Downloader.Agent.AL


  • This topic is locked
2 replies to this topic

#1 Ztilb

  • Full Member
  • 3 posts

Posted 21 July 2004 - 12:57 PM

I got this Downloader.Agent.AL and tried to remove it...

Can you please take a look at my log and see if everything is alright?

Thanks


Logfile of HijackThis v1.97.7
Scan saved at 11:23:13, on 19-07-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Programas\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\PROGRA~1\KM9801U\MMHotKey.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\WindUpdates\WinKA.exe
C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\PROGRA~1\KM9801U\HokHIDKC.EXE
C:\Programas\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Programas\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programas\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Testes\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programas\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [KM9801U] C:\PROGRA~1\KM9801U\MMHotKey.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE USB
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Programas\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programas\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: RAID Tool.lnk = C:\Programas\VIA\RAID\raid_tool.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...0f91b20c15a3e0e
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8020.6032523148
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\html\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 26 July 2004 - 03:11 PM

Hello Ztilb,

You still have a few bad things to remove.

Please print a copy of the thread for your easy reference.

Suggest you get the new Version 1.98 of HijackThis.
http://www.spywarein.../hijackthis.zip

1 - Close all open Explorer windows and browsers
2 - Run HijackThis
3 - Click on the Scan button and when complete
4 - Put a check beside all of the items listed below
5 - Click on the "Fix Checked" button
6 - When complete and all files removed, close the application

O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - Global Startup: officejet 6100.lnk = ?

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...0f91b20c15a3e0e

*
Next, reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.
*
Reboot, on restart, restart in "Safe Mode".

How To
1 - Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.
2 - When the Windows Advanced Options menu appears, select an option, and then press ENTER.
3 - When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.
*
Then delete the following files or folders as indicated in BOLD below:

NOT ALL OF THESE MAY STILL SHOW

C:\Program Files\WindUpdates\WinUpdt.exe <-- Folder and files
C:\Program Files\WindUpdates\WinKA.exe <-- Folder and file should be gone.
C:\Program Files\WindowsSA\omniscient.exe <-- Folder and file should be gone.
*
Reboot in normal mode.
*
Check/Remove any remaining malware.

Download Spybot Version 1.3 from: http://www.safer-net...p?page=download

1. Install Spybot S&D Version 1.3, accepting the Default Settings

Note: When doing the installation do not "tick" TeaTimer yet. We'll turn that on after we're done. You'll see what I mean during the installation process. It's a small resident program, part of Spybot, that works as a prevention for registry changes and some other things. But if it's running while we're doing fixes it'll pop up warnings about what we want to do during any manual fixes.

2. Go to Start > Programs >Spybot - Search & Destroy and choose 'Spybot S&D - easy mode'
3. Close ALL windows except Spybot S&D
4. Click the button to 'Search for Updates' and download and install the Updates.
5. Next click the button 'Check for Problems'
6. When Spybot is complete, it will be showing 'RED' entries, 'BLACK' entries and 'GREEN' entries in the window
7. Put a check mark beside the RED entries ONLY.
8. Choose 'Fix Selected Problems' and allow Spybot to fix the RED entries.
9. REBOOT
*
You are not presently running the latest copy of Internet Explorer (the SP1 version).
I suggest you get it from this site: http://v4.windowsupdate.microsoft.com/ and follow the instructions for the download. When installed, return to the site and install all of the latest security patches that will protect your computer.

Internet Explorer SP1 and all updates to February 2004 are included in this free CD from Microsoft. If you have a slow connection or are not pressed for time you can order it and install later. You must use the update site for any updates issued after that date.
How to obtain and use the Windows Security Update free CD (February 2004)
http://support.micro...om/?kbid=833242
*
Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following :
  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
I also recommend reading this article.
How did I get infected in the first place?
http://forums.net-in...?showtopic=3051
*
Run HijackThis and post a fresh log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating; see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
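The triage nasdaq did by eye on Ztilb's log in post #1 (pick the O4 Run values that imitate Windows, the Global Startup shortcut that resolves to "?", the nameless O16 download, and the second executable running from the same WindUpdates folder) can be written down as a small log-review script. The following is an added example for this thread, not HijackThis's own code and not something from the original posts: the heuristics are my own, the sample log is a constructed excerpt of the log posted above (with the URLs left truncated exactly as the forum rendered them), and the Windows directory is assumed to be on C:.

```python
"""Triage a HijackThis log and flag the autostart entries a reviewer should look at first.

Added example for this thread, not HijackThis's own logic; the heuristics are mine:
  * O4 Run value whose name or folder mimics Windows/Update/Microsoft while the
    executable lives outside the Windows directory (assumed to be on C: here)
  * O4 Global Startup shortcut whose target HijackThis could not resolve ("= ?")
  * O16 DPF (ActiveX download) with no object name, or served from a file:// path
  * running processes started from the folder of a flagged Run entry
"""
import re
from urllib.parse import urlparse

# Constructed sample: an excerpt of the log posted above. URLs are truncated exactly
# as the forum rendered them; nothing below depends on the full hostname.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\WindUpdates\WinUpdt.exe
C:\Program Files\WindUpdates\WinKA.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMAX] "C:\Programas\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...0f91b20c15a3e0e
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\html\IntraLaunch.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
"""

O4_RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^O4 - Global Startup: (?P<lnk>.+?) = (?P<target>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)      # "Running processes" lines
LOOKALIKE = re.compile(r"wind|update|microsoft", re.IGNORECASE)
WINDIR = "c:\\windows\\"                                             # assumption: system root


def exe_path(cmd):
    """Executable a Run command starts (the DLL for rundll32 launchers). An unquoted path
    with spaces is cut at the first .exe, which is also how CreateProcess resolves it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+)", cmd, re.IGNORECASE)
    if m:
        return m["dll"].strip()
    m = re.match(r"(?P<exe>.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m["exe"] if m else cmd.split(None, 1)[0]


def folder_of(path):
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def triage(log_text):
    """Return the flagged entries, grouped by HijackThis section."""
    run, startup, dpf, processes = [], [], [], []
    for line in log_text.splitlines():
        line = line.rstrip()
        if PROC_RE.match(line):
            processes.append(line)
        elif m := O4_RUN_RE.match(line):
            name, path = m["name"], exe_path(m["cmd"])
            suspicious_name = LOOKALIKE.search(name) or LOOKALIKE.search(folder_of(path).rsplit("\\", 1)[-1])
            if suspicious_name and not path.lower().startswith(WINDIR):
                run.append((name, path, "Windows/Update look-alike outside the Windows directory"))
        elif m := O4_LNK_RE.match(line):
            if m["target"] == "?":
                startup.append(m["lnk"])
        elif m := O16_RE.match(line):
            reasons = []
            if not m["name"]:
                reasons.append("no object name")
            if urlparse(m["url"]).scheme.lower() == "file":
                reasons.append("CAB loaded from a local path")
            if reasons:
                dpf.append((m["clsid"], m["name"], reasons))
    # Anything else running from a flagged folder is a likely companion (WinKA.exe here).
    flagged_dirs = {folder_of(p).lower() for _, p, _ in run if folder_of(p)}
    flagged_exes = {p.lower() for _, p, _ in run}
    companions = [p for p in processes
                  if folder_of(p).lower() in flagged_dirs and p.lower() not in flagged_exes]
    return {"run": run, "startup": startup, "dpf": dpf, "companions": companions}


def report(result):
    lines = [f"O4 Run [{n}] -> {p}: {why}" for n, p, why in result["run"]]
    lines += [f"O4 Global Startup {lnk}: target unresolved (= ?)" for lnk in result["startup"]]
    lines += [f"O16 DPF {{{c}}} ({n or 'no name'}): {'; '.join(r)}" for c, n, r in result["dpf"]]
    lines += [f"process from flagged folder: {p}" for p in result["companions"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the excerpt this reproduces nasdaq's list (the two Run values, the officejet shortcut, the nameless 15AD4789 download) and also surfaces WinKA.exe, which he asked to delete from disk even though it has no Run entry of its own. It additionally flags the IntraLaunch entry because it is loaded via file:// from D:; the moderator did not ask to remove that one, so treat the output as a review queue rather than a verdict. The look-alike rule will equally catch legitimate vendor entries whose name contains "Windows" or "Update", which is why the next step on the page is still to verify each path on disk. Note also that "Fix checked" in HijackThis only removes the registry value or shortcut; the files themselves have to be deleted separately, which is what the Safe Mode steps in the post are for.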

#3 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 20 September 2004 - 10:36 AM

Topic closed - No response since July.
