PPRuNe Forums - View Single Post - Trojan horse Downloader.agent.BF
Thread: Trojan horse Downloader.agent.BF
View Single Post
Old 2nd July 2004 | 16:37
  #26 (permalink)  
E-Liam
 
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Whiz,

Okay, it's not that one. (I went for the easiest one to spot.. that script shows a file name and path right after fùAppInit_DLLsÖ but that isn't the one.) Let's try and chase it out and clear up a couple of other problems in the meantime..

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank

O2 - BHO: store title - {80ADFA92-EC2C-4FD5-30CC-ACA4E4DD39FC} - C:\PROGRA~1\FIRSTM~1\Bend Peak.dll

O3 - Toolbar: dalesend - {16C2A31F-F4F5-A78F-9652-F14F747883CC} - C:\PROGRA~1\FIRSTM~1\Bend Peak.dll

O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe See here

O4 - HKLM\..\Run: [grimsafe] C:\PROGRA~1\SLOWHE~1\window mfcd.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here for info if needed) and delete the entire contents of the C:\Windows\Temp folder, but not the folder itself. Next please find and delete the following bolded file...

C:\WINDOWS\system32\syshost.exe

..and these folders...

C:\PROGRA~1\FIRSTM~1

C:\PROGRA~1\SLOWHE~1

Then please boot back into normal mode and download AdAware 6 181 from here.

Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.

Now to set it up for optimum performance...

Make sure the following settings are configured. Remember that ON=GREEN.

From main window click Start | Activate in-depth scan.

Then click Use custom scanning options | Customize and have these options switched ON...

Scan within archives
Scan active processes
Scan registryDeep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files

Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..

Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.

and uncheck..

Automatically try to unregister objects prior to deletion.

Then click Proceed, to save your settings.

Now click the Scan button.

When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.


Next, reboot again and download Spybot - Search & Destroy, from here: if you haven't already got the program.

Click on Settings, and Settings again. Go to the Webupdate section, and check Display also available beta versions.

Now press Online, and search for, and put a check mark next to all updates, and install following the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

. Please go here and download, unzip and then open CoolWebShredder. Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.

CWS installs via the byte verifier exploit in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

Also, a couple of queries...

O4 - Global Startup: dnc_manager.lnk = C:\Program Files\Radan Software\Radan 03\radan\nt\i386\bin\dnc_manager.exe

Is the above [Radan 03] CadCam software, or something else legit that you know you have..??

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

And with reference to Messenger+3, you might want to read this...

Once you've done all this lot, we'll see if that's got the bugger, so could you please post a new HJT log.

One of the benefits of using HJT is that it can pick up things that get left out by the various scanning programs, such as that worm.

Cheers

Liam
E-Liam is offline