June 6th, 2004 19:00

Hijack log

I'm having a few problems that make me think there may be some virus issues on my computer.  Have done a complete scan with a couple different anti-virus packages - found a few things and those were either cleaned or quarantined.  I have also scanned with Spybot S&D as well as noadware in hopes of cleaning up any spyware that might be causing the issues. 

I have Symantec on the system and am now getting 'virus found' notifications, and each time it says the virus was found, "clean failed, quarantine failed, access denied".  Additionally, I am unable to browse to www.symantec.com - I keep getting page not found errors when I can browse elsewhere without any problem.  Tried to go to trendmicro.com as well with no luck.  Lastly, the computer performance degraded totally last week - CPU utilization kept going to 100%.  When I look at the processes running in task manager, the culprit appears to be busp.exe.  I searched in vain to figure out what program was running that process so decided to just close that process to see what happened.  That brought everything back to a more normal state performance-wise and there weren't any noticeable problems with other programs.  Next time I booted up, however, it happened again, so I went into MSCONFIG and took it out of the startup.  Again - no problems noted yet but would like to know if this is a necessary process or some daemon that's gotten in.

I reset my startup to normal and did a Hijack log.  I'm hoping you'll be able to see something in there that will point to what the problem is.  Thanks in advance for any help you can provide!

Logfile of HijackThis v1.97.7
Scan saved at 2:39:14 PM, on 6/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\f0r0r\dirote.exe
C:\WINDOWS\System32\busp32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\dirote.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\tmp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wumb.org/listenLive/setup.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [soundtctrls] soundtctrls.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MS Sound Config 16bit] sndcfg16.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [m0rt3] C:\WINDOWS\System32\kolder.exe C:\WINDOWS\System32\dirote.exe
O4 - HKLM\..\Run: [BUSP Utility 32] busp32.exe
O4 - HKLM\..\Run: [3C93F9B4] C:\WINDOWS\System32\usmrvbdyuryihe.exe
O4 - HKLM\..\RunServices: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\RunServices: [soundtctrls] soundtctrls.exe
O4 - HKLM\..\RunServices: [MS Sound Config 16bit] sndcfg16.exe
O4 - HKLM\..\RunServices: [371D6271] C:\WINDOWS\System32\usmrvbdyuryihe.exe
O4 - HKLM\..\RunServices: [BUSP Utility 32] busp32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38056.3058333333
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

3.4K Posts

June 6th, 2004 20:00

Another thread yesterday had this new virus:

First major problem: You have a fairly new virus indicated by the file dirote.exe. Information link  from TrendMicro AV is here. Norton has nothing on this one to my knowledge, probably not AVG either.

No problem...we will kill them all without prejudice.

Run Hijackthis in new folder, scan and check the box left of these line items:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [soundtctrls] soundtctrls.exe
O4 - HKLM\..\Run: [soundcontrl] soundcontrl.exe
Comments:
I am suspecting a worm here, possibly Gaobot or SDBot...unless you know what this is...check them.
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
Comments: our new bad boy.

O4 - HKLM\..\Run: [MS Sound Config 16bit] sndcfg16.exe
Comments:
seeing this SDBOT worm I am now almost 100% sure the preceding two sound-named files are hostile
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AN

O4 - HKLM\..\Run: [BUSP Utility 32] busp32.exe
O4 - HKLM\..\Run: [3C93F9B4] C:\WINDOWS\System32\usmrvbdyuryihe.exe
O4 - HKLM\..\RunServices: [soundcontrl] soundcontrl.exe
O4 - HKLM\..\RunServices: [soundtctrls] soundtctrls.exe
O4 - HKLM\..\RunServices: [MS Sound Config 16bit] sndcfg16.exe
O4 - HKLM\..\RunServices: [371D6271] C:\WINDOWS\System32\usmrvbdyuryihe.exe
O4 - HKLM\..\RunServices: [BUSP Utility 32] busp32.exe
Comments:
"Bad boys, bad boys...whatcha you gonna do"...OK..enough fun...random-named Trojans here as you suspected busp32.exe being one of them.

O4 - Global Startup: Digital Line Detect.lnk = ?
Comments:
Useless dead link 

With no other windows open click on fix checked button in Hijackthis.

Exit Hijackthis.

Reboot to SAFE MODE and Show HIDDEN FILES and folders  (VERY IMPORTANTE!)

FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Drill on down and delete the following files and/or folders:

Folder:

C:\WINDOWS\System32\f0r0r     (dirote.exe virus folder)

Files:

C:\WINDOWS\System32\usmrvbdyuryihe.exe
C:\WINDOWS\System32\busp32.exe
C:\WINDOWS\System32\soundtctrls.exe
C:\WINDOWS\System32\soundcontrl.exe
C:\WINDOWS\System32\sndcfg16.exe

Reboot in normal mode Windows and run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.

If you have any problems with Disk Cleaner completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Now run a full system virus scan.

Next...download and run these two programs at the following link (Spybot S&D and Adaware). Use Spybot first.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...print out the guide and go slow on the directions for the custom setup of Adaware:

http://www.cjwd.demon.co.uk/spybot-adaware.html

After cleaning with Spybot and Adaware, browse a bit and post a new Hijackthis log.

After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.

See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Message Edited by Texruss on 06-06-2004 04:23 PM
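The way the reply above reads the log (orphaned "(no file)" entries, bare filenames in Run keys, names duplicated under Run and RunServices, hex-looking entry names, a loader passing a second .exe as its argument, the dead shortcut) written out as a small checker. This is an added example, not HijackThis code or part of the thread; the sample lines are copied from the log posted above, and every reason it reports is a heuristic to prompt a second look, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: O2/O3/O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [soundtctrls] soundtctrls.exe
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [BUSP Utility 32] busp32.exe
O4 - HKLM\..\Run: [3C93F9B4] C:\WINDOWS\System32\usmrvbdyuryihe.exe
O4 - HKLM\..\RunServices: [BUSP Utility 32] busp32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# "O4 - HKLM\..\Run: [name] command"  (Run, RunOnce, RunServices, RunServicesOnce)
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global|Local) Startup: (.*)$")
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")


def triage(log_text):
    """Return {log line: [reasons]} for entries that deserve a second look.

    Each reason is a heuristic; a hit means "check this", not "this is malware".
    """
    findings = defaultdict(list)
    keys_by_name = defaultdict(set)          # entry name -> {"Run", "RunServices", ...}
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    for line in lines:
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            findings[line].append("orphaned BHO/toolbar: CLSID still registered but the file is gone")
            continue
        m = O4_STARTUP.match(line)
        if m and m.group(1).endswith("= ?"):
            findings[line].append("startup shortcut whose target could not be resolved (dead link)")
            continue
        m = O4_REG.match(line)
        if not m:
            continue
        hive, key, name, command = m.groups()
        keys_by_name[name.lower()].add(key)
        if key.startswith("RunServices"):
            findings[line].append("RunServices: Win9x-era key that XP ignores; legitimate XP installers seldom write it")
        if HEX_NAME.match(name):
            findings[line].append("entry name is an 8-digit hex string, typical of generated malware names")
        tokens = [t.strip('"') for t in command.split()]
        if sum(t.lower().endswith(".exe") for t in tokens) > 1:
            findings[line].append("command launches one executable with another executable as its argument")
        if tokens and "\\" not in tokens[0] and "%" not in tokens[0]:
            findings[line].append("bare filename, no path: resolved by PATH search, so its location is unverified")
    # Second pass: the same name persisted under both Run and RunServices.
    for line in lines:
        m = O4_REG.match(line)
        if m and {"Run", "RunServices"} <= keys_by_name[m.group(3).lower()]:
            findings[line].append("same entry name present under both Run and RunServices")
    return dict(findings)


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("    ->", r)
```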

16 Posts

June 8th, 2004 00:00

Texruss, your directions are wonderfully clear and easy to follow - thank you.  A couple of questions.....

After running Hijack This and following the steps I ran a virus scan using Symantec - nothing was found.  I decided to run a House Call scan from the Trendmicro site and it found FOUR uncleanable files...I wrote down the filenames of 3 (wasn't thinking and deleted one of them).  The infected file names were

  • TROJ_BOTIRC.A in c:\recycler\s-1-5-21........;
  • DOS.AGOBOT.GEN in c:\windows\system32\drivers\etc\hosts
  • BAT.SASSER.A in c:\windows\system32\cmd.ftp
  • TROJ_BOTIRC.A ....which I deleted...think it was a windows\system32 file...

Now, what do I do about these 4 infections??  Should I take this result to be a comment about the efficacy (or lack thereof) of Symantec?

My second question results from the fact that I decided to run the Spybot S&D and Adaware on my laptop while waiting for the virus scans to complete on the known-infected desktop machine.  When I ran Adaware it came up with a number of items that it classified as malware which were from a recent installation of noadware....why would that application be considered malware?

3.4K Posts

June 8th, 2004 01:00

> My second question results from the fact that I decided to run the Spybot S&D and Adaware on my laptop while waiting for the virus scans to complete on the known-infected desktop machine.  When I ran Adaware it came up with a number of items that it classified as malware which were from a recent installation of noadware....why would that application be considered malware?

Maybe because of this:

http://www.netrn.net/archives2/000499.html

> • TROJ_BOTIRC.A in c:\recycler\s-1-5-21........;
> • DOS.AGOBOT.GEN in c:\windows\system32\drivers\etc\hosts
> • BAT.SASSER.A in c:\windows\system32\cmd.ftp
> • TROJ_BOTIRC.A ....which I deleted...think it was a windows\system32 file...

>Now, what do I do about these 4 infections??  Should I take this result to be a comment about the efficacy (or lack thereof) of Symantec?

Or perhaps your lack of Windows critical security updates?  Flushing the Restore Points will get rid of number 1. We will do that later. 

The HOSTS file requires special attention:

FAQ 14:  http://russelltexas.com/malware/faqhijackthis.htm

>cmd.ftp

Windows updates needed...and kill that file

Texruss
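A HOSTS file audit, added here as an example (not from the thread or from the FAQ page linked above). HouseCall flagged c:\windows\system32\drivers\etc\hosts, and a HOSTS file that pins vendor domains to 127.0.0.1 is one way the earlier symptom (symantec.com and trendmicro.com unreachable while other sites load) comes about; the checker lists such entries and produces a cleaned copy. The watch list, the sample file and the function names are constructed for this example.

```python
from ipaddress import ip_address

# Constructed watch list: vendor and update domains the infected machine in this
# thread could not reach; extend it with the domains your own tooling depends on.
WATCHED_DOMAINS = {
    "symantec.com", "trendmicro.com", "antivirus.com",
    "windowsupdate.microsoft.com", "grisoft.com",
}

# Constructed sample HOSTS file. The vendor lines imitate what an AV-blocking
# worm leaves behind; the localhost and intranet lines are legitimate.
SAMPLE_HOSTS = """\
# constructed sample of C:\\WINDOWS\\system32\\drivers\\etc\\hosts
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         www.trendmicro.com
192.0.2.10      windowsupdate.microsoft.com
127.0.0.1       intranet.example   # legitimate local override, left alone
"""


def parse_hosts(text):
    """Yield (ip, hostname, original line) for every active mapping in a HOSTS file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                   # one address may carry several names
            yield parts[0], host.lower(), raw


def is_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return [(hostname, ip, reason)] for mappings that block or hijack watched domains."""
    findings = []
    for ip, host, _ in parse_hosts(text):
        if host == "localhost" or not is_watched(host):
            continue
        try:
            addr = ip_address(ip)
        except ValueError:
            findings.append((host, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((host, ip, "security/update site pinned to loopback: lookups never leave the machine"))
        else:
            findings.append((host, ip, "security/update site redirected to a third-party address"))
    return findings


def clean_hosts(text):
    """Return HOSTS content with the offending lines removed; comments and local overrides survive."""
    bad = {raw for _, host, raw in parse_hosts(text) if host != "localhost" and is_watched(host)}
    return "\n".join(l for l in text.splitlines() if l not in bad) + "\n"


if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16} {host:<32} {reason}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS))
```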


16 Posts

June 8th, 2004 01:00

Hi again,  here's the new hijackthis log file after I installed and ran both Spybot and Adaware.

Logfile of HijackThis v1.97.7
Scan saved at 10:25:10 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wumb.org/listenLive/setup.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38056.3058333333
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab

Thanks very much!


3.4K Posts

June 8th, 2004 01:00

That log looks clean...any issues?

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

16 Posts

June 8th, 2004 03:00

Texruss, I was afraid you were going to show me something just like you did.....well that was a poorly spent $29.95 (Noadware.net).  Gone from my computer now, though - thanks.

I did some more searching after sending my reply to you about the 4 infected files and found a removal tool for it at http://athena.uwindsor.ca/units/its/website/itshd_downloads.nsf/0/87ca9cacacf55b6d85256e9b0054a575?OpenDocument .....hopefully I haven't been scammed again?  I didn't have time to do a rescan after I ran the removal tool but will do that.

Regarding your comments about Windows Security updates.....I went to the Windows update just Saturday night and ran every critical update that was available.  Do they hide their security updates elsewhere and not include them in the critical updates???  I am totally diligent about the windows updates - have the notification turned on and run them whenever a new one pops up......other suggestions of what I can/should be doing?

Thanks again for your prompt and thorough help!


3.4K Posts

June 8th, 2004 03:00

Time to flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.

See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm

You look clean and hearty congratulations! Want to stay clean like me? *;-)

1. The main cleanup programs:

(the three free programs in Items 2 and 3 bolded below are a MUST in my opinion)

Spybot Search&Destroy, Ad-aware: run weekly - or after a heavy internet session.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware:

http://www.cjwd.demon.co.uk/spybot-adaware.html

I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).

Reboot and click on Start/Run/ type: cleanmgr

If you have problems with Disk Cleanup hanging and not completing see this page for XP users:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

From MS Help: "Disk Cleanup helps free up space on your hard drive. Disk Cleanup searches your drive, and then shows you temporary files, Internet cache files, and unnecessary program files that you can safely delete. You can direct Disk Cleanup to delete some or all of those files."

I check all the selected categories and click OK at the end of Disk Cleanup.

If you have any problems with Disk Cleaner completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try this fix: http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

2. Proactive programs: Spywareblaster & Spywareguard, first sets kill bits to stop known bad MSIE ActiveX scripts from installing, second acts like your AV to stop browser hijacks and installing of known baddies.

3. IE-Spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

Links for these at: http://www.cjwd.demon.co.uk/compsafetyonline.html

4. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.

Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp

You can also start Windows Update by running Internet Explorer, pulling down Tools on top Menu bar and selecting Windows Update. Install ALL critical updates! Always!

If LiveUpdate fails (and it is prone to on MANY machines) download each patch manually from the MS advisory pages and install manually. Works for me!

5. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com

6. Beg, borrow, or buy a Software Firewall if at all possible. I use Norton Internet Security 2004 and it has saved my bacon more times than I can count. For a free software firewall turn on the fairly lame firewall in Windows XP (I say it is lame because it does not monitor or block outgoing traffic...only incoming...a serious omission if the threat occurs inside your network). Hopefully with the upcoming Service Pack 2 this flaw will be addressed.

http://www.microsoft.com/technet/community/columns/5min/5min-101.mspx#XSLTsection125121120120

A better choice for now for a free software firewall is Zone Alarm.
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

7. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.

8. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.

Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt

(for Hijackthis logs...please copy to and run Hijackthis.exe into a new folder you create in the root level of the C: drive. Name this folder HJT for best and safest results). (don't put in a Local Settings Temp folder, or the Windows desktop, etc...as it needs a safe folder to keep backup logs). Also when XP and W2K users post here and place it in the Local Settings, the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)

See this link for graphical instruction: http://russelltexas.com/malware/faqhijackthis.htm

Forums for help and analysis of your Hijackthis logfile:

http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.wilderssecurity.com
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org

Good luck and safe computing!

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

16 Posts

June 8th, 2004 11:00

Hi - will flush the restore points as soon as I can.  thanks.  Regarding firewalls - does having a router serve the same purpose or is that not adequate?

Thanks for all your suggestions regarding programs that work!

plwbiz

3.4K Posts

June 8th, 2004 21:00

If it is built to be a firewall router then that is a good first layer of defense...but I prefer both software and hardware firewalls.

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
