FullZombie

MySpace/AIM Virus

That probably would not be a bad idea. If the entries don't show on HijackThis in safe mode, go ahead and delete the files anyway and then in normal mode you should be able to see the entries on the log to delete.


I tried in normal, but there were some files (most notably the cfg32.exe and cfg32a.exe files) that I could not delete. In Safe Mode, I was able to kill them. Here's the new HijackThis log after a reboot.

-----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:03:30 PM, on 5/15/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\mHotkey.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\eMachines\Desktop\antiv\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147654398013
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147654389045
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

-----------------------------------------------------------------------------

How do I look now?

-Full Zombie


Scan with HijackThis and *fix* this one:

O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe (file missing)

If it won't fix or still appears in the HijackThis scan, please go to Start > Run and type in the box: services.msc

Scroll down and find the service name:

Service: Microsoft DLL Registration Component (DLLReg)

If it is running, please first *stop* the service and then change the start type to disabled.

Then try fixing it again and it should go.

Let me know how you make out.

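The log posted above and the fix procedure in this reply can be partly automated. The following Python script is an added example, not part of the original thread and not HijackThis's own code: it parses lines in the HijackThis 1.99.1 log format and flags the entry types that mattered here, namely O23 services whose binary is gone ("(file missing)"), O23 services with no vendor whose binary sits directly in the Windows root rather than System32 or a vendor folder (the DLLReg/regsvr32.exe case), and O4 Run entries given as a bare filename. The rule set, the assumed Windows directory C:\WINDOWS, and the sample lines are assumptions/constructed for illustration; the suggested remedy uses the standard sc.exe syntax for stopping and disabling a service.

```python
"""Triage a HijackThis 1.99.1 log for the entry types discussed above.

Added example, not part of the original thread or of HijackThis itself.
The rules below and WINDOWS_ROOT are assumptions for illustration.
"""
import re
from dataclasses import dataclass

WINDOWS_ROOT = r"c:\windows"   # assumption: default XP install directory

# Constructed sample: a few lines in the format of the log above, not the full log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Microsoft DLL Registration Component (DLLReg) - Unknown owner - C:\WINDOWS\regsvr32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")            # where the service path starts
EXE_RE = re.compile(r"(?i)^(?P<exe>.*?\.exe)")   # path up to the executable


@dataclass
class Finding:
    kind: str      # HijackThis section, e.g. "O23"
    subject: str   # service display name or Run-key label
    reason: str
    remedy: str    # illustrative suggestion, not a HijackThis feature


def parse_service(body):
    """Split 'Service: <name> - <owner> - <path...>'; the owner may be empty."""
    m = DRIVE_RE.search(body)
    if not body.startswith("Service: ") or not m:
        return None
    head = body[len("Service: "):m.start()].rstrip(" -")
    name, _, owner = head.partition(" - ")
    return name, owner, body[m.start():]


def exe_dir(path):
    """Lower-cased directory of the .exe in a service path (args and markers dropped)."""
    m = EXE_RE.match(path.lstrip('"'))
    return m.group("exe").rsplit("\\", 1)[0].lower() if m else ""


def short_name(display_name):
    """'... (DLLReg)' -> 'DLLReg'; otherwise the display name itself."""
    m = re.search(r"\(([^()]+)\)\s*$", display_name)
    return m.group(1) if m else display_name


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O23":
            parsed = parse_service(body)
            if not parsed:
                continue
            name, owner, path = parsed
            svc = short_name(name)
            remedy = (f'sc stop "{svc}" & sc config "{svc}" start= disabled, '
                      f"then fix the O23 entry in HijackThis")
            if "(file missing)" in path:
                findings.append(Finding(kind, name,
                    "registry still points at a binary that is no longer on disk", remedy))
            if owner.strip("- ").lower() in ("", "unknown owner") and exe_dir(path) == WINDOWS_ROOT:
                findings.append(Finding(kind, name,
                    "no vendor and binary directly in the Windows root, not System32 or a vendor folder",
                    remedy))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r and "\\" not in r.group("cmd"):
                findings.append(Finding(kind, r.group("label"),
                    "bare filename with no path; verify which copy on the search path actually runs",
                    "check the file's location and version before deciding"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.subject}: {f.reason} -> {f.remedy}")
```

Run on the sample, the DLLReg service is reported twice (missing binary, and an unowned binary directly under C:\WINDOWS), the avast! Mail Scanner entry once (missing binary only, since it lives under Program Files), and the bare SOUNDMAN.EXE Run entry once for a manual check; the HP and SmartLink services in System32 are not reported.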

I found and disabled it (it was not running), and reran HijackThis... but now it's not in the HijackThis log. I did check it to be fixed in my previous runs of HijackThis, but now it's not there at all to check. Is this good or bad?

-Full Zombie


No, that's good if it is no longer there. That was the entry in the registry and the file was previously removed by Ewido...however!

FYI, what that entry and file were:

C:\WINDOWS\regsvr32.exe -> Backdoor.SdBot.aad : Cleaned with backup

SDbot backdoor remote access trojans = very bad! That means the computer was open to a remote attacker and anything on the PC could have been compromised or stolen. They often contain keyloggers and password stealers as well as send out from the infected PC... credit card info, personal information, anything stored on that PC. If your girlfriend had anything of a sensitive nature she needs to take any and all precautions with her accounts, credit cards, financial info, etc. Change all accounts and passwords.

In many cases, the security settings may have also been reset by the attacker to allow re-access to the machine or future infection by malware.

Most often, the only way to be sure it's trustworthy is to reformat/reinstall (if that is possible - you would need the install CDs and backup important data to removable media, but scan all of it before reloading).

What is a backdoor or remote access trojan?

Read this article.

Danger: Remote Access Trojans

http://www.microsoft.com/technet/security/...o/virusrat.mspx

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When should I re-format? How should I reinstall?

http://www.dslreports.com/faq/10063


Well, we don't do ANY banking with this PC, and most of the passwords have been changed. Others are being changed as I type this.

I'm reading what I can of the links you gave now, and will continue to read them when I have time, but what I'm wondering is this... Is it possible that something was put on my computer that will allow the hacker that originated this virus/worm to get back in without me knowing? And if so, what can I do to properly protect myself from this?

And of course, THANK YOU! Thanks very, very much for all of your help. I still feel like a pretty green novice, but I think I've learned a lot. Thanks!

-Full Zombie


One last thing... we got the virus from a friend who was infected and it sent itself via AIM. He got it from a friend of his that was similarly infected. I'm not certain how far the chain goes back to the originator of the program, but I was curious what the chances are that the original hacker even knew that my particular computer had the virus on it. Would something have been sent to them to let them know?

-Full Zombie

Well, we don't do ANY banking with this PC, and most of the passwords have been changed. Others are being changed as I type this.

Good!

Is it possible that something was put on my computer that will allow the hacker that originated this virus/worm to get back in without me knowing? And if so, what can I do to properly protect myself from this?

Yes, quite possible. When you read the links you will see that the best protection is a reformat/reinstall. Protection from future attacks on a fresh install is prevention in the first place. I think I gave you that in one of my replies already (and a lot of this would apply to remote access trojans, viruses, etc. as well):

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

Advise your gf about clicking on links in instant messages, email, etc. Even if they appear to come from a trusted friend, it could be that the friend's PC is infected and the virus/trojan is sending the link without the friend's knowledge (of course, that is how all of this works....social engineering fools many people)

And of course, THANK YOU! Thanks very, very much for all of your help. I still feel like a pretty green novice, but I think I've learned a lot. Thanks!

-Full Zombie

You're quite welcome :)

Glad we could help!

One last thing... we got the virus from a friend who was infected and it sent itself via AIM. He got it from a friend of his that was similarly infected. I'm not certain how far the chain goes back to the originator of the program, but I was curious what the chances are that the original hacker even knew that my particular computer had the virus on it. Would something have been sent to them to let them know?

-Full Zombie

Usually, it connects to a remote IRC channel and her PC announced its presence to any attacker watching.

Sometimes, the PC will send the info from her PC OUT to a server owned by the hacker.

All of this is done without any traces of what was sent and is all unknown to the PC owner. That's the dangerous part about remote access trojans.

There are thousands of variants of the SDbot trojan.

Having the latest Windows critical security updates and an up-to-date Antivirus program should help in most cases for future prevention, but some safe computing habits and watching out for social engineering tricks used in email and instant messages are also critical. She got fooled by a trojan into clicking on that link and got her own PC infected.

What Antivirus program are you using and is it a current version? Is it on automatic updates? It is also possible the trojan damaged that and the firewall as well. That is also typical of the SDbot variants.

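The IRC check-in described in the reply above is something you can look for on a live machine. The following Python script is an added example, not part of the original thread: it reads output in the shape of "netstat -ano" on Windows XP, joins the PID column to a PID-to-image map (what "tasklist" would give), and flags established TCP connections to IRC ports as well as connections from processes that have no business reaching the internet. The IRC port set, the allowlist of expected clients (taken from the processes in the log above), and the netstat sample are assumptions/constructed for illustration; the sample uses RFC 5737 documentation addresses rather than real hosts.

```python
"""Spot bot-style command-and-control traffic in 'netstat -ano' output.

Added example, not part of the original thread. IRC_PORTS, EXPECTED_CLIENTS
and the sample data are assumptions/constructed for illustration.
"""
import re
from dataclasses import dataclass

IRC_PORTS = set(range(6665, 6670)) | {7000}   # assumption: common IRC server ports

# Assumption: processes from the log above that legitimately talk to the internet.
EXPECTED_CLIENTS = {"iexplore.exe", "aim.exe", "icq.exe", "ares.exe", "wuauclt.exe",
                    "ashwebsv.exe", "ashmaisv.exe"}

# Constructed sample in the shape of 'netstat -ano' on Windows XP.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       512
  TCP    192.168.1.5:1043       192.0.2.10:80          ESTABLISHED     1504
  TCP    192.168.1.5:1051       203.0.113.7:6667       ESTABLISHED     1688
  TCP    192.168.1.5:1060       198.51.100.20:8080     ESTABLISHED     1688
  TCP    192.168.1.5:1077       192.0.2.55:5190        ESTABLISHED     1720
  UDP    0.0.0.0:445            *:*                                    4
"""
# Constructed PID -> image map, as 'tasklist' would report it.
SAMPLE_PIDS = {4: "System", 512: "sqlservr.exe", 1504: "iexplore.exe",
               1688: "regsvr32.exe", 1720: "aim.exe"}

# proto, local, remote, optional state (UDP rows have none), pid
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


@dataclass
class Alert:
    pid: int
    image: str
    remote: str
    severity: str   # "high" or "review"
    reason: str


def suspicious_connections(netstat_text, pid_to_image, expected=EXPECTED_CLIENTS):
    """Return alerts for established TCP connections worth a second look."""
    alerts = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _local, remote, state, pid = m.groups()
        if proto != "TCP" or state != "ESTABLISHED":
            continue                      # listeners and UDP are out of scope here
        port = int(remote.rsplit(":", 1)[1])
        pid = int(pid)
        image = pid_to_image.get(pid, "<unknown>")
        if port in IRC_PORTS:
            alerts.append(Alert(pid, image, remote, "high",
                                "outbound connection to an IRC port; SDbot-style bots take commands over IRC"))
        elif image.lower() not in expected:
            alerts.append(Alert(pid, image, remote, "review",
                                "established connection from a process not expected to reach the internet"))
    return alerts


if __name__ == "__main__":
    for a in suspicious_connections(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"[{a.severity}] pid {a.pid} {a.image} -> {a.remote}: {a.reason}")
```

On the sample, the regsvr32.exe process (the same image name as the DLLReg service earlier in the thread) is reported twice: once as high for its 6667 connection and once for review for an 8080 connection, while the browser and AIM connections pass. A bot on a non-standard port would only show up through the second rule, which is why the process-to-connection join matters more than the port list.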