Trojan horse backdoor.agent.ba

[freekdestoute]

Hello ALWIL/avast!/everyone,

I am plagued by a trojan horse called backdoor.agent.ba . It was first detected by my AVG-antivirusscanner, but not removed.

Just downloaded and run avast! Home Edition, but it also is not able to remove this hindering trojan horse. It finds it (on my comp: WINDOWS/system32/mskbh.dll) but gives error 3221225506, instead of offering to clean/delete...

Do you know about this highly pesky trojan yet..? Can I expect an update to be of any help..?

Thanks in advance,

Freek de Stoute, Amsterdam

[whocares]

hi,
try a scan with avast in SafeMode (F8-Boot) or a boot-time scan with avast; move the file to the chest then..

you might also want to post a logfile of hijackthis: http://hjt.klaffke.de/en

Also read here:
http://forum.avast.com/index.php?board=4;action=display;threadid=5168

 

[vojtech]

error 3221225506 - it is Access Denied. Try modifying security properties of the file to allow full control to everyone and then running the boot time scan again.

[petlamb7]

Hi everyone

Just to let you know that I'm having the same problems.

My computer was turning itself off and on again continuously.
It got as far as showing the desktop with a message from AVG's resident shield - it had found BackDoor.Agent.BA in file
C:\Windows\System32\sqlm.dll, then it would just restart again.

After trying to get into the computer via safemode/system restore (which was unsuccessful) I somehow managed to stablise it.
I then ran AVG, the only option was to move it to the virus vault but it was unable to move it.

I've searched in every way I could possibly think to find the file - showing hidden files, searching in safe mode etc.  but it doesn't seem to exist!

While in safe mode I wasn't able to run AVG.(? Not sure if that's another problem!)

I then ran avast! home which didn't find it (However it did find others which I've now moved to the chest).  Afterwards I ran avast! boot check and it found something wrong with the sqlm.dll file but gave the error message 3221225506 and no other options.  

As I can't find the file I can't change any of the security properties.

I've tried other online scans which haven't found the virus.

I agree with Silvio that it's very strange that AVG don't recognise such a virus on their own website.

(All the time AVG's resident shield doesn't go away)

I'd be very grateful for any help!!
Thanks,
Petlamb7

Here's a copy of my HJT log.
Logfile of HijackThis v1.97.7
Scan saved at 15:32:58, on 14/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Suzi\Messenger\YPager.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.yahoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://uk4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.yahoo.co.uk
O2 - BHO: (no name) - s - (no file)
O2 - BHO: (no name) - SlimBho2.dll' - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Documents and Settings\Owner\My Documents\Suzi\Messenger\ycomp.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D81AB57B-7327-4347-B7C7-9EF7CA87CE09} - C:\WINDOWS\System32\SlimBho2.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Documents and Settings\Owner\My Documents\Suzi\Messenger\ycomp.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Freeserve Connection Kit.lnk.disabled
O4 - Global Startup: hp center.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: RealDownload.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O13 - Home Prefix: c:\searchpage.html?page=
O13 - Mosaic Prefix: c:\searchpage.html?page=
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{52578E6F-92D1-404C-86F7-55305022735A}: NameServer = 195.92.195.95 195.92.195.94

[niko]

Hi Petlamb7,
I see concerning your running processes that AVG and AVAST! run both.
Maybe it wil be better to desactive AVG for scanning properly your hdd...
@+

[DavidR]

There is too much potential for conflict running two AVs, you will probably have received a message when you installed avast! saying that there was another AV installed.

Uninstall AVG it really is an inferior product, I should know when I uninstalled AVG, avast found several viruses that had been living happily under AVG.

There are many ex AVG users on this forum.

It would also appear that you have remnants of Norton as well.

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

If you haven't already got a spyware/adware program, check out Spyware Blaster + Guard  

HTH David