1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

worm/sybot

Discussion in 'Windows XP' started by wendytyo, Sep 21, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. wendytyo

    wendytyo Thread Starter

    Joined:
    Jun 6, 2001
    Messages:
    129
    Hi can anyone help me i have a worm/spybot C:/system volume information restore i am posting hijackthis log please any one help on how to get rid of this would be helpful thanks wendy

    Logfile of HijackThis v1.97.2
    Scan saved at 9:05:50 PM, on 9/21/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\kdx\KHost.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jody Drake\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [MSConfig] NRRQQDSAWN.EXE
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: root.bat
    O4 - Global Startup: TFTP1516
    O4 - Global Startup: TFTP1560
    O4 - Global Startup: TFTP1656
    O4 - Global Startup: TFTP1976
    O4 - Global Startup: TFTP612
    O4 - Global Startup: TFTP636
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/kontiki/kontiki/current/kdx.cab
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    You have much more than a worm in your Restore folder.

    Do this for a start:

    Start your computer in Safe Mode, launch Windows Explorer, and navigate to your Global Startup folder, typically C:\Documents and Settings\All Users\Start Menu\Programs\Startup.

    Remove the following files you'll find in there:

    TFTP1516
    TFTP1560
    TFTP1656
    TFTP1976
    TFTP612
    TFTP636


    Now run Hijack This, and have it fix the following:



    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)

    O4 - HKLM\..\Run: [MSConfig] NRRQQDSAWN.EXE



    Restart your computer normally.

    Do a Find Files for and delete that NRRQQDSAWN.EXE file (it may not be there any more)

    About these files in your Startup folder, they are installers for the notorious MSblaster worm, which in turn means your computer is wide open to all manner of malicious exploits.

    You're running a positively antiquated version of Internet Explorer.

    It would be a VERY good idea to upgrade to Internet Explorer 6.0 SP1.
    Next, go to the Windows Update site, and download and install ALL security patches on offer, ESPECIALLY the RPC vulnerability patch, the Cumulative updates for IE and OE, and the Java/VM update.
    That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

    Also, do you have any information on the following startup entry?

    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

    Does this sound familiar?

    http://forums.gamespot.com/gamespot/board/message?board.id=gs_techsupport&message.id=2443

    As for the SpyBot worm in your Restore folder, that's the least of your problems:

    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check Turn off System Restore.
    5. Click Apply, and then click OK.
    6. Restart the computer.

    All data, including your virus, will be purged from the restore folder.

    7. Run your antivirus once more.

    After rebooting, re-enable System Restore, and create a fresh Restore point right away.


    Good luck,
     
  3. wendytyo

    wendytyo Thread Starter

    Joined:
    Jun 6, 2001
    Messages:
    129
  4. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    What you should do, is run Hijack This, and have it fix this item:

    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe

    And as you don't know what exactly it is, would you please send me a copy of the contents of that C:\WINDOWS\kdx folder for analysis, please?
    If it is indeed a baddie, we'd certainly like to forward copies to the developers ASAP!

    We'd appreciate it! :)

    I'll keep you posted on what it is, and on what to do with it (although maybe not right away, as it's already 4.20 AM over here... :( )
     
  5. wendytyo

    wendytyo Thread Starter

    Joined:
    Jun 6, 2001
    Messages:
    129
    Thanks tony i sent the file requested let me know what it is also what is a baddie
     
  6. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Thanks Wendy.

    What you sent me was not the file itself, but the contents of one them.

    It's indeed part of a former KonTiki install, more precisely the Secure Delivery Plug In

    It's OK to have Hijack This fix that item, then restart your computer, and delete that KDX folder
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/166483

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice