
April 13th, 2005 12:00

AceBot Trojan virus

I understand I have this new virus. I can get on the internet but my desktop freezes if I try to work there. I have tried the "HiJackThis--Killbox" advice but don't find the necessary abnormal lines in HiJackThis, so have not been able to accomplish anything. Running Norton Antivirus, SpybotS&D, AdAware, SpySweeper and Panda Activescan does not help. I looked into doing a repair reinstall, but it seems beyond my capabilities.

711 Posts

April 13th, 2005 14:00

Sometimes files are tricky to delete and Killbox usually takes care of those. However, I don't use Killbox when I fix Dr Watson, so not sure what is happening there!!
 
Bertha2

5 Journeyman • 15.6K Posts • 45K Points

April 13th, 2005 14:00

bertha2,
 
i wouldn't be surprised if the article john is referring to is one that i've just read recently myself.... while i can not personally vouch for their technique, the article seems to contend that the sp2/dr.watson problem is caused by the acebot trojan... and moreover, asserts that by correcting only three (3) lines in the HiJackthis log (one in O2, one in O4, one in O23) --- in conjunction with KillBox... the problem will be fixed.  
(unfortunately, since the file names involved can vary, it's not a simple matter to assert, in advance, the specific files to look for in those 3 lines)
(also, i have to wonder why they said to use both killbox and hjt... i would have thought hjt could have handled it all)
 

Message Edited by ky331 on 04-13-2005 10:30 AM


April 13th, 2005 14:00

Hey John,

Can you elaborate on your problems and clarify exactly what advice you received and what it stated ?

Ky331, if you're about, could do with your research in relation to the trojan/virus in question here (you seem to be able to always come up with something :smileyvery-happy:)

Bertha2


April 13th, 2005 15:00

to anyone reading this:
this article is intended purely for the intellectual interest of Bertha2 (and/or perhaps some of the HJT experts).  
It is *NOT* intended as an actual recommendation to anyone.  Please do *NOT* try to attempt anything that's indicated here.
This article may be removed, at any time, without notice, upon Bertha's request.
 
 
Bertha2:   Here are the 'highlights' of that article; 'I' refers to the author, not me:
 
AceBot trojan virus
 
It takes various forms, some forms in which I have identified as positive links are:

mscf.exe
ipdo32.exe
protect32.exe
protect32.dll
ntip32.dll
mssg.exe
msse.ini
logging.ini
(Look at file names, these things love latching onto either mscf.exe, or they throw 32 somewhere into their name)

Now, what exactly causes the DrWatson Postmortem Debugger error? It's pretty simple. The makers of the virus have ILLEGALLY violated Microsoft's Copyright Policies, they use the Microsoft Logo, and alerts for Windows XP SP2.

So, what happens is, this virus adds itself as a Network Security Service (usually this is where you will find mscf.exe) which 100% interferes with SP2's Security Service (The thing that comes up and says your virus protection isn't found, or updates or off, or your firewall is off). Basically, the virus HiJacks the SP2 Alert's job. It shows stuff like "Spyware activity detected" and "Your firewall may be turned off" as a spoof.

How does this virus work?

It works off at least 2 executable files, and a Browser Helper Object (BHO). The BHO seems to be the main cause of instability in SP2 systems. The executables are what keep the BHO on there, so you need to kill the trifecta in order to collapse the pyramid of doom.

A specific example from someone's HJT log (but keep in mind, each person's case can be different):

O2 - BHO : (no name) {MD5 NUMBER} - C:\WINDOWS\system32\ntip32.dll

O4 - HKLM\..\Run: [ipdo32.dll] C:\WINDOWS\system32\ipdo32.exe

O23 : Service : Network Security Service (NSS) - Unknown - C:\WINDOWS\system32\mscf.exe

Now, Open up KillBox, and change the setting to Kill on Reboot. Now, type in each file location ONE AT A TIME, and click the Red 'X', it will ask if you want to delete it on reboot, click yes, and it will ask you to reboot, click NO!

After all the files are marked for deletion, put checks next to the 3 objects it found in HiJackThis, including the NSS, and remove them with HiJackThis; at the end, it will ask you to reboot, DO IT. On rebooting, the virus has been stir fried to a golden crisp.


Message Edited by ky331 on 04-13-2005 02:11 PM
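The three log lines quoted in the excerpt above (an O2 BHO, an O4 HKLM Run entry and an O23 service, all pointing into system32) are the pattern the whole thread hinges on, and the excerpt itself says the file names vary from machine to machine. As an added example, not code from the article or from anyone in this thread, here is a small Python triage script that reads a HiJackThis-style log, keeps only the O2/O4/O23 entries, and flags any line naming a file from the excerpt's list, plus a weaker "32 somewhere in the name" heuristic that the excerpt mentions. The sample log is constructed for the example: the CLSID is a placeholder, and guard32.exe and examplehelper.dll are made-up names. The allowlist of legitimate Windows binaries containing "32" is an assumption of mine so the heuristic does not flag rundll32.exe and friends; it is not something the article provides.

```python
"""Triage a HiJackThis-style log for the O2 / O4 / O23 "trifecta".

Added example, not code from the forum thread. The file-name list comes
from the article excerpt quoted in the thread; the sample log, the CLSID
placeholder and the names guard32.exe / examplehelper.dll are constructed.
"""
import re
from dataclasses import dataclass

# Names the excerpt associates with the trojan (taken from the post above).
KNOWN_NAMES = {
    "mscf.exe", "ipdo32.exe", "protect32.exe", "protect32.dll",
    "ntip32.dll", "mssg.exe", "msse.ini", "logging.ini",
}
# HJT sections the excerpt says to correct: BHO, HKLM Run entry, service.
SECTIONS_OF_INTEREST = ("O2", "O4", "O23")
# Legitimate Windows binaries with "32" in the name; an assumed starting
# allowlist so the excerpt's naming heuristic does not flag them.
WELL_KNOWN_32 = {"rundll32.exe", "kernel32.dll", "user32.dll", "ws2_32.dll"}

# Real logs read "O23 - Service: ..."; the excerpt writes "O23 : Service : ...".
SECTION_RE = re.compile(r"^(O\d+)\s*[-:]\s*(.*)$")
# Base names of executables / DLLs / INIs anywhere on the line.
NAME_RE = re.compile(r"[\w\-]+\.(?:exe|dll|ini)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    line: str
    names: list
    verdict: str  # "listed": name from the excerpt's list; "heuristic": "32" rule only


def triage(log_text):
    """Return findings for O2/O4/O23 lines that reference suspicious names."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m or m.group(1) not in SECTIONS_OF_INTEREST:
            continue
        names = [n.lower() for n in NAME_RE.findall(m.group(2))]
        listed = [n for n in names if n in KNOWN_NAMES]
        heuristic = [n for n in names
                     if "32" in n and n not in KNOWN_NAMES and n not in WELL_KNOWN_32]
        if listed:
            findings.append(Finding(m.group(1), line, listed, "listed"))
        elif heuristic:
            findings.append(Finding(m.group(1), line, heuristic, "heuristic"))
    return findings


def is_trifecta_present(findings):
    """True when a listed name appears in all three sections the excerpt names."""
    hit = {f.section for f in findings if f.verdict == "listed"}
    return all(s in hit for s in SECTIONS_OF_INTEREST)


# Constructed sample log (not from the thread); mixes the excerpt's three
# entries with ordinary entries to show what is and is not flagged.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {CLSID-PLACEHOLDER} - C:\WINDOWS\system32\ntip32.dll
O2 - BHO: Example Helper - {CLSID-PLACEHOLDER} - C:\Program Files\Example\examplehelper.dll
O4 - HKLM\..\Run: [ipdo32.dll] C:\WINDOWS\system32\ipdo32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [guard] C:\WINDOWS\system32\guard32.exe
O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\system32\mscf.exe
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {f.verdict:<9} {', '.join(f.names)}")
    print("trifecta present:", is_trifecta_present(found))
```

The script only sorts log lines into "review" buckets; the thread's own advice that nothing gets removed until someone has looked at the full log still applies. On the sample, the O2, O4 and O23 lines with the excerpt's names come back as "listed", guard32.exe comes back as "heuristic" only, and the rundll32 and ctfmon entries are not flagged at all.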

April 13th, 2005 17:00

I have that, and tried it, but didn't find the "trifecta" in the list generated by HiJackThis, so got nowhere.


April 13th, 2005 17:00

john,
 
IF you run/post the HJT log, there's one other thing I'd like you to do
(if you don't run HJT, you should skip this part too)

click on START
highlight RUN
next to open, type REGEDIT and click on OK
When the Registry Editor opens,
  in the left-hand window, click on the (+) in front of HKEY_LOCAL_MACHINE
  then click on the (+) in front of SOFTWARE
  then click on the (+) in front of MICROSOFT
  then click on the (+) in front of WINDOWS
  then click on the (+) in front of CURRENTVERSION
  then click on & highlight the RUN folder (do not confuse with RUN- )
now, in the right-hand window, under Name, look for MICROSOFT DIAGNOSTIC,
and if you find it, copy down the entire DATA value next to it
(it probably begins with c:\windows; carefully copy the ENTIRE name)
then hit on the X, in the upper right hand corner, to close down the Registry editor.

Warning: do not do anything else with the registry editor. improper usage can have severe negative consequences.
 
Let us know what the results are.

Message Edited by ky331 on 04-13-2005 02:05 PM
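The walk through regedit above ends at one question: is there a value named MICROSOFT DIAGNOSTIC under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and what does its DATA say? The same question can be answered offline from a regedit export of that key (a .reg file), which also keeps the user out of the editor the post warns about. As an added example, not code from this thread, here is a small Python parser for the .reg export format and a lookup that consults exactly the Run key, so a sibling key such as RunOnce is not mixed in. The .reg text is constructed; msdiag32.exe and the "Example" value are placeholders, not names from the thread.

```python
"""Find a value under the HKLM ...\CurrentVersion\Run key in a .reg export.

Added example, not code from the forum thread. The .reg text below is
constructed; msdiag32.exe and the "Example" value are placeholders.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data  or  @=data (the key's default value); the name may contain
# escaped quotes, which is why the name group allows backslash escapes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """.reg files escape backslash and double-quote with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Map each key path to {value name: data}.

    REG_SZ data ("...") is unescaped; other types (dword:, hex:) are kept
    verbatim, and multi-line hex continuations are not joined.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_run_value(keys, wanted="Microsoft Diagnostic", key=RUN_KEY):
    """Return the data of value `wanted` under `key`, or None.

    Registry key paths and value names are case-insensitive, so both are
    compared lower-cased; only the exact key is consulted.
    """
    for path, values in keys.items():
        if path.lower() != key.lower():
            continue
        for name, data in values.items():
            if name.lower() == wanted.lower():
                return data
    return None


# Constructed export (not from the thread). Note the doubled backslashes:
# that is how regedit writes paths inside a .reg file.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Diagnostic"="C:\\WINDOWS\\system32\\msdiag32.exe /s"
"Example"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Diagnostic"="C:\\WINDOWS\\Temp\\other.exe"
"""

if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    print("Run value:", find_run_value(keys))
```

When reading a real export from disk rather than the embedded text, open it with encoding="utf-16", since "Windows Registry Editor Version 5.00" files are written as UTF-16 with a byte-order mark. The lookup returns the DATA string with the escaping undone, which is the form the post asks John to copy down.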


April 13th, 2005 17:00

john,
 
the fact that you now say you also have the dr. watson problem (which my reply mentioned, but you hadn't mentioned originally), means that we're on the right track.   you probably saw the same article that i did, or something very similar.
 
as indicated, i was posting the abridged version here purely for Bertha2 to investigate.... NOT for you, or anyone else, to try going ahead on their own.  as the article indicates, the trojan can use VARIOUS names for the bad files, and you may not actually find any of the particular ones (the "trifecta") cited in the article --- but we should be able to locate a different "threesome".
 
are you familiar enough to run HiJackThis, and post a log here?  if you need help/instructions, I'd be happy to supply the details.
 
edit:  in fact, I've just posted the directions for you, further down in this thread....

Message Edited by ky331 on 04-13-2005 02:00 PM

April 13th, 2005 17:00

First, I began getting messages from MS Security that my antivirus wasn't working, things like that. Then, on startup, I would get a message from "Dr. Watson post mortem debunker" that a problem had been found and my computer would be shut down. It freezes, at that point. I have to exit via ctrl-alt-del, then "shut down." I was forwarded a three-page message from (?) about this, obtained from a computer geek forum, explaining what it is and the recommended fix, using HiJackThis and KillBox.  Since I got it secondhand, I don't know the originator or the forum.


April 13th, 2005 17:00

You can download the latest version of HJT(hijackthis) (version 1.99.1) from

http://majorgeeks.com/download3155.html

you must create a separate folder and place it there.... people commonly use C:\HJT

The file above comes as a compressed .ZIP file... you have to UNzip it (hopefully, you have an UNzip utility built into your Windows Explorer).

After Unzipping, double click on HiJackThis.EXE

Click on  Do a System Scan and Save a LogFile

This will automatically open NotePad

Copy the entire file from NotePad:  EDIT/SelectAll, EDIT/Copy

Then PASTE your log back here.  

(don't be surprised if the moderator moves this entire thread to the new forum for HiJack Log analysis.... but maybe, it'll stay here for a while)

I'd like to see if I can detect anything in it... and I'm confident Bertha2 is also eager to help you.

WARNING:  HiJack This is a VERY POWERFUL tool.  Do *NOT* do anything else (in particular, do NOT use it to delete any entries) until you are advised to do so!!   Improper use of this tool can severely damage your system.

Message Edited by ky331 on 04-13-2005 03:32 PM


April 14th, 2005 10:00

Hey ky331,

I have read the vast amount of information you found about AceBot Trojan and a great job you did on it too :smileyvery-happy:

As you say above I am more than eager to take a look at this person's HijackThis Log and will be happy to help (but I'd imagine this topic may have to be moved to the HijackThis Board)

Bertha2

 

April 14th, 2005 16:00

A further problem: all I can do from the regular desktop is get on the Internet. Anything else, the Dr. Watson thing pops up and everything freezes. I can do better in safe mode, but can't print from there and can't get on the Internet from there. So, I can scan and make a HiJackThis log while in safe mode, but don't know how to get it from there to the Internet.


April 14th, 2005 17:00

john,
 
i've tried helping someone in another thread... posted a preliminary suggestion... and was advised by a third-party that, by his understanding, things weren't as simple as the "trifecta" approach.   with assistance, i "plowed ahead", and hopefully worked something out there.  however, the process was much more than i had realized, and i don't know that i can really continue "in general".  since bertha2 has been following this thread, i think it best that i opt out here, and leave things to bertha.

April 14th, 2005 17:00

10-4

Thanks


April 15th, 2005 17:00

Hey John,

Unfortunately I have to accept the passing of the baton here from Ky331 (a great job you have done so far :smileyhappy: )

Now I would be grateful if you would post your HijackThis Log in the HijackThis forum where I will take a look?

As for your problem you can save the scan it makes from safe mode onto your Hard Drive and then reboot into normal mode and post it from there

Or you can (and I need as soon as possible) a HijackThis Log from normal mode and this will show much more

Bertha2

April 15th, 2005 17:00

As I explained, I can't get a HiJack log from normal mode (I'll have to fix my problem in order to fix my problem) and I will try the other suggestion. Thanks.
