RBOT, need help



FedericoL
2007-09-08, 21:33
I got infected with the rbot.
I have Avast antivirus and Spybot, both updated.
Avast doesn't find anything, nor does Spybot.
When I connect, everything gets slower.
I have read and completed the "procedure BEFORE Requesting Assistance".
Kaspersky crashed in the middle of the online scan, so I used Panda.
I need some assistance. Thanks a lot!

Panda online scan log:

Incident | Status | Location

Adware:Adware/StartPage.CWN | Not disinfected | C:\dbss.exe
Spyware:Cookie/GoStats | Not disinfected | C:\Documents and Settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\gu4yio3e.default\cookies.txt[.gostats.com/]
Spyware:Cookie/Toplist | Not disinfected | C:\Documents and Settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\gu4yio3e.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Yadro | Not disinfected | C:\Documents and Settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\gu4yio3e.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Administrador\Datos de programa\Mozilla\Firefox\Profiles\gu4yio3e.default\cookies.txt[ad.yieldmanager.com/]
Potentially unwanted tool:Application/ScanSpyware | Not disinfected | C:\Documents and Settings\Administrador\Escritorio\BAJADOS\ss_install.exe
Virus:W32/Sdbot.LCE.worm | Disinfected | C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\81EBGLQB\mmdmm[1].exe
Adware:Adware/StartPage.CWN | Not disinfected | C:\Documents and Settings\Default User\Configuración local\Archivos temporales de Internet\Content.IE5\OHAJ8LEN\db[1].exe
Adware:Adware/StartPage.CWN | Not disinfected | C:\WINNT\rundll32.exe
Adware:adware/ipbill | Not disinfected | C:\WINNT\system32\dload.exe
Virus:W32/Sdbot.ftp.worm | Disinfected | C:\WINNT\system32\i
Virus:W32/Sdbot.LCE.worm | Disinfected | C:\WINNT\system32\mdm.exe
Virus:W32/Sdbot.ftp.worm | Disinfected | C:\WINNT\system32\o
Adware:Adware/Gator | Not disinfected | E:\CINE\CINE SIN RESPALDO\La Espada Mágica\DivX\install.exe
Virus:Generic Malware | Disinfected | E:\Soft para instalar\Gráficos\Video\CODEC\Radlight 3.03\RL3R5.EXE

-----------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:25:17, on 08/09/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Archivos de programa\AlwilSoft\Avast4\aswUpdSv.exe
C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
C:\Archivos de programa\AlwilSoft\Avast4\ashServ.exe
C:\WINNT\system32\dllcache\mravsc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Archivos de programa\WinPoET\WrOS.EXE
C:\WINNT\Explorer.EXE
C:\Archivos de programa\WinPoET\winpppoverethernet.exe
C:\WINNT\vsnct511.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\internat.exe
C:\Archivos de programa\Rainlendar2\Rainlendar2.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Archivos de programa\Spybot\Spybot\TeaTimer.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\AlwilSoft\Avast4\ashMaiSv.exe
C:\Archivos de programa\AlwilSoft\Avast4\ashWebSv.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\Spybot\Spybot\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Archivos de programa\WinPoET\winpppoverethernet.exe"
O4 - HKLM\..\Run: [SNCT511] C:\WINNT\vsnct511.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Archivos de programa\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Archivos de programa\Rainlendar2\Rainlendar2.exe
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Driver] C:\WINNT\rundll32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Archivos de programa\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\Spybot\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\Spybot\Spybot\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E646DBF3-CF96-4898-920A-AE0073F2DB37}: NameServer = 200.40.220.245 200.40.30.245
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\AlwilSoft\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\AlwilSoft\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\AlwilSoft\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\AlwilSoft\Avast4\ashWebSv.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINNT\system32\dllcache\mravsc32.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINNT\system\svchost32.exe (file missing)
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Archivos de programa\WinPoET\WrOS.EXE

--
End of file - 5013 bytes
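The HijackThis log above contains the entries that usually give an Sdbot/Rbot infection away: a rundll32.exe started from C:\WINNT instead of C:\WINNT\system32, a service with "Unknown owner" running out of the dllcache directory, and a "SvcHost32" service whose binary is already missing. The script below is an added example (not code from this thread, from HijackThis or from Panda) that applies those checks to O4 and O23 lines automatically. The sample lines are copied from the posted log; the rules and the list of system32-only binaries are my own heuristics, not an official HijackThis rule set.

```python
import ntpath
import re

# Sample HijackThis O4/O23 lines, copied from the log posted in this thread
# (a mix of benign and suspicious entries).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Windows Driver] C:\WINNT\rundll32.exe (User 'Default user')
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\AlwilSoft\Avast4\ashServ.exe
O23 - Service: Distributed Allocated Memory Unit - Unknown owner - C:\WINNT\system32\dllcache\mravsc32.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINNT\system\svchost32.exe (file missing)
"""

# Core Windows binaries that only ever run from %SystemRoot%\system32 on a
# clean NT5 box. A same-named file anywhere else (C:\WINNT\rundll32.exe) is
# the classic bot trick of hiding behind a trusted name. Heuristic list.
SYSTEM32_ONLY = {"rundll32.exe", "svchost.exe", "services.exe", "lsass.exe",
                 "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# First drive-letter path ending in .exe inside an O4 command line.
EXE_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def check_path(path):
    """Return the reasons a binary path looks suspicious (empty list if none)."""
    reasons = []
    name = ntpath.basename(path).lower()
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    stem, ext = ntpath.splitext(name)
    # svchost32.exe -> svchost.exe: a trusted name with digits tacked on.
    lookalike = re.sub(r"\d+$", "", stem) + ext
    if name in SYSTEM32_ONLY:
        if parent != "system32":
            reasons.append(f"{name} running outside system32 ({ntpath.dirname(path)})")
    elif lookalike in SYSTEM32_ONLY:
        reasons.append(f"{name} is a look-alike of {lookalike}")
    if "\\dllcache\\" in path.lower():
        reasons.append("binary lives in the DLL cache directory, not an install location")
    return reasons


def analyze(log_text):
    """Return a list of (line, reason) for every O4/O23 line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = EXE_PATH_RE.search(m.group("cmd"))
            if exe:
                for reason in check_path(exe.group(1)):
                    findings.append((line, reason))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = check_path(m.group("path"))
            if m.group("owner").lower() == "unknown owner":
                reasons.append("service has no company recorded (Unknown owner)")
            if m.group("missing"):
                reasons.append("service registered but its binary is missing")
            for reason in reasons:
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in analyze(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

On the posted log this flags the three entries named above and nothing from the Avast or NVIDIA lines. It is a triage aid, not a verdict: an "Unknown owner" service can be a legitimate unsigned driver, so each hit still needs the usual checks (file hash, signature, when the file appeared) before anything is removed.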

Mr_JAk3
2007-09-09, 17:57
Hi and welcome to the Forums :)

One or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post :bigthumb:

FedericoL
2007-09-10, 02:09
I've decided to format and reinstall.
I did it, with Avast and Comodo personal firewall installed before connecting to the internet, as the tutorial says.

Now I suspect there's something wrong with the Windows services.exe. Comodo is asking to allow or deny connections every time I try to connect to the net.

Sorry, I'm a newbie.
Should I send the HijackThis log again?

Mr_JAk3
2007-09-10, 22:53
Hello :)

OK, you can send a fresh HijackThis log and I'll have a look.

You must allow some Windows components access to the internet. It is usually wise to tick the "remember this (or similar)" box so that the program won't bug you every time the component connects to the internet.

:bigthumb: