
SDBOT.ADD/AIM Trojan remnants



polydactyl
2006-08-04, 18:02
I've been tag-teaming repairs on a backdoor Trojan identified by Ewido as sdbot.add with my daughter. Initial infection was due to clicking on an embedded link in an AIM IM message. Since a number of days have passed and several scans have been performed, I will provide a bit of extra narrative.

At the time of infection, CA Internet Security Suite (Anti-Virus, Anti-Spam, PestPatrol and Firewall) was running and updated. It did not trigger on the event.

A tremendous increase in the amount of modem and router activity was observed by my daughter, and Ad-Aware and Spybot were run. They did not detect anything other than cookies, with the exception of Spybot, which detected and fixed a Win Security Firewall setting and four instances of Fun Web Products, which have not been fixed in either normal or safe mode or upon reboot.

Performed an online BitDefender scan, which did not produce any result. Downloaded AVG Free for continued use on the PC in conjunction with CA's antivirus. After the AVG Free scan also did not produce a result, downloaded, updated and ran the current version of Ewido, which alerted to sdbot.add.

Subsequent Ad-Aware and Spybot scans come back clean (except for Fun Web Products), and there were only two entries in the HJT logs, which have been removed:

O4 - HKLM\..\Run: [rpcc] rpcc.exe
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe (file missing)

Additional online antivirus scan with Panda and anti-malware with Prevx1R also came back clean.

However, anytime that the PC is on the home network, the modem and router are getting slammed with SMTP, IRC and HTTP traffic.

I've been around the block using most of the common defensive and cleaning tools working on office, acquaintance and home PCs, but this one has me stumped, as I am not seeing anything in the HJT logs or scans that is raising additional red flags. Manual inspection of the running services and registry have also not provided any additional clues.

A cursory look at files in the root of C: found the following files, both dated during the initial period of infection, but not detected by any of the online or installed AVs:

l762.exe (7kb) scanned with VirusTotal

Antivirus Version Update Result
AntiVir 6.35.1.0 08.04.2006 TR/Dldr.Small.dib.7
Authentium 4.93.8 08.03.2006 no virus found
Avast 4.7.844.0 08.02.2006 no virus found
AVG 386 08.03.2006 no virus found
BitDefender 7.2 08.04.2006 no virus found
CAT-QuickHeal 8.00 08.04.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 08.04.2006 no virus found
DrWeb 4.33 08.04.2006 Trojan.DownLoader.9899
eTrust-InoculateIT 23.72.86 08.03.2006 no virus found
eTrust-Vet 12.6.2324 08.04.2006 no virus found
Ewido 4.0 08.04.2006 no virus found
Fortinet 2.77.0.0 08.03.2006 suspicious
F-Prot 3.16f 08.03.2006 no virus found
F-Prot4 4.2.1.29 08.03.2006 Possibly a new unknown PE_Virus!Maximus
Ikarus 0.2.65.0 08.04.2006 no virus found
Kaspersky 4.0.2.24 08.04.2006 Trojan-Downloader.Win32.Small.dib
McAfee 4822 08.04.2006 no virus found
Microsoft 1.1440 08.04.2006 no virus found
NOD32v2 1.1692 08.04.2006 a variant of Win32/TrojanDownloader.Small.DIB
Norman 5.90.23 08.04.2006 Suspicious_F.gen
Panda 9.0.0.4 08.04.2006 Suspicious file
Sophos 4.08.0 08.04.2006 no virus found
Symantec 8.0 08.04.2006 no virus found
TheHacker 5.9.8.186 08.04.2006 no virus found
UNA 1.83 08.03.2006 no virus found
VBA32 3.11.0 08.03.2006 no virus found
VirusBuster 4.3.7:9 08.04.2006 Trojan.DL.Small.Gen.16

Sysload32.exe (7kb) (scanned with VirusTotal)

Antivirus Version Update Result
AntiVir 6.35.1.0 08.04.2006 TR/Dldr.Small.dib
Authentium 4.93.8 08.03.2006 no virus found
Avast 4.7.844.0 08.02.2006 no virus found
AVG 386 08.03.2006 no virus found
BitDefender 7.2 08.04.2006 no virus found
CAT-QuickHeal 8.00 08.04.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 08.04.2006 no virus found
DrWeb 4.33 08.04.2006 Trojan.DownLoader.9899
eTrust-InoculateIT 23.72.86 08.03.2006 no virus found
eTrust-Vet 12.6.2324 08.04.2006 no virus found
Ewido 4.0 08.04.2006 no virus found
Fortinet 2.77.0.0 08.03.2006 suspicious
F-Prot 3.16f 08.03.2006 no virus found
F-Prot4 4.2.1.29 08.03.2006 Possibly a new unknown PE_Virus!Maximus
Ikarus 0.2.65.0 08.04.2006 no virus found
Kaspersky 4.0.2.24 08.04.2006 Trojan-Downloader.Win32.Small.dib
McAfee 4822 08.04.2006 no virus found
Microsoft 1.1440 08.04.2006 no virus found
NOD32v2 1.1692 08.04.2006 a variant of Win32/TrojanDownloader.Small.DIB
Norman 5.90.23 08.04.2006 Suspicious_F.gen
Panda 9.0.0.4 08.04.2006 Suspicious file
Sophos 4.08.0 08.04.2006 no virus found
Symantec 8.0 08.04.2006 no virus found
TheHacker 5.9.8.186 08.04.2006 no virus found
UNA 1.83 08.03.2006 no virus found
VBA32 3.11.0 08.03.2006 no virus found
VirusBuster 4.3.7:9 08.04.2006 Trojan.DL.Small.Gen.16

I may need some advice on running rootkit tools or logging hidden processes. I shall post the most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:01 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\SurfControl\CyberPatrol\cpserver.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CyberPatrolNew] "C:\Program Files\SurfControl\CyberPatrol\cphq.exe" /m
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107010274280
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks in advance for your assistance in resolving this matter.

LonnyRJones
2006-08-08, 03:53
Welcome to the forum polydactyl

To prevent conflicts, you should only have one antivirus installed at a time.

I assume you have deleted l762.exe and Sysload32.exe?

Are rpcc.exe and taskms.exe present in the Windows directory?

Run aimfix and post its log
http://jayloden.com/aimfix.htm

polydactyl
2006-08-08, 05:41
Thanks for the reply Lonny.

Normally, I just run the CA security suite, but since this incident both the antivirus and the firewall are disabled when the backdoor/trojan is active. Currently, we are in the second period of remission since 7/27. Pattern seems to be three days on, three days off.

Sysload32.exe and l762.exe were renamed by the F-Secure scan and then I deleted them.

rpcc.exe and taskms.exe do not exist in C:\Windows.

I re-ran the AimFix and it was clean, but I'll post the log from when I ran it the first time.



AIMFix version: 1.6.81.1745 (Aug 1 2006 17:45:53)
SeDebug Privilege set successfully

***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***

BlockRemove(): Now checking for Block-Checker: .5
BlockRemove(): Block-Checker not found
IMNamesRemove(): Now checking for IMNames: .2
IMNamesRemove(): IM Names not found
CleanMstc(): mstc not found
C:\Data found, attempting to remove...
quarantine(): C:\Data quarantined
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\againstthecuffs\info.htm quarantined
Profile for againstthecuffs edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\audioposterteens\info.htm could not be quarantined: Cannot create a file when that file already exists.Profile for audioposterteens edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\cleosmacktra\info.htm
Profile for cleosmacktra edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\eye4n1c8alawt\info.htm could not be quarantined: Cannot create a file when that file already exists.Profile for eye4n1c8alawt edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\fakefakefuneral\info.htm
Profile for fakefakefuneral edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\fuzzypeach4328\info.htm could not be quarantined: Cannot create a file when that file already exists.Profile for fuzzypeach4328 edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\harveyboy911\info.htm
Profile for harveyboy911 edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\immaaccident\info.htm could not be quarantined: Cannot create a file when that file already exists.Profile for immaaccident edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\kelseyweleypoo\info.htm
Profile for kelseyweleypoo edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\kelseywelseypoo\info.htm
Profile for kelseywelseypoo edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\kelseywelsypoo\info.htm
Profile for kelseywelsypoo edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\roycisnerosfubx\info.htm
Profile for roycisnerosfubx edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\skanksicklesx\info.htm quarantined
Profile for skanksicklesx edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\soccercat1015\info.htm
Profile for soccercat1015 edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\sweetascandy9105\info.htm
Profile for sweetascandy9105 edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\taintedtoaster19\info.htm could not be quarantined: Cannot create a file when that file already exists.Profile for taintedtoaster19 edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\thewaterworks\info.htm
Profile for thewaterworks edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\tickticktickxx\info.htm
Profile for tickticktickxx edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\xbleedingxem0x\info.htm quarantined
Profile for xbleedingxem0x edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\xbleedingxemox\info.htm
Profile for xbleedingxemox edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\xgetyourgunxxx\info.htm
Profile for xgetyourgunxxx edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\xmryoureonfire\info.htm could not be quarantined: Cannot create a file when that file already exists.Profile for xmryoureonfire edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\xohsooemox3\info.htm could not be quarantined: Cannot create a file when that file already exists.Profile for xohsooemox3 edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\xthewaterworks\info.htm could not be quarantined: Cannot create a file when that file already exists.Profile for xthewaterworks edited to remove possible virus code.
quarantine(): C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\xxlovexrhymesxx\info.htm quarantined
Profile for xxlovexrhymesxx edited to remove possible virus code.
quarantine(): Attemtped to Quarantine nonexistent file C:\Documents and Settings\Kelly\Application Data\Aim\exdpcvjf\xxnekoxxpeachxx\info.htm
Profile for xxnekoxxpeachxx edited to remove possible virus code.

***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------

Reboot requested by user


AIMFix version: 1.6.81.1745 (Aug 1 2006 17:45:53)
SeDebug Privilege set successfully


AIMFix version: 1.6.81.1745 (Aug 1 2006 17:45:53)
SeDebug Privilege set successfully

***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***

BlockRemove(): Now checking for Block-Checker: .5
BlockRemove(): Block-Checker not found
IMNamesRemove(): Now checking for IMNames: .2
IMNamesRemove(): IM Names not found
CleanMstc(): mstc not found

***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
----------------------------------------------------------

Thanks again Lonny for your assistance.

LonnyRJones
2006-08-08, 06:12
Since you mentioned this service:
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe (file missing)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.


In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

polydactyl
2006-08-08, 13:17
Here you go, Lonny. Thanks again.


SDFix Version 1.03
************************

Scan Time/Date:

05:58 AM
Tue 08/08/2006

Microsoft Windows XP [Version 5.1.2600]
Running from directory:
C:\Documents and Settings\Kelly\Desktop\SDFix\SDFix

Stage One...

Exporting Service Information:

Service Name
**************

Service File Path
*******************

Deleting Services
*******************


Repairing SDBot Registry Changes....

Adding Reg Key To Run On Reboot

Stage One Complete...

Rebooting!

Stage Two...

Removing Malware Files and Registry Entries
***********************************************

Registry Cleaning Finished...

Checking For Malware Files...


Backing Up and Deleting Files....

Finished :)

Logfile of HijackThis v1.99.1
Scan saved at 6:06:24 AM, on 8/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SurfControl\CyberPatrol\cphq.exe
C:\Program Files\DropBox\DropBox\DropBox.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\SurfControl\CyberPatrol\cpserver.exe
C:\Program Files\SurfControl\CyberPatrol\cpACtrl.exe
C:\Program Files\SurfControl\CyberPatrol\cpCCtrl.exe
C:\Program Files\SurfControl\CyberPatrol\cpkbinst.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CyberPatrolNew] "C:\Program Files\SurfControl\CyberPatrol\cphq.exe" /m
O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107010274280
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Traffic remains quiet this morning and with the exception of running the F-Secure online scan between the time of the original post and your first reply, there have not been any additional remedial actions taken on this machine.

Is this remission/hibernation of the backdoor activity typical? I am hesitant to uninstall AVG until I know that the CA Internet Security Suite is no longer compromised.
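The two HijackThis logs in this thread differ by only a handful of O4/O23 lines, which is exactly what a helper compares by hand. As an added example (not from the thread, and not HijackThis's own code), the script below parses those two sections, flags the shapes seen here (a service whose binary is missing, a Run entry with a bare file name, an unknown-owner service in the Windows root) and diffs a before/after log. The sample log lines are constructed from lines posted above; the heuristics are triage hints, not a malware signature.

```python
"""Parse HijackThis O4/O23 lines, flag suspicious shapes, and diff two logs."""
import re
from typing import Dict, List, Tuple

# Constructed sample logs: the two lines the original poster removed plus a
# few benign lines copied from the posted logs, so this runs offline.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Task Manager Message Service (TSKMS) - Unknown owner - C:\WINDOWS\taskms.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# O4: "<hive or startup folder>: [<value name>] <command>"  (the [..] part is absent
# for Global Startup .lnk lines).  O23: "<service> - <owner> - <image path>".
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")


def parse_hjt(text: str) -> Dict[str, dict]:
    """Return {line: fields} for every O4/O23 line; other sections are ignored."""
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries[line] = {"kind": "O4", "where": m["where"],
                             "name": m["name"] or "", "cmd": m["cmd"]}
            continue
        m = O23_RE.match(line)
        if m:
            entries[line] = {"kind": "O23", "name": m["name"],
                             "owner": m["owner"], "cmd": m["cmd"]}
    return entries


def binary_path(cmd: str) -> str:
    """Best-effort image path from a Run value or service command line."""
    cmd = cmd.replace("(file missing)", "").strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow
        return cmd[1:].split('"', 1)[0]
    m = re.search(r"^(.*?\.exe)", cmd, re.IGNORECASE)   # unquoted: cut at first .exe
    return m.group(1) if m else cmd.split(" ", 1)[0]


def flag_entry(entry: dict) -> List[str]:
    """Heuristic flags for the entry shapes seen in this thread."""
    flags: List[str] = []
    path = binary_path(entry["cmd"])
    if "(file missing)" in entry["cmd"]:
        flags.append("file-missing")              # registration outlived the binary
    if "\\" not in path:
        flags.append("no-directory")              # bare name, resolved via PATH at logon
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if entry["kind"] == "O23" and entry["owner"] == "Unknown owner" and parent == r"c:\windows":
        flags.append("unknown-owner-in-windows-root")   # services normally live in system32
    return flags


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged O4/O23 line to its flags; unflagged lines are omitted."""
    return {line: f for line, e in parse_hjt(text).items() if (f := flag_entry(e))}


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Lines that disappeared between two logs, and lines that are new."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(set(b) - set(a)), sorted(set(a) - set(b))


if __name__ == "__main__":
    for line, flags in triage(LOG_BEFORE).items():
        print(flags, line)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```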

LonnyRJones
2006-08-08, 14:14
Great that no files were found. SDFix will have corrected some registry items that the bot changed, so it was good to run it anyway.

If you start CA's uninstall, does it offer a repair option? I would do that even if it appears to be running OK.


Is this remission/hibernation of the backdoor activity typical? I don't know; keep an eye out for unusual activity over the next couple of weeks. Post back in a couple of days, please.

Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

tashi
2006-08-14, 06:58
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.