Another Backdoor.sdbot attack

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Luchio3120

Thread Starter
Joined
Oct 2, 2003
Messages
8
I have read the messages of some guys having the same trouble you have and I will post my HijackThis log file so you guys can help me.
My PC is working really slow and I need it for work, so I appreciate your help.
Besides, do you have any info about NAV doing something about this?
Thanks a lot for your help, EXCELLENT WEBSITE
Luciano from Argentina


Logfile of HijackThis v1.97.2
Scan saved at 13:50:35, on 02/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Archivos de programa\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\System32.exe
C:\WINDOWS\litleozy.exe
C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Archivos de programa\Messenger Plus! Extension\MsgPlus.exe
C:\ARCHIV~1\Save\Save.exe
C:\WINDOWS\tcposmod.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\ARCHIV~1\Norton AntiVirus\Cfgwiz.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\KMaestro\Key_s.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Archivos de programa\Norton Internet Security\ccPxySvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\KMaestro\WTS_KEY.EXE
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\Documents and Settings\Luciano Antozzi\Configuración local\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
F1 - win.ini: run=litleozy.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Archivos de programa\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Archivos de programa\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WheelMouse] C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Archivos de programa\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Microsoft Tray] C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus] "C:\Archivos de programa\Messenger Plus! Extension\MsgPlus.exe"
O4 - HKLM\..\Run: [WhenUSave] C:\ARCHIV~1\Save\Save.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\ARCHIV~1\Norton AntiVirus\Cfgwiz.exe /R
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARCHIV~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://www.geocities.com/persona27423/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24273686-0F91-4A5C-8640-513A8C46A8F4}: NameServer = 200.45.191.35 200.45.191.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{24273686-0F91-4A5C-8640-513A8C46A8F4}: NameServer = 200.45.191.35 200.45.191.40
 
Joined
Oct 9, 2001
Messages
9,396
Welcome to T.S.G Luciano :) You have some bad stuff there my friend.

Run HijackThis again and put a checkmark against these entries.... double check
in case you miss anything....
..... then, close all browser and Outlook windows and "fix checked"


F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

F1 - win.ini: run=litleozy.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [Microsoft Tray] C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe

O4 - HKLM\..\Run: [WhenUSave] C:\ARCHIV~1\Save\Save.exe

O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe

O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://www.geocities.com/persona27423/loader.cab

Reboot into safe mode (by tapping the F8 key as Windows boots)
and delete:
C:\Archivos de programa\Save
C:\WINDOWS\tcposmod.exe
C:\WINDOWS\litleozy.exe
C:\WINDOWS\System32\System32.exe
C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe

And I would update Norton because it's just not doing its job.

Do an online A/V scan here: http://housecall.trendmicro.com/
and let us know the result.

;)
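Added illustration, not code from the thread or from HijackThis: a small Python triage of HijackThis log lines that encodes the pattern behind the pick list above (Shell= lines carrying anything beyond Explorer.exe, win.ini run= autostarts, Run entries launched from a P2P Incoming folder, and O16 ActiveX downloads from a bare IP or from a host outside a constructed allowlist). The sample lines are constructed from entries quoted in this thread; the allowlist of trusted O16 hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.97 line format quoted in this thread.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
F1 - win.ini: run=litleozy.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://www.geocities.com/persona27423/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
# Constructed allowlist (assumption): the O16 hosts the helper left alone in this thread.
TRUSTED_DPF_HOSTS = {"download.macromedia.com", "runonce.msn.com", "install.anark.com"}
LINE_RE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<body>.*)$")

def check_line(line):
    """Return a reason string if the HijackThis line matches a cleanup rule, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sect, body = m.group("sect"), m.group("body")
    if sect in ("F0", "F2") and "Shell=" in body:
        # A clean XP shell value is exactly "Explorer.exe"; anything appended is
        # started at every logon next to Explorer, which is the entry flagged above.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "extra shell executable: " + shell
    if sect == "F1" and "run=" in body:
        # win.ini run= is a legacy autostart that current software does not use.
        return "win.ini run= autostart: " + body.split("run=", 1)[1].strip()
    if sect == "O4" and "]" in body:
        # Autorun whose target sits in a P2P download folder (eMule\Incoming).
        path = body.split("]", 1)[1].strip().strip('"')
        if "\\incoming\\" in path.lower():
            return "autorun from download folder: " + path
    if sect == "O16" and " - http" in body:
        host = urlparse(body.rsplit(" - ", 1)[1]).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            return "ActiveX download from bare IP: " + host
        if host not in TRUSTED_DPF_HOSTS:
            return "ActiveX download from unreviewed host: " + host
    return None

def triage(log_text):
    """Map each flagged log line to the reason it was flagged."""
    return {ln: r for ln in log_text.splitlines() if (r := check_line(ln))}
```

Running `triage(SAMPLE_LOG)` flags six of the nine sample lines and leaves the Symantec, Macromedia and win.ini load= entries alone, matching the helper's list.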
 

Luchio3120

Thread Starter
Joined
Oct 2, 2003
Messages
8
Thanks a lot $teve, I have done everything but got into one problem: when I restart in safe mode and try to delete the "C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe" file, it's not there. And I couldn't find it anywhere, so I didn't delete it.
Except for that everything was fine. I restarted the PC and the NAV warnings about the viruses didn't appear anymore.
The Trend Micro scan resulted in 31 viruses. 30 of them I could clean and delete but one is still there, it's called worm hybris b.
When I try to delete or clean it, it says it's in use and cannot be accessed. I think that's my last problem.
Just in case I leave you another log file from HijackThis to check if everything is OK.
Thanks again.
You guys are awesome, Luciano. ARGENTINA

Logfile of HijackThis v1.97.2
Scan saved at 14:31:23, on 03/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\Archivos de programa\Norton Internet Security\NISUM.EXE
C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Archivos de programa\Messenger Plus! Extension\MsgPlus.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\ARCHIV~1\Norton AntiVirus\Cfgwiz.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\KMaestro\Key_s.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Archivos de programa\Norton Internet Security\ccPxySvc.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\KMaestro\WTS_KEY.EXE
C:\Archivos de programa\eMule\emule.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\WINZIP\winzip32.exe
C:\Documents and Settings\Luciano Antozzi\Configuración local\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Archivos de programa\DAP\DAPIEBar.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Archivos de programa\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WheelMouse] C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Archivos de programa\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus] "C:\Archivos de programa\Messenger Plus! Extension\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\ARCHIV~1\Norton AntiVirus\Cfgwiz.exe /R
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKLM\..\RunOnce: [NAVNTSeq] C:\DOCUME~1\LUCIAN~1\CONFIG~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\LUCIAN~1\CONFIG~1\Temp\NAVNTLUProdRg.ini /s:SPW_Set_Sequence
O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARCHIV~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24273686-0F91-4A5C-8640-513A8C46A8F4}: NameServer = 200.45.191.35 200.45.191.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{24273686-0F91-4A5C-8640-513A8C46A8F4}: NameServer = 200.45.191.35 200.45.191.40
 
Joined
Jul 21, 2002
Messages
87
Steve, a quick question. It looks like he was running Norton AntiVirus. How come that didn't catch his problems but the Trend online scan did?
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
chab, could be that the virus definitions weren't up to date.
 

Luchio3120

Thread Starter
Joined
Oct 2, 2003
Messages
8
Hi Guys
Any ideas about what to do with that virus and the file I couldn't find??
Some new info: my NAV hasn't been working for a while, I can't use it to scan my drives, I can't uninstall it or reinstall it, so that's the problem about so many viruses. It only works by giving me warnings about viruses already on my drives that cannot be deleted or fixed. It sucks.
Thanks,
Luciano from Argentina
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Not following you on the NAV problem. What happens when you try to scan? Is it even up to date?
 
Joined
Oct 9, 2001
Messages
9,396
Originally posted by chab:
Steve, a quick question. It looks like he was running Norton AntiVirus. How come that didn't catch his problems but the Trend online scan did?
chab............ Norton has been missing a few things lately. No slur on Symantec, it's probably their turn to follow for a change.

Also it helps if Norton is running correctly and updating.
 

Luchio3120

Thread Starter
Joined
Oct 2, 2003
Messages
8
Again guys, NAV ain't working at all. I have been trying to uninstall it, delete it or blow it up, but I just can't. It gives me a message that I'm not the supervisor, and I can't do anything else. Even though I am the only user, and there are no other accounts.
Thanks
Luciano
 

Luchio3120

Thread Starter
Joined
Oct 2, 2003
Messages
8
AcaCandy, I can't update or scan. That's why I'm using the online scans. I'm gonna read something about the troubles uninstalling the AV and firewall, so I can try another. Any recommendations about which one I should choose??
Thanks
Luciano
 

Luchio3120

Thread Starter
Joined
Oct 2, 2003
Messages
8
Sorry I can't answer that nitehawk, the drive is already formatted and a bunch of data lost.
I'm on my way to installing Red Hat so I will have many questions by that time, so we'll be meeting again.
Thanks anyway
Luciano from ARGENTINA
 