 - 03:20 AM

Did it work?

#7 somi


Posted 21 November 2007 - 03:23 AM

SmitFraudFix report says:


SmitFraudFix v2.253

Scan done at 12:57:44.21, Tue 11/21/2000
Run from C:\Program Files\Free Download Manager\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Free Download Manager\fum\fum.exe
C:\Program Files\Free Download Manager\FUM\fumoei.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\cmd.exe

hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\drivers\svchost.exe FOUND !

C:\Documents and Settings\Administrator


C:\Documents and Settings\Administrator\Application Data


Start Menu


C:\DOCUME~1\ADMINI~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{6F5D8FBF-94AE-4335-BE06-C2327110B16F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6F5D8FBF-94AE-4335-BE06-C2327110B16F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6F5D8FBF-94AE-4335-BE06-C2327110B16F}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End





and in SuperAntiSpyware the quarantined items are:
adware.vundo-variant
trojan.downloader-gen/comprepl32
trojan.downloader-gen/msplay-fake
trojan.downloader-swchost
and on right-clicking my drives I see "Autoplay" written instead of "Open"... what to do about that?

Edited by somi, 21 November 2007 - 03:32 AM.
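The SmitFraudFix output in the post above flags the hosts file because two host names are mapped to 127.0.0.1. The script below is an added example, not part of this thread and not SmitFraudFix's own code: it parses hosts-file text and separates loopback "sinkhole" entries (which silently block a site, the pattern seen here against a security-tool domain) from entries that redirect a name to some other address (which send the user's traffic to a server they did not choose). The sample hosts content is constructed for the example; it contains the two lines from the report, and the 192.0.2.10 line (a documentation-range address) is invented to show the redirect case.

```python
"""
Audit a Windows hosts file for non-default name-to-address mappings.
Added example; not SmitFraudFix code.
"""
import ipaddress

# Entries a clean hosts file is expected to carry (assumption: defaults only).
EXPECTED_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: the two entries from the SmitFraudFix report plus one
# invented redirect to a non-loopback address (192.0.2.0/24 is reserved for docs).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info
192.0.2.10 update.example.com   # constructed: not from the thread
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (after '#') and blank lines are ignored; a line may list several
    host names for one address. Lines whose first token is not a valid IP are
    skipped rather than raising, so a damaged file still yields a report.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def audit_hosts(text):
    """Classify every non-default entry.

    'sinkholed': name mapped to loopback or 0.0.0.0 (site is blocked);
    'redirected': name mapped to any other address (traffic goes elsewhere).
    """
    report = {"sinkholed": [], "redirected": []}
    for ip, host in parse_hosts(text):
        if (ip, host) in EXPECTED_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            report["sinkholed"].append((ip, host))
        else:
            report["redirected"].append((ip, host))
    return report


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    for kind, entries in result.items():
        print(kind)
        for ip, host in entries:
            print("  %-16s %s" % (ip, host))
```

Both categories deserve a look, but redirected entries are the more serious finding: a sinkholed security-vendor domain stops updates, while a redirect can hand a login page or an update download to a host the user never intended to reach.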


#8 Budapest


Posted 21 November 2007 - 03:34 AM

Do your scans come up clean now? Are you still experiencing virus or spyware problems?

For the Autoplay problem, try using Microsoft's Autoplay Repair Wizard.

#9 somi


Posted 21 November 2007 - 03:40 AM

When I scan with my AVG Anti-Spyware now it still detects viruses named:
downloader.agent.bhc
trojan.onlinegames.eza
logger.pcap.a
trojan.onlinegames.gih
trojan.onlinegames.hgx
What to do now??


#10 Budapest


Posted 21 November 2007 - 03:47 AM

Have you tried scanning with AVG Antispyware in Safe Mode? If not, try that.

Does AVG give locations for the infections it finds (that is, filename and path)?

#11 somi


Posted 21 November 2007 - 03:50 AM

Yes, AVG gives the location,
but I haven't tried it out in Safe Mode, so let me try it!

The report says:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:18:31 PM 11/21/2007

+ Scan result:



C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019581.dll -> Downloader.Agent.bhc : No action taken.
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019583.exe -> Logger.Pcap.a : No action taken.
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019582.exe -> Trojan.OnLineGames.eza : No action taken.
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019584.exe -> Trojan.OnLineGames.gih : No action taken.
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019585.dll -> Trojan.OnLineGames.hgx : No action taken.


::Report end




and the site you recommended for the Autoplay options didn't help me out. Please tell me an alternate way for that. Now I am going to run AVG in Safe Mode, so please hang on for my reply...

#12 Budapest


Posted 21 November 2007 - 03:57 AM

The infection is only in your restore points. Clearing these should get rid of it.

Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore. Click to add a check mark beside Turn off System Restore on all Drives, and click Apply. When you are warned that all existing Restore Points will be deleted, click Yes to continue. Then re-do these steps and turn System Restore back on.

Let me look into the Autoplay problem.

#13 Budapest


Posted 21 November 2007 - 04:04 AM

For the Autoplay problem, try this:

Right-click on your drive and select the last option, "Properties". Select the "AutoPlay" tab. In the "Actions" box, select the option "Select an action to perform". Then scroll down the actions list and select "Open folder to view files". Click OK.

#14 somi


Posted 21 November 2007 - 04:12 AM

No such tab as Autoplay is seen on right-clicking. Only these tabs are seen: "General, Tools, Hardware, Sharing, Quota"....
I've done my AVG spyware scan in Safe Mode and now the report says:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:34:47 PM 11/21/2007

+ Scan result:



C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019581.dll -> Downloader.Agent.bhc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019583.exe -> Logger.Pcap.a : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rk7ibtpe.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rk7ibtpe.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019582.exe -> Trojan.OnLineGames.eza : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019584.exe -> Trojan.OnLineGames.gih : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019585.dll -> Trojan.OnLineGames.hgx : Cleaned with backup (quarantined).


::Report end
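The two AVG Anti-Spyware reports pasted in this thread, together with the point made in post #12 that the detections live only in System Restore snapshots, can be checked mechanically rather than by eye. The script below is an added example, not part of the thread and not AVG's own code: it parses the "Scan Report" text format as pasted here, classifies each finding by where the file sits (a restore point under System Volume Information, a browser cookie file, or a file on the live system) and summarises the actions taken. The sample report is the second report from the thread with one constructed line appended at the end (the svchost.exe path SmitFraudFix flagged, paired with a detection name) so that a live-file finding is exercised; that pairing is not from AVG output.

```python
"""
Parse AVG Anti-Spyware "Scan Report" text and separate restore-point findings
from live-system findings. Added example; not AVG code.
"""
import re
from collections import Counter

# One finding per line: "<path> -> <detection name> : <action>."
FINDING_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>.+?) : (?P<action>.+?)\.?\s*$")
# System Restore snapshot path: \System Volume Information\_restore{GUID}\RP<n>\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)
# Cookie findings are prefixed ":mozilla.<n>:" before the cookies.txt path.
COOKIE_PREFIX_RE = re.compile(r"^:mozilla\.\d+:")

# Sample input: the report from post #14, plus one CONSTRUCTED final line
# (not AVG output) so that a live-file finding appears.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:34:47 PM 11/21/2007

+ Scan result:

C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019581.dll -> Downloader.Agent.bhc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019583.exe -> Logger.Pcap.a : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rk7ibtpe.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rk7ibtpe.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019582.exe -> Trojan.OnLineGames.eza : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019584.exe -> Trojan.OnLineGames.gih : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF44B30A-D627-4245-8B3D-14402443CC0B}\RP19\A0019585.dll -> Trojan.OnLineGames.hgx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\svchost.exe -> Downloader.Agent.bhc : No action taken.

::Report end
"""


def classify_path(path):
    """Return (location, restore_point_number_or_None) for one finding path."""
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", int(m.group("rp"))
    if COOKIE_PREFIX_RE.match(path):
        return "browser_cookie", None
    return "live_file", None


def parse_report(text):
    """Parse the report; header, '+ Created at', '::Report end' and blanks are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        location, rp = classify_path(m.group("path"))
        findings.append({
            "path": m.group("path"),
            "detection": m.group("detection").strip(),
            "action": m.group("action").strip(),
            "location": location,
            "restore_point": rp,
        })
    return findings


def summarize(findings):
    """Count findings per (location, action) pair."""
    return Counter((f["location"], f["action"]) for f in findings)


def live_findings(findings):
    """Findings on the live file system: the ones that still need attention."""
    return [f for f in findings if f["location"] == "live_file"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for (location, action), n in sorted(summarize(found).items()):
        print("%-15s %-35s %d" % (location, action, n))
    for f in live_findings(found):
        print("LIVE:", f["path"], "->", f["detection"], ":", f["action"])
```

Run against the report as actually pasted (without the constructed last line) the live-file list is empty, which is exactly the situation post #12 describes: purging restore points removes the findings, and no file the system executes is involved. A non-empty live list is the case where the file needs cleaning first and the restore points afterwards.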

#15 buddy215


Posted 21 November 2007 - 07:04 AM

AVG is still reporting system restore points as infected. Follow the instructions in post #12. That will delete all infected system restore points and reset system restore.

You should also clean up your computer. Use CCleaner.
Remove temporary files, logs, cookies, etc. by using CCleaner. Do not use "Advanced Settings" or the "Issues" button. Use only the default settings. http://www.ccleaner.com/
During installation you will be offered the Yahoo Toolbar. Uncheck it if you don't want it.

Permanently delete ALL quarantined files in AVG, SAS, and any other security program you have. Delete Smitfraudfix program.

Edited by buddy215, 21 November 2007 - 07:08 AM.
