
What the heck is this? "Win32/Agent.BDSK trojan"

Discussion in 'Virus & Other Malware Removal' started by Fury1995, Feb 6, 2009.

Thread Status:
Not open for further replies.
  1. Fury1995

    Fury1995 Thread Starter

    Joined:
    Oct 8, 2005
    Messages:
    105
    Derek,

    I get the error message each and every time my system tries to access anything... upon boot up (before Windows loads) I get several boxes, after Windows loads ... I get several for each service in my startup file.......even while idling.

    for example:
    JAVE.EXE - Unable To Locate Component"
    This application has failed to start because mshbobjq.dll was not found. Re-installing the application may fix this problem

    That occurred while I was typing this.

    Trying to access anything at all. I just tried to open the add/remove programs in Control Panel. Same error:

    rundll32.exe - Unable To Locate Component"
    This application has failed to start because mshbobjq.dll was not found. Re-installing the application may fix this problem



    I have also experienced during every scan you instructed me to perform where the box reports an error associated with those applications as well.



    for example:

    CFSCRIPT.EXE- Unable To Locate Component
    This application has failed to start because mshbobjq.dll was not found. Re-installing the application may fix this problem

    I have also just noticed something else that looks odd. On the browser bar, to the left of the web address where you would normally see a "e" (the internet explorer "e") there is a different image that appears to look like a "biohazard symbol" - red and tri-pointed. Any idea what that is?


    Thanks - Kenny
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
    try gmer again but make sure ESET is disabled before running it
     
  3. Fury1995

    Fury1995 Thread Starter

    Joined:
    Oct 8, 2005
    Messages:
    105
    Disabled Eset. I also received the error box opening GMER..... (always twice). Clicked "OK" through the error boxes and GMER continued. Enabled Eset after.

    Log below:


    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-02-12 12:58:01
    Windows 5.1.2600 Service Pack 3


    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
    AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
    AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
    AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
    AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

    ---- EOF - GMER 1.0.14 ----

    Derek... GMER automatically starts the scan when I open the file under the "Rootkit" tab. It doesn't allow me to choose what to scan. The "Scan" button is always disabled within GMER. I can only click "Copy". Is this performing correctly?

    Kenny
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
    no you aren't doing it right

    it always does a quick scan & then when it finishes at the top press the arrow buttons & the rootkit/malware tab should be available, then press scan

    but if something is affecting all .exe files that will include gmer
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
    it might be the version you downloaded was corrupt

    try to download a new version
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
    we are going to try something

    first download the attached desktop.zip

    unzip it & there are 2 files inside

    a replacement mshbobjq.dll which is a dummy to hopefully stop the alerts & get programs working

    right click it & select copy & go to C:\windows\system32 find a blank spot & right click & select paste

    then double click the other file ( find.bat) & post the log it makes
     

    Attached Files:

  7. Fury1995

    Fury1995 Thread Starter

    Joined:
    Oct 8, 2005
    Messages:
    105
    Derek,

    I used the link from your previous post. I also tried to go to the main page to find an updated version. I downloaded the most current version listed (gmer114). I disabled Eset. Opened the zipped file (gmer). Double clicked GMER. The auto scan started. I can see the Rootkit tab at the top. It is definitely selected. It does not allow me to click the scan button at all so long as the Rootkit tab is selected. I can only click copy or save....


    Kenny
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
    let's hope what I have said to do in last post will help
     
  10. Fury1995

    Fury1995 Thread Starter

    Joined:
    Oct 8, 2005
    Messages:
    105
    Derek,

    I could unzip the files and copy the dummy file mshbobjq.dll to C:\windows\system32.

    find.bat opened another window with a system32 command prompt and blinking cursor. Nothing happened, the window closed after a few moments and no log was produced.


    Yes, that is my thread as well. I have not received a reply or responded to anyone from that forum. Please close that for me.

    Thanks

    Kenny
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
    create a folder on desktop called find

    download this revised find.zip & unzip into that folder

    then run find.bat

    I am just about to go out & give a lecture so won't be back on until the morning
     

    Attached Files:

    • find.zip
      File size:
      220 bytes
      Views:
      1
  12. Fury1995

    Fury1995 Thread Starter

    Joined:
    Oct 8, 2005
    Messages:
    105
    Derek


    Here's the log:



    FileDigitalSignVerify 1.2

    Copyright (C) 2007-2008 Smallfrogs

    KZTechs.COM - www.KZTechs.com



    FileDigitalSignVerify is used to verify digital signatures on specified files.



    Status Name of signer File Path

    -----------------------------------------------------------

    0x800b0100 - C:\WINDOWS\system32\imm32.dll

    -c----w 110,080 2004-08-10 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\imm32.dll
    ------w 110,080 2008-04-14 00:11:54 C:\WINDOWS\ServicePackFiles\i386\imm32.dll
    ----a-w 110,592 2008-12-30 01:24:34 C:\WINDOWS\system32\imm32.dll

    Entries: 3 (3)
    Directories: 0 Files: 3
    Bytes: 330,752 Blocks: 646



    Hopefully I will catch you before you leave.... again thanks for inputting so much time into my problem...
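
Added example, not part of the original thread and not code from any tool used in it: the log above shows the `system32` copy of imm32.dll failing the signature check (0x800b0100, no signature present) and differing in size and date from the two cached copies. The sketch below parses such a listing and flags live files whose size differs from the `ServicePackFiles` copy; treating that folder as the baseline, and the `example.dll` lines, are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from ntpath import basename

# Constructed sample: the three imm32.dll lines from the log above, plus a
# made-up unchanged file (example.dll) to show the non-flagged case.
SAMPLE = r"""
-c----w 110,080 2004-08-10 10:00:00 C:\WINDOWS\$NtServicePackUninstall$\imm32.dll
------w 110,080 2008-04-14 00:11:54 C:\WINDOWS\ServicePackFiles\i386\imm32.dll
----a-w 110,592 2008-12-30 01:24:34 C:\WINDOWS\system32\imm32.dll
------w 20,480 2008-04-14 00:11:54 C:\WINDOWS\ServicePackFiles\i386\example.dll
----a-w 20,480 2008-04-14 00:11:54 C:\WINDOWS\system32\example.dll
"""

# attributes, size with thousands separators, timestamp, full path
LINE = re.compile(
    r"^\s*([-a-z]{7})\s+([\d,]+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(.+?)\s*$")
BASELINE_DIR = "\\servicepackfiles\\"  # assumption: service-pack cache is the reference
LIVE_DIR = "\\system32\\"

def parse_listing(text):
    """Yield (size, timestamp, path) for every file line in the listing."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m.group(2).replace(",", "")), m.group(3), m.group(4)

def flag_mismatches(text):
    """Return live system32 files whose size differs from the cached copy."""
    by_name = defaultdict(dict)
    for size, stamp, path in parse_listing(text):
        low = path.lower()
        role = "baseline" if BASELINE_DIR in low else "live" if LIVE_DIR in low else None
        if role:
            by_name[basename(low)][role] = (size, stamp, path)
    findings = []
    for _name, copies in sorted(by_name.items()):
        if "baseline" in copies and "live" in copies:
            delta = copies["live"][0] - copies["baseline"][0]
            if delta:  # size changed relative to the reference copy
                findings.append({"path": copies["live"][2], "delta": delta,
                                 "modified": copies["live"][1]})
    return findings

if __name__ == "__main__":
    for f in flag_mismatches(SAMPLE):
        print(f"{f['path']}: {f['delta']:+d} bytes vs baseline, modified {f['modified']}")
```

A size difference can also come from a legitimate update, so a hit here is a lead to confirm with the signature check, not a verdict on its own.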
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
    we have a fix now for this

    first there should have been a zip file created inside the find folder with a copy of the infected dll causing this

    please do this

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

    Files to submit:

    the imm32.zip from inside the find folder on desktop

    then combofix has been updated to deal with this one now so

    Delete any existing version of ComboFix you have sitting on your desktop

    Please read and follow all these instructions very carefully

    Download ComboFix from Here to your Desktop.

    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re enable the protection again after combofix has finished
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything unless told to do so while we are fixing your problem.
     
  14. Fury1995

    Fury1995 Thread Starter

    Joined:
    Oct 8, 2005
    Messages:
    105
    Derek,

    I have uploaded the file as requested to spykiller. I have deleted the previous version of Combofix and downloaded the new version. Combofix is running now(I am on an alternate computer)

    BTW, the dummy dll fixed the popup errors.

    Also, is this a new virus? Do I get to name it? ;-)

    Will post back in a few minutes with the results..

    Kenny


    Edit to add: Is Combofix supposed to shut down and restart my system while running?
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    55,904
    First Name:
    Derek
    didn't it make an imm32.zip file there?
     
Short URL to this thread: https://techguy.org/798107

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice