Olz

Trojan Horse Downloader.Agent.BR and res://

4 posts in this topic

Hi. I have got AVG antivirus, and each time I start my computer it finds a "Trojan Horse Downloader.Agent". It finds some viruses and removes them to a vault directory. I also tried AdAware (Build 6.181, Reference Number: 01R326 01.07.2004) in safe mode; it finds a lot of CoolWeb-something and removes them. The next time I start my browser it has been hijacked again (the res://btugr.dll/index.html#96676 shows up). I have been setting up Internet Explorer following this site's instructions, and installed the programs that detect hijack attempts.

 

In normal boot mode, my HijackThis log looks like this:

 

Logfile of HijackThis v1.98.0

Scan saved at 19:48:49, on 01-07-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programmer\Apache Group\Apache2\bin\Apache.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\RoamMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Programmer\Apache Group\Apache2\bin\Apache.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\1XConfig.exe

C:\Programmer\Synaptics\SynTP\SynTPLpr.exe

C:\Programmer\Synaptics\SynTP\SynTPEnh.exe

C:\Programmer\ASUS\ASUS Live Update\ALU.exe

C:\Programmer\ASUS\Power4 Gear\BatteryLife.exe

C:\WINDOWS\ATK0100\Hcontrol.exe

C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\System32\BtUsrBdg.exe

C:\WINDOWS\System32\BTSetBootKey.exe

C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programmer\D-Tools\daemon.exe

C:\Programmer\PestPatrol\PPControl.exe

C:\Programmer\PestPatrol\PPMemCheck.exe

C:\Programmer\PestPatrol\CookiePatrol.exe

C:\Programmer\MSN Messenger\MsnMsgr.Exe

C:\Programmer\Apache Group\Apache2\bin\ApacheMonitor.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\Programmer\Internet Explorer\iexplore.exe

C:\Documents and Settings\Kristian\Skrivebord\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btugr.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://btugr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://btugr.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\btugr.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btugr.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://btugr.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = blank:page

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = blank:page

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = blank:page

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = blank:page

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5E4FAFEB-6671-6BD8-FDD1-95B62936A37D} - C:\WINDOWS\ieyn.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ASUS Live Update] C:\Programmer\ASUS\ASUS Live Update\ALU.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Power_Gear] C:\Programmer\ASUS\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [bTUSRBDG] BtUsrBdg.exe

O4 - HKLM\..\Run: [bTSETBOOTKEY] BTSetBootKey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programmer\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1030

O4 - HKLM\..\Run: [iCQ Lite] C:\Programmer\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmer\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programmer\PestPatrol\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\Programmer\PestPatrol\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\Programmer\PestPatrol\CookiePatrol.exe

O4 - HKLM\..\Run: [msuz32.exe] C:\WINDOWS\system32\msuz32.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [steam] "c:\programmer\steam\steam.exe" -silent

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Programmer\ICQLite\ICQLite.exe -trayboot

O4 - Startup: Internet.url

O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programmer\Apache Group\Apache2\bin\ApacheMonitor.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmer\ICQLite\ICQLite.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\MSMSGS.EXE

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...InkCSP-0504.exe

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab27571.cab

O16 - DPF: {F9408298-9658-482C-8B02-93F09A80225F} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...InkCSP-0104.exe

 

Can anyone help?

 

Kristian


Hello, please download About:Buster and unzip it to your desktop. Start it, hit OK, Start, and OK again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.

 

 

Ducky


Logfile of HijackThis v1.97.7

Scan saved at 23:27:41, on 06-07-2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Programmer\Synaptics\SynTP\SynTPLpr.exe

C:\Programmer\Synaptics\SynTP\SynTPEnh.exe

C:\Programmer\ASUS\Power4 Gear\BatteryLife.exe

C:\WINDOWS\ATK0100\Hcontrol.exe

C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINDOWS\System32\BtUsrBdg.exe

C:\WINDOWS\System32\BTSetBootKey.exe

C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programmer\MSN Messenger\MsnMsgr.Exe

C:\Programmer\Apache Group\Apache2\bin\Apache.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Programmer\Apache Group\Apache2\bin\Apache.exe

C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\RegSrvc.exe

C:\WINDOWS\System32\RoamMgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\ATK0100\ATKOSD.exe

C:\WINDOWS\System32\1XConfig.exe

C:\Documents and Settings\Kristian\Skrivebord\hijackthis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = blank:page

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = blank:page

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = blank:page

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = blank:page

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5E4FAFEB-6671-6BD8-FDD1-95B62936A37D} - C:\WINDOWS\ieyn.dll (file missing)

O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmer\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmer\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [synTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ASUS Live Update] C:\Programmer\ASUS\ASUS Live Update\ALU.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Power_Gear] C:\Programmer\ASUS\Power4 Gear\BatteryLife.exe 1

O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [bTUSRBDG] BtUsrBdg.exe

O4 - HKLM\..\Run: [bTSETBOOTKEY] BTSetBootKey.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ATIPTA] C:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programmer\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe" -lang 1030

O4 - HKLM\..\Run: [iCQ Lite] C:\Programmer\ICQLite\ICQLite.exe -minimize

O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programmer\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Programmer\PestPatrol\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\Programmer\PestPatrol\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\Programmer\PestPatrol\CookiePatrol.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [steam] "c:\programmer\steam\steam.exe" -silent

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Programmer\ICQLite\ICQLite.exe -trayboot

O4 - Startup: Internet.url

O4 - Global Startup: Monitor Apache Servers.lnk = C:\Programmer\Apache Group\Apache2\bin\ApacheMonitor.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Opslag (HKLM)

O9 - Extra button: ICQ 4.0 (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab27571.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab27571.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab27571.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {A590956F-AE99-4419-BB39-3C721276C625} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...InkCSP-0504.exe

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab27571.cab

O16 - DPF: {F9408298-9658-482C-8B02-93F09A80225F} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...InkCSP-0104.exe

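Added here as an illustration, not part of the thread or of HijackThis itself: a small Python checker that flags the three hijack patterns visible in Kristian's first log (R0/R1 pages served from a res:// DLL, a BHO DLL dropped straight into C:\WINDOWS or already missing, a Run value for an .exe in system32) and diffs them against the second log. The sample lines are copied from the two logs above; the heuristics and names are my own.

```python
import re

# Constructed sample: lines copied from the two HijackThis logs posted in this
# thread, trimmed to the entries the checks below look at.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\btugr.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://btugr.dll/index.html#96676
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5E4FAFEB-6671-6BD8-FDD1-95B62936A37D} - C:\WINDOWS\ieyn.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [msuz32.exe] C:\WINDOWS\system32\msuz32.exe
"""
LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = blank:page
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5E4FAFEB-6671-6BD8-FDD1-95B62936A37D} - C:\WINDOWS\ieyn.dll (file missing)
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""

RE_R = re.compile(r"^R[013] - (?P<key>.+?) = (?P<value>.*)$")
RE_BHO = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RE_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<label>.+?)\] (?P<cmd>.*)$")
RE_WINDOWS_ROOT_DLL = re.compile(r"C:\\WINDOWS\\[^\\]+\.dll", re.I)  # DLL with no vendor subdirectory

def suspicious_entries(log):
    """Return (reason, line) pairs for the three hijack patterns seen in this thread."""
    hits = []
    for line in log.splitlines():
        if m := RE_R.match(line):
            # IE start/search page pointing into a DLL resource (res://...dll/...)
            if m.group("value").lower().startswith("res://"):
                hits.append(("ie-page-served-from-dll", line))
        elif m := RE_BHO.match(line):
            # "(no name)" alone is no signal: HJT 1.97.7 prints it for the Acrobat BHO too.
            # What matters is the DLL sitting in C:\WINDOWS itself, or already being gone.
            if RE_WINDOWS_ROOT_DLL.fullmatch(m.group("path")) or m.group("path").endswith("(file missing)"):
                hits.append(("bho-dll-in-windows-root-or-missing", line))
        elif m := RE_RUN.match(line):
            # Run value whose label is just an .exe name and whose target lives in system32
            if m.group("label").lower().endswith(".exe") and "\\system32\\" in m.group("cmd").lower():
                hits.append(("run-key-exe-in-system32", line))
    return hits

def compare(before, after):
    """Which flagged entries disappeared between two logs, and which are still registered."""
    # "(file missing)" is the same registration, now orphaned, so drop the suffix before comparing.
    b = {l.replace(" (file missing)", "") for _, l in suspicious_entries(before)}
    a = {l.replace(" (file missing)", "") for _, l in suspicious_entries(after)}
    return {"removed": sorted(b - a), "remaining": sorted(a)}
```

On the two logs in this thread it reports the res:// pages and msuz32.exe as removed and the ieyn.dll BHO registration as still present, which is the kind of leftover an O2 fix in HijackThis is for.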