Trojan.Downloader.BBQ....

  1. #1
    Junior Member
    Join Date
    Mar 2005
    Posts
    9

    Trojan.Downloader.BBQ....

    hi all!
    Some of you might be coming here from my other post about Sygate Personal Firewall. Anyways I appreciate your support with this matter, and those who answered my question about Sygate.

    Anyways, I now have a new, more important problem. I downloaded a WinZip crack off of Kazaa Lite and became infected with some kind of malware. I know, I shouldn't have downloaded a crack off of Kazaa, and I have now learned the consequences of downloading cracked programs, since I believe this may have happened to me once before.

    Anyways, I downloaded and opened the crack, which I even scanned with my updated antivirus program before I opened it (with advanced heuristics enabled). When I opened it, nothing happened, and my Sygate started to give me weird messages telling me that someone was attempting to connect to me and that my computer was attempting to connect to get.inetbar.com (which I am still receiving every now and then). Thinking this isn't normal, I posted a reply to my post about Sygate here.

    Anyways, I performed a scan with an updated "Free Spyware Scanner GOLD" on my PC and it did not find anything. I also performed a scan with NOD32 Antivirus System with updated definitions and advanced heuristics enabled, and it did not find anything. So I booted into safe mode and performed another scan of my system with NOD32 Antivirus, and once again it did not find anything.

    Last night, I performed a scan with the BitDefender online virus scanner at bitdefender.com, and it found 2 .dll files located in my "C:\WINDOWS\SYSTEM" directory infected with what it called "Trojan.Downloader.BBQ" and could not clean them. It also found several files located in "C:\My Shared Folder\" (Kazaa Lite's sharing folder) that I DID NOT download, such as other Win program cracks/keygens like WinACE, WinRAR and a couple of CD burning program cracks/keygens, that were infected with the same. I DID NOT DOWNLOAD THESE. It also found 2 .tmp files in my Windows\Temp folder, along with another application that I noticed myself that did not look right. The application was named "123.exe". Sounds like a trojan to me, but the virus scanners did not seem to be picking it up (I even tried scanning it before I deleted it). Since it would not let me delete the .dll files in the SYSTEM folder, I booted into safe mode and was able to delete them then. I also deleted ALL files that came up infected, including the Temp files (including 123.exe) and the files mysteriously added to "My Shared Folder" disguised as popular program crack names.

    This, to me, sounds like an undetectable trojan or virus that spreads using some kind of file-sharing application. But somehow my virus scanners do not seem to be picking it up, even with heuristics enabled. A couple of people told me to run a program called "HijackThis" on my PC, which I did, and I did not do anything with any of the files as I was also told to just upload the log file here. I posted it in my other reply, and just performed another scan, and here is the entire log file:

    Logfile of HijackThis v1.98.2
    Scan saved at 2:02:04 PM, on 3/25/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
    C:\PROGRAM FILES\NETASSISTANT\SMARTBRIDGE\MOTIVESB.EXE
    C:\PROGRAM FILES\ESET\NOD32KUI.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\IRIVER\IRIVER MANAGER\UPDATER\UPDATER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebtown.com/freesec/thankyou.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\SYSTEM\winvbie.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\SYSTEM\msiev32.dll (file missing)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

    I am just wondering if anyone knows what this could be? Could this be a new virus that is currently still undetected? Also, what should I do about it?

    Any help on this matter would be greatly appreciated!

    Thanks a lot in advance!!!


    Peace.
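A small triage script for logs in this format, added here as an example and not part of anyone's post. It runs the checks the replies in this thread apply by eye: a start page that is not the owner's usual one, a proxy bypass entry, O2/O3 entries whose DLL is gone ("(file missing)", typically the registration left behind after deleting a DLL by hand), autorun entries pointing into a temp directory or with a meaningless numeric name like 123.exe, and O16 ActiveX download entries that fetch a bare .exe rather than a .cab or come from a host not in the list of scanners the poster actually used. The allowlists and the `C:\WINDOWS\TEMP\123.exe` autorun line are assumptions for illustration; the other sample entries are copied from the log above.

```python
"""Triage a HijackThis-style log: flag entries a human reviewer would query."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Allowlists are an ASSUMPTION for this example: a real triage uses the owner's
# known home page and the scanner vendors they actually used.
ALLOWED_START_PAGE_HOSTS = {"sympatico.msn.ca"}
ALLOWED_DPF_HOSTS = {"www.bitdefender.com", "housecall.trendmicro.com",
                     "messenger.msn.com", "www.drivershq.com", "a840.g.akamai.net"}

# Constructed sample in HijackThis v1.9x format. All but the TEMP\123.exe O4
# line mirror entries from the log above; that one is invented to show how a
# dropper's run key would look.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebtown.com/freesec/thankyou.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\SYSTEM\winvbie.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\SYSTEM\msiev32.dll (file missing)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [svc] C:\WINDOWS\TEMP\123.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
""".strip()


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    severity: str  # "high" (act on it) or "review" (confirm with the owner)
    reason: str
    line: str


LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# R0/R1 bodies look like "HIVE\...\Key,ValueName = value"
KV_RE = re.compile(r"^(?P<key>.*?),(?P<name>[^=]+)= (?P<value>.*)$")
# O16 bodies look like "DPF: {CLSID} (Friendly Name) - URL"; the name is optional
DPF_RE = re.compile(r"^DPF: \{[0-9A-F-]+\}(?: \([^)]*\))? - (?P<url>\S+)$", re.I)
TEMP_DIR_RE = re.compile(r"\\TEMP\\", re.I)


def _run_target(body: str) -> str:
    """Return the executable path from an O4 body ('HKLM\\..\\Run: [label] cmd')."""
    cmd = body.split("] ", 1)[1] if "] " in body else body
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted command: drop trailing switches such as " /autorun" or " -startgui".
    return re.split(r" [/-]", cmd, maxsplit=1)[0]


def _o4_reason(body: str) -> Optional[Tuple[str, str]]:
    path = _run_target(body)
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if TEMP_DIR_RE.search(path):
        return "high", "autorun entry executes from a temp directory"
    if stem.isdigit():
        return "review", "autorun entry with a meaningless numeric file name"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth questioning."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        sect, body = m.groups()
        if sect in ("R0", "R1"):
            kv = KV_RE.match(body)
            if not kv:
                continue
            name, value = kv["name"].strip(), kv["value"].strip()
            if name in ("Start Page", "Search Page", "Default_Page_URL"):
                host = urlparse(value).hostname or ""
                if host not in ALLOWED_START_PAGE_HOSTS:
                    findings.append(Finding(sect, "high", f"browser {name} set to unexpected host {host}", raw))
            elif name == "ProxyOverride":
                findings.append(Finding(sect, "review", "proxy bypass list present; confirm the owner set it", raw))
        elif sect in ("O2", "O3") and body.endswith("(file missing)"):
            findings.append(Finding(sect, "review", "BHO/toolbar registered but its DLL is gone (orphaned registration); fix it", raw))
        elif sect == "O4":
            hit = _o4_reason(body)
            if hit:
                findings.append(Finding(sect, hit[0], hit[1], raw))
        elif sect == "O16":
            dm = DPF_RE.match(body)
            if not dm:
                continue
            url = dm["url"]
            host = urlparse(url).hostname or ""
            if not url.lower().endswith(".cab"):
                findings.append(Finding(sect, "high", "ActiveX download entry points at a bare executable, not a .cab", raw))
            elif host not in ALLOWED_DPF_HOSTS:
                findings.append(Finding(sect, "review", f"ActiveX control fetched from unlisted host {host}", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

The script deliberately does not flag the &Radio toolbar, the NOD32 run key or the BitDefender scanner control: a triage tool that shouts about every entry is no better than reading the log by hand. Entries it does flag still need a person to decide; "(file missing)" in particular is expected after the poster deleted the DLLs in safe mode and only needs the stale registration removed.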

  2. #2
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    I looked through your HijackThis log and I don't see anything wrong except for your one start/search page "http://www.freewebtown.com/freesec/thankyou.htm" (I would guess it's spyware), but that wouldn't be affecting this. (However, I'm not an expert on HijackThis logs, so there is a chance I'm wrong.) You also do not have the latest version of HijackThis. Try downloading the newest version (http://www.spywareinfo.com/~merijn/) and posting the new log from the new version.

    My recommendation (if you still think you have the virus, and it never hurts to be safe) is to scan your PC with the following Free online antivirus programs:
    Panda Active Scan - http://www.pandasoftware.com/actives..._principal.htm
    Norton Security Check - http://security.symantec.com/sscv6/d...d=ie&venid=sym
    Trend Micro Housecall (do it again) - http://housecall.trendmicro.com/

    I've never heard of NOD32 AV so I can't offer an opinion on that.

    Hope this helps.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  3. #3
    Junior Member
    Join Date
    Mar 2005
    Posts
    9
    Yes, it seems as though since I last deleted those files that my PC is loading faster again and I'm not seeing weird processes running in the task manager.

    Yes, I might not have the latest version of HijackThis. The link that someone posted in my other thread I could not access, because it kept sending me to google.com whenever I clicked it, so I had to run a search for it on Google and ended up finding one on downloads.com. Does sound like spyware to me. So I will download and run the newest version of HijackThis and post the log here in this same reply (will just edit it). Give me a couple of minutes.

    I am also going to download and install BitDefender antivirus trial version since it seemed to be the only one that detected it and will run a scan on my PC with that. Will also try those other online virus scanners that you posted.

    EDIT: Here is the log from a HijackThis scan with the newest version. BTW, I fixed that www.freewebtown.com spyware browser start page, and that's why it wasn't found in this scan.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:42:52 PM, on 3/25/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
    C:\PROGRAM FILES\NETASSISTANT\SMARTBRIDGE\MOTIVESB.EXE
    C:\PROGRAM FILES\ESET\NOD32KUI.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\IRIVER\IRIVER MANAGER\UPDATER\UPDATER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\SYSTEM\winvbie.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\SYSTEM\msiev32.dll (file missing)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

    Peace.

  4. #4
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by ryan-nyquist
    I am also going to download and install BitDefender antivirus trial version since it seemed to be the only one that detected it and will run a scan on my PC with that. Will also try those other online virus scanners that you posted.
    You can try the trial; if you like it, there is a free version of BitDefender AV that is permanently free for home users. (http://www.bitdefender.com/bd/site/d...php?menu_id=21) That's currently what I use. Before that I used AVG Free Edition and was very happy. The only reason I switched from it was because I want to try different AVs to get familiar with them.

    Also, remember to uninstall your NOD32 AV before using BitDefender, or else you could have conflicts.

    - Xierox

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    172
    lol, isn't WinZip free? www.winzip.com I think it comes standard with Windows XP too

  6. #6
    foxyloxley (They call me the Hunted)
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    lol, isn't WinZip free
    No, it's not.
    Even your link shows the cost.
    You get a trial period to use it.
    And it isn't a standard fixture in XP either.

    ryan :
    Get and use CWShredder

    It hasn't been mentioned yet.

    luck to you.
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone
