reddo

G'day guys, thanks for this site.
I had just finished connecting to the net yesterday after a HD rebuild and foolishly I clicked on a "Macromedia Flash Popup". Yes I know..
I got the freeware AVG6 up and running. It found 3 nasties. One it's sorted,
2 it hasn't. I now have my Firewall running (ZoneAlarm). I have yet to reinstall Service Pack 1 and will install SP2.

Trojan Horse IRC/Backdoor.SdBot.47.J
Worm Agobot

It appears to be in these areas.
C:\Windows\System32\Systesms.exe
C:\Windows\System32\MSlti64.exe

I read your "must do to help you" and I ran Adaware and your programmes in Safe mode with only the basics running. ie no messenger, no yahoo, no browser. (I have messenger, yahoo and ICQ)
Jessops is a chain of photo/camera shops that do film processing. They also put the film onto CD. Speedtouch is a brand of ADSL modem.

Here's the log.

Logfile of HijackThis v1.98.2
Scan saved at 1:40:54 PM, on 1/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijack this\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "d:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\program files\ICQ\ICQ.exe -minimize
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\INTERN~2\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Jessops Insert Detect] D:\Program Files\Jessops\Picture Suite\InsDetect.exe
O4 - HKCU\..\Run: [WebWasher] G:\WebWasher\wwasher.exe
O4 - Startup: HotSync Manager.lnk = D:\program files\Palm\HOTSYNC.EXE
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = D:\program files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Thank you for your help,
reddo

reddo

G'day,
I've just finished loading SP1a and SP2. I updated AVG-6 as well and ran a scan. I also tweaked Adaware 6 to do a deep scan and it removed a further 5 items.
After the antivirus scan, there was no detection of any bugs.
Could the service packs have over written the worms/trojans?
(I hope so!)

Detah

Just the one item jumps out at me in your log. We'll take care of it and get your system secure.
Either you already Killed the Processes (of the badguys that you mentioned) before you ran the HJT log or I suspect you have some superinvisible badguys on there. Either way, we'll take care of it now.

We will be using several anti-spyware, anti-adware and anti-hijack programs. I recommend that you keep these programs on your system permanently. Only use HiJackThis under the guidance of an expert! Print out these instructions so you may reference them without any programs open. It is very important that no programs (expecially internet browsers) are running when implementing these fixes. [You may leave your firewall and virusscan running.]
----------------------------------------------------------------
* When running HiJackThis scans or fixes, it is imperative that you close all programs especially internet browsers. HiJackThis, Spybot, AdAware and CWShredder cannot repair the badguys when these programs are open. So close them all now.
----------------------------------------------------------------
Your Operating System and Internet Explorer do not have the most recent security patches in place. Please update them now.
Update Windows and IE
To get the latest security patches, bug fixes and general updates, go to
http://v4.windowsupdate.microsoft.com/en/default.asp
Select All updates. Reboot
----------------------------------------------------------------
To show hidden files instructions
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extentions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
----------------------------------------------------------------
Turn off System Restore instructions
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot.
After we are finished with your log file and verified that it’s clean, you may turn it back on and create a new restore point.
----------------------------------------------------------------
Reboot in Safe Mode instructions. During reboot, tap the F8 key. Select Safe Mode.
----------------------------------------------------------------
Open HiJackThis | Scan,
Put a check next to the following items.

O1 - Hosts: 64.91.255.87 www.dcsresearch.com


Confirm that you have only the ones above then press <Fix checked>
Close HJT
----------------------------------------------------------------
* Empty your c:/windows/temp or c:/winnt/temp folder. Note: only empty the contents of the folder, leave the folder there.
* Now empty your Recycle Bin.
* Reboot in Normal Mode.
----------------------------------------------------------------
You should run an online virus scan. Select one or more of the following. Select Autoclean if you use TrendMicro. Online virus scans can be superior to PC scans because some malware can infect your PC virus scanner.
Panda aka http://www.pandasoftware.com/actives..._principal.htm
TrendMicro aka http://housecall.trendmicro.com/]
RAV Antivirus aka http://www.ravantivirus.com/scan
Reboot.
----------------------------------------------------------------
You stated that you ran AdAware. Did you configure it correctly? Check below and install Spybot and run it also.
----------------------------------------------------------------
Here are two essential anti-spyware programs which you should run regularly. Updates for these programs come out weekly. Run them now.

