Agobot and Sdbot - Help Please
Hi, trying to fix a friend's Sony Laptop. I have managed to rid it of a couple of Sasser variants, however I am stuck with:
"IRC/Backdoor.SdBot.22.AA" in C:\windows\system32\windates.exe and "Worm/Agobot.20.AN" in C:\windows\system32\sysconf.exe. I have tried Norton Antivirus several times but it does not seem to want to register on the Internet or update its database. AVG has been quite happy to find them but cannot get rid of, or even move, the offending items. Several hours on and I am out of ideas; is it a format and start from scratch, or is there anything else I can do? I am reasonably competent at tinkering but am no expert. Cheers TeeS
Tees
Try http://www.f-secure.com/v-descs/sdbot_mb.shtml for sdbot and http://www3.ca.com/securityadvisor/n...aspx?cid=59264 for agobot. You could also consider using AVG as an antivirus programme, Sygate as a firewall and Mailwasher to vet your e-mails, allowing the opportunity to be rid of virus attachments and others before opening your e-mail programme. Spybot and Adaware are also necessary today as a means of getting rid of spyware. Make sure you regularly use the free update facility offered by some of these utilities. All are good and, better still, free.
Hi TeeS,
Please download 'Hijack This!' from here, unzip, and place it in its own folder (not in the temp folder, or on the desktop), doubleclick HijackThis.exe, and hit "Scan". When the scan is finished, click "Save Log", and copy and paste it in a reply. This will give me a rundown of what's going on in your PC. Don't fix anything yourself yet, as a lot of the stuff on that list will be harmless or required. Cheers Liam
---------------------------------------------------------------------------------
A member of the Alliance of Security Analysis Professionals since 2004.
Hi, Thanks everyone
Liam, here is the report;

Logfile of HijackThis v1.98.0
Scan saved at 11:39:18, on 24/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\WINDOWS\System32\windates.exe
C:\WINDOWS\System32\sysconf.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\rasautou.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oneview.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oneview.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.oneview.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Oneview.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows Updater] windates.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.oneview.net
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
Hi TeeS,
Please run a new HJT! scan, and check to fix the following entries, being sure to double check that you haven't missed any. Next, close all browser windows and click the Fix checked button...

O4 - HKLM\..\Run: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKCU\..\Run: [Microsoft Windows Updater] windates.exe
O4 - Global Startup: Exif Launcher.lnk = ?

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply, then OK.

Then boot into safe mode (see here for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself.

Next please find and delete the following bolded files...

C:\WINDOWS\System32\windates.exe
C:\WINDOWS\System32\sysconf.exe

Then please boot back into normal mode and download AdAware 6 181 from here. Before you scan with AdAware, check for updates of the reference file by clicking Check for updates now, and following the prompts.

Now to set it up for optimum performance... Make sure the following settings are configured. Remember that ON=GREEN.

From main window click Start | Activate in-depth scan. Then click Use custom scanning options | Customize and have these options switched ON...

Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files

Then click the Settings button (the gear icon on the top row), then Tweak | Scanning engine and check...

Unload recognised processes during scanning.

Cleaning engine:

Let windows remove files in use at next reboot.

and uncheck...

Automatically try to unregister objects prior to deletion.

Then click Proceed, to save your settings. Now click the Scan button. When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them.

Next, reboot again and download Spybot - Search & Destroy 1.3 from here, if you haven't already got the program. Click on Updates | Download Updates, and follow the prompts. Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here, and run the online virus scan, choosing the Autoclean option just before clicking the Scan button.

Then please post a new log for a final once over.

Cheers Liam
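The triage Liam does by eye on the O4 lines of the first log, written up as an added example script (my own code, not something from this thread or from HijackThis): it parses the O4 autorun entries from an excerpt of the log posted above and scores each image on the three signs he acts on: a bare filename instead of a full path, a vendor-sounding display name, and the same binary registered under several autorun locations (HKLM Run, HKLM RunServices, HKCU Run). The MASQUERADE_WORDS list and the scoring thresholds are my own assumptions.

```python
import re
from collections import defaultdict

# Sample input: an excerpt of the first HijackThis v1.98 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\Run: [Video Process] sysconf.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] windates.exe
O4 - HKLM\..\RunServices: [Video Process] sysconf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows Updater] windates.exe
"""

O4_RE = re.compile(r'^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# Vendor-sounding words that bot autoruns borrow for their display names (my assumption).
MASQUERADE_WORDS = ("microsoft", "windows", "update", "system")

def parse_o4(log):
    """Return (autorun_location, display_name, image_basename, is_bare) per O4 line."""
    entries = []
    for m in filter(None, map(O4_RE.match, log.splitlines())):
        hive, key, name, cmd = m.groups()
        # The image is either quoted, or everything up to the first ".exe".
        q = re.match(r'"([^"]+)"|(.*?\.exe)(?=\s|$)', cmd, re.IGNORECASE)
        image = (q.group(1) or q.group(2)) if q else cmd.split()[0]
        is_bare = "\\" not in image   # no path: resolved via the search path, System32 first
        entries.append((hive + "\\..\\" + key, name, image.rsplit("\\", 1)[-1].lower(), is_bare))
    return entries

def triage(log):
    """Score every autorun image; two or more reasons is worth a closer look."""
    groups = defaultdict(list)
    for loc, name, exe, bare in parse_o4(log):
        groups[exe].append((loc, name, bare))
    report = {}
    for exe, hits in groups.items():
        reasons = []
        if any(bare for _, _, bare in hits):
            reasons.append("bare filename, no full path")
        locations = {loc for loc, _, _ in hits}
        if len(locations) >= 2:
            reasons.append("registered in %d autorun locations" % len(locations))
        if any(w in name.lower() for _, name, _ in hits for w in MASQUERADE_WORDS):
            reasons.append("vendor-like display name")
        report[exe] = (len(reasons), reasons)
    return report
```

On the excerpt, windates.exe scores 3 and sysconf.exe 2, while the legitimate bare entry Atiptaxx.exe scores only 1, which is why a single sign on its own is not enough to act on.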
Liam, thanks for the info, it will be this evening before I can get the time to do that, otherwise I have to pay for a divorce!!
Appreciate your effort. Cheers TeeS
Liam
Think I have done that, here is the latest log.

Logfile of HijackThis v1.98.0
Scan saved at 01:44:15, on 25/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oneview.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oneview.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.oneview.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Oneview.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.oneview.net
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

Cheers TeeS
Hi TeeS,
That's a clean log. :ok: I assume that AVG no longer gives you any warnings now? Cheers Liam
Sadly, I just re-booted and AVG came straight up with a warning of "Worm/Lovsa.A" in C:\Windows\system32\TFTP2024. The system then tried to shut down, I aborted the shutdown with a "shutdown.exe -a" command.
This is the latest log. Any ideas?

Logfile of HijackThis v1.98.0
Scan saved at 16:32:19, on 25/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\System32\ICO.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oneview.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oneview.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.oneview.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Oneview.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.oneview.net
O15 - Trusted Zone: *.Sony-europe.com
O15 - Trusted Zone: *.Sonystyle-europe.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{517A7010-78D0-4FCE-8BF7-A27BEA4F725F}: NameServer = 195.92.195.94 195.92.195.95

Cheers TeeS
Hi TeeS,
If AVG has recognised it, it should have been able to delete it?? This virus is a year old, and to be honest I thought I'd seen the last of it. It seems strange that it resides as TFTP2024, as that is usually an indication of the Spybot virus. :confused: :)

I do notice that you haven't got SP1 for either IE or XP, so your machine is in severe need of some Windows updates. I'll assume that it is Lovsan for now, so the first thing you need to do is to download the Fixblast tool. Next, switch off system restore, close all programs and run fixblast. Reboot and set a new restore point. See here for info.

Once done, you need to go here and download the security patch. It'll be in one of the cumulative patches in the next bit of info now, but I'd get it anyway. Then it's vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended. If you're on dial-up, then it'll take a while (SP1 for XP alone is around 4 hours at 56K) so I'd do it overnight, or when you're at work. Check also to see whether you have to download any separately, as is the case with SP1 for XP.

Then reboot a couple of times and let me know if you still have any reports coming up. Cheers Liam
Liam, once again thanks for your help. Your instructions left the machine much more stable, I then ran AVG, AdAware and SpyBot again. Both AVG and Spybot removed yet more items! I reloaded Norton Internet Security and this time it managed to complete its live update. Norton found TFTP2740 W32.Spybot.worm and deleted it.
The machine now seems clean and I have also found a directory with what appears to be service packs 1 and 2, I will give those a go and then hand the machine back to its owner - apparently he recently bought it second hand and has only used it on the Internet for less than an hour. Thanks again TeeS
You're welcome TeeS, :ok: :)
Cheers Liam