Options

TrojanDownloader in comm.dll Found

Unknown
edited December 2004 in Spyware & Virus Removal
Hi there,

I have run Yahoo Anti-spy and it found TrojanDownloader.Win32.Agent.bf residing in comm.dll belonging to my aol browser.

Although the Anti-spy has given me an option to remove the bugger and I did, after uninstalling/installing the aol the TrojanDownloader... appeared after the very first Anty-spy scan. Seems like it is being regenerated, bless it!

May I ask you spyware folks to look at my hijackthat log file and see whether you can find and keys I need to remove to get rid of the bugger?

Logfile of HijackThis v1.99.0
Scan saved at 4:00:39 PM, on 12/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\AOL 8.0\aoltray.exe
C:\Program Files\NAVNT\navapw32.exe
E:\utilities\WinZip\WZQKPICK.EXE
C:\Program Files\Norton Internet Security\ATRACK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AOL 8.0\waol.exe
C:\Program Files\AOL 8.0\shellmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.aol.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.britanniatabletennisclub.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\utilities\GetRight\xx2gr.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NAVNT\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NAVNT\defalert.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\NAVNT\navapw32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = E:\utilities\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{138DD176-5AC7-4B4C-8969-28006D5A67AA}: NameServer = 195.93.32.134
O17 - HKLM\System\CS1\Services\Tcpip\..\{138DD176-5AC7-4B4C-8969-28006D5A67AA}: NameServer = 195.93.32.134
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NAVNT\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NAVNT\navapsvc.exe
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NAVNT\npssvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe



Many thanks,


alex2002

Comments

  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited December 2004
    I don't see anything too bad in your log and Yahoo anti-spy is notorious for finding things that aren't there. I'd get rid of it and install Adaware and Spybot. Keep them updated and run them often and you should stay clean.



    But do an online virus scan here just to be sure.
    http://housecall.trendmicro.com/




    Just a few minor things that I would remove with hijackthis.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
  • alex2002
    edited December 2004
    Thanks for a prompt reply, folks.

    As for the Yahoo's Anti-spy, it is not the only anti-spy tool that detected the damn TrojanDownloader sitting in my comm.dll. Can we please have a go on it?

    alex2002
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited December 2004
    Download and install AVG anti-virus.
    http://free.grisoft.com/softw/70free/setup/avg70free_296a409.exe

    Once you install it you'll need to disable your Norton antivirus before running it. Make sure you get all updates and then run it. Post back here what it finds.
Sign In or Register to comment.