Backdoor.Trojan HJT Log - jayhawk - Please Help

edited August 2004 in Spyware & Virus Removal
I have a nasty virus I just can't shake. Any help would be appreciated. I have used Spybot and Ad-Aware, and also use Symantec's Enterprise Edition. I followed Symantec's recommendation for getting rid of Backdoor Trojan viruses - go into safe mode, run scanner, turn off computer, power off, back on, scan again, but it doesn't detect any virus at all. As soon as I go back into regular mode I receive the following virus message when I take many actions (open browser, open certain folders, etc.):

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Backdoor.Trojan
File: C:\WINDOWS\SYSTEM32\LOGAO.DLL
Location: C:\WINDOWS\SYSTEM32
Computer: JAYHAWK
User: Owner
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Mon Jul 19 19:57:11 2004

I am also using Ad-Watch (pay version of Ad-Aware) and I receive many pop-up alerts for Search Bar / SearchAssistant trying to add a sp.html file to a Temp folder and change my default browser home page. I spend as much time just clicking the Block button on the Ad-Watch alert so that is also a pain.

Here's my HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 7:30:17 PM, on 7/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\NavNT\DefWatch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\hphmon04.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\software\HiJackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: (no name) - {03F93C22-F222-4174-8258-3DD2D341FA8F} - C:\WINDOWS\System32\algpfca.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKLM\..\Run: [dshrrdv] C:\WINDOWS\System32\bcqkgs.exe
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.41.182.19:50502/activex/AxisCamControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O18 - Filter: text/html - {0B79AE4E-6F23-4680-A655-303A96AC653C} - C:\WINDOWS\System32\algpfca.dll
O18 - Filter: text/plain - {0B79AE4E-6F23-4680-A655-303A96AC653C} - C:\WINDOWS\System32\algpfca.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\logao.dll

I would really love help ridding my computer of this virus and browser hijack so I can move on to the next one:). Thanks for any help you can provide.
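A triage script for logs like the one above, added here as an example; it is not part of HijackThis and not code from anyone in this thread. It parses the HJT entry lines and flags the categories at issue in this log (R1 search settings redirected to Temp\sp.html, O16 objects installed from file://, O18 filters, an O4 executable in the Windows root, orphaned and unnamed BHOs, the O20 AppInit_DLLs entry) and can diff two logs to show which flagged entries survived a cleanup round. The function names and heuristics are this example's own, and the embedded logs are short excerpts of the two logs posted in the thread.

```python
"""
HijackThis (HJT) log triage, written as an added example for this thread; it is
not part of HijackThis and not code from anyone posting here.  It parses the
"Rn / Fn / On" entry lines and flags the patterns this thread turns on: IE
search settings pointed at a file:// page in a Temp folder, ActiveX objects
(O16) installed from a local file://, O18 MIME filters, autorun executables
dropped straight into the Windows directory, orphaned BHO/toolbar entries and
the O20 AppInit_DLLs entry.  The sample logs are short excerpts of the two
logs posted in the thread; the heuristics are review flags, not verdicts.
"""
import re
from dataclasses import dataclass

# An entry line looks like "O20 - AppInit_DLLs: C:\WINDOWS\System32\logao.dll"
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<body>.+)$")
# O4 value whose executable sits directly in the Windows directory (C:\WINDOWS\alchem.exe)
WINROOT_EXE_RE = re.compile(r'\]\s+"?c:\\windows\\[^\\\s"]+\.exe\b')


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section, e.g. "O20"
    reason: str  # why it was flagged
    line: str    # the entry as it appeared in the log


def parse_entries(log_text):
    """Return (kind, body) for every HJT entry line; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(log_text):
    """Flag suspicious entries, in log order, using the heuristics from the module docstring."""
    findings = []
    for kind, body in parse_entries(log_text):
        low = body.lower()
        reason = None
        if kind.startswith("R") and "file://" in low and "\\temp\\" in low:
            reason = "IE search/home setting points at a local file in a Temp folder"
        elif kind == "O16" and "file://" in low:
            reason = "Downloaded Program File (ActiveX) registered from a local file:// path"
        elif kind == "O18":
            reason = "MIME filter intercepting text/html or text/plain content"
        elif kind == "O20" and "appinit_dlls" in low:
            reason = "AppInit_DLLs entry: DLL loaded into every process that loads user32.dll"
        elif kind == "O4" and WINROOT_EXE_RE.search(low):
            reason = "Autorun executable sitting directly in the Windows directory"
        elif kind in ("O2", "O3") and "(no file)" in low:
            reason = "Orphaned entry: registered object whose file no longer exists"
        elif kind == "O2" and low.startswith("bho: (no name)"):
            reason = "Unnamed BHO; identify the DLL (legitimate ones exist, e.g. Spybot's SDHelper)"
        if reason:
            findings.append(Finding(kind, reason, f"{kind} - {body}"))
    return findings


def persisting(before_log, after_log):
    """Findings from the first log that are still present, verbatim, in the second."""
    after_lines = {f.line for f in triage(after_log)}
    return [f for f in triage(before_log) if f.line in after_lines]


# Excerpt of the first log in this thread (before the cleanup round)
LOG_BEFORE = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {03F93C22-F222-4174-8258-3DD2D341FA8F} - C:\WINDOWS\System32\algpfca.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
O18 - Filter: text/html - {0B79AE4E-6F23-4680-A655-303A96AC653C} - C:\WINDOWS\System32\algpfca.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\logao.dll
"""

# Excerpt of the second log (after the cleanup round): only the O20 entry survived
LOG_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O20 - AppInit_DLLs: C:\WINDOWS\System32\logao.dll
"""

if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print("still present after cleanup:", [f.line for f in persisting(LOG_BEFORE, LOG_AFTER)])
```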

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    This guy is with me, so be sure to take care of him :)
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    okay, start with getting rid of the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: (no name) - {03F93C22-F222-4174-8258-3DD2D341FA8F} - C:\WINDOWS\System32\algpfca.dll

    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)

    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
    O4 - HKLM\..\Run: [dshrrdv] C:\WINDOWS\System32\bcqkgs.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll

    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll

    O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
    O18 - Filter: text/html - {0B79AE4E-6F23-4680-A655-303A96AC653C} - C:\WINDOWS\System32\algpfca.dll
    O18 - Filter: text/plain - {0B79AE4E-6F23-4680-A655-303A96AC653C} - C:\WINDOWS\System32\algpfca.dll
    O20 - AppInit_DLLs: C:\WINDOWS\System32\logao.dll

    Then, boot into safe mode, and manually delete the following folders and files:

    C:\Program Files\Common Files\WinTools\
    C:\WINDOWS\DHUpdt.exe
    C:\WINDOWS\dhbrwsr.exe
    C:\WINDOWS\System32\logao.dll
    C:\install.cab
    C:\WINDOWS\System32\algpfca.dll
    C:\WINDOWS\alchem.exe
    C:\Program Files\OfferApp\
    C:\WINDOWS\System32\bcqkgs.exe
    C:\Program Files\Altnet\

    Then, reboot, run Ad-Aware and Spybot again, and then post a new HJT log here.
  • edited July 2004
    I ran through the checklist you provided. When in safe mode I deleted those files and folders that you recommended that existed. I also then ran Ad-Aware and Spybot both in safe mode and in regular mode. I'm still receiving the following virus message:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Backdoor.Trojan
    File: C:\WINDOWS\SYSTEM32\LOGAO.DLL
    Location: C:\WINDOWS\SYSTEM32
    Computer: JAYHAWK
    User: Owner
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Mon Jul 19 21:48:16 2004

    New HJT Log:

    Logfile of HijackThis v1.98.0
    Scan saved at 10:10:07 PM, on 7/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\PROGRA~1\NavNT\vptray.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\SecCopy\SecCopy.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\NavNT\DefWatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\Documents and Settings\Owner\My Documents\software\HiJackThis\hijackthis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://68.41.182.19:50502/activex/AxisCamControl.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - AppInit_DLLs: C:\WINDOWS\System32\logao.dll

    I can't even seem to get through the HJT removal process before the virus reappears.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    That "logao.dll" is the reloader. We need to get rid of that.

    See, the appinit registry entry is an obscure one, but very effective for virus and trojan writers. Basically, it tells the OS a list of things to do whenever an "application" is initialized. That means that ANY EXECUTABLE THAT IS RUN will launch the dll, which will then re-infect the system. We have to:

    A) Kill that dll's active process
    B) Remove the appinit registry entry that calls it up
    C) Delete the actual reloader.

    One thing we can do to monitor the live infection is to run FileMon (from www.sysinternals.com) and it will "capture" in real time, all file activity on the system. Let it run, try to delete logao.dll file with it, and then end the filemon capture. You will probably see the exact point where the file is being reloaded. Let's start with that. Capture some of the filemon log and paste any relevant portions into this thread.
  • edited July 2004
    I started running Filemon and it sure captures a lot of activity. When you say to delete logao.dll do you mean:

    1. Using HiJackThis results select it from the list and try to fix/delete the file
    2. Using File Explorer find the file (C:\WINDOWS\System32\logao.dll) and delete it (I was able to see the file before in safe mode but I don't see it in regular mode).

    Also, should I be running Filemon in Safe or Regular Mode to capture the info you need?
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    try using HijackThis to delete the file, and then "use the computer" for a second, while still capturing. Open IE, close it, open a window or something, close it. Chances are, the reloader will poke its head up.
  • edited July 2004
    I downloaded and ran Filemon and captured about 45,000 lines in a brief capture session. I ran HiJackThis to delete the logao.dll file and took a few actions after deletion to get the virus to pop up again. I have included select sections from the log file where the logao.dll file appears. I left out the majority of the log file where HiJackThis was deleting the logao.dll - I can post any more if needed.

    1291 9:01:43 PM HijackThis.exe:360 OPEN C:\WINDOWS\SYSTEM32\LOGAO.DLL SHARING VIOLATION Options: Open Access: All
    1292 9:01:43 PM HijackThis.exe:360 OPEN C:\ SUCCESS Options: Open Directory Access: All
    1293 9:01:43 PM HijackThis.exe:360 QUERY INFORMATION C:\ SUCCESS Attributes: DHSA
    1294 9:01:43 PM HijackThis.exe:360 QUERY INFORMATION C:\ SUCCESS FileFsAttributeInformation
    1295 9:01:43 PM HijackThis.exe:360 CLOSE C:\ SUCCESS
    1296 9:01:43 PM HijackThis.exe:360 CLOSE C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.DLL SUCCESS
    1297 9:01:43 PM HijackThis.exe:360 CREATE C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.DLL SUCCESS Options: Overwrite Access: Delete
    1298 9:01:43 PM HijackThis.exe:360 OPEN C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\ SUCCESS Options: Open Access: 00000000
    1299 9:01:43 PM HijackThis.exe:360 CLOSE C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.DLL SUCCESS
    1300 9:01:43 PM Rtvscan.exe:1648 OPEN C:\ SUCCESS Options: Open Directory Access: All
    1301 9:01:43 PM Rtvscan.exe:1648 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: WINDOWS
    1302 9:01:43 PM Rtvscan.exe:1648 CLOSE C:\ SUCCESS
    1303 9:01:43 PM Rtvscan.exe:1648 OPEN C:\WINDOWS\ SUCCESS Options: Open Directory Access: All
    1304 9:01:43 PM Rtvscan.exe:1648 DIRECTORY C:\WINDOWS\ SUCCESS FileBothDirectoryInformation: SYSTEM32
    1305 9:01:43 PM Rtvscan.exe:1648 CLOSE C:\WINDOWS\ SUCCESS
    1306 9:01:43 PM Rtvscan.exe:1648 OPEN C:\WINDOWS\SYSTEM32\ SUCCESS Options: Open Directory Access: All
    1307 9:01:43 PM Rtvscan.exe:1648 DIRECTORY C:\WINDOWS\SYSTEM32\ SUCCESS FileBothDirectoryInformation: LOGAO.DLL
    1308 9:01:43 PM Rtvscan.exe:1648 DIRECTORY C:\WINDOWS\SYSTEM32\ NO MORE FILES FileBothDirectoryInformation
    1309 9:01:43 PM services.exe:972 WRITE C:\WINDOWS\SYSTEM32\config\AppEvent.Evt SUCCESS Offset: 339832 Length: 456
    1310 9:01:43 PM services.exe:972 WRITE C:\WINDOWS\SYSTEM32\config\AppEvent.Evt SUCCESS Offset: 340288 Length: 40
    1311 9:01:43 PM Rtvscan.exe:1648 OPEN C:\WINDOWS\System32\shfolder.dll SUCCESS Options: Open Access: All

    ================

    12634 9:01:50 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\KERNEL32.DLL SUCCESS FileInternalInformation
    12635 9:01:50 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\KERNEL32.DLL SUCCESS
    12636 9:01:50 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS Options: Open Access: All
    12637 9:01:50 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS Attributes: A
    12638 9:01:50 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS
    12639 9:01:50 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS Options: Open Access: All
    12640 9:01:50 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS FileInternalInformation
    12641 9:01:50 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS
    12642 9:01:50 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Options: Open Access: All
    12643 9:01:50 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Attributes: N
    12644 9:01:50 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS
    12645 9:01:50 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\LSASS.EXE SUCCESS Options: Open Access: All
    12646 9:01:50 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LSASS.EXE SUCCESS Attributes: A
    12647 9:01:50 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\LSASS.EXE SUCCESS
    12648 9:01:50 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\MSVCRT.DLL SUCCESS Options: Open Access: All

    =====================

    13116 9:01:54 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS Options: Open Access: All
    13117 9:01:54 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS Attributes: A
    13118 9:01:54 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS
    13119 9:01:54 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS Options: Open Access: All
    13120 9:01:54 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS FileInternalInformation
    13121 9:01:54 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\LOCALE.NLS SUCCESS
    13122 9:01:54 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Options: Open Access: All
    13123 9:01:54 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Attributes: N
    13124 9:01:54 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS
    13125 9:01:54 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\LOGAO.DLL ACCESS DENIED NT_AUTHORITY\SYSTEM
    13126 9:01:54 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\MSVBVM60.DLL SUCCESS Options: Open Access: All
    13127 9:01:54 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\MSVBVM60.DLL SUCCESS Attributes: N
    13128 9:01:54 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\MSVBVM60.DLL SUCCESS
    13129 9:01:54 PM svchost.exe:1524 OPEN C:\WINDOWS\SYSTEM32\MSVBVM60.DLL SUCCESS Options: Open Access: All
    13130 9:01:54 PM svchost.exe:1524 QUERY INFORMATION C:\WINDOWS\SYSTEM32\MSVBVM60.DLL SUCCESS FileInternalInformation
    13131 9:01:54 PM svchost.exe:1524 CLOSE C:\WINDOWS\SYSTEM32\MSVBVM60.DLL SUCCESS

    ==================

    13466 9:01:56 PM spoolsv.exe:444 WRITE C:\WINDOWS\SYSTEM32\config\software SUCCESS Offset: 0 Length: 16384
    13467 9:01:56 PM spoolsv.exe:444 WRITE C:\WINDOWS\SYSTEM32\config\software SUCCESS Offset: 8060928 Length: 16384
    13468 9:01:56 PM spoolsv.exe:444 WRITE C:\WINDOWS\SYSTEM32\config\software SUCCESS Offset: 0 Length: 16384
    13469 9:01:56 PM spoolsv.exe:444 WRITE C:\WINDOWS\SYSTEM32\config\software SUCCESS Offset: 540672 Length: 16384
    13470 9:01:56 PM spoolsv.exe:444 WRITE C:\WINDOWS\SYSTEM32\config\software SUCCESS Offset: 5718016 Length: 16384
    13471 9:01:56 PM spoolsv.exe:444 WRITE C:\WINDOWS\SYSTEM32\config\software SUCCESS Offset: 0 Length: 4096
    13472 9:01:56 PM spoolsv.exe:444 SET INFORMATION C:\WINDOWS\SYSTEM32\config\software.LOG SUCCESS Length: 1024
    13473 9:01:56 PM spoolsv.exe:444 OPEN C:\WINDOWS\System32\logao.dll ACCESS DENIED NT_AUTHORITY\SYSTEM
    13474 9:01:56 PM spoolsv.exe:444 OPEN C:\WINDOWS\System32\logao.dll ACCESS DENIED NT_AUTHORITY\SYSTEM
    13475 9:01:56 PM lsass.exe:984 READ C: SUCCESS Offset: 22822912 Length: 4096
    13476 9:01:56 PM lsass.exe:984 READ C: SUCCESS Offset: 22806528 Length: 4096
    13477 9:01:56 PM lsass.exe:984 READ C: SUCCESS Offset: 22896640 Length: 4096
    13478 9:01:56 PM lsass.exe:984 READ C: SUCCESS Offset: 22867968 Length: 4096
    13479 9:01:56 PM lsass.exe:984 READ C: SUCCESS Offset: 22888448 Length: 4096
    13480 9:01:56 PM lsass.exe:984 READ C: SUCCESS Offset: 22884352 Length: 4096
    13481 9:01:56 PM P2P Networking.:1376 QUERY INFORMATION C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 7815168
    13482 9:01:56 PM P2P Networking.:1376 QUERY INFORMATION C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS

    =====================

    29100 9:02:31 PM iexplore.exe:3516 QUERY INFORMATION C:\WINDOWS\SYSTEM32\DRIVERS\DXG.SYS SUCCESS FileBasicInformation
    29101 9:02:31 PM iexplore.exe:3516 CLOSE C:\WINDOWS\SYSTEM32\DRIVERS\DXG.SYS SUCCESS
    29102 9:02:31 PM iexplore.exe:3516 QUERY INFORMATION C:\WINDOWS\SYSTEM32\DRIVERS\DXG.SYS SUCCESS Length: 68992
    29103 9:02:31 PM iexplore.exe:3516 OPEN C:\WINDOWS\SYSTEM32\LOGAO.DLL Options: Open Access: All
    29104 9:02:31 PM iexplore.exe:3516 OPEN C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Options: Open Access: All
    29105 9:02:31 PM iexplore.exe:3516 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Attributes: N
    29106 9:02:31 PM iexplore.exe:3516 SET INFORMATION C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS FileBasicInformation
    29107 9:02:31 PM iexplore.exe:3516 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOGAO.DLL BUFFER OVERFLOW FileFsVolumeInformation
    29108 9:02:31 PM iexplore.exe:3516 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS FileInternalInformation
    29109 9:02:31 PM iexplore.exe:3516 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Length: 57344
    29110 9:02:31 PM iexplore.exe:3516 QUERY INFORMATION C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Length: 57344
    29111 9:02:31 PM iexplore.exe:3516 READ C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Offset: 0 Length: 256
    29112 9:02:31 PM iexplore.exe:3516 READ C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Offset: 24 Length: 256
    29113 9:02:31 PM iexplore.exe:3516 READ C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Offset: 512 Length: 256


    I hope these pieces provide you some clues. Thank you so much for all of the troubleshooting you are doing to help. I really appreciate it.
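Reading a Filemon excerpt like the one above by hand gets tedious once it runs to thousands of lines. The following triage helper, added here as an example and not code from anyone in this thread, parses the Filemon column layout, then reports every process that touched a named DLL and with what result, so the ACCESS DENIED attempts by SYSTEM and the successful reads by the user's iexplore.exe stand out. The sample log is constructed in the format shown above; the function names are mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Filemon column layout shown in the thread
# (seq, time, process:pid, operation, path, result, details).
SAMPLE_LOG = r"""13473 9:01:56 PM spoolsv.exe:444 OPEN C:\WINDOWS\System32\logao.dll ACCESS DENIED NT_AUTHORITY\SYSTEM
13481 9:01:56 PM P2P Networking.:1376 QUERY INFORMATION C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat SUCCESS Length: 7815168
29103 9:02:31 PM iexplore.exe:3516 OPEN C:\WINDOWS\SYSTEM32\LOGAO.DLL Options: Open Access: All
29104 9:02:31 PM iexplore.exe:3516 OPEN C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Options: Open Access: All
29111 9:02:31 PM iexplore.exe:3516 READ C:\WINDOWS\SYSTEM32\LOGAO.DLL SUCCESS Offset: 0 Length: 256
"""

HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<proc>.+?):(?P<pid>\d+)\s+"
    r"(?P<op>OPEN|READ|WRITE|CLOSE|QUERY INFORMATION|SET INFORMATION)\s+(?P<rest>.*)$")
# Result codes follow the path; the first OPEN of a pair carries none (result still pending).
RESULT_RE = re.compile(r"\s+(SUCCESS|ACCESS DENIED|BUFFER OVERFLOW|NOT FOUND|SHARING VIOLATION)\b")
# Without a result code, the path ends where the first detail field begins.
DETAIL_RE = re.compile(r"\s+(?=Options:|Offset:|Length:|Attributes:)")

def parse_line(line):
    """Return one event as a dict, or None for separators and non-event text."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest")
    r = RESULT_RE.search(rest)
    if r:
        ev["path"], ev["result"] = rest[:r.start()], r.group(1)
        ev["detail"] = rest[r.end():].strip()
    else:
        d = DETAIL_RE.search(rest)
        ev["path"] = rest[:d.start()] if d else rest
        ev["result"], ev["detail"] = None, (rest[d.start():].strip() if d else "")
    return ev

def dll_activity(log_text, dll_name):
    """Map 'proc:pid' -> {'OP/RESULT': count} for every event on dll_name (case-insensitive)."""
    target, summary = "\\" + dll_name.lower(), defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"].lower().endswith(target):
            summary[f'{ev["proc"]}:{ev["pid"]}'][f'{ev["op"]}/{ev["result"] or "PENDING"}'] += 1
    return {proc: dict(ops) for proc, ops in summary.items()}

def loaders(log_text, dll_name):
    """Processes that read the DLL into memory: the hosts the AppInit hook injected it into."""
    return sorted(p for p, ops in dll_activity(log_text, dll_name).items()
                  if "READ/SUCCESS" in ops)
```

Run `dll_activity(SAMPLE_LOG, "logao.dll")` to get the per-process breakdown and `loaders(...)` for the list of processes that actually loaded the DLL; on a real capture, paste the Filemon text in place of the sample.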
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    okay, click start --> run and type "regedit"

    go to the top of the tree ( "My computer" ) and hit CTRL-F to "find"... type in "logao.dll" and lets try to find where the hook is for this thing.

    what a bitch this is! :D
  • Dexter Vancouver, BC Canada
    edited July 2004
    Try downloading PRCView: http://www.xmlsp.com/pview/prcview.htm

    It is very good at ending processes, and identifying where they were launched from. It may help you kill the logao.dll and allow you to delete it. Make sure to try it in normal mode first, then in safe mode, to compare the processes.

    Dexter...
  • edited July 2004
    Based on primesuspect's last request I am attaching a screen shot that includes the regedit results of a find on "logao.dll". Thanks also Dexter - I will check out PRCView.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    delete that value completely. Highlight "appinit_DLLS" and push the delete key. Search for any other registry entry that contains that same string (logao.dll) and delete them as well.
  • t.j
    edited July 2004
    I've been following this one because I've been having the same problem as jayhawk, except my dll is named sqllbne.dll. I can tell you that deleting the AppInit_DLLs will likely not work. At least it didn't in my case. I was able to delete it, but refreshing with F5, it showed right back up. This one has been giving me serious fits.
  • edited July 2004
    t.j was right on. I deleted the logao.dll, ran a search on the same dll and it immediately reappears. Almost any action I take after a potential removal, and it comes back. I have not tried PRCView yet but I feel there are so many processes that are kicking off the virus.
  • edited July 2004
    Hello,

    I'm new here. I found these forums by searching the internet to find a way to get rid of a nasty virus. I have found several other people's posts in various forums the last couple days with the same problem. Everyone seems to have a different name for the virus but have the same problems. Mine is called MSF.dll and a lowercase version msf.dll (C:\WINDOWS\System32\msf.dll). From the minute I boot up, to using web browser, email, and just about anything I get about 8 pop ups from NAV telling me that a backdoor.trojan called MSF.dll is found and access is denied. I too tried all the suggested steps for removing backdoor trojans at Symantec's website to no avail. If I spend 5 minutes doing stuff on my computer I will have over 100 pop up windows from NAV for the MSF.dll to click through and close. It sucks bad hehe. I hope someone can fix this sucker soon.

    Matt
  • dodo Landisville, PA
    edited July 2004
    Has anyone tried a different virus scanner? I've found http://housecall.trendmicro.com was able to remove some viruses that Norton didn't pick up. Give it a shot...


    ~dodo
  • edited July 2004
    dodo,

    I just went to trendmicro and used their free online scan and it didn't find my MSF.dll trojan backdoor. It did find 2 in a sun/java folder and I deleted them, then a few minutes later files were being backed up all over my desktop. 4, then 8, then 12..they kept multiplying. I highlighted and deleted them and they haven't come back...weird.

    Matt
  • edited July 2004
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.agent.b.html


    jayhawk,

    I just went to Symantec's site and manually downloaded the latest virus definitions using Intelligent Updater. This virus is now identified as backdoor.agent.b and they are aware of it now. Go there and get the latest definitions and follow this link to the removal process. I am doing it now. Hope it works hehe.
  • edited July 2004
    Ok I think my backdoor.agent.b is gone. I followed all the steps for removal on Symantec's site but the scan didn't find anything. I then followed all the steps again in safe mode and the scan still didn't find anything. Then I rebooted in normal mode and when I went to launch Internet Explorer the virus notice popped back up, but this time NAV was able to delete it, when previously it would only say access denied. I've launched several other applications and no sign of the virus. Hopefully it's gone. This one was a major pain hehe.

    Of note: the instructions on removing it said there would be a line called "(my random dll name which was MSF).dll, StreamingDeviceSetup" in hkey_local_machine\software\microsoft\windows\currentversion\run that I was to delete, but I didn't have that in there. Only the other registry entry that was noted to make a change to was. Even a search on the registry didn't find any string like "StreamingDevice". Oh well..hopefully this one doesn't come back. Good luck Jayhawk.
  • gibbonsl Grand Forks AFB
    edited July 2004
    I am going to throw out a suggestion and a question.

    Do you have System Restore active?

    If it comes back, turn it off then run the scan.
  • edited July 2004
    I did have System Restore on. I turned it off whenever I was trying to get rid of the virus. I turned it off on this last successful pass at removing it. It is now back on and the virus hasn't come back after several reboots and the use of applications.
  • edited July 2004
    Hallelujah! I followed the same procedure Vidmax recommended above and had almost exactly the same results when using the Symantec fix. All seems to be clear. Thanks to primesuspect and the others for providing so much assistance. I have learned a lot with this one interaction on short-media and look forward to learning more.
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2004
    Well the good thing is that you came here with a new one for us, and now we know how to fix it. I'm sure this one will be popping up more and more :(

    Cheers! :D
  • edited July 2004
    Unfortunately, this fix has not worked for me yet. The difference I had was that Norton told me there were no updates to install when the last update I had was 21 July and the latest update is 22 July. I am going to play around with it a little more after work today, so I'll chime in if I get it to work.

    Also of note...this may or may not be related to the virus, but I get a blank page every time I go to Windows Update to retrieve the latest patches. Thought that was a bit odd.
  • edited July 2004
    Hines86,

    The last update I believe was Friday July 23rd. Did you go to Symantec's site and manually download the latest definitions using the intelligent updater on the site (not the live update function in your NAV)?

    Also, the About:Blank problem is another issue of a web page hijacker you might have, probably CoolWebSearch. I had this one too. Download CWShredder and run it. It's good to also have a couple different spyware programs to check for hijacked registry entries, usually ones that cause your home page to be redirected. There are some posts in these forums about "About:Blank" and web page hijacking and some recommended solutions and programs to use.
  • edited July 2004
    No, I was lazy and did the update from NAV itself. I'll give that a try when I get home.

    I don't seem to have a problem with the about:blank issue, as my home page hasn't changed at all. Maybe after the virus is gone it will work again.
  • edited July 2004
    I finally got rid of the virus. My solution was a little different, as I had to go into safe mode and delete the *.dll file manually. It was weird because Norton recognized the virus as a backdoor.agent.b type, but it still was not able to access it or delete it (and yes I did do the live update on Symantec's website). I also tried doing this before Symantec knew about the virus, but for some reason, the *.dll file was not found while in safe mode. Oh well, I'm just happy this is over with. This has been such a thorn in my side. Thanks to all who helped out.
  • Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited August 2004
    Also, for the logao.dll removal see the link below:

    http://forum.flyordie.com/thread.jsp?forum=4&thread=12531&message=118368&tstart=0&trange=15118368

    The reason folks are having issues is that this is a loader dll that loads an app, in this case a trojan, using AppInit.dll. Second, this file is attrib'd to read only. XP protects such.

    Run the recovery console, from CD.

    Navigate to the directory the .dll is in, with a

    cd c:\windows\system

    or a

    cd c:\windows\system32

    (it should be in one of those two places)

    Easiest kill of the dll is to do an

    attrib -r logao.dll
    followed by a
    ren logao.dll BADJUNK.dll

    and then enable SpyBot S&D to run on restart\reboot and then restart windows. Symantec has issues with killing this particular beast if NAV is run as user privileges, and if read-only files are hidden to user running NAV, then you get NAV unable to access the file concerned or being scanned for. One way around this is to do this:

    run NAV with admin privileges.

    OR

    Run Spybot S&D with admin privileges at restart\reboot time, and in that run mode it grabs the file and kills it before AppInit.dll is used to register things as admin privileged processes (in this case you have a trojan registered also, as an admin privileged process as Windows starts up), AS WINDOWS is early in the start process and before the file is "protected." This is partly for Prime and partly for mods and partly for users. I use regedt32.exe to deprivilege processes I know are trojans by pulling their AppInit entries, in safe mode as administrator, restart, and go BACK into safe mode, and then run Spybot S&D in "run at reboot" mode and restart yet again. Then SpyBot S&D can kill the thing. This process works for many things like this; the trick is to know what file to kill the AppInit entry for.

    Further notes for all:

    Even in very late July and August, there have been definition updates for both SpyBot and AdAware. SpyBot as to version of program is not being revised, but as to defs there are some additions. What Spybot can do if you let it run in run at restart\reboot is in essence what I will do sometimes in the regedt32 and then restart series: it can pull the registry entry based on detection defs, then it can remove the file on restart\reboot before Windows protects it by loading things as apps that you do NOT want protected.

    NAV also has a run at restart\reboot option deep in its configs, (varies by version, as to exactly where that is) and can kill things sometimes better if allowed to run at restart\reboot after being told to run in "bloodhound" mode as to heuristics also. IF NAV has not been disabled by a malware that can disable the running of NAV right, then it in fact can act more like SpyBot when set this way. It will take LONGER, but it can in fact kill things that normal scanning will not let it kill by setting these two mode\option settings together and then restarting and letting it do a deep examination kill.

    I have had to use recovery console or command line interface booting and run DOS mode scanners also to kill things that Windows scan runs cannot kill due to user privileges limiting the app's ability to kill. One reason I like F-Prot is it comes WITH one such, and you can invoke it from recovery console or from a Command Console\Prompt boot in some cases (depends on Windows version what the Command mode is called).

    Second, I automatically get many trojan defs for F-Prot each week, some Bot defs, and almost every virus known in the WORLD is defined into the defs within 48-72 hours here on my boxes in US. That beats, for me anyways, having to go to Symantec's website, then manually downloading and installing defs to get 1-3 day old defs instead of weekly snapshots, then running NAV with the new defs.

    HTH some or many of you who read this thread.
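The post above turns on knowing which file is hooked through AppInit_DLLs before touching anything in the recovery console. As an added example (not code from Straight_Man or anyone else in this thread), this script reads a regedit export of the Windows key that holds that value and lists the DLLs it will inject; exporting the key once before the attrib/ren step and once after the reboot shows whether the hook came back, which is what t.j and jayhawk saw. The export text is constructed; the key path is the real one, the function names are mine.

```python
import re

# Real location of the AppInit_DLLs value on Windows XP (HKLM side).
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed export: what regedit "Export" of that key looks like with a loader hooked in.
# Real .reg files are UTF-16 text; open them with encoding="utf-16" before passing them here.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="logao.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')

def parse_reg(text):
    """Return {key: {name: value}} for single-line string and dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = keys.setdefault(k.group("key"), {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            raw = v.group("val")
            # Quoted REG_SZ values lose their quotes; dword:/hex: values are kept verbatim.
            current[v.group("name")] = raw[1:-1] if raw.startswith('"') else raw
    return keys

def appinit_hooks(text):
    """DLL names AppInit_DLLs will load into every process that maps user32.dll (empty = no hook)."""
    raw = parse_reg(text).get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    return [d for d in re.split(r"[ ,]+", raw) if d]

def hook_returned(before_text, after_text):
    """True when a DLL removed from AppInit_DLLs is present again in a later export."""
    return bool(set(appinit_hooks(before_text)) & set(appinit_hooks(after_text)))
```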
This discussion has been closed.