
Another Backdoor.sdbot attack

Discussion in 'Virus & Other Malware Removal' started by Luchio3120, Oct 2, 2003.

Thread Status:
Not open for further replies.
  1. Luchio3120

    Luchio3120 Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    8
    I have read the messages of some guys having the same trouble I have, and I will post my HijackThis log file so you guys can help me.
    My PC is working really slowly and I need it for work, so I appreciate your help.
    Besides, do you have some info about NAV doing something about this?
    Thanks a lot for your help, EXCELLENT WEBSITE
    Luciano from Argentina


    Logfile of HijackThis v1.97.2
    Scan saved at 13:50:35, on 02/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.exe
    C:\Archivos de programa\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\System32.exe
    C:\WINDOWS\litleozy.exe
    C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Archivos de programa\Messenger Plus! Extension\MsgPlus.exe
    C:\ARCHIV~1\Save\Save.exe
    C:\WINDOWS\tcposmod.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\ARCHIV~1\Norton AntiVirus\Cfgwiz.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
    C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\KMaestro\Key_s.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Archivos de programa\Norton Internet Security\ccPxySvc.exe
    C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    C:\KMaestro\WTS_KEY.EXE
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\ARCHIV~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Luciano Antozzi\Configuración local\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
    F1 - win.ini: run=litleozy.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Archivos de programa\DAP\DAPIEBar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Archivos de programa\DAP\DAPIEBar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [WheelMouse] C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Archivos de programa\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [Microsoft Tray] C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus] "C:\Archivos de programa\Messenger Plus! Extension\MsgPlus.exe"
    O4 - HKLM\..\Run: [WhenUSave] C:\ARCHIV~1\Save\Save.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
    O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\ARCHIV~1\Norton AntiVirus\Cfgwiz.exe /R
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARCHIV~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://www.geocities.com/persona27423/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
    O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{24273686-0F91-4A5C-8640-513A8C46A8F4}: NameServer = 200.45.191.35 200.45.191.40
    O17 - HKLM\System\CS1\Services\Tcpip\..\{24273686-0F91-4A5C-8640-513A8C46A8F4}: NameServer = 200.45.191.35 200.45.191.40
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Welcome to T.S.G., Luciano :) You have some bad stuff there, my friend.

    Run HijackThis again and put a checkmark against these entries... double check
    in case you miss anything...
    ... then close all browser and Outlook windows and "Fix checked":


    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

    F1 - win.ini: run=litleozy.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKLM\..\Run: [Microsoft Tray] C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe

    O4 - HKLM\..\Run: [WhenUSave] C:\ARCHIV~1\Save\Save.exe

    O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe

    O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://www.geocities.com/persona27423/loader.cab

    Reboot into safe mode (by tapping the F8 key as Windows boots)
    and delete:
    C:\Archivos de programa\Save
    C:\WINDOWS\tcposmod.exe
    C:\WINDOWS\litleozy.exe
    C:\WINDOWS\System32\System32.exe
    C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe

    And I would update Norton, because it's just not doing its job.

    Do an online A/V scan here: http://housecall.trendmicro.com/
    and let us know the result.

    ;)
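The entries $teve picked out above are not random: the F0/F2 lines add a second program to the Winlogon Shell, the F1 line uses the ancient win.ini run= autostart, the O4 entries point into a P2P download folder or wear a "Microsoft" label on a non-Microsoft file, and the two O16 lines are ActiveX controls fetched from a raw IP address and from a free-hosting site. As an added example, not part of the thread and not HijackThis code, the Python below applies those same rules to lines copied from Luciano's first log and splits the result into "fix" (tick it in HijackThis) and "review" (a human confirms first). The download-folder names, the free-hosting list and the WhenU adware hint are assumptions made for the example, not a published signature set.

```python
"""HijackThis v1.97 log triage: added example for this thread, not code from
HijackThis or any poster.  Rules follow the reasoning behind $teve's picks;
DOWNLOAD_DIRS, FREE_HOSTS and ADWARE_HINTS are assumptions, not a signature set."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Lines copied from the first log in the thread, benign ones included.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
F1 - win.ini: run=litleozy.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O4 - HKLM\..\Run: [WheelMouse] C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe
O4 - HKLM\..\Run: [WhenUSave] C:\ARCHIV~1\Save\Save.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\tcposmod.exe
O16 - DPF: {8100A35F-FFA1-471F-AC9A-2A8847BE78DF} (IberoDialer Class) - http://213.201.69.103/data/dialercab/DialerDLLRTB.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://www.geocities.com/persona27423/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")
DOWNLOAD_DIRS = ("\\incoming\\", "\\temp\\", "\\downloads\\")  # assumption
FREE_HOSTS = ("geocities.com",)                                 # assumption
ADWARE_HINTS = {"whenusave": "WhenU Save adware"}               # assumption


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "fix": tick it in HijackThis; "review": a human confirms first
    line: str
    reason: str


def _check_shell(body):
    # F0 is system.ini, F2 the registry Winlogon Shell value XP actually reads;
    # anything after a bare Explorer.exe is a second program run at every logon.
    if "Shell=" not in body or body.split("Shell=", 1)[1].lower().split() == ["explorer.exe"]:
        return None
    return "fix", "Winlogon Shell starts an extra program alongside Explorer.exe"


def _check_winini(body):
    # F1 is win.ini [windows] load=/run=, a pre-Win95 autostart; run= with a bare
    # name in C:\WINDOWS is the worm pattern, load= is sometimes a scanner driver.
    if "win.ini: " not in body:
        return None
    if body.split("win.ini: ", 1)[1].partition("=")[0] == "run":
        return "fix", "legacy win.ini run= autostart; no current software needs it"
    return "review", "legacy win.ini load= autostart; confirm the program is wanted"


def _check_run_key(body):
    m = O4_RE.match(body)
    if not m:                                  # Global Startup .lnk lines and the like
        return None
    name, cmd = m.group("name").lower(), m.group("cmd")
    low = cmd.strip('"').split('"')[0].lower()  # path without quotes or arguments
    fix, review = [], []
    if any(d in low for d in DOWNLOAD_DIRS):
        fix.append("autostart points into a download or temp folder")
    if name.startswith("microsoft") and "microsoft" not in low and "\\windows\\" not in low:
        fix.append("entry name imitates Microsoft but the file is not Microsoft's")
    fix += [label for hint, label in ADWARE_HINTS.items() if hint in name]
    if WINDIR_ROOT_RE.match(low):
        review.append("executable dropped straight into the Windows folder, not a vendor folder")
    if fix:
        return "fix", "; ".join(fix)
    return ("review", "; ".join(review)) if review else None


def _check_dpf(body):
    m = O16_RE.match(body)
    if not m:
        return None
    host = (urlparse(m.group("url")).hostname or "").lower()
    reasons = []
    if IPV4_RE.match(host):
        reasons.append("ActiveX control downloaded from a raw IP address")
    if any(host == h or host.endswith("." + h) for h in FREE_HOSTS):
        reasons.append("ActiveX control hosted on a free web-hosting site")
    return ("fix", "; ".join(reasons)) if reasons else None


CHECKS = {"F0": _check_shell, "F2": _check_shell, "F1": _check_winini,
          "O4": _check_run_key, "O16": _check_dpf}


def triage(log_text):
    """One Finding per suspicious line, in log order; clean lines produce none."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("sec") not in CHECKS:
            continue
        verdict = CHECKS[m.group("sec")](m.group("body"))
        if verdict:
            findings.append(Finding(m.group("sec"), verdict[0], raw.strip(), verdict[1]))
    return findings
```

Call triage(SAMPLE_LOG) to get the findings; the "fix" lines are the ones to tick before "Fix checked". Note that tcposmod.exe only rates "review": the only thing against it in the log is that it sits directly in C:\WINDOWS, and so does UpdReg.EXE, which is normally Creative Labs' registration reminder and which $teve also had removed. Location is a hint, not proof, which is why the script proposes and the person doing the cleanup decides.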
     
  3. Luchio3120

    Luchio3120 Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    8
    Thanks a lot $teve, I have done everything but ran into one problem: when I restart in safe mode and try to delete the "C:\Archivos de programa\eMule\Incoming\Hotmail_password_CRACKED.exe" file, it's not there. And I couldn't find it anywhere, so I didn't delete it.
    Except for that, everything was fine. I restarted the PC and the NAV warnings about the viruses didn't appear anymore.
    The Trend Micro scan found 31 viruses. 30 of them I could clean and delete, but one is still there; it's called Worm Hybris B.
    When I try to delete or clean it, it says it's in use and cannot be accessed. I think that's my last problem.
    Just in case, I leave you another HijackThis log file to check if everything is OK.
    Thanks again.
    You guys are awesome, Luciano. ARGENTINA
    Logfile of HijackThis v1.97.2
    Scan saved at 14:31:23, on 03/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\Archivos de programa\Norton Internet Security\NISUM.EXE
    C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Archivos de programa\Messenger Plus! Extension\MsgPlus.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\ARCHIV~1\Norton AntiVirus\Cfgwiz.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
    C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\KMaestro\Key_s.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Archivos de programa\Norton Internet Security\ccPxySvc.exe
    C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    C:\KMaestro\WTS_KEY.EXE
    C:\Archivos de programa\eMule\emule.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\ARCHIV~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Luciano Antozzi\Configuración local\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F1 - win.ini: load=C:\WINDOWS\TWAIN_32\Vivid\VIVID.EXE
    O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Archivos de programa\DAP\DAPBHO.dll
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Archivos de programa\DAP\DAPIEBar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Archivos de programa\DAP\DAPIEBar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [WheelMouse] C:\ARCHIV~1\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Archivos de programa\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [MessengerPlus] "C:\Archivos de programa\Messenger Plus! Extension\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\ARCHIV~1\Norton AntiVirus\Cfgwiz.exe /R
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [ATI Remote Control] C:\Archivos de programa\ATI Multimedia\RemCtrl\ATIX10.exe
    O4 - HKLM\..\RunOnce: [NAVNTSeq] C:\DOCUME~1\LUCIAN~1\CONFIG~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\LUCIAN~1\CONFIG~1\Temp\NAVNTLUProdRg.ini /s:SPW_Set_Sequence
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\ARCHIV~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Download with &DAP - C:\ARCHIV~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\ARCHIV~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/windows-ie/en/AMClient.cab
    O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{24273686-0F91-4A5C-8640-513A8C46A8F4}: NameServer = 200.45.191.35 200.45.191.40
    O17 - HKLM\System\CS1\Services\Tcpip\..\{24273686-0F91-4A5C-8640-513A8C46A8F4}: NameServer = 200.45.191.35 200.45.191.40
     
  4. chab

    chab

    Joined:
    Jul 21, 2002
    Messages:
    87
    Steve, a quick question. It looks like he was running Norton AntiVirus. How come that didn't catch his problems but the Trend online scan did?
     
  5. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    chab, could be that the virus definitions weren't up to date.
     
  6. Luchio3120

    Luchio3120 Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    8
    Hi guys,
    Any ideas about what to do with that virus and the file I couldn't find??
    Some new info: my NAV hasn't been working for a while. I can't use it to scan my drives, and I can't uninstall it or reinstall it, so that's the reason for so many viruses. It only works by giving me warnings about viruses already on my drives that cannot be deleted or fixed. It sucks.
    Thanks,
    Luciano from Argentina
     
  7. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Not following you on the NAV problem. What happens when you try to scan? Is it even up to date?
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    chab... Norton has been missing a few things lately. No slur on Symantec, it's probably their turn to follow for a change.

    Also it helps if Norton is running correctly and updating.
     
  9. Luchio3120

    Luchio3120 Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    8
    Again guys, NAV ain't working at all. I have been trying to uninstall it, delete it or blow it up, but I just can't. It gives me a message that I'm not the supervisor, and I can't do anything else, even though I am the only user and there are no other accounts.
    Thanks
    Luciano
     
  10. Luchio3120

    Luchio3120 Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    8
    AcaCandy, I can't update or scan. That's why I'm using the online scans. I'm gonna read something about the troubles uninstalling the AV and firewall, so I can try another one. Any recommendations about which one I should choose??
    Thanks
    Luciano
     
  11. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    As for the one remaining virus, by any chance is it located in the System Restore folder? If so, you will have to disable System Restore, run the virus scan and fix it, then re-enable System Restore and set a new restore point.

    How to disable or enable System Restore in Windows XP
     
  12. Luchio3120

    Luchio3120 Thread Starter

    Joined:
    Oct 2, 2003
    Messages:
    8
    Sorry, I can't answer that, NiteHawk; the drive is already formatted and a bunch of data lost.
    I'm on my way to installing Red Hat, so I will have many questions by then, so we'll be meeting again.
    Thanks anyway
    Luciano from ARGENTINA
     
Short URL to this thread: https://techguy.org/169043
