win32.trojandownloader.agent.al virus

 
 
Reply Sat 26 Feb, 2005 06:12 pm
I seem to have been hit with the same win32.trojandownloader.agent.al virus and I have tried everything that was specified in the Virus Attack forum.

Can anyone help me out? I am pretty comfortable with computers and would be interested to know what that "formatting" is so that I can see if it gets rid of this nasty virus.

Thanks

 
cicerone imposter
 
  1  
Reply Sat 26 Feb, 2005 06:17 pm
Find timber, he can help you.
0 Replies
 
please help
 
  1  
Reply Sat 26 Feb, 2005 06:19 pm
Thanks for your reply!
Who is Timber? I am new to this discussion forum.
0 Replies
 
cicerone imposter
 
  1  
Reply Sat 26 Feb, 2005 06:21 pm
Timber is a moderator on a2k. BTW, Welcome. Wink
Go to the Computer Forum, and post your q. He'll appear - sooner or later.
0 Replies
 
timberlandko
 
  1  
Reply Sat 26 Feb, 2005 07:19 pm
Here's timber. Start by seein' This Topic - do everything in that topic (just that topic - go ahead and check out the other topics it links to if you'd like some background, but for now, just take the steps listed in the "Please perform the following prior to posting a HJT log" topic). When done, post your HJT log to this thread.

Be patient; it may take a few hours but somebody who can help will get to it before too long.
0 Replies
 
please help
 
  1  
Reply Sun 27 Feb, 2005 02:43 pm
Here is the log (note 1: I was not able to perform the BitDefender Scan Online, I downloaded the BitDefender Virus Scan program, I ran it and no viruses were found) (note 2: My Internet Explorer was not able to accept the TrendMicro online virus scan, it kept shutting down)

Thank you for all your time!!

Logfile of HijackThis v1.99.1
Scan saved at 3:40:36 PM, on 2/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\mssy32.exe
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\d3ja.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cupzp.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cupzp.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xaoso.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cupzp.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cupzp.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xaoso.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6292CB7C-CAEA-9541-226F-1C73897C3C39} - C:\WINDOWS\d3ja.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [d3ja.exe] C:\WINDOWS\d3ja.exe
O4 - HKLM\..\RunOnce: [mssy32.exe] C:\WINDOWS\mssy32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {217234FC-041F-4F27-84AB-8329440C4DED} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4ca.cab
O16 - DPF: {7EB1930A-8342-4899-BD05-2D8722053AE1} (TWorkflowMapX.WorkflowMapX) -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\atlpu32.exe (file missing)
0 Replies
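
A log like the one posted above can be split into its sections mechanically before anyone reads it line by line. The following is an added example, not part of the original thread and not HijackThis's own code: it parses an excerpt of that log, lists the entries that carry HijackThis's own annotations, and cross-references the O4 autostart entries against the running-process list. The function names are assumptions made for illustration, and the output is a reading aid, not a verdict on any entry.

```python
import re

# Excerpt copied from the HijackThis log posted above.
SAMPLE = r"""Running processes:
C:\WINDOWS\d3ja.exe
C:\Program Files\QuickTime\qttask.exe

O2 - BHO: (no name) - {6292CB7C-CAEA-9541-226F-1C73897C3C39} - C:\WINDOWS\d3ja.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d3ja.exe] C:\WINDOWS\d3ja.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\system32\atlpu32.exe (file missing)
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")  # section code, then the entry body
# Annotations that HijackThis itself prints on entries in the log above.
MARKERS = ("(file missing)", "Unknown owner", "(no name)")

def parse_hjt(text):
    """Return (running processes, [(section code, body), ...]) for one log."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:      # a blank line ends the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def annotated(entries):
    """Entries carrying at least one of HijackThis's own annotations."""
    hits = [(c, b, [m for m in MARKERS if m in b]) for c, b in entries]
    return [h for h in hits if h[2]]

def autostart_running(processes, entries):
    """O4 autostart entries whose full path appears in the process list."""
    procs = [p.lower() for p in processes]
    return [b for c, b in entries
            if c == "O4" and any(p in b.lower() for p in procs)]

if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE)
    for code, body, marks in annotated(entries):
        print(code, marks, body)
    print(autostart_running(procs, entries))
```
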
 
timberlandko
 
  1  
Reply Sun 27 Feb, 2005 06:01 pm
First, your Windows XP and Internet Explorer should be updated to current levels before we do anything else ... not much point tryin' to get rid of bugs and pests if the windows are left wide open.

Also, please refer back to This Topic; you should place HJT into its own folder on your "C:\" drive - you don't need to redownload it; just drag your copy from C:\Documents and Settings\Eric\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe to the new folder you've made for it.


Oh - and a question - when you downloaded CWS Shredder, did you have it check for updates before runnin' it?
0 Replies
 
please help
 
  1  
Reply Sun 27 Feb, 2005 06:33 pm
Thanks for your prompt reply.

When our computer was installed and set up, we realized that the Windows operating system was a pirated version. The vendor assured us that as long as we keep our virus definitions up to date we will be fine. However, I questioned the whole service pack and patches requirements.

HJT is in its own folder on my "C:\" drive. I cannot see the C:\Documents and Settings\Eric\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe folder.

I did check for updates before running it.

Should my next step be to go and purchase an authentic Windows Operating System?

Thanks again.
0 Replies
 
timberlandko
 
  1  
Reply Sun 27 Feb, 2005 07:39 pm
Ya know, really it might be best to purchase a legitimate copy of Windows - that machine may have seemed like a great bargain then, but now you're lookin' at the downside of cheap.

Due to the nature of the exploits to which your unpatched operating system is vulnerable, and the widespread occurrence of those exploits out there on the 'net, it is unlikely any fixes would be of more than temporary benefit, if even that.

As to your vendor's assurances, well, it sure seems they were worth about as much as the paper they weren't written on, doesn't it? At the very least, I'd not do business with that one again. Of course, it's very possible you couldn't even find that one again.

One way to save a bit on the cost of the OS would be to purchase it along with some qualifyin' hardware from a LEGITIMATE OEM (Original Equipment Manufacturer) vendor, one whose main business is sellin' hardware like motherboards, power supplies, processors, drives, bare-bones systems, etc - buy a sound or video card or a NIC, or some memory, or an internal drive of some sort, sometimes even just a mouse or keyboard, and you can purchase an OEM version of an OS (and other software as well) at a significant savings over full retail. You will get a real install disk - at this point, even WIN XP SP2 is available - along with a legitimate activation key. The downside is that that copy of Windows does not qualify for direct Microsoft support - you're on your own as far as install issues go (you're the manufacturer/reseller, remember), that copy really is machine-specific in that it can't be migrated to another machine, and generally, there will be no manual. On the other hand, it will be a fully functional OS and qualify for all patches and updates.


If you lean that way, bear in mind you should do business only with a legitimate reseller. The main focus of the firm's sales pitch oughtta be on its hardware deals, not on its cheap software. Any seller claimin' to specialize in OEM software by itself most likely is gonna be a scam. Research the firm a bit - don't go just for price advantage - you've already seen where that gets you.
0 Replies
 
please help
 
  1  
Reply Sun 27 Feb, 2005 07:59 pm
I do not mind paying the money to purchase the Windows Operating system. I will check out what the computer store (Future Shop in Canada) offers in terms of rebates and such.

In terms of the installation, can this be done at home or should I leave my hard drive with the computer store and have them do it? You mentioned the following: "The downside is that that copy of Windows does not qualify for direct Microsoft support - you're on your own as far as install issues go (you're the manufacturer/reseller, remember), that copy really is machine-specific in that it can't be migrated to another machine, and generally, there will be no manual." Does this apply to the Win XP SP2?

What happens with the virus though? I am assuming that it remains in the computer. Could this virus affect the newly installed operating system?

The computer was purchased while I was working in Ireland and I will never again purchase a computer from an individual.

Thanks again for all your support and time.
0 Replies
 
timberlandko
 
  1  
Reply Sun 27 Feb, 2005 08:12 pm
You should have no trouble installin' a legitimate OS - and there are plenty of resources out on the web loaded with tips and such to help you do it smoothly. If you do a full, clean install, there should be no problem. I'd recommend you back up all your personal data to removable media first, and also gather up any install disks for programs you've purchased - downloaded programs are a little tougher - if you didn't save a pristine copy of the original, unexecuted download along with a text file of its activation or registration key, you likely will have to re-download it - without installin' it - and save it to removable media as well.

Then, basically, what you do is you wipe your machine's drive ("Format") and install the OS "Clean". If you do go to that effort and expense, fer chrissakes go to the small additional effort and expense to keep your machine clean from then on - it's better to prevent than to cure.
0 Replies
 
timberlandko
 
  1  
Reply Sun 27 Feb, 2005 08:17 pm
Oh, and btw - one of the first things to do once you've got your machine up and runnin' honestly is of course to hit Windows Update, and to install, update and configure a good anti-virus. Also, before reloadin' any of your saved-to-removable-media stuff, scan it with a good, currently updated anti-virus.
0 Replies
 
timberlandko
 
  1  
Reply Mon 28 Feb, 2005 01:42 am
Had an idea - you might wanna take a look HERE - dunno for sure if it's gonna work for ya, but it's worth a shot in your situation. If ya do decide to try it, I'd appreciate it if ya would lemme know what happened.
0 Replies
 
please help
 
  1  
Reply Mon 28 Feb, 2005 08:24 pm
I tried it out and I couldn't locate any of the files specified.

I just saw that another individual got hit with the same virus. Hopefully, they are not running Windows on a pirated operating system!!!

I will head to the computer store and buy the Windows XP OS.

Thanks again for all your help!!!!
0 Replies
 
timberlandko
 
  1  
Reply Mon 28 Feb, 2005 09:33 pm
Sorry it didn't help. And thanks a lot for the feedback. Good luck.
0 Replies
 
 
