Trojan horse Downloader.agent.BF
Thread Starter
Joined: Oct 2001
Posts: 263
Likes: 1
From: farrrr east
Trojan horse Downloader.agent.BF
I have somehow managed to download some sort of trojan. AVG reports regularly that there is a problem, identified as Trojan horse Downloader.Agent.BF.
It also comes up with the file it is in, e.g. C:\WINDOWS\system\msxr32.exe
There are too many others to list over the 24 hours since it started. Several sweeps with System Restore switched off, with updated AVG 6 and Ad-aware 6.0, and it still keeps popping up; I have even run AVG from the command prompt but the programme didn't kill it. Also my Internet Explorer home page will not change from res://rcvki.dll/index.html no matter what I do.
Also, while doing searches with google.co.uk for clues, another, American-based search engine pops up with its list of results.
I have run the Norton AntiVirus trojan finder from the web site and it found nothing.
Currently running AVG 6 again, part way through and reporting 34 files and going up, Downloader.Agent.
Help! I feel a total cleansing of the hard drive coming on....
The Oracle
Joined: Aug 2001
Posts: 2,902
Likes: 0
From: Naples, Florida U.S.A.
allthatglitters,
It sounds like the file has been executed.
I would try scanning in Safe Mode, since that will give you a better chance of removing the pests from your computer.
Take Care,
Richard
Thread Starter
Joined: Oct 2001
Posts: 263
Likes: 1
From: farrrr east
I have already tried with the computer in Safe Mode, but it still continues; looks like I'll just have to reformat the hard drive.
Done deed. Just finishing off updates to XP and Office, and drivers.
Last edited by allthatglitters; 25th June 2004 at 20:38.
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi allthatglitters,
Glad you're sorted out.
res://rcvki.dll/index.html
This is one of the latest variants of CoolWebSearch. Without more detail, I couldn't say for sure which one, but most use a super-hidden file with locked permissions, which makes it both difficult to find and to delete. If you have a look around the security forums, you will see many people in the same boat as you were.
Cheers
Liam
The Oracle
Joined: Aug 2001
Posts: 2,902
Likes: 0
From: Naples, Florida U.S.A.
allthatglitters,
It is a little late now, but for the future: if your hard drive has a virus that has executed its payload, you can do a fresh install of WinXP on top of itself. This will let you keep all the data on the drive and severs the link between the virus and the OS. You just cannot access any infected files still on the hard drive until you run an antivirus program.
Take Care,
Richard

Joined: Mar 2001
Posts: 317
Likes: 0
I have had this Trojan from CWS; it's proved very irritating and all normal methods of deleting it have failed (i.e. deleting the hacks it makes to the Registry, CWShredder, etc.) ... it kept returning when I thought I had killed it.
BUT ... finally, as of yesterday, I am pretty sure I have a clean system.
Ad-aware and HouseCall have in the last 24 hours issued updates which seem to be on the case .... run both of these and they should get rid of it for you ....
http://housecall.trendmicro.com/hous...start_corp.asp
Ad-aware link (Lavasoft) download (check for updates when loaded).
Also use ...... to make sure ....
Spybot
Hope this works .....
PS: This forum is very useful and helpful for this sort of stuff ..
http://www.techsupportforum.com/
Good luck!
Joined: Mar 2001
Posts: 216
Likes: 0
From: Cardiff ex GLA
Guys,
I'm in deep stuff here. I've tried all of the above and still have this redirect problem. I do a full Ad-aware scan, which invariably finds a possible browser hijack and a registry value problem. I delete the files, then do a Spybot scan, which invariably finds 5 DSO exploits; again I remove them and ensure I'm immunised. If I do another Ad-aware scan straight away I have the same infected files again ... what the hell is happening??? I have downloaded the latest plug-in for the VX2 variant from Ad-aware and it tells me my system is clean!!! Help!!
The Oracle
Joined: Aug 2001
Posts: 2,902
Likes: 0
From: Naples, Florida U.S.A.
whiz,
Did you follow the guide in the thread:
Guide for Eliminating Spyware, Adware, and Random Popups
Take Care,
Richard
Joined: Mar 2001
Posts: 216
Likes: 0
From: Cardiff ex GLA
Richard,
Yes, I've followed that guide to the letter. After doing as asked I performed an Ad-aware scan and got 6 problems, one of which was the possible browser hijack. Since my first post I have also downloaded ZoneAlarm; I was hoping that would sort the buggers, but to no avail.
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Whiz,
There are quite a few variants of this now. When I came here I was asked (nicely, don't anyone get me wrong)
that this forum didn't really want to get into more complex security issues, which I fully respect. 
You would be better off going to one of the dedicated security forums, such as...
http://computercops.biz/forum67.html
http://forums.techguy.org/f54-s.html
or
http://www.techsupportforum.com/foru...ne=&forumid=50
You'll get all the help you need.. and you might even get me..
(how much more bad luck could you have in one day..)
Cheers
Liam
---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals since 2004.
The Oracle
Joined: Aug 2001
Posts: 2,902
Likes: 0
From: Naples, Florida U.S.A.
whiz,
I wanted to make sure all of the main options were covered before we continue to troubleshoot.
It might be worth tossing the:
McAfee AVERT Stinger
At the problem.
Now a few details about your computer would be helpful, such as which OS you are using and basic hardware specs.
Take Care,
Richard
Joined: Mar 2001
Posts: 216
Likes: 0
From: Cardiff ex GLA
Hi Richard,
Operating system Windows XP Pro service pack 1
hardware as follows :
AMD Athlon XP 2.8+ processor
512mb DDR
80 Gb HDD @ 7200 rpm
ZoneAlarm has picked up nothing. Spybot repeatedly finds 5 DSO exploits; I delete them, do another Spybot scan and they are back .. how the hell can the things be re-installing themselves? Ad-aware also finds a possible browser hijack, which I delete, but as soon as I connect to the internet it's back.
Joined: Sep 2002
Posts: 1,650
Likes: 0
From: Chichester, UK
When I came here I was asked (nicely, don't anyone get me wrong) that this forum didn't really want to get into more complex security issues, which I fully respect.
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Evo,
Thanks for that..
It's just that in the first instance I always ask for a HijackThis log.. and so will any security forum worth its salt. For any nerds they make great reading (who, me?), but for general interest I would think that most don't want to see more than one or two.
The other problem is attaching files to the posts. Most tools get out on the web pretty quickly, but others are written and uploaded straight to posts for use by the patient. It just means that sometimes scripts will have to be C&P'd into people's registries. All good stuff, and it works elsewhere..
I'm happy to do this if anyone wants though..
The site wouldn't get swamped in them, as there aren't many security problems arising. (Relative to TSG, TSF or CC) Certainly though, this latest batch of CWS variants would be nigh on impossible to fix otherwise.
We could trial run Whiz's HJT, and if you think it detracts from the general ethos of the site, then we can leave it out.
Your call Evo, and I'll agree whichever way.
HJT. Yes or No?
Cheers
Liam
The Oracle
Joined: Aug 2001
Posts: 2,902
Likes: 0
From: Naples, Florida U.S.A.
whiz,
Do let Stinger try to remove the pests. If that does not help resolve the situation, it is time to use Liam's "Hijack This!" so we can see where the problem is located in your system.
If we do not find it there, it is time to do a fresh install of WinXP on top of itself to sever the ties of the Malware with WinXP. (Then we can run all the programs, i.e. HouseCall, Ad-Aware, Spybot, Stinger, etc. and remove every pest in your system.)
Take Care,
Richard
Joined: Mar 2001
Posts: 216
Likes: 0
From: Cardiff ex GLA
Richard, E-Liam
Many thanks for taking the time and effort to help, much appreciated.
Evo,
I fully understand and will comply with whatever you decide regarding HJT
Richard,
I tried the stinger, but it found nothing
Awaiting instructions for the next move. Oh, and can someone please tell me what a hijack is?
Edited to say I have downloaded the latest Ad-aware update and scanned the system. 3 problems found, one of which was the usual possible browser hijack ... deleted 3 items and redid the scan; possible browser hijack still there.
Last edited by whiz; 2nd July 2004 at 08:29.
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Here goes then.. 
Hi Whiz,
Please download 'Hijack This!' from here, unzip it, and place it in its own folder (not in the temp folder, or on the desktop). Double-click HijackThis.exe and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.
This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.
A new version has just been released, so once you've got the program opened up, click on config | Misc Tools | Check for updates on line and follow the prompts.
Cheers
Liam
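As an added example (not code from the thread, and not part of HijackThis itself), here is a small Python triage script for the kind of log Liam asks for above. It picks out the two things this thread turns on: R0/R1 entries that point Internet Explorer at a res:// URL (the page is stored as a resource inside a DLL on disk, which is why a homepage change never sticks, and which ties in with Liam's earlier note that CWS variants hide a locked, super-hidden file: the script names that DLL so you know what to hunt for), and O2/O4 entries that load from C:\WINDOWS\system, where allthatglitters found msxr32.exe. The log lines are constructed to mirror the thread's symptoms; the CLSIDs are placeholders, and the "legacy system folder" rule is a heuristic assumed for this example, not something HijackThis applies.

```python
"""Triage a HijackThis log for the CoolWebSearch indicators seen in this thread.

Added example; the log text below is constructed to mirror the symptoms in
the thread (IE start page stuck on res://rcvki.dll/index.html, an autostart
entry for C:\\WINDOWS\\system\\msxr32.exe).  CLSIDs are placeholders.
"""
import re
from typing import Dict, List

# Constructed sample log in HijackThis' "code - detail" line format.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample, not a real log)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rcvki.dll/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://rcvki.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system\rcvki.dll
O2 - BHO: AcroIEHlprObj Class - {66666666-7777-8888-9999-000000000000} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [msxr32] C:\WINDOWS\system\msxr32.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Heuristic assumed for this example: on XP, almost nothing legitimate
# autostarts from the legacy 16-bit C:\WINDOWS\system folder (system32 is
# the real one), so a BHO or Run entry living there deserves a look.
LEGACY_SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system\\", re.IGNORECASE)


def dll_from_res_url(url: str) -> str:
    """'res://rcvki.dll/index.html' -> 'rcvki.dll': the module whose resource
    section holds the page, i.e. the file to go looking for on disk.
    Returns '' for anything that is not a res:// URL."""
    m = re.match(r"^res://([^/]+)/", url, re.IGNORECASE)
    return m.group(1) if m else ""


def entry_path(code: str, detail: str) -> str:
    """Pull the on-disk path out of an O2 (BHO) or O4 (Run key) entry."""
    if code == "O2":
        return detail.rsplit(" - ", 1)[-1].strip().strip('"')
    if code == "O4":
        return detail.split("] ", 1)[-1].strip().strip('"')
    return ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries worth acting on, each with the artifact to hunt for."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header and blank lines are not entries
        code, detail = m.group(1), m.group(2)
        if code in ("R0", "R1") and " = " in detail:
            _, value = detail.split(" = ", 1)
            value = value.strip()
            if value.lower().startswith("res://"):
                findings.append({
                    "code": code,
                    "entry": raw.strip(),
                    "artifact": dll_from_res_url(value),
                    "reason": "IE page set to a res:// URL (HTML stored inside "
                              "a DLL on disk); classic CoolWebSearch hijack",
                })
        elif code in ("O2", "O4"):
            path = entry_path(code, detail)
            if LEGACY_SYSTEM_DIR.match(path):
                findings.append({
                    "code": code,
                    "entry": raw.strip(),
                    "artifact": path.rsplit("\\", 1)[-1],
                    "reason": "loads from the legacy C:\\WINDOWS\\system folder "
                              "(heuristic; see LEGACY_SYSTEM_DIR)",
                })
    return findings


def artifacts(findings: List[Dict[str, str]]) -> List[str]:
    """Unique file names the findings point at, sorted, for the disk hunt."""
    return sorted({f["artifact"] for f in findings if f["artifact"]})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['code']}] {f['entry']}\n    -> {f['reason']}")
    print("Files to look for (check hidden/system attributes and ACLs):",
          ", ".join(artifacts(found)))
```

Run it against a real saved log by replacing SAMPLE_LOG with the file's contents. The list of artifacts is the useful output: those are the files to check with `attrib` and the permissions dialog, since, as Liam says, these variants hide the DLL as super-hidden with locked permissions so that deleting the registry entries alone never lasts.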
Joined: Mar 2001
Posts: 216
Likes: 0
From: Cardiff ex GLA
E-Liam,
I've done as asked, but for some reason it won't let me post the reply here; it's telling me I am using too many images, but all I'm doing is pasting the file directly from Notepad.
Last edited by whiz; 2nd July 2004 at 10:35.