View Full Version : Agobot and Sdbot - Help Please


TeeS
24th Jul 2004, 01:59
Hi, trying to fix a friend's Sony Laptop. I have managed to rid it of a couple of Sasser variants, however I am stuck with:

"IRC/Backdoor.SdBot.22.AA" in C:\windows\system32\windates.exe

and

"Worm/Agobot.20.AN" in C:\windows\system32\sysconf.exe

I have tried Norton Antivirus several times but it does not seem to want to register on the Internet or update its database. AVG has been quite happy to find them but can not get rid of, or even move, the offending items.

Several hours on and I am out of ideas, is it a format and start from scratch or is there anything else I can do?

I am reasonably competent at tinkering but am no expert.

Cheers

TeeS

slj
24th Jul 2004, 04:34
Tees

Try

http://www.f-secure.com/v-descs/sdbot_mb.shtml for sdbot

http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=59264 for agobot

You could also consider using AVG as an anti-virus programme, Sygate as a firewall and Mailwasher to vet your e-mails, allowing the opportunity to be rid of virus attachments and others before opening your e-mail programme. Spybot and Adaware are also necessary today as a means of getting rid of spyware.

Make sure you regularly use the free update facility offered by some of these utilities.

All are good and better still free.

E-Liam
24th Jul 2004, 10:01
Hi TeeS,

Please download 'Hijack This!' from here (http://www.thespykiller.co.uk/), unzip, and place it in its own folder (not in the temp folder, or on the desktop). Double-click HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give me a rundown of what’s going on in your PC. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Cheers

Liam
---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals (http://asap.maddoktor2.com/) since 2004.

TeeS
24th Jul 2004, 10:51
Hi, Thanks everyone

Liam, here is the report;

Logfile of HijackThis v1.98.0
Scan saved at 11:39:18, on 24/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\WINDOWS\System32\windates.exe
C:\WINDOWS\System32\sysconf.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\rasautou.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oneview.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oneview.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.oneview.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Oneview.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows Updater] windates.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.oneview.net
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com

E-Liam
24th Jul 2004, 12:12
Hi TeeS,

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button…

O4 - HKLM\..\Run: [Microsoft Windows Updater] windates.exe

O4 - HKLM\..\Run: [Video Process] sysconf.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Updater] windates.exe

O4 - HKLM\..\RunServices: [Video Process] sysconf.exe

O4 - HKCU\..\Run: [Microsoft Windows Updater] windates.exe

O4 - Global Startup: Exif Launcher.lnk = ?

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself. Next please find and delete the following bolded files...

C:\WINDOWS\System32\windates.exe

C:\WINDOWS\System32\sysconf.exe

Then please boot back into normal mode and download AdAware 6 181 from here (http://www.lavasoftusa.com/support/download/).

Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.

Now to set it up for optimum performance...

Make sure the following settings are configured. Remember that ON=GREEN.

From main window click Start | Activate in-depth scan.

Then click Use custom scanning options | Customize and have these options switched ON...

Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files

Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..

Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.

and uncheck..

Automatically try to unregister objects prior to deletion.

Then click Proceed, to save your settings.

Now click the Scan button.

When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.


Next, reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de): if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.

Cheers

Liam

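As an added illustration (not part of the thread, and not HijackThis code), this is the triage rule behind the O4 entries Liam singles out, run over the autorun lines from the first log posted above: an autorun that points to a bare file name (so Windows resolves it from the search path, typically System32) and is registered in more than one autorun location, or under RunServices at all, is the odd one out. The sample lines are copied from the thread's log; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the registry and startup O4 lines from the first HijackThis log in the thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows Updater] windates.exe
O4 - Global Startup: Exif Launcher.lnk = ?
"""

# Matches "O4 - <hive>\..\<key>: [<label>] <command line>"; Global Startup lines do not match.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$')


def parse_o4(log_text):
    """Return (hive, key, label, image) tuples for each registry O4 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, label, cmd = m.groups()
        if cmd.startswith('"'):            # quoted path, possibly followed by arguments
            image = cmd[1:cmd.index('"', 1)]
        else:                              # unquoted: first token is the image
            image = cmd.split()[0]
        entries.append((hive, key, label, image))
    return entries


def suspicious_autoruns(log_text):
    """Map image name -> sorted autorun locations for bare-name images that are registered
    in more than one location, or under RunServices (a Win9x key rarely used on XP)."""
    locations = defaultdict(set)
    for hive, key, _label, image in parse_o4(log_text):
        if '\\' not in image:              # bare file name, no directory given
            locations[image.lower()].add(f'{hive}\\{key}')
    return {img: sorted(locs) for img, locs in locations.items()
            if len(locs) > 1 or any(loc.endswith('RunServices') for loc in locs)}


if __name__ == '__main__':
    for image, locs in suspicious_autoruns(SAMPLE_LOG).items():
        print(f'{image}: {", ".join(locs)}')
```

Against the sample it reports windates.exe and sysconf.exe only; Atiptaxx.exe and ICO.EXE are also bare names but sit in a single Run key, which matches what Liam left alone.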
TeeS
24th Jul 2004, 12:17
Liam, thanks for the info, it will be this evening before I can get the time to do that, otherwise I have to pay for a divorce!!

Appreciate your effort.

Cheers

TeeS

TeeS
25th Jul 2004, 00:48
Liam

Think I have done that, here is the latest log.

Logfile of HijackThis v1.98.0
Scan saved at 01:44:15, on 25/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oneview.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oneview.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.oneview.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Oneview.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.oneview.net
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Cheers

TeeS

E-Liam
25th Jul 2004, 09:31
Hi TeeS,

That's a clean log. :ok:

I assume that AVG no longer gives you any warnings now?

Cheers

Liam

TeeS
25th Jul 2004, 15:34
Sadly, I just re-booted and AVG came straight up with a warning of "Worm/Lovsa.A" in C:\Windows\system32\TFTP2024. The system then tried to shut down, I aborted the shutdown with a "shutdown.exe -a" command.

This is the latest log. Any ideas?

Logfile of HijackThis v1.98.0
Scan saved at 16:32:19, on 25/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oneview.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oneview.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.oneview.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Oneview.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.oneview.net
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517A7010-78D0-4FCE-8BF7-A27BEA4F725F}: NameServer = 195.92.195.94 195.92.195.95
Cheers

TeeS

E-Liam
25th Jul 2004, 18:37
Hi TeeS,

If AVG has recognised it, it should have been able to delete it??

This virus is a year old, and to be honest I thought I'd seen the last of it. It seems strange that it resides as TFTP2024, as that is usually an indication of the Spybot virus. :confused: :)

I do notice that you haven't got SP1 for either IE or XP, so your machine is in severe need of some Windows updates.

I'll assume that it is Lovsan for now, so the first thing you need to do is to download the Fixblast (http://securityresponse.symantec.com/avcenter/FixBlast.exe) tool. Next, switch off system restore, close all programs and run fixblast.

Reboot and set a new restore point. See here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039) for info.

Once done, you need to go here (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp) and download the security patch. It'll be in one of the cumulative patches in the next bit of info now, but I'd get it anyway.

Then it's vital that you go here (http://v4.windowsupdate.microsoft.com/en/default.asp), click Scan for updates in the main frame, and download and install all CRITICAL updates recommended. If you're on dial-up, then it'll take a while (SP1 for XP alone is around 4 hours at 56K) so I'd do it overnight, or when you're at work. Check also, to see whether you have to download any separately, as is the case with SP1 for XP.

Then reboot a couple of times and let me know if you still have any reports coming up.

Cheers

Liam

TeeS
25th Jul 2004, 22:32
Liam, once again thanks for your help. Your instructions left the machine much more stable, I then ran AVG, AdAware and SpyBot again. Both AVG and Spybot removed yet more items! I reloaded Norton Internet Security and this time it managed to complete its live update. Norton found TFTP2740 W32.Spybot.worm and deleted it.

The machine now seems clean and I have also found a directory with what appears to be service packs 1 and 2, I will give those a go and then hand the machine back to its owner - apparently he recently bought it second hand and has only used it on the Internet for less than an hour.

Thanks again

TeeS

E-Liam
26th Jul 2004, 09:50
You're welcome TeeS, :ok: :)

Cheers

Liam