SoftwareTipsandTricks Forum

Trojan Backdoor Agent, among other things

  #1  
07-02-2004, 06:56 AM
lyinfait
Junior Member
 
Join Date: Jul 2004
Posts: 6

Hello all. I know I am truly desperate because usually I can just do a search here and find the solution to my problems. Now I've registered and everything. I know my computer is infected: AV scans go back and forth, it's gone, it's not, cannot remove, etc.

Specs:

OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 1 Build 2600
OS Manufacturer Microsoft Corporation
System Type X86-based PC
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2590 Mhz
BIOS Version/Date Award Software, Inc. 3.16, 8/5/2003
SMBIOS Version 2.3
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\System32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "5.1.2600.1106 (xpsp1.020828-1920)"
Total Physical Memory 256.00 MB
Available Physical Memory 17.86 MB
Total Virtual Memory 1.20 GB
Available Virtual Memory 103.31 MB
Page File Space 979.04 MB
Page File C:\pagefile.sys

Hijackthis Logfile:

Before it completes the scan, I get this error message:

An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=C:\WINDOWS\control.ini, sSection=don't load, sValue=inetcpl.cpl)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were doing when the error occurred
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.98.0

This message has been copied to your clipboard.

Logfile of HijackThis v1.98.0
Scan saved at 3:41:59 AM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgw.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Verizon Online\acpdlr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Des\Desktop\Computer Troubleshooting\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - (no file)
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/B...1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw11fd.law11.hotmail.msn.com/...x/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{60614506-06E2-426B-ACC7-C44B7E512CC7}: NameServer = 198.6.1.150 198.6.100.150
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)

-----------------------
Running Norton, AVG anti-virus, CWShredder, HijackThis, Spybot, Ad-Aware, Bazooka; also ran Panda ActiveScan twice.

System restore is off.
HijackThis was removing the hijackers but, like all the other programs, has taken to finding problem areas and freezing up, closing before completion, or returning error messages.

Every 30 minutes or so, I receive a message that my virtual memory is too low and windows is increasing it.

Explorer randomly closes.

And whenever I shut down, ccApp does that End Program thing before the computer will turn off.

And finally, there are far too many running processes.

I hand this over to the experts. Please help me!
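As an added example, not code from the original thread: a small Python triage script for HijackThis 1.98 logs in the format posted above. It flags the entries a responder would look at first in this log: the empty Shell= line, O4 autostarts that give no path (ALCXMNTR.EXE, SOUNDMAN.EXE, PowerReg Scheduler.exe, the rundll32 nview.dll line), orphaned (no file) entries, and the O17 NameServer setting. The sample log is a constructed excerpt copied from the posted log; the pattern rules and reason strings are my own, not HijackThis's.

```python
import re

# Constructed excerpt in HijackThis 1.98 log format; the lines are copied from
# the log posted above so the triage output can be checked against a known case.
SAMPLE_LOG = """\
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,
O4 - HKLM\\..\\Run: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\\..\\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{60614506-06E2-426B-ACC7-C44B7E512CC7}: NameServer = 198.6.1.150 198.6.100.150
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<section>[FO]\d+) - (?P<body>.*)$")

def o4_target(body):
    """Return the command an O4 (autostart) entry launches, with quotes removed."""
    if "] " in body:                      # Run-key form: [Name] command
        target = body.split("] ", 1)[1]
    elif " = " in body:                   # Startup-folder form: file.lnk = command
        target = body.split(" = ", 1)[1]
    else:                                 # bare Startup-folder entry
        target = body.split(": ", 1)[-1]
    return target.replace('"', "").strip()

def triage(log_text):
    """Return (section, reason, line) for each entry that needs a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "F0" and body.endswith("Shell="):
            reason = "empty Shell= (default is Explorer.exe; find out what replaced it)"
        elif section == "O4" and "\\" not in o4_target(body):
            reason = "autostart without a full path; resolve which file on PATH really runs"
        elif body.endswith("(no file)"):
            reason = "registered component whose file is gone; the stale entry can be removed"
        elif section == "O17":
            reason = "DNS servers set on this adapter; confirm they belong to the ISP"
        if reason:
            findings.append((section, reason, line))
    return findings
```

Run triage() over a full saved log to get the short list of entries to research before deleting anything; entries with a full path to a known vendor file, like the HP and Symantec lines above, are deliberately left alone.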

  #2  
07-02-2004, 02:27 PM
lyinfait
Junior Member
 
Join Date: Jul 2004
Posts: 6
No one? It's disabled everything that detects it. Before it disabled AVG, I kept receiving the message that a Trojan backdoor agent was on the computer but as many times as I ran AVG, it could not remove it. I tried deleting the file myself, was told it is file protected-- so I claimed ownership of the file and it conveniently disappeared. I can't run AVG and other av programs are disabled or returning clean scans. And I don't see how that is possible. I need help.

ETA: I was able to delete the 'backdoor agent' from the virus vault--is it gone for good? Total newbie question: How can I enable my av and scanning programs again to be sure?

Last edited by lyinfait : 07-02-2004 at 03:38 PM.

  #3  
07-02-2004, 10:03 PM
gonzo90017
Member
 
Join Date: Jun 2004
Posts: 51
First, go to http://www.mlin.net/StartupCPL.shtml and download Startup Control Panel. It's a nifty control panel applet that allows you to easily configure which programs run when your computer starts. It's simple to use and, like all my programs, is very small and won't burden your system. Also, StartupMonitor is a small utility that runs transparently (it doesn't even use a tray icon) and notifies you when any program registers itself to run at system startup. It prevents those utterly useless tray applications from registering themselves behind your back, and it acts as a security tool against trojans like BackOrifice or Netbus.

Then go here http://www.answersthatwork.com/Task...es/tasklist.htm and here http://www.sysinfo.org/startuplist.php to check what programs you can disable from starting up.

Both programs are freeware!


Download Antivir http://www.free-av.com/
Download Swatit http://www.sysinfo.org/startuplist.php
Before you run it check for updates!
You can also download Avast http://www.avast.com/eng/products/d..._4_home_ed.html

AntiVir should solve your problems. Just in case it doesn't, then try the others. Anyways, you still have too much stuff running at the same time. Just do everything I told you.

  #4  
07-03-2004, 12:59 AM
lyinfait
Junior Member
 
Join Date: Jul 2004
Posts: 6
Thanks for replying. I really appreciate it. I'm downloading the AntiVir now (on dial-up). I did d/l your program; I'm checking the results now. These entries:

fluuhiis
kkccirdn
ULSIJG
winudat
Antivirus

show no path. That doesn't seem like a good sign. And I didn't find them on either site.

Status update: AVG randomly popped up with another notice that I had a virus but still will not run. The file found was fpfddaa.dll and I was able to remove it myself.

I've been running AVG Shell Extension to scan because it is the only program outside of Ad-Aware and Spybot that will check. It located this file, Startpage.6.AQ, but when I attempted to search and remove it myself, my search came up empty.

I found rundll32.exe, nview.dll as well as Rundll32.exe in my startup through Spybot's running processes. I'm operating XP and answersthatwork says these programs are a bad sign, possibly viruses.

Last edited by lyinfait : 07-03-2004 at 01:12 AM.

  #5  
07-03-2004, 01:09 PM
gonzo90017
Member
 
Join Date: Jun 2004
Posts: 51
Filename: nview.dll,nViewLoadHook
Program Title: NVIEW
Rating: 3 ( Users Choice (application need to be run at startup, but is not system critical) )
Comments: This is a DLL to enable multiple display monitors on a single computer. It can be a cause of numerous problems on some computers

rundll32.exe: BE CAREFUL! This one depends on where it's located. Look here http://www.windowsstartup.com/wso/search.php

Remember to turn off System Restore before running the programs.

Last edited by gonzo90017 : 07-03-2004 at 02:14 PM.

  #6  
07-03-2004, 04:56 PM
lyinfait
Junior Member
 
Join Date: Jul 2004
Posts: 6
AntiVir found VBS\Newlove virus and JS.Byte Verify and deleted them both. But when I tried to run a more comprehensive scan, in safe mode, several warnings recurred including:

Error code 0x000D
Error open file
Not enough memory
Access Denied! Error during file opening

Mostly the memory error was returned but I've run Windiagnostic and the memory test on my computer and neither found any errors.

AVG popped up with a virus warning on this file:

C:\RECYCLER\S-1-5-21-504092786-3922040244-1026121725-500\Dc1.dll

but does not run to remove it. I deleted it myself.

As soon as I opened my IE Browser, AVG found the Startpage.6.AQ Trojan again this time in the file C:\WINDOWS\system32\non.dll. Could I be activating the virus whenever I go online or open up a browser window? Should I continue to find them and remove them myself?

  #7  
07-19-2004, 08:33 PM
lyinfait
Junior Member
 
Join Date: Jul 2004
Posts: 6
Follow-Up

I finally did a partial system restore to fix all of my exuberant deleting of registry keys. Windows reinstalled, updated all of my AV programs and ran full scans, including online. They found the trojans and deleted them. Have been running clean since. Thank you, gonzo, for your help. I appreciate it.