TrojanDownloader.Win32.Agent.bq



coolcatco888
2006-09-28, 08:20
Hi,
I recently got this adware on my computer. I can detect it with Yahoo Anti-Spy and I have deleted parts of it with Spybot. TeaTimer blocks the main processes from running, but I get an alert from TeaTimer every time I open Internet Explorer. I used HijackThis to delete one registry key, but every time I open Internet Explorer it comes back. My system is not clean, but that is the only problem I have now. It's not doing anything, but my computer is a little slower now and I just want it cleaned.

Spybot and Anti-Spy are the only spyware/adware cleaners I trust. I do not want to try any others, because they make claims but really they are just spyware too. If there is some way to make Spybot detect and remove the files/registry keys listed below, that would be great! :)

I have done some research and here's what I found in one adware encyclopedia:

Source: http://www.pestpatrol.com/spywarecenter/pest.aspx?id=453088440



TrojanDownloader.Win32.Agent.bq
________________________________________________
Executable Files:
d3zi32.exe
ipfc.exe
appgo.exe
apitu.exe
addqw.exe
addod32.exe
javane32.exe
ntrk.exe
sdkqq.exe
mfcvy32.exe
addde32.exe
%windows%\netwl.exe
%windows%\sdkdw.exe
%windows%\ntdx.exe
%windows%\sysiw32.exe
%windows%\sdkyb.exe
%windows%\atlri.exe
%windows%\crui32.exe
syscu32.exe
wincu.exe
%system%\appgn32.exe
%system%\appee32.exe
%system%\appdj32.exe
%system%\apiwm32.exe
%system%\appql.exe
%system%\iest.exe
%system%\ieqy32.exe
%system%\atlrc32.exe
%system%\atldu.exe
%system%\ipxw32.exe
%system%\javaiy.exe
%system%\ntqv32.exe
%system%\netem.exe
%system%\msjj32.exe
%system%\sysnk32.exe
%system%\winfv.exe

DLL Files:
%windows%\addji32.dll
%system%\wincc.dll
%system%\syswl32.dll
%system%\sdksm.dll
%system%\sdkox.dll
%system%\sdkce.dll
%system%\netgn32.dll
%system%\javazw32.dll
%system%\iphn32.dll
%system%\apppq32.dll
%system%\appno32.dll
%system%\appln.dll
%system%\addqk32.dll
sysed32.dll
%windows%\iemu.dll
%windows%\d3fh.dll
%windows%\atlyu32.dll
%windows%\appcr.dll
%windows%\appaf32.dll
%windows%\apihu.dll
%windows%\msob32.dll
srvyb.dll
linkoptimizer.dll
ipih32.dll
d3bu.dll

Registry Items:
HKEY_CLASSES_ROOT\clsid\{066ee2b8-9f1b-1de8-3f16-1df8edc8b2d9}
HKEY_CLASSES_ROOT\clsid\{0e40f81f-5b9f-c516-9b3d-6d5155dbf8d3}
HKEY_CLASSES_ROOT\clsid\{12c95af8-1a4a-38a0-a207-683930a96603}
HKEY_CLASSES_ROOT\clsid\{184726fc-0a5f-1c4b-02d0-96c8a7ec9d84}
HKEY_CLASSES_ROOT\clsid\{2340fd3f-b793-52d4-1f14-efc67354939c}
HKEY_CLASSES_ROOT\clsid\{241b9fe2-4d00-a805-25bc-b7c142661d24}
HKEY_CLASSES_ROOT\clsid\{2a3986ed-10f0-f704-adfe-27c0e5f32369}
HKEY_CLASSES_ROOT\clsid\{2b24be16-52fc-8459-1c5c-7c3b92ce9431}
HKEY_CLASSES_ROOT\clsid\{32d93e0d-e3b3-1317-5c87-5b79e434d004}
HKEY_CLASSES_ROOT\clsid\{3af01463-b83a-dfe1-346d-3c8c35e97cf4}
HKEY_CLASSES_ROOT\clsid\{3f105f58-8c2b-13b6-0383-77e66d7e7fa5}
HKEY_CLASSES_ROOT\clsid\{3fd0125d-aadf-25ea-92ca-13874588a1cd}
HKEY_CLASSES_ROOT\clsid\{4002aa02-402d-46f5-18d3-929fcc430c3d}
HKEY_CLASSES_ROOT\clsid\{4529cede-9b19-0a97-a8eb-fd4c0e1e70c2}
HKEY_CLASSES_ROOT\clsid\{5ac10c19-6012-8f21-4cb9-8697c487c368}
HKEY_CLASSES_ROOT\clsid\{63e7fe7b-1c87-c3a1-e69d-3202daa17674}
HKEY_CLASSES_ROOT\clsid\{69882595-b103-49fe-bcaf-15ce4376766f}
HKEY_CLASSES_ROOT\clsid\{76823114-4c71-b278-4b35-205c8ec21e56}
HKEY_CLASSES_ROOT\clsid\{7b8e64b1-197b-ed9c-a445-fe3d27877ac9}
HKEY_CLASSES_ROOT\clsid\{8827b4b3-3b54-9bfa-ee4b-a0c38be10b19}
HKEY_CLASSES_ROOT\clsid\{9254df52-1f77-e079-a770-c085ff81be08}
HKEY_CLASSES_ROOT\clsid\{9254f668-d36b-cadd-7f24-278697dd83ea}
HKEY_CLASSES_ROOT\clsid\{9b85460c-d10b-35b3-18c1-dbd86afe557b}
HKEY_CLASSES_ROOT\clsid\{a35bad35-84b0-4800-5fd0-a6d89f1c69b6}
HKEY_CLASSES_ROOT\clsid\{a6a537e1-a69b-6c58-00ac-b6c4e8539037}
HKEY_CLASSES_ROOT\clsid\{c0b7ddaa-5ac6-ff54-df8d-ceadf8e7ea23}
HKEY_CLASSES_ROOT\clsid\{cb88eaf8-bf98-ec43-13e9-61cc8ee8c97a}
HKEY_CLASSES_ROOT\clsid\{cd02d512-2399-f8d2-24ee-c9901ac146ed}
HKEY_CLASSES_ROOT\clsid\{d772b290-2c86-27f0-89b6-1f3edd30d4aa}
HKEY_CLASSES_ROOT\clsid\{d81b14c0-63f6-b7df-ed9d-d74a3a197627}
HKEY_CLASSES_ROOT\clsid\{e0ae89e6-0065-8993-dabf-a0de398d6009}
HKEY_CLASSES_ROOT\clsid\{e3a77057-d10b-b02a-d823-22e020c583b5}
HKEY_CLASSES_ROOT\clsid\{f21964cf-4a8b-21d0-30fb-cba9536a5cf1}
HKEY_CLASSES_ROOT\software\classes\clsid\{0feb4b06-f5f0-e4fa-18ef-60fd7dbc8b42}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\ext\stats\{184726fc-0a5f-1c4b-02d0-96c8a7ec9d84}
HKEY_LOCAL_MACHINE\software\microsoft\currentversion\run crew.exe
HKEY_LOCAL_MACHINE\software\microsoft\currentversion\run javaww32.exe
HKEY_LOCAL_MACHINE\software\microsoft\currentversion\run mfcvy32.exe
HKEY_LOCAL_MACHINE\software\microsoft\currentversion\run netiu32.exe
HKEY_LOCAL_MACHINE\software\microsoft\currentversion\run sysnf32.exe
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\urlsearchhooks {184726fc-0a5f-1c4b-02d0-96c8a7ec9d84}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\urlsearchhooks {2340fd3f-b793-52d4-1f14-efc67354939c}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\urlsearchhooks {9254f668-d36b-cadd-7f24-278697dd83ea}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\urlsearchhooks {ad057e36-3e90-9c24-a714-a8ade460fbf9}
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\urlsearchhooks {e0dd7a95-1df5-210a-c8d1-d9ab86bd9109}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{184726fc-0a5f-1c4b-02d0-96c8a7ec9d84}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{2340fd3f-b793-52d4-1f14-efc67354939c}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9254f668-d36b-cadd-7f24-278697dd83ea}

Files:
addde32.exe
addod32.exe
addqw.exe
apitu.exe
appgo.exe
d3bu.dll
d3zi32.exe
ipfc.exe
ipih32.dll
javane32.exe
kkvdp.log
mfcvy32.exe
netgn32.dll
netwl.exe
nlyvm.log
linkoptimizer.dll
ntrk.exe
only sex website.url
sdkqq.exe
sdkyb.exe
search the web.url
seven days of free porn.url
%windows%\sysiw32.exe
%windows%\sdkdw.exe
%windows%\sdkyb.exe
%windows%\iemu.dll
%windows%\msob32.dll
%windows%\netwl.exe
%windows%\ntdx.exe
%windows%\addji32.dll
%windows%\apihu.dll
%windows%\appaf32.dll
%windows%\appcr.dll
%windows%\atlri.exe
%windows%\atlyu32.dll
%windows%\crui32.exe
%windows%\d3fh.dll
srvyb.dll
syscu32.exe
sysed32.dll
syswl32.dll
wincu.exe
%system%\addqk32.dll
%system%\apiwm32.exe
%system%\appdj32.exe
%system%\appee32.exe
%system%\appgn32.exe
%system%\appln.dll
%system%\appno32.dll
%system%\apppq32.dll
%system%\appql.exe
%system%\atldu.exe
%system%\atlrc32.exe
%system%\ieqy32.exe
%system%\iest.exe
%system%\iphn32.dll
%system%\ipxw32.exe
%system%\javaiy.exe
%system%\javazw32.dll
%system%\msjj32.exe
%system%\netem.exe
%system%\netgn32.dll
%system%\ntqv32.exe
%system%\sdkce.dll
%system%\sdkox.dll
%system%\sdksm.dll
%system%\sysnk32.exe
%system%\syswl32.dll
%system%\wincc.dll
%system%\winfv.exe
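
As an added example (not part of the original thread, and not code from Spybot, pestpatrol or HijackThis), the script below turns an encyclopedia listing of the kind quoted above into a set of indicators and then checks HijackThis-style log lines against it: R3 lines (URLSearchHook), O2 lines (Browser Helper Object) and O4 lines (Run key). Both the listing excerpt and the log lines are constructed for the demonstration; the benign entries (Yahoo toolbar, Spybot SDHelper, ctfmon) are sample data, and the assumed log layout is the usual `Oxx - description - {CLSID} - path` form. A hit is a lead to investigate, not proof on its own.

```python
import re
from dataclasses import dataclass, field

# Matches a registry-style CLSID such as {184726fc-0a5f-1c4b-02d0-96c8a7ec9d84}.
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)

# Constructed excerpt of the pestpatrol listing quoted in the post; only a few
# representative entries are reproduced here, the full list is in the thread.
PEST_LISTING = r"""
Executable Files:
d3zi32.exe
mfcvy32.exe
%windows%\netwl.exe
%system%\iest.exe

DLL Files:
%system%\wincc.dll
%windows%\iemu.dll
linkoptimizer.dll

Registry Items:
HKEY_CLASSES_ROOT\clsid\{184726fc-0a5f-1c4b-02d0-96c8a7ec9d84}
HKEY_CLASSES_ROOT\clsid\{2340fd3f-b793-52d4-1f14-efc67354939c}
HKEY_LOCAL_MACHINE\software\microsoft\currentversion\run crew.exe
HKEY_LOCAL_MACHINE\software\microsoft\currentversion\run mfcvy32.exe
HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\urlsearchhooks {184726fc-0a5f-1c4b-02d0-96c8a7ec9d84}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{2340fd3f-b793-52d4-1f14-efc67354939c}
"""

# Constructed HijackThis-style log (R3 = URLSearchHook, O2 = BHO, O4 = Run key).
# The Yahoo, Spybot and ctfmon lines stand in for benign entries on a real box.
HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {184726fc-0a5f-1c4b-02d0-96c8a7ec9d84} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {2340fd3f-b793-52d4-1f14-efc67354939c} - C:\WINDOWS\system32\wincc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [mfcvy32.exe] C:\WINDOWS\mfcvy32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [crew] C:\WINDOWS\crew.exe
"""


@dataclass
class Iocs:
    files: set = field(default_factory=set)       # lower-case file basenames
    clsids: set = field(default_factory=set)      # lower-case {guid} strings
    run_values: set = field(default_factory=set)  # names listed under ...\Run


def basename(path):
    # Lower-cased final path component, so %windows%\x.exe and C:\WINDOWS\x.exe agree.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def parse_pest_listing(text):
    """Turn the 'Section:' / one-entry-per-line layout into an Iocs object."""
    iocs = Iocs()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1].lower()
            continue
        if section == "registry items":
            for guid in CLSID_RE.findall(line):
                iocs.clsids.add(guid.lower())
            run = re.search(r"\\run\s+(\S+)$", line, re.I)  # '...\run crew.exe'
            if run:
                iocs.run_values.add(run.group(1).lower())
        elif section is not None:
            iocs.files.add(basename(line))
    return iocs


def scan_hjt_log(log_text, iocs):
    """Return (item type, line, reasons) for every log line that touches an IOC."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        reasons = []
        if any(g.lower() in iocs.clsids for g in CLSID_RE.findall(line)):
            reasons.append("CLSID in IOC list")
        if kind in ("R3", "O2"):
            # The last ' - ' field is the DLL backing the hook/BHO, or '(no file)'.
            backing = line.rsplit(" - ", 1)[-1].strip()
            if backing == "(no file)":
                reasons.append("no backing file (leftover hook)")
            elif basename(backing) in iocs.files:
                reasons.append("backing file in IOC list")
        elif kind == "O4":
            m = re.match(r"O4 - .*?: \[(.*?)\]\s*(.*)$", line)
            if m:
                value_name = m.group(1).lower()
                # First token of the final path component; drops trailing arguments.
                exe = (basename(m.group(2)).split() or [""])[0]
                if value_name in iocs.run_values or exe in iocs.run_values or exe in iocs.files:
                    reasons.append("Run value in IOC list")
        if reasons:
            findings.append((kind, line, reasons))
    return findings


if __name__ == "__main__":
    for kind, line, reasons in scan_hjt_log(HJT_LOG, parse_pest_listing(PEST_LISTING)):
        print(f"{kind}: {line}\n    -> {', '.join(reasons)}")
```

The CLSID and registry-location matches are the more durable part of this check: the file names in the listing look generated (d3zi32.exe, sdkqq.exe, mfcvy32.exe and so on), so a name-based list goes stale quickly, while the BHO and URLSearchHook locations are what the component has to occupy to load into Internet Explorer. An R3 entry whose backing file is gone but whose CLSID is still registered is exactly the "missing" hook a cleanup tends to leave behind.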

tashi
2006-09-28, 20:18
Hello :)

Open Spybot>Help>About
Let us know the version and latest detection update please, also your Operating System.

Thanks.

coolcatco888
2006-10-01, 02:00
Hello :)

Open Spybot>Help>About
Let us know the version and latest detection update please, also your Operating System.

Thanks.


Latest Update: 2006-09-22, Windows XP

Also, one thing I forgot to add is that this adware also targets and deletes SDHelper.dll, which is Spybot's spyware-blocking browser helper.

Thanks for your reply! :D

tashi
2006-10-01, 03:05
Hi there.

You didn't give us the version of Spybot-S&D, 1.3 or 1.4. ;)

Please follow the instructions in this sticky topic so someone can take a look at the system.

"BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Then start your own thread in the malware forum:
Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Once you have posted a helper will advise you as soon as available.

Regards. :)

coolcatco888
2006-10-06, 05:10
Version 1.4 for sure. Sorry for the late reply.

coolcatco888
2006-10-06, 05:42
Also, is there any way for TeaTimer to unblock processes?

Because I tried deleting that URLSearchHook "missing" thing and TeaTimer blocked that change. I want to delete it.

Thank you! :D