1
   

ANOTHER Win32.TrojanDownloader.Agent.al problem

Forums: Computers
Email this Topic Print this Page
 
 
CandyApple
 
Reply Sun 27 Feb, 2005 07:59 pm
I've done everything that is required prior to posting my logfile. Hope you can help me. I've been at my computer the whole day and can't seem to find a way of deleting it.

Status Report from BitDefender:
C:\Documents and Settings\...\Local Settings\Temp\thin.exe: infected with Trojan.Downloader.Agent.AF
C:\Documents and Settings\...\Local Settings\Temp\thin.exe: disinfection failed


Logfile of HijackThis v1.99.1
Scan saved at 9:56:31 PM, on 27/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sdknu32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-hk\msnappau.exe
C:\WINDOWS\d3lc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {12FA8EE3-A02B-CF1E-DA5F-AEB55869AB79} - C:\WINDOWS\javapc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-hk\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [urwdazxfar] C:\WINDOWS\System32\tpkxcgd.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-hk\msnappau.exe"
O4 - HKLM\..\Run: [d3lc.exe] C:\WINDOWS\d3lc.exe
O4 - HKLM\..\RunOnce: [sdknu32.exe] C:\WINDOWS\sdknu32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Program Files\LingoCom\Translator.lnk (file missing)
O9 - Extra 'Tools' menuitem: Translator - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Program Files\LingoCom\Translator.lnk (file missing)
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/05d6c2257ffcb8d16e04/netzip/RdxIE2.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3134765E-8339-49EB-A1E8-25C5ACB72443}: NameServer = 206.47.244.111 206.47.244.79
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Network Security Service ( 6Q?"õ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\appij32.exe (file missing)
  • Topic Stats
  • Top Replies
  • Link to this Topic
Type: Discussion • Score: 1 • Views: 836 • Replies: 1
No top replies

 
Don77
 
  1  
Reply Mon 28 Feb, 2005 06:56 pm
Hi CandyApple and welcome to A2K.


First:
Download AboutBuster
Then Unzip it to your desktop.. "Don't run it yet"
Check it for updates if any are found please download them then close out the program
Also
Dowload the following program
CWShredder
It should be the current version, but check for updates
"Don't run it yet"
Go to process manger and end the following process

sdknu32.exe
d3lc.exe
tpkxcgd.exe
sdknu32.exe

Next, reboot into 'SAFE MODE'. (By tapping the F8 key on start up)
Please restart HJT put a check next to the following if they still exist, close all open windows and click "fix.checked"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zkerx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.scourweb.net/nph-search.cgi?partner=wesrch1&look=stmpl1&kw=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {12FA8EE3-A02B-CF1E-DA5F-AEB55869AB79} - C:\WINDOWS\javapc.dll
O4 - HKLM\..\Run: [urwdazxfar] C:\WINDOWS\System32\tpkxcgd.exe
O4 - HKLM\..\Run: [d3lc.exe] C:\WINDOWS\d3lc.exe
O4 - HKLM\..\RunOnce: [sdknu32.exe] C:\WINDOWS\sdknu32.exe
O23 - Service: Network Security Service ( 6Q?"õ 'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\appij32.exe (file missing)

make sure you can view all View all Hidden Files/Folders search for and delete the following in BOLD if still present

C:\WINDOWS\javapc.dll
C:\WINDOWS\d3lc.exe
C:\WINDOWS\sdknu32.exe
C:\WINDOWS\appij32.exe

Next:
Run About Buster twice in safe Mode Save the logs it generates,

Next,
Run Program cwshredder and have it fix anything it finds.
Make sure you click the "Fix" button

Restart your computer,

Run About Buster twice again please, Again save the log from it and post back all the logs from AboutBuster and a fresh HJT log please.
0 Replies
 
 

Related Topics

Super cool computer tricks, for dopes like me. - Discussion by OCCOM BILL
Clone of Micosoft Office - Question by Advocate
Do You Turn Off Your Computer at Night? - Discussion by Phoenix32890
The "Death" of the Computer Mouse - Discussion by Phoenix32890
Windows 10... - Discussion by Region Philbis
Surface Pro 3: What do you think? - Question by neologist
Windows 8 tips thread - Discussion by Wilso
Mac help/can't install new printer, don't remember passwd - Discussion by ossobuco
GOOGLE CHROME - Question by Setanta
.Net and Firefox... - Discussion by gungasnake
Hacking a computer and remote access - Discussion by trying2learn
 
  1. Forums
  2. » ANOTHER Win32.TrojanDownloader.Agent.al problem
Copyright © 2026 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.05 seconds on 03/07/2026 at 12:55:03