trojan


#1 cherry405 (New Member, 2 posts)
I only use IE to check how my sites look in that browser. That's what I was doing today, and I decided to quickly check my email and the forum I post on. As soon as the forum loaded, Kaspersky alerted me: it had detected "Trojan-Downloader.JS.Agent.ab." Of course I immediately deleted it, closed IE and disconnected from the internet. I scanned with Kaspersky, Ad-Aware and Spybot... nothing was detected. I thought my system was clean so I went back online. Enter trojan. :whistling: I don't know if this is normal or not (believe it or not, this is the first malware problem I've had... as far as I know. I'm very careful about what sites I visit and what I download), the trojan has only appeared when I tried to access that one forum, and only when I load IE, not Firefox or Opera, or at least that's the only instance where it's detected by Kaspersky. Please help me.

Logfile of HijackThis v1.99.1
Scan saved at 6:38:43 PM, on 26/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B9B1B7E-3DB7-4333-97AE-5B355AF72292}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by cherry405, 31 May 2006 - 10:46 PM.


#2 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
Work through the following and we'll see what it throws up:

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of Ewido Anti-Malware from here and save it to your Desktop.
When the download has finished, locate ewido-setup.exe and double click it to begin installation.
**If you already have Ewido installed, update it and go to 2)**

In the 'Additional Options' window, uncheck:
'Install required for automatic updates (background guard)'.

When installation is complete, you will need to update Ewido to the latest definition files.
To do this:
Double click the Ewido Desktop icon.
In the main screen, on the left hand side, click Update.
In the following screen, click Start Update.

A progress bar will show how the update is going. When it has finished updating, close it.

If you have problems with the updater, you can manually update Ewido.
Click here and save ewido-signatures-full-current.exe to your Desktop.
All you need to do then is to double-click it, click Install and then, when it has finished, Close.


Ewido Anti-Malware is designed to be used to both scan for and remove malicious files and also to run alongside, but not replace, your existing anti-virus program to give an added layer of protection.
However, as the real-time protection may interfere with the fixing of your PC, this function will have been disabled as long as you followed the installation instructions correctly.
At the end of the trial period, Ewido will revert to a stand-alone scanner which you can keep and update for free and use in a similar way to Ad-Aware SE Personal.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now online button.


2) Download F-Secure's BlackLight from here and save it to your Desktop.

3) You will need to know how to boot into Safe Mode.
Instructions can be found here.

4) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Boot into Safe Mode.

2) Run Ewido.
Click on Scanner.
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK.
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel!!

3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

6) Boot into Normal Mode.

7) Locate and double click blbeta.exe to run it.

Click the Scan button to begin. When it has completed, click the Close button.
A text file, fsbl-date/time, will be saved to your Desktop; copy and paste this into your next post.

Post a new HJT log, the Ewido log AND a description of how your PC is running.

#3 cherry405 (Topic Starter, New Member, 2 posts)
Thank you for helping me, I really appreciate it. :whistling:

I followed all of your instructions; here are the results of the scans. My comp is as fast and reliable as ever, and I'm not getting any more trojan alerts.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:42:19 PM, 26/05/2006
+ Report-Checksum: D9EF57EF

+ Scan result:

No infected objects found.


::Report End

05/26/06 23:50:37 [Info]: BlackLight Engine 1.0.36 initialized
05/26/06 23:50:37 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/26/06 23:50:37 [Note]: 7019 4
05/26/06 23:50:37 [Note]: 7005 0
05/26/06 23:50:41 [Note]: 7006 0
05/26/06 23:50:45 [Note]: 7011 1760
05/26/06 23:50:45 [Note]: 7026 0
05/26/06 23:50:46 [Note]: 7026 0
05/26/06 23:50:46 [Note]: 7015 332
05/26/06 23:50:46 [Note]: 7015 5
05/26/06 23:50:46 [Note]: 7015 1544
05/26/06 23:50:46 [Note]: 7015 5
05/26/06 23:50:46 [Note]: 7015 1948
05/26/06 23:50:46 [Note]: 7015 5
05/26/06 23:50:51 [Note]: FSRAW library version 1.7.1015
05/26/06 23:52:36 [Note]: 7007 0

Logfile of HijackThis v1.99.1
Scan saved at 12:00:11 AM, on 27/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B9B1B7E-3DB7-4333-97AE-5B355AF72292}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by cherry405, 27 May 2006 - 02:55 AM.

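The two HijackThis logs in this thread form a before/after pair, which is how a helper reads them: the sections that represent persistence or network settings get checked first, and the follow-up log is diffed against the original. The script below is an added example, not part of the thread or of HijackThis itself: it parses lines in the HJT v1.99.1 format, flags the O17/O18/O20 sections and any "(file missing)" entry, and diffs two logs. The sample lines are constructed from the logs above (a handful, not the full log) and the review rules are my own wording, not HijackThis's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the HijackThis v1.99.1 logs posted above (a few lines, not the full log).
OLD_LOG = r"""
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B9B1B7E-3DB7-4333-97AE-5B355AF72292}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
"""
# The follow-up log gains the Ewido service, as the second log in this thread did.
NEW_LOG = OLD_LOG + r"""O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")

# Section codes a helper reads first; the rule text is my own (assumption), not HijackThis's.
REVIEW_RULES: Dict[str, str] = {
    "O17": "DNS NameServer setting: confirm the addresses belong to your ISP or router",
    "O18": "protocol/filter handler: verify the DLL belongs to an installed product",
    "O20": "Winlogon Notify hook: loads at every logon, verify the DLL",
}

def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section_code, body) for each 'Rn/Fn/On - ...' line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Flag entries worth a second look, with every reason that applies."""
    flagged = []
    for code, body in entries:
        reasons = [REVIEW_RULES[code]] if code in REVIEW_RULES else []
        if "(file missing)" in body:
            reasons.append("stale entry: the referenced file is no longer on disk")
        if reasons:
            flagged.append((code, body, reasons))
    return flagged

def diff_logs(old: str, new: str) -> Tuple[List[str], List[str]]:
    """Entries added to / removed from a follow-up log, compared as whole lines."""
    old_set = {f"{c} - {b}" for c, b in parse_hjt(old)}
    new_set = {f"{c} - {b}" for c, b in parse_hjt(new)}
    return sorted(new_set - old_set), sorted(old_set - new_set)
```

Run `triage(parse_hjt(NEW_LOG))` and `diff_logs(OLD_LOG, NEW_LOG)` on a real pair of logs to get the same two things the helper checked by eye: the entries that need verifying, and what changed between scans.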

#4 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
The scans are all clean, so I guess Kaspersky was on the ball. If this happens again with that forum then I'd be having a word, because it's either a false positive or there's an issue that needs addressing.
Enjoy the rest of the weekend. :whistling: