Trojans and all sorts



geezer34
2006-04-03, 11:23
Hi guys,

Trying to remove a load of nasties from a new (to me) laptop.

Managed to get rid of a fair bit but still have a number of things on it that look bad from hunting / Spybot runs. Have a number of suspect files still around, i.e.:

veracrus, sk02, smart, mousepad7, keyboard7, yaz, zan...

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:11:12, on 03/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\T3pBbmRFbQ\command.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINDOWS\update\wuauclt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\scdhost.exe
C:\windows\mousepad7.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\System32\internat.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [1337 virus] explore.exe
O4 - HKLM\..\Run: [AdobeReaderPro] scdhost.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Service] C:\WINDOWS\update\wuauclt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O4 - HKLM\..\RunServices: [AdobeReaderPro] scdhost.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\lvrq0995e.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3pBbmRFbQ\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\WINDOWS\update\wuauclt.exe



Cheers

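The log above is triaged by a helper by eye: a Windows 2000 system whose Windows directory is C:\WINNT (see the winlogon.exe process path) has Run entries pointing under C:\WINDOWS, bare executable names like explore.exe and scdhost.exe that imitate explorer.exe and svchost.exe, RunServices entries (a Windows 9x/ME key that NT does not process), and services with "Unknown owner". As an added illustration, not part of the thread and not HijackThis's own logic, the Python script below applies those checks mechanically to lines copied from the log. The rule set, the system-binary list, the edit-distance threshold and the severity labels are my own assumptions; it flags entries for review rather than declaring them malicious, since a bare name such as mobsync.exe is legitimate.

```python
import re

# Constructed sample: lines copied from the HijackThis 1.99.1 log posted above,
# trimmed to the entry types the rules below examine.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP3 (WinNT 5.00.2195)

Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [1337 virus] explore.exe
O4 - HKLM\..\Run: [AdobeReaderPro] scdhost.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Service] C:\WINDOWS\update\wuauclt.exe
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\lvrq0995e.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3pBbmRFbQ\command.exe (file missing)
O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\WINDOWS\update\wuauclt.exe
"""

# Hand-picked list (assumption) of system binaries whose names malware borrows or mangles.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "wuauclt.exe", "spoolsv.exe", "smss.exe", "rundll32.exe"}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(\w+): \[[^\]]*\] (.*)$")         # key, command line
O23_RE = re.compile(r"^O23 - Service: .*? \(([^)]+)\) - (.*?) - (.*)$")  # name, owner, path
O20_RE = re.compile(r"^O20 - Winlogon Notify: ")


def levenshtein(a, b):
    """Plain edit distance, used to spot look-alike names (explore.exe vs explorer.exe)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def windows_dir(log):
    """Derive the real Windows directory from the winlogon.exe process path."""
    m = re.search(r"^([A-Za-z]:\\[^\\]+)\\system32\\winlogon\.exe$", log, re.M | re.I)
    return m.group(1) if m else None


def is_nt(log):
    return re.search(r"^Platform: .*\(WinNT", log, re.M) is not None


def executable_of(command):
    """Strip switches such as '/logon' and surrounding quotes from a Run value."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return re.split(r"\s+/", command)[0]


def strip_annotation(path):
    return re.sub(r"\s*\(file missing\)$", "", path)


def path_findings(path, windir):
    name = path.rsplit("\\", 1)[-1].lower()
    out = []
    if "\\" not in path:
        out.append(("review", "bare executable name, resolved through the search path"))
    root = re.match(r"^[A-Za-z]:\\[^\\]+", path)
    if root and windir and root.group(0).lower() != windir.lower() \
            and root.group(0).rsplit("\\", 1)[-1].lower() in ("windows", "winnt"):
        out.append(("suspicious", f"path is under {root.group(0)} but the Windows directory is {windir}"))
    if name in SYSTEM_BINARIES:
        if windir and "\\" in path and not path.lower().startswith(windir.lower() + "\\"):
            out.append(("suspicious", f"system binary name {name} outside {windir}"))
    else:
        for known in sorted(SYSTEM_BINARIES):
            if levenshtein(name, known) <= 2:
                out.append(("suspicious", f"name {name} resembles system binary {known}"))
    return out


def triage(log):
    """Return (severity, log line, reason) triples for O4/O20/O23 entries worth a second look."""
    windir, nt, findings = windows_dir(log), is_nt(log), []
    for raw in log.splitlines():
        line, hits = raw.strip(), []
        if m := O4_RE.match(line):
            hits += path_findings(executable_of(m.group(2)), windir)
            if nt and m.group(1).lower().startswith("runservices"):
                hits.append(("suspicious", "RunServices is a Windows 9x/ME key that NT-family Windows "
                                           "does not process; on NT an entry there is a red flag"))
        elif m := O23_RE.match(line):
            hits += path_findings(strip_annotation(m.group(3)), windir)
            if m.group(2) == "Unknown owner":
                hits.append(("review", "service binary carries no publisher information"))
        elif O20_RE.match(line):
            hits.append(("review", "Winlogon Notify DLL is loaded into winlogon.exe at logon; "
                                   "confirm it is a known component"))
        findings += [(sev, line, why) for sev, why in hits]
    return findings


if __name__ == "__main__":
    for sev, line, why in sorted(triage(SAMPLE_LOG), key=lambda f: f[0] != "suspicious"):
        print(f"[{sev:10}] {line}\n             {why}")
```

The NeroCheck and AVG entries produce no findings, while every entry the thread ends up removing is flagged at least once; the script is a first pass to order a helper's attention, not a verdict.
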
Rawe
2006-04-03, 19:41
Hello and welcome. Let's get started. :)

You have a few infections there; please stick with it and we'll get 'em.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Look2Me-Destroyer (http://www.atribune.org/ccount/click.php?id=7) to your desktop.

Before continuing with the fix there is something you must do:

Click Start -> Run and type in: services.msc
Check that the following service is running and that its startup is set to automatic:
Runas
Next, your machine needs to be offline; manually disconnect the network cable if necessary.
Your antivirus, and every other security software MUST be disabled.

Now continue:

Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Re-launch your Anti-virus/Firewall protection.
Re-connect back to the internet.
Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log. :bigthumb:
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

geezer34
2006-04-04, 11:50
Thanks for that.

I had to uninstall AVG for Look2Me-Destroyer to work, but have reinstalled it once done.

HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 09:44:36, on 04/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\T3pBbmRFbQ\command.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINDOWS\update\wuauclt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\scdhost.exe
C:\windows\mousepad7.exe
C:\WINNT\System32\internat.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [1337 virus] explore.exe
O4 - HKLM\..\Run: [AdobeReaderPro] scdhost.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Service] C:\WINDOWS\update\wuauclt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O4 - HKLM\..\RunServices: [AdobeReaderPro] scdhost.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3pBbmRFbQ\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\WINDOWS\update\wuauclt.exe

Look2Me-Destroyer log:



Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/4/2006 9:37:08 AM

Infected! C:\WINNT\system32\ir2ml5f11.dll
Infected! C:\WINNT\system32\cnfgnt.dll
Infected! C:\WINNT\system32\cvmpobj.dll
Infected! C:\WINNT\system32\dnrgsnap.dll
Infected! C:\WINNT\system32\dzdskmgr.dll
Infected! C:\WINNT\system32\icircl.dll
Infected! C:\WINNT\system32\icrnonce.dll
Infected! C:\WINNT\system32\ildkcs32.dll
Infected! C:\WINNT\system32\ir2ml5f11.dll
Infected! C:\WINNT\system32\irp4l57q1.dll
Infected! C:\WINNT\system32\ithlpapi.dll
Infected! C:\WINNT\system32\kpdusr.dll
Infected! C:\WINNT\system32\mansspc.dll
Infected! C:\WINNT\system32\mgnsspc.dll
Infected! C:\WINNT\system32\nolanui.dll
Infected! C:\WINNT\system32\pxofmap.dll

Attempting to delete infected files...

Attempting to delete: C:\WINNT\system32\ir2ml5f11.dll
C:\WINNT\system32\ir2ml5f11.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\cnfgnt.dll
C:\WINNT\system32\cnfgnt.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\cvmpobj.dll
C:\WINNT\system32\cvmpobj.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\dnrgsnap.dll
C:\WINNT\system32\dnrgsnap.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\dzdskmgr.dll
C:\WINNT\system32\dzdskmgr.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\icircl.dll
C:\WINNT\system32\icircl.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\icrnonce.dll
C:\WINNT\system32\icrnonce.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\ildkcs32.dll
C:\WINNT\system32\ildkcs32.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\ir2ml5f11.dll
C:\WINNT\system32\ir2ml5f11.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\irp4l57q1.dll
C:\WINNT\system32\irp4l57q1.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\ithlpapi.dll
C:\WINNT\system32\ithlpapi.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\kpdusr.dll
C:\WINNT\system32\kpdusr.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\mansspc.dll
C:\WINNT\system32\mansspc.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\mgnsspc.dll
C:\WINNT\system32\mgnsspc.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\nolanui.dll
C:\WINNT\system32\nolanui.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\pxofmap.dll
C:\WINNT\system32\pxofmap.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0DCA56CA-B5E0-48F4-B7BA-90FAC1B3550E}"
HKCR\Clsid\{0DCA56CA-B5E0-48F4-B7BA-90FAC1B3550E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{52D3BBD2-4DD6-4985-AB36-8A5B9423C95B}"
HKCR\Clsid\{52D3BBD2-4DD6-4985-AB36-8A5B9423C95B}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


What's the next step? :D

Rawe
2006-04-04, 15:16
Nice job; let's continue :bigthumb:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install Ewido Anti-malware
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click Update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://www.ewido.net/en/download/updates/)

==

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

4. Once in Safe Mode, Run Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.

==

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
In the Scriptline to execute field type or paste c:\bfu\alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the Complete script execution box to pop up and hit OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of Ewido log that you saved along with a fresh HiJackThis log. :bigthumb:

geezer34
2006-04-04, 17:47
OK, looks like it's all coming together!

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:36:56, on 04/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINDOWS\update\wuauclt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\System32\internat.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [1337 virus] explore.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Service] C:\WINDOWS\update\wuauclt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [1337 virus] explore.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\T3pBbmRFbQ\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\WINDOWS\update\wuauclt.exe

ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:29:35, 04/04/2006
+ Report-Checksum: 120B547A

+ Scan result:

C:\windows\keyboard7.exe -> Downloader.VB.zg : Cleaned with backup
C:\windows\mousepad7.exe -> Downloader.VB.zw : Cleaned with backup
C:\WINNT\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINNT\system32\scdhost.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\T3pBbmRFbQ\asappsrv.dll -> Adware.CommAd : Cleaned with backup
C:\WINNT\T3pBbmRFbQ\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINNT\Temp\i53.tmp -> Adware.SurfSide : Cleaned with backup


::Report End


Looks like a couple of files are still kicking around; fingers crossed all will be well and I'll attempt a connection to the net from the laptop! I assume I can delete the C:\WINNT\T3pBbmRFbQ folder and the file left in there, as well as the keyboard71 and newname .dat files in c:\windows?

Can I remove Ewido?

Appreciate your help

Rawe
2006-04-04, 19:17
Yes, please do. :)

==

Please download delcmdservice (http://users.telenet.be/marcvn/tools/delcmdservice.zip) (by Marckie), and save it to your Desktop.

Unzip the content to your Desktop (a folder named delcmdservice)
Double-click on the delcmdservice folder
Double-click on delreg.bat to launch the tool
When the tool has finished, please reboot your computer.

==

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.


@echo off
REM sc takes the service (key) name shown in brackets in the HijackThis O23 line, not the display name
sc stop UpdateSvc
REM remove the service definition from HKLM\SYSTEM\CurrentControlSet\Services
sc delete UpdateSvc

Double-click on Removeservice.bat. A window will pop up and close. This is normal.

==

Create a folder on your desktop called Sysclean.

Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.

Go to http://www.trendmicro.com/download/pattern.asp and download the Official Pattern Release for windows to your desktop.

This file will be called lptXXX.zip (XXX represents the version number)

Unzip lptXXX.zip and you'll get a file lpt$vpn.XXX.

Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.

Turn off your antivirus which is installed on your system because it can interfere with the Sysclean-scan.

Open the sysclean-folder and double-click sysclean.com.
Check: "Automatically clean or delete detected files."
Click "Scan".
When the scan is finished, select: "View log".

Copy and paste this log in your next reply. ;)

geezer34
2006-04-04, 23:06
OK, done this step. Again I removed AVG. Yet to reinstall this, and will wait until I get the all clear before I do so. I'll remove Ewido when the machine is clear as well :-)

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 20:59:55, on 04/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINDOWS\update\wuauclt.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\internat.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Service] C:\WINDOWS\update\wuauclt.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\WINDOWS\update\wuauclt.exe

Sysclean log:



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2006-04-04, 20:44:50, Auto-clean mode specified.
2006-04-04, 20:44:50, Running scanner "C:\Documents and Settings\oz\Desktop\Sysclean\TSC.BIN"...
2006-04-04, 20:45:10, Scanner "C:\Documents and Settings\oz\Desktop\Sysclean\TSC.BIN" has finished running.
2006-04-04, 20:45:10, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows 2000(Build 2195: Service Pack 3)

Start time : Tue Apr 04 2006 20:44:51

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\oz\Desktop\Sysclean\tsc.ptn" (version 726) [success]
WORM_SDBOT.PE[virus found]
-->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Run","explore.exe") success
-->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Runservices","explore.exe") success
-->modify registry data("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Ole","EnableDCOM") success

Complete time : Tue Apr 04 2006 20:45:04
Execute pattern count(3005), Virus found count(1), Virus clean count(1), Clean failed count(0)

2006-04-04, 20:47:22, An error occurred while scanning file "C:\Documents and Settings\oz\NTUSER.DAT": Access is denied.
2006-04-04, 20:47:22, An error occurred while scanning file "C:\Documents and Settings\oz\ntuser.dat.LOG": Access is denied.
2006-04-04, 20:47:28, An error occurred while scanning file "C:\Documents and Settings\oz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-04-04, 20:47:28, An error occurred while scanning file "C:\Documents and Settings\oz\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-04-04, 20:48:27, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-04-04, 20:49:22, An error occurred while scanning file "C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb": Access is denied.
2006-04-04, 20:49:22, An error occurred while scanning file "C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log": Access is denied.
2006-04-04, 20:49:22, An error occurred while scanning file "C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\default": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\default.LOG": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\SAM.LOG": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\SECURITY.LOG": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\software": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\software.LOG": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\system": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\SYSTEM.ALT": Access is denied.
2006-04-04, 20:50:44, An error occurred while scanning file "C:\WINNT\Temp\JET3A8C.tmp": Access is denied.
2006-04-04, 20:50:44, An error occurred while scanning file "C:\WINNT\Temp\JET4652.tmp": Access is denied.
2006-04-04, 20:50:46, Running scanner "C:\Documents and Settings\oz\Desktop\Sysclean\VSCANTM.BIN"...
2006-04-04, 20:56:35, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/4/2006 20:50:47
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 309 (111741 Patterns) (2006/04/03) (330900)
Command Line: C:\Documents and Settings\oz\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\oz\Desktop\Sysclean

C:\RECYCLER\S-1-5-21-1659004503-1563985344-1060284298-1002\Dc14.exe [TROJ_ADCLICKR.AJ]
11826 files have been read.
11826 files have been checked.
10531 files have been scanned.
19037 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/4/2006 20:56:35
---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-04, 20:56:35, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/4/2006 20:50:47
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 309 (111741 Patterns) (2006/04/03) (330900)
Command Line: C:\Documents and Settings\oz\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\oz\Desktop\Sysclean

Success Clean [TROJ_ADCLICKR.AJ]( 1) from C:\RECYCLER\S-1-5-21-1659004503-1563985344-1060284298-1002\Dc14.exe
11826 files have been read.
11826 files have been checked.
10531 files have been scanned.
19037 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/4/2006 20:56:35 5 minutes 46 seconds (346.42 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-04, 20:56:35, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 4/4/2006 20:50:47
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 309 (111741 Patterns) (2006/04/03) (330900)
Command Line: C:\Documents and Settings\oz\Desktop\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\oz\Desktop\Sysclean

11826 files have been read.
11826 files have been checked.
10531 files have been scanned.
19037 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 4/4/2006 20:56:35 5 minutes 46 seconds (346.42 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-04-04, 20:56:35, Scanner "C:\Documents and Settings\oz\Desktop\Sysclean\VSCANTM.BIN" has finished running.

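The Sysclean log above mixes three kinds of line that need reading differently: detections and the registry actions the Damage Cleanup Engine took, clean results, and a long run of "Access is denied" errors. Those errors on the registry hives under system32\config, on NTUSER.DAT and UsrClass.dat, on System Volume Information and on the Automatic Updates ESE database (DataStore.edb, edb.log, JET*.tmp) are expected whenever a scanner runs inside a booted Windows, because the OS holds those files open or restricts them to SYSTEM; they are not a sign that something evaded the scan. As an added example, not from the thread and not Trend Micro's code, the Python summariser below separates the log into those categories. The excerpt is constructed from lines on the page plus one made-up held.dat error to show what an unexpected error looks like; the locked-file patterns are my own assumptions.

```python
import re

# Constructed excerpt: lines copied from the Sysclean log posted above, plus one invented
# "held.dat" error line (not on the page) to exercise the unexpected-error branch.
SYSCLEAN_EXCERPT = r"""2006-04-04, 20:44:50, Auto-clean mode specified.
WORM_SDBOT.PE[virus found]
-->delete registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Run","explore.exe") success
-->modify registry data("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Ole","EnableDCOM") success
Execute pattern count(3005), Virus found count(1), Virus clean count(1), Clean failed count(0)
2006-04-04, 20:47:22, An error occurred while scanning file "C:\Documents and Settings\oz\NTUSER.DAT": Access is denied.
2006-04-04, 20:48:27, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2006-04-04, 20:49:22, An error occurred while scanning file "C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb": Access is denied.
2006-04-04, 20:50:03, An error occurred while scanning file "C:\WINNT\system32\config\SAM": Access is denied.
2006-04-04, 20:50:44, An error occurred while scanning file "C:\WINNT\Temp\JET3A8C.tmp": Access is denied.
2006-04-04, 20:51:00, An error occurred while scanning file "C:\Program Files\Example\held.dat": Access is denied.
C:\RECYCLER\S-1-5-21-1659004503-1563985344-1060284298-1002\Dc14.exe [TROJ_ADCLICKR.AJ]
Success Clean [TROJ_ADCLICKR.AJ]( 1) from C:\RECYCLER\S-1-5-21-1659004503-1563985344-1060284298-1002\Dc14.exe
"""

TSC_HIT = re.compile(r"^([A-Z0-9_.]+)\[virus found\]$")
TSC_COUNTS = re.compile(r"Virus found count\((\d+)\), Virus clean count\((\d+)\), Clean failed count\((\d+)\)")
REG_ACTION = re.compile(r"^-->(.+) (success|failed)$")
FILE_HIT = re.compile(r"^([A-Za-z]:\\.+?) \[([A-Z0-9_.]+)\]$")
CLEANED = re.compile(r"^Success Clean \[([A-Z0-9_.]+)\]\(\s*\d+\) from (.+)$")
ERROR = re.compile(r'^\d{4}-\d\d-\d\d, \d\d:\d\d:\d\d, An error '
                   r'(?:occurred while scanning file|was detected on) "([^"]+)": (.+)$')

# Files a scanner cannot open on a running Windows (assumption: list built from this log's errors).
EXPECTED_LOCKED = [
    (r"\\system32\\config\\", "registry hive held open by the kernel"),
    (r"\\ntuser\.dat(\.log)?$", "user registry hive held open while the user is logged on"),
    (r"\\usrclass\.dat(\.log)?$", "user registry hive held open while the user is logged on"),
    (r"^[a-z]:\\system volume information\\", "System Volume Information is ACL-restricted to SYSTEM"),
    (r"\.edb$|\\edb\.log$|\\jet[0-9a-f]+\.tmp$", "ESE database file held open by a service"),
]


def classify_error(path):
    """Return why an access-denied error is expected, or None if it deserves a look."""
    for pattern, why in EXPECTED_LOCKED:
        if re.search(pattern, path.lower()):
            return why
    return None


def summarize(log):
    s = {"detections": [], "registry_actions": [], "cleaned": [],
         "locked": [], "unexpected": [], "tsc_counts": None}
    for raw in log.splitlines():
        line = raw.strip()
        if m := TSC_HIT.match(line):
            s["detections"].append((m.group(1), None))       # DCE hit, no file path given
        elif m := TSC_COUNTS.search(line):
            s["tsc_counts"] = tuple(int(x) for x in m.groups())  # found, cleaned, failed
        elif m := REG_ACTION.match(line):
            s["registry_actions"].append((m.group(1), m.group(2)))
        elif m := CLEANED.match(line):
            s["cleaned"].append((m.group(1), m.group(2)))
        elif m := FILE_HIT.match(line):
            s["detections"].append((m.group(2), m.group(1)))
        elif m := ERROR.match(line):
            why = classify_error(m.group(1))
            (s["locked"] if why else s["unexpected"]).append((m.group(1), why or m.group(2)))
    return s


if __name__ == "__main__":
    summary = summarize(SYSCLEAN_EXCERPT)
    for key, items in summary.items():
        print(f"{key}: {items}")
```

A real triage would look only at the `unexpected` list and at any `tsc_counts` with a non-zero failed count; the `locked` entries are noise to be acknowledged, not chased.
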
Rawe
2006-04-05, 14:12
Your log is starting to look better ;)

Run a scan with HijackThis and check the following objects for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [Microsoft (R) Windows Update Service] C:\WINDOWS\update\wuauclt.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Now, close ALL other open windows except for HijackThis and hit FIX CHECKED.

==

Click Start -> Run and type in:

services.msc

Click "OK".

In the services window find service; Windows Update Service

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.

Next, please click Start -> Run and type in: sc delete UpdateSvc

Hit ok.

==

Please download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.zip).

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\update\wuauclt.exe
C:\WINNT\web\related.htm


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.

==

Post back with one more HijackThis log. :bigthumb:

geezer34
2006-04-06, 11:25
Sorry about the slight delay in getting back to you - away on business.

OK, I've followed your instructions. I got the following error msg when trying to do sc delete UpdateSvc: "Cannot find file sc (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

I see that the update service is still listed in the Services window, although it's now disabled... Can you confirm what registry key I should delete and I'll do a manual delete :-) I think that this should be HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdateSvc, as this refers to C:\windows\update\wuauclt.exe, which we have now removed.

I also see that the windows\update folder is still on my machine. This is empty, so I believe I can delete this, along with the Killbox folder and files?

BTW, I never got a PendingFileRenameOperations prompt.

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 09:05:03, on 06/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\internat.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

Cheers

Rawe
2006-04-06, 12:15
Let's try deleting the service like this.
Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on "Delete an NT service"
Copy and paste this in: UpdateSvc
Click "ok", then reboot

And yes, go ahead and delete that folder, along with the Killbox ones.

How's the system running? :)
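A small triage script, added here as an example (it is not code posted in this thread and not part of HijackThis), that applies the check the helper was doing by eye to the O4 Run and O23 Service lines of a HijackThis log: it flags entries given as a bare filename (Windows resolves those through the search path, so the log alone does not say which file actually runs) and entries whose executable lives outside the system root or Program Files, which on this Windows 2000 machine means outside C:\WINNT. The system root, the trusted directories and the sample lines marked as constructed are assumptions; the UpdateSvc sample line is modelled on the service and the C:\windows\update\wuauclt.exe image path discussed above, with an invented service description.

```python
import re
from pathlib import PureWindowsPath

# Assumed system root for the machine in this thread (Windows 2000 installs to C:\WINNT).
SYSTEM_ROOT = r"C:\WINNT"
# Directories from which autostart entries are normally expected to run (an assumption for this triage).
TRUSTED_ROOTS = (SYSTEM_ROOT.lower(), r"c:\program files")

# HijackThis line shapes handled here: "O4 - <hive>: [<name>] <command>" and
# "O23 - Service: <name> - <company> - <path>". Global Startup .lnk lines are not parsed.
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")


def _exe_path(command):
    """Return the executable part of a Run/Service command, dropping arguments."""
    m = re.match(r'^"?(?P<exe>[^"]*?\.exe)"?', command, re.IGNORECASE)
    return m.group("exe") if m else command.split()[0]


def classify_path(exe):
    """'ok' for an absolute path under a trusted root, otherwise a reason to look closer."""
    p = PureWindowsPath(exe)
    if not p.anchor:
        return "bare filename (resolved via the search path, cannot tell which file runs)"
    parent = str(p.parent).lower()
    for root in TRUSTED_ROOTS:
        if parent == root or parent.startswith(root + "\\"):
            return "ok"
    return f"runs from {p.parent}, outside {SYSTEM_ROOT} and Program Files"


def triage_hjt(log_text):
    """Return (entry name, executable, reason) for every O4/O23 line that is not clearly ok."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = _exe_path(m.group("cmd"))
            verdict = classify_path(exe)
            if verdict != "ok":
                findings.append((m.group("name"), exe, verdict))
            continue
        m = O23_RE.match(line)
        if m:
            exe = _exe_path(m.group("path"))
            verdict = classify_path(exe)
            if verdict != "ok":
                findings.append((m.group("name"), exe, verdict))
    return findings


# Constructed sample log in HijackThis format: two clean entries, two bare filenames,
# one entry running from C:\windows on a C:\WINNT system, and a service modelled on UpdateSvc.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [example loader] C:\windows\loader7.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Update Service (UpdateSvc) - Unknown owner - C:\windows\update\wuauclt.exe
"""

if __name__ == "__main__":
    for name, exe, reason in triage_hjt(SAMPLE_LOG):
        print(f"[{name}] {exe}: {reason}")
```

The bare-filename cases are reported as "look closer", not as malicious: mobsync.exe is a legitimate Windows component, and the point is only that a Run entry without a full path cannot be judged from the log line alone. The C:\windows mismatch is the useful signal on this particular system, since nothing legitimate was installed under that directory.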

geezer34
2006-04-06, 14:05
That worked and, FYI, it did remove the registry key I referred to...

Thanks for all your help. It's been an interesting experience :scratch:

Once I get home tonight I'll connect the laptop to the net and then get all updates, firewalls etc.

At the moment it looks like it's running great. My other half has been nagging me for ages to get a laptop that she can use, so she will be happy that she now has a fully functioning toy!

Thanks again.

Rawe
2006-04-06, 16:59
You're welcome :)

I suggest getting the SP4 update for your Operating System.

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
Spywareguard (http://www.wilderssecurity.net/spywareguard.html) <= SpywareGuard offers realtime protection from spyware installation attempts.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Sygate (http://www.sygate.com/) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp).
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/). And also see TonyKlein's good advice:
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html) (My favourite)

geezer34
2006-04-07, 10:54
Hi There,

Final query with you if I may...

I connected to the net last night but seem to be getting a sporadic connection. I can try to get to a site, e.g. google.com, and am presented with a "site cannot be found" message. Clicking refresh a couple of times will eventually load the site. I connected through the same ADSL line with another PC and no problems were encountered at all.

Could there still be something hanging around that is contributing to this issue on the laptop?

Thanks

Rawe
2006-04-07, 16:02
Well, we can check if there is. But I don't think anything serious or major.

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

geezer34
2006-04-10, 11:07
I ran the check and had the all clear.

Cheers for your advice....

Rawe
2006-04-10, 14:55
Since this issue is now resolved, this Topic has been archived. Should you need it reopened for any reason, please PM a Staff member with its address and request. This only applies to the Original poster. Glad we were able to help. :)