Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help With Downloader Agent Uj


  • This topic is locked This topic is locked
3 replies to this topic

#1 shark35

shark35

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 31 July 2006 - 05:32 PM

mi pc is infected with download agent uj.
i ran ewido 4,0 and detected it but cant delet.
i run f-secure black ligth utitity and it find and delete , but after restart it looks agin with downloader agent.
When try safe mode boot (safe mode, netwurk or command) the pc automatically restart to safe mode screen.

black ligth log
07/29/06 11:11:51 [Info]: BlackLight Engine 1.0.42 initialized
07/29/06 11:11:51 [Info]: OS: 5.1 build 2600 (Service Pack 1)
07/29/06 11:11:51 [Note]: 7019 4
07/29/06 11:11:51 [Note]: 7005 0
07/29/06 11:11:57 [Note]: 7006 0
07/29/06 11:11:57 [Note]: 7011 572
07/29/06 11:11:57 [Note]: 7026 0
07/29/06 11:11:57 [Note]: 7026 0
07/29/06 11:12:04 [Note]: FSRAW library version 1.7.1019
07/29/06 11:13:33 [Info]: Hidden file: c:\WINNT\system32\csysh.exe
07/29/06 11:13:33 [Note]: 7002 32
07/29/06 11:13:33 [Note]: 7003 1
07/29/06 11:13:33 [Note]: 10002 1
07/29/06 11:14:25 [Info]: Hidden file: c:\WINNT\system32\wbem\wbemtest.exe
07/29/06 11:14:25 [Note]: 10002 1
07/29/06 11:15:43 [Note]: 7007 0







Logfile of HijackThis v1.99.1
Scan saved at 11:11:16 AM, on 7/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\hpb2ksrv.exe
C:\WINNT\System32\hpbhksrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\wdfmgr.exe
C:\Program Files\ORL\VNC\WinVNC.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\System32\hpnra.exe
C:\WINNT\System32\hpstatus.exe
C:\Program Files\Java\j2re1.4.2\bin\javaw.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\TEMP\VX5D97.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\HPBSPSVR.EXE
C:\WINNT\System32\HPBJDSNT.EXE
C:\Documents and Settings\HLOERA\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [HP Network Registry Agent] C:\WINNT\System32\hpnra.exe
O4 - HKLM\..\Run: [HP Status] C:\WINNT\System32\hpstatus.exe
O4 - HKLM\..\Run: [HP Proxy Server] C:\Program Files\Hewlett-Packard\ProxyService\ProxyService.lnk
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\System32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINNT\firewall_anti.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [MSTCPDLL] PasswdMon.exe
O4 - HKLM\..\Run: [WTFCTF] qwe.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HbTools] C:\Program Files\HbTools\Bin\4.7.2.1\HbtOEAddOn.exe
O4 - HKLM\..\Run: [eexnxdaf] C:\WINNT\System32\qrtjjoiu.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\System32\winshost.exe
O4 - HKCU\..\Run: [InpriseMon] MONITER.exe
O4 - HKCU\..\Run: [NukeSpan] stuffmon.exe
O4 - HKCU\..\Run: [ActionScr] xsetup.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Búsqueda en Google - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Traducir palabra inglesa - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.1.0.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {946B3E9E-E21A-49c8-9F63-900533FAFE15} - C:\Program Files\ShopperReports\Bin\1.1.0.0\ShprRprt.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/hC96QSiIdIdCo0Inx4lz.chm::/on.exe
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (HbtInstObj) - http://installs.hotbar.com/installs/hbtool...2.1/hbtools.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - http://sisace/comun/cabs/sscala32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7818F33-39A5-42B5-8FCD-9ECE518313B4}: Domain = deacorp.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7818F33-39A5-42B5-8FCD-9ECE518313B4}: NameServer = 10.1.11.168,10.1.11.167
O18 - Filter: text/html - {81F39C09-2C28-464D-862A-E4FF82DBFE7E} - C:\WINNT\System32\effg.dll
O18 - Filter: text/plain - {81F39C09-2C28-464D-862A-E4FF82DBFE7E} - C:\WINNT\System32\effg.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINNT\System32\hpb2ksrv.exe
O23 - Service: HP Status Print - Unknown owner - C:\WINNT\System32\hpbhksrv.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)

BC AdBot (Login to Remove)

 


m

#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:37 AM

Posted 31 July 2006 - 05:48 PM

Hello there, welcome to Bleeping Computer.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask. Your system is terribly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution. So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused. Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change all your online passwords-- for email, for banks, eBay, forums etc.... Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.

1) * Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\System32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINNT\firewall_anti.exe
O4 - HKLM\..\Run: [MSTCPDLL] PasswdMon.exe
O4 - HKLM\..\Run: [WTFCTF] qwe.exe
O4 - HKLM\..\Run: [eexnxdaf] C:\WINNT\System32\qrtjjoiu.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\System32\winshost.exe
O4 - HKCU\..\Run: [InpriseMon] MONITER.exe
O4 - HKCU\..\Run: [NukeSpan] stuffmon.exe
O4 - HKCU\..\Run: [ActionScr] xsetup.exe
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.1.0.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {946B3E9E-E21A-49c8-9F63-900533FAFE15} - C:\Program Files\ShopperReports\Bin\1.1.0.0\ShprRprt.dll (file missing)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/hC96QSiIdIdCo0Inx4lz.chm::/on.exe
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (HbtInstObj) - http://installs.hotbar.com/installs/hbtool...2.1/hbtools.cab
O16 - DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} (SSDateCombo Control) - http://sisace/comun/cabs/sscala32.cab
O18 - Filter: text/html - {81F39C09-2C28-464D-862A-E4FF82DBFE7E} - C:\WINNT\System32\effg.dll
O18 - Filter: text/plain - {81F39C09-2C28-464D-862A-E4FF82DBFE7E} - C:\WINNT\System32\effg.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

2) * Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINNT\System32\winshost.exe
C:\WINNT\firewall_anti.exe
C:\WINNT\System32\qrtjjoiu.exe
C:\WINNT\System32\effg.dll

3) Now reboot back to normal mode.
Open HijackThis.
Click on Open Misc Tools Section
Make sure that both boxes beside "Generate StartupList Log" are checked:
  • List all minor sections(Full)
  • List Empty Sections(Complete)
Click Generate StartupList Log.
Click Yes at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here

4) Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply.

5) Download GMER from Here
Right Click the Zip and Select "Extract All"
Double Click gmer.exe to launch the program.
Click on the Rootkit Tab and then click Scan.
It takes a while to run, once complete, copy the results to notepad and save them somewhere safe.
Post those results in the next reply.

6) Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
____________________

Please post back with:
1) A new Hijackthis log.
2) The startup list.
3) The GMER scan.
4) The combofix log.
5) The Fix wareout log.

You will need multple posts to add the logs.
David

#3 shark35

shark35
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:37 AM

Posted 02 August 2006 - 08:57 AM

TROJANATOR :
I REALLY APPRECIATE YOUR HELP.
AFTER READ YOURS COMMENTS BOUT M PC, I HAVE DECIDED TO RESTORE IT. SO I'LL BACKUP MY FILES AND START AGAIN.
THANKS A LOT.

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:08:37 AM

Posted 02 August 2006 - 12:50 PM

No problem, and it is a wise choice indeed.

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me
a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.

David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users