Spybot Search & Destroy instructions (~3.5MB)

• Download Spybot (written by Patrick Kolla). Click <download> from
  http://www.safer-networking.org/
  Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
  I recommend c:/program files/spybot/
• Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
• Open Spybot from Start | Programs | Spybot | Spybot S&D
• Select <Search for Updates>. Let it install all updates. This is very important!
• Select <Immunize>
• Select <Check for Problems>
• Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
• Select <Fix Selected Problems>
• Close Spybot//

Ad-Aware instructions (2563 kB)

• Download Ad-Aware SE build 1.05 (written by Lavasoft) from
  http://www.lavasoft.de/
  If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
• Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
• Open AdAware from Start | Programs | Lavasoft | Adaware.
• Select <Check for updates now>, <Proceed>
• Setting adjustments. [[Green = checked]] Click the Gear Icon in the top right corner. New settings:
  
  • By default you begin in the <General> section. The following should be checked:
    
    • Automatically save logfile
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    • Prompt to update outdated confirmation - change to "7 days"
  • Click <Scanning>
    
    • Check Scan within Archives
    • Select "Select drives & folders to scan", check all of your harddrives. Usually its just c:/, <Proceed>
    • Under Memory & Registry, select all options
  • Click <Advanced>
    
    • Under Shell Integration, select "Move deleted files to Recycle Bin"
    • Under Logfile detail, select all options
  • Click <Defaults>
    
    • Type in the full URL of what you want as your default homepage and search page eg. http://www.google.com
      
  • Click <Tweak>
    
    • Expand Scanning Engine and make sure the following are selected:
      
      • Unload recognized processes during scanning
      • Obtain command line of scanned processes
      • Scan registry for all users instead of current user only
    • Expand Cleaning Engine and make sure the following are selected:
      
      • Always try to unload modules before deletion
      • During removal, unload explorer and IE if necessary
      • Let Windows remove files in use at next reboot
      • Delete quarantined objects after restoring
    • Expand Safety Settings and make sure the following are selected:
      
      • Write-protect system files after repair (Hosts file, etc)
        
• Click <Proceed> | <Start> | select Use custom scanning options | <Next>
• When the scan is finished, rightclick on any entry and choose <Select All Objects>.
• Select <Clean>
• Close Adaware//

----------------------------------------------------------------
When you are finished, reboot and post a fresh HJT log. Do not 'Kill' any processes.

reddo

Thanks for that.
I printed it out and attacked it as you spelled out with one exception.
Try as I might I couldn't get Spybot 1.3 to work. I tried the fixes as suggested on the site to no avail. I used Spybot 1.2 though and followed its instructions.
Online antivirus (Trend Micro House Call v5.70.0) found nothing nasty.
Spybot 1.2 found nothing nasty.
Ad-Aware SE Build 1.05 found nothing nasty.
After doing all of that I rescanned with AVG 6(freeware, updated today) and it found nothing.

The log.
Logfile of HijackThis v1.98.2
Scan saved at 9:23:48 PM, on 1/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "d:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Mirabilis ICQ] D:\program files\ICQ\ICQ.exe -minimize
O4 - HKLM\..\Run: [AVG_CC] D:\program files\Internet Security\avgcc32.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = D:\program files\Palm\HOTSYNC.EXE
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm.lnk = D:\program files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

greyknight17

Your log is clean. Any problems now?

__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D

Anti-Spyware Tutorial :: Spyware Prevention Tools

reddo

G'day Greynight17,
FRED* is running like a dream. Thanks so much for your help and advice.

*FRED = effing ridiculous electronic device