Author Topic: Uh Oh !! Please Hellpp !!! Pt. 2  (Read 6948 times)

skoolgirl

  • Guest
Uh Oh !! Please Hellpp !!! Pt. 2
« on: April 24, 2006, 07:47:38 AM »
HI All !!

I'm actually coming from another Avast ! board to this one because it's been determined that it is a worm that is keeping me from updating Avast, AVG, and Spysweeper. It also appears to have hijacked my browser at least once.

The below info** is the last posting i did to the last board. If you are able to help me, please feel free to chime in ! Believe me, your help is and will be appreciated. I'm going to Panda now for a free scan (and hopefully a clean), then i'll come back here and see what's up.

In case you're interested, or you think it may help further, here's the original thread:
http://forum.avast.com/index.php?topic=20745.0

Thank you in advance for your help  :) !
--skoolgirl


**Thanks for all of the info !!

Timcan suggested that i go to Kaspersky and do their online scan. I'm glad i did, because Kaspersky found at least part of what the problem is.

IT IS A WORM !!!

Kaspersky calls it Trojan-Downloader.BAT.Ftp.ab. They didn't seem to have too much info, though. It appears to be a downloaded script that allows the W32/Sdbot worm or the Rhbot worm to run and do what it's going to do.

BitDefender calls it Backdoor.BotGet.FtpB.Gen. Here's the link to the info:
http://www.bitdefender.com/VIRUS-43596-en--Backdoor.BotGet.FtpB.Gen.html

Panda calls it W32/Sdbot.ftp. Here's the link to the info:
http://enterprises.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=vis&idvirus=56244

McAfee calls it W32/Sdbot.worm. Here's the link to the info:
http://vil.nai.com/vil/content/v_100454.htm

So....

Kaspersky doesn't appear to be able to clean this out, but Panda says their free scanner will. I'm going to their site after this to use their scanner and see what shakes out. I'm also going to flip between the three links listed above and see what, if anything, i can figure out in terms of getting this mess out of the registry, and out of my PC.

I appreciate the help of everyone who pitched in here thus far. While i could see why some people may have thought it was a conflict between the antivirus softwares, i just didn't think so for a few reasons:

1) This all started happening on the same day.
2) Spysweeper was also affected on the same day, and that's antispyware. I just don't believe in coincidence.
3) Both A-V programs have been in my PC for well over 6 months. I would think that any conflict between the two would have happened well before now, and
4) The only thing i was doing differently on my PC around this time was downloading.

I'm guessing that whatever worm is doing its thing in here has somehow messed with my ports so that the A-V's and Spysweeper can't connect to the servers to update.

BTW..the error messages and logs from AVG and Avast both referenced problems with the server..that's where i got that from. Otherwise, i wouldn't have had any idea why the programs were not updating.

Thanks to everyone who helped out; i really appreciate it. Hey..if you want to hang out and help me try to weed through all of this stuff (because i am not too proud to admit that i am almost completely without a clue here), i'd be more than appreciative. Of course, i'm aware that you all have lives, so i won't be mad if you choose not to hang out. I'm just hoping that the Panda freescan can do what i need done.

Either way..thanks to all who helped me out on this, and to anyone who wants to continue to help me out. It's greatly appreciated !

--skoolgirl

 
« Last Edit: April 24, 2006, 07:57:35 AM by skoolgirl »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #1 on: April 24, 2006, 08:43:30 AM »
Hi skoolgirl,

I suspect this malware is protected by a rootkit, so no online scanner will remove it.

Can you post a HijackThis! log for us?

http://www.bleepingcomputer.com/tutorials/tutorial42.html

The type of rootkit used by this malware is usually a Windows service which hides malware processes but doesn't hide itself, so it may well show up in the log. If so, it can be removed.

If you are running avast! and AVG together, this is a bad idea because they can conflict and cause problems.

Spiritsongs

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #2 on: April 24, 2006, 08:48:57 AM »
 :)  Hi skoolgirl :

      First off, NEVER have 2 different AVs on the same
      computer, even if one is "disabled". You have an AV
      & at least one antiSPYWARE program; however, to
      "complement" these you should have an anti-TROJAN program
      and we generally recommend the good & FREE "Ewido"
      from www.ewido.net/en . There is a tutorial at :
      www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf
      Weatherbug definitely has adware & some consider it
      spyware; for an adware & spyware free weather program
      use what I have, namely WeatherPulse from :
      http://tropicdesigns.net/weatherpulse.php .
      HijackThis logs are best reviewed by HijackThis Experts,
      who are found on antiSPYWARE forums; therefore, I
      recommend the Experts at www.landzdown.com .
      P2P Programs are notorious for putting spyware on Users'
      machines; it would be a lot safer IF you uninstalled whatever
      you have, then download the "cleaner" Shareaza from
      www.shareaza.com .
« Last Edit: April 24, 2006, 08:56:52 AM by Spiritsongs »

ardvark

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #3 on: April 24, 2006, 09:19:09 AM »
@ FreewheelinFrank...

The HJT Log is at the other post plus I had her run a copy of Blacklight and it found nothing.

@ skoolgirl...

Ouch :( I suspected as much. I suspect that you may have to end up reformatting the hard drive and reinstalling XP. Damage done by viruses is usually very hard to patch up. However, before that and after you are able to get the trojan and its processes (including registry entries) removed from your system you could try running the "chkdsk /r" command at the "run" option in the start menu. This might help but make sure you have a copy of XP (not a restore CD) on hand before you try.

For more info...

http://www.pegasus-afs.com/eSupport/using_CHKDSK.htm

You can also look into...

http://www.michaelstevenstech.com/XPrepairinstall.htm

Good luck :)




skoolgirl

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #4 on: April 24, 2006, 11:20:26 AM »
You know what ???

YOU GUYS ROCK  :) ;D 8) :-* !!!!

Thanks for all of your help and support. I really appreciate it.

Here's an update:

Panda's online scanner found AND removed the W32/Sdbot.ftp worm. I unchecked system restore, ran the scanner again, and nothing was found. I went back and ran Kaspersky's online scanner again for good measure, and this time, nothing was found; everything came up clean  :).

However..i still have some concerns.

I still can't update Avast. Not only am i getting an error message, i'm now getting an icon in the taskbar that looks like a circle made up with a red arrow and a green arrow. I've never seen that before, and i tried to right and left click it to no avail. After the error message came up, that's when the icon disappeared. Any idea what that icon is ??

Also, from what i understand (and i probably don't understand it that well), the script was more like a trigger for the main worm to start acting, and the only thing that was removed from my system was the script. I don't think the main worm is even showing up in the scans.

I wouldn't be surprised at this, because it's happened to me before with the RhBot worm. Trend Micro's PC-Cillin Internet Security 2005 NEVER FOUND IT !! I found it by mistake while perusing my selective startup one day. Not only did PC-Cillin never find it, their tech people couldn't get it off !!! I went through this with the good folks over there for @ 2 months before i got tired of it and uninstalled/reinstalled the OS.

Which brings me to the next question...

I'm going to try all of the options and suggestions given to me here, and yes, from now on, I'M NOT GOING TO INSTALL BOTH AVG AND AVAST  :-[  ;) !!! I get it, LOL !!! I will stick to Avast ONLY !!!!

However, just in case nothing i try works, is it ok to uninstall/reinstall the OS again ? I've had to do so twice within the last 18-20 months, and i want to make sure i'm not going to damage the hard drive or anything else.

In the meantime..i'm taking my butt to bed, because it's 5:15 AM where i am, and i seriously need some sleep. I'll be back here tomorrow to go to each of the links you guys provided and see what else shakes out.

For your viewing pleasure and entertainment  ::), the HijackThis Log is in the next posting.

I thank you all SO MUCH for your time and help. I really appreciate it. I'll be back tomorrow afternoon !!
--skoolgirl

« Last Edit: April 24, 2006, 11:26:20 AM by skoolgirl »

skoolgirl

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #5 on: April 24, 2006, 11:21:25 AM »
Ok..here's the HijackThis! Log:

*NOTE* Nothing is checked off to fix !

Logfile of HijackThis v1.99.1
Scan saved at 8:48:03 PM, on 4/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\MSNAccel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Skoolgirl\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136057227684
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab43895.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8259362C-40DA-4523-8356-C66E06308461}: NameServer = 205.171.3.65 205.171.2.65
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--skoolgirl
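
An added example, not part of the original thread: a small Python parser for the HijackThis log format posted above, which lists entries a reviewer would normally look at first (proxy settings, "(file missing)" entries, services shown with "Unknown owner") and which antivirus products appear among the running processes. The function names are this example's own, the sample lines are copied from the log above, and a listed entry is only a candidate for review, not a verdict.

```python
import re

# Sample lines copied from the log posted above (shortened to a few entries).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "R1 - ...", "O23 - ...": a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O23 body: "Service: <name> - <owner> - <path>" (assumes no " - " in the name).
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Path fragments taken from the log above, mapped to the product they belong to.
AV_PATH_HINTS = {"alwil": "avast!", "grisoft": "AVG"}


def parse_log(text):
    """Split a log into (running process paths, [(code, body), ...])."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
        elif line == "Running processes:":
            in_processes = True
        elif ENTRY_RE.match(line):
            code, body = ENTRY_RE.match(line).groups()
            entries.append((code, body))
        elif in_processes:
            processes.append(line)
    return processes, entries


def review_candidates(entries):
    """Return (code, reason, detail) tuples for a human reviewer."""
    found = []
    for code, body in entries:
        if code in ("R0", "R1") and "ProxyServer" in body:
            found.append((code, "proxy setting", body))
        if body.endswith("(file missing)"):
            found.append((code, "file missing", body))
        service = SERVICE_RE.match(body) if code == "O23" else None
        if service and service.group("owner") == "Unknown owner":
            found.append((code, "unknown owner", service.group("name")))
    return found


def av_products(processes):
    """Names of antivirus products seen among the running processes."""
    seen = {name for path in processes
            for hint, name in AV_PATH_HINTS.items() if hint in path.lower()}
    return sorted(seen)


if __name__ == "__main__":
    procs, items = parse_log(SAMPLE_LOG)
    print("AV products running:", av_products(procs))
    for code, reason, detail in review_candidates(items):
        print(f"{code:4} {reason:14} {detail}")
```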



galooma

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #6 on: April 24, 2006, 02:10:59 PM »
"... Not only am i getting an error message, i'm now getting an icon in the taskbar that looks like a circle made up with a red arrow and a green arrow. I've never seen that before, and i tried to right and left click it to no avail. After the error message came up, that's when the icon disappeared. Any idea what that icon is ??"

I'm still concerned that your HJT logs are showing Zone Alarm yet in your first post you say you have windows firewall activated so this is an area that must be looked at.
It's a long time since I have run it myself but I always thought ZA had more than one active process running yet yours shows only one.
You seem to be missing this: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
That description you mention sounds similar to the ZA tray icon.
What this means is the program is running but you have no interface to control it.
Just to confirm my suspicions, check your Taskmanager for an active process called VSmon.exe and end task it, then try your updates.
« Last Edit: April 24, 2006, 02:19:50 PM by Cloussau »

skoolgirl

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #7 on: April 24, 2006, 11:01:21 PM »
Hi Cloussau.

I am missing the Zone Alarm file because i deleted the program and the file months ago after it started acting up after an update. I have attempted to delete everything related to Zone Alarm several times, and everything just won't go away (like the Zone Alarm file in the Windows system32 file. It simply will not delete. There is a TrueVector file that also will not go away).

The VSmon.exe task was running. I stopped the process. Thanks for the info.  :) Unfortunately, when i tried to update after stopping the process, i got another error message.

The red and green icon is an Avast icon, or at least that's what it says when i hover my cursor over it. Today it came on as soon as i connected to the Net, but i suspect that's because Avast tried to update at that time. As soon as the error message re: the servers comes up, the icon disappears.

ardvark

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #8 on: April 25, 2006, 12:29:38 AM »
Hi  skoolgirl...

It is perfectly ok to reinstall your OS as many times as you like, you won't hurt your system :)

Best Regards...

galooma

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #9 on: April 25, 2006, 07:42:04 AM »
"when i tried to update after stopping the process, i got another error message"
Can you tell me what that error message was?

"The red and green icon is an Avast icon, or at least that's what it says when i hover my cursor over it."
That is your mail provider checking your incoming.

My suggestion is to re-install ZA and stop the vsmon.exe, then try to uninstall and see if it takes it all away this time.

The only thing I can imagine stopping your outward connection is a firewall.

Can you check taskmanager again and ensure you have uninstalled AVG? You should have 5 separate processes:
ashWebSV.exe
ashMaiSV.exe
ashServ.exe
aswupdSV.exe
ashdisp.exe

Can you confirm this?

skoolgirl

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #10 on: May 01, 2006, 05:50:28 AM »
Hi All !

It's been a minute, but i just wanted to update quickly...

Thanks to all, especially Ardvark. You were right on the money re: uninstalling and reinstalling XP. Once i realized that the main worm couldn't be found by anything i knew of, or by anything you all suggested, i knew i was going to have to uninstall/reinstall.

You really answered the question that was burning in my mind more than anything else, and that was whether or not the uninstall/reinstall would harm the hard drive. I found out elsewhere that it wouldn't, but if i'd checked back here a few days ago, i'd have known it from you  ;). As it was, life was happening, so i had to put off the changes to my PC for a few days.

I came back to thank everyone, and to check out the links you guys provided for the great utilities  :-*.

So..Thanks to all for all the help you offered. I really appreciate it  :) 8)  :-* !!

--skoolgirl

ardvark

  • Guest
Re: Uh Oh !! Please Hellpp !!! Pt. 2
« Reply #11 on: May 01, 2006, 08:45:38 AM »
Hi skoolgirl...

You're very welcome, I'm glad I could help :)