
Can not remove trojan horse dropper

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2005/09/13.

  1. 2005/09/18
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Attn: oshwyn5
    I checked high and low regarding the info you provided about the viruses and cannot locate anything related...

    Note: In my previous log, I ran Ewido again and posted its findings...Guess we are not out of the woods yet...
     
  2. 2005/09/19
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    As I seek to destroy the enemy, I ran the PCShieldUp scan on common ports and service ports and passed both tests...

    In my search for more clues and answers I came across info about worms using IRC to allow their creators to control a computer using the vulnerability in DCOM RPC...Could the backdoor worms that have been removed be one of the problems we are dealing with? If so, I'm not so sure how to prevent that at this point, because disabling them I believe will affect security issues within...Further info seems to recommend that the FTP server, telnet and Web Server be disabled as they are avenues of attack. While I try to find out the relationship of them all and how they will affect or help my situation, your assistance will still be greatly appreciated...
     


  4. 2005/09/19
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    The final Chapter...I ran the following:
    AVG.....................Found 0
    Ewido...................Found 1 (trojan rootkit agent.ae)
    Spybot.................Found 0
    AdwareSE.............Found 0

    I finally was able to uninstall Windows Service Pack 2 because after I downloaded it, the computer took almost 2 minutes to boot up...The computer boots up much faster and shuts down faster as well...

    I wish to thank everyone who assisted me with one of the toughest encounters I have had personally

    I believe we can close this chapter with pride...Thank you again :)
     
  5. 2005/09/20
    KAL

    KAL Inactive

    Joined:
    2005/09/09
    Messages:
    188
    Likes Received:
    0
    I am probably breaking the posting rules, but I am exhausted...
    I just finished reading all of the posts. WOW ! ! !

    I JUST HAD TO SAY
    What a great job by all of you. CONGRATULATIONS !

    WHAT A GREAT FORUM!! :p :p :p
     
    Last edited: 2005/09/20
  6. 2005/09/20
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43542

    http://www.sophos.com/virusinfo/analyses/trojrootkitaa.html

    It would appear that removing it is sufficient.
    Did you have ewido remove it?
     
  7. 2005/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry for the delay. We aren't quite done yet. ;)
    TheSpyKiller forum is just a place to upload files for examination by myself and other member malware removal specialists. I asked for those files because they are connected to services that are not listed in a central database we use for identifying rogue services.
    Please download and save the following file to the desktop, double click it to extract the contents, then open the folder and double click the zipit.bat file to run. If it finds any of the files it's looking for, it will create the file C:\Windows\zipit.zip which I would like for you to attach to an email to me.

    http://noahdfear.geekstogo.com/zipit.exe

    Now download the following file to the desktop and run it in safe mode.

    http://noahdfear.geekstogo.com/delfiles.bat

    Copy the following commands to notepad and save.

    sc delete "Microsoft System Management BIOS Driver"
    sc delete "Sound Service"
    sc delete "Windows Process Moniter"
    sc delete wtaskbarmngr


    While in safe mode, click start>run and copy each of those commands into the run dialog box, hitting enter after each.

    Open HijackThis, scan and place a check next to the following entries if present, then click fix.

    O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe
    O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
    O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)
    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)

    Reboot to normal mode and do a search of the drive for the file msnpg.exe, deleting any found.

    Please do an online scan with Panda ActiveScan, allowing it to clean anything it finds. Save the scan log and post its contents, along with a new HijackThis log.
     
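The procedure in the post above (collect the sample, delete the files in safe mode, remove the services with sc, then fix the O23/O4 entries in HijackThis) can be driven from the HJT log itself. The Python script below is an added example for this thread, not noahdfear's tool and not code posted by anyone here: the log excerpt inside it is constructed from the format of the HijackThis log posted later in the thread, the two flags it uses (no vendor string, HJT reports the binary missing) are an assumed heuristic, and the commands it prints are the same attrib/del/sc delete lines used in this thread, with the service key name quoted so that names containing spaces survive cmd.exe's argument splitting.

```python
"""Triage HijackThis O23/O4 lines and emit quoted removal commands.

Added example for this thread (not noahdfear's tool). The sample log is
constructed from the format of the log posted in the thread, and the two
heuristics (unknown owner, file missing) are an assumption about what
deserves a look, not a rule HijackThis itself applies.
"""
import re

# Constructed sample in the HijackThis v1.99.1 log format used in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HJT writes O23 as: display name (service key name) - owner - path [(file missing)].
# The key name in parentheses is optional; when absent it equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 registry autoruns: O4 - HIVE\..\Key: [label] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)


def parse_hjt(text):
    """Return the O23 services and O4 registry autoruns found in an HJT log."""
    services, autoruns = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            d = m.groupdict()
            services.append({
                "display": d["display"],
                "name": d["name"] or d["display"],  # key name, what sc.exe wants
                "owner": d["owner"],
                "path": d["path"],
                "missing": d["missing"] is not None,
            })
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append(m.groupdict())
    return {"services": services, "autoruns": autoruns}


def suspicious_services(services):
    """Flag services with no vendor string or whose binary HJT could not find.

    'file missing' is not proof the file is gone: a rootkit can hide it from
    HJT, which is why removal_commands() still emits a del for it.
    """
    flagged = []
    for svc in services:
        reasons = []
        if svc["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if svc["missing"]:
            reasons.append("file missing")
        if reasons:
            flagged.append(dict(svc, reasons=reasons))
    return flagged


def removal_commands(flagged, autoruns):
    """Build the cmd.exe lines to run in safe mode, quoting names with spaces."""
    cmds = []
    for svc in flagged:
        # attrib first: del without /f or /a skips read-only, hidden and system files
        cmds.append(f'attrib -r -h -s "{svc["path"]}"')
        cmds.append(f'del /q "{svc["path"]}"')
    for svc in flagged:
        # sc.exe takes the key name, not the display name, and unquoted
        # 'sc delete Sound Service' would try to delete a service called 'Sound'
        cmds.append(f'sc delete "{svc["name"]}"')
    for run in autoruns:
        # a bare filename under RunServices gives no directory; search the
        # whole drive for it, as the thread does for msnpg.exe
        if run["key"] == "RunServices" and "\\" not in run["cmd"]:
            cmds.append(f"dir /s /b C:\\{run['cmd']}")
    return cmds


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    flagged = suspicious_services(parsed["services"])
    for svc in flagged:
        print(f'{svc["name"]!r}: {", ".join(svc["reasons"])}')
    print("\n".join(removal_commands(flagged, parsed["autoruns"])))
```

The script takes the key name from the parentheses of the O23 line because that, not the display name, is what sc.exe resolves, and it still emits del commands for files HJT reports as missing, for the same reason the thread's delfiles.bat deletes winmon.exe and taskbarmngr.exe: a file that HijackThis cannot see is not necessarily gone.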
  8. 2005/09/20
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I did not mean to close out, just figured with that trojan as my last bump in the road I would pursue it and not have anyone work harder than everyone already has...

    Attn: Kal...I know everyone including myself appreciates your message and wanted to convey my thanks to you for taking notice...Sometimes it's nice to know someone out there (except the man above) is watching over us.

    Attn: Oshwyn5...Thanks for that info, I will add it to my arsenal including the info I obtained from www.sysinternals.com about rootkit revealers...Also, in answer to your question, Ewido did in fact find and remove that trojan where its other competitor AVG "did not"...

    Attn: noahdfear, your assistance has been valuable and I will attempt to apply your suggestion(s) later this evening and post back...
     
  9. 2005/09/20
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Attn: Noahdfear...I downloaded the zipit.exe program, and extracted the file you wanted me to...But I cannot seem to locate anything that it extracted so I can't email it to you...Let me describe what I think is the problem:
    In the Extracted box it says: C:\Documents and Settings\Owner\Desktop and I do believe you wanted it extracted to C:\Windows but it does not give me that option...After I opened the icon (zipit.exe), there are two files listed:
    (1) zipit/zip.exe and, (2) zipit/zipit.bat...I clicked on the second one and it extracts but after that I neither see nor find anything else.

    When I go to your second suggestion "delfiles.bat" the page that comes up says: Sorry,the requested page is not available.

    As for downloading and running Panda Active Scan, I tried that last night and because they have Mozilla instead of Internet Explorer it will not run...

    I did a search for "msnpg.exe" and none were found at this time...

    In the HijackThis, I checked off what you advised me to do as all were present...
     
  10. 2005/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try the delfiles.bat link again. I found the problem and fixed it.

    With the zipit.exe file on the desktop, double click to run, then click start. It should extract to a folder named zipit on the desktop, with the two files inside. Note: both files need to be in the folder for it to work. Make sure you run it before you run the delfiles.bat

    Did you run the commands given before fixing those entries in HJT?

    Internet Explorer is installed by default and can be accessed via the Start>All Programs menu, to run the Panda scan.
     
  11. 2005/09/20
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I guess I did do the zipit program right but thought I missed something; what you told me to do was done, I guess I was expecting to see something else...I'll re-try the delfiles now...

    Also, I would like to bring to your attention that when I booted up the computer earlier, a screen popped up saying the time of day clock stopped, click F1 to continue and F2 to run set up...I choose F2 and had to manually re-set the date and time...Never, ever seen that before...

    P.S... Zone Alarm keeps asking if I want to allow or deny "mssmbios.exe" and because of our dealings with that particular file I keep denying it access...Should I keep doing so or shall I allow it in ???
     
  12. 2005/09/20
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    When I clicked on the delfiles.bat to download, this is what came up on the screen.


    attrib -r -h -s C:\WINDOWS\mssmbios.exe
    attrib -r -h -s C:\WINDOWS\winmon.exe
    attrib -r -h -s C:\WINDOWS\taskbarmngr.exe

    del /q C:\WINDOWS\mssmbios.exe
    del /q C:\WINDOWS\winmon.exe
    del /q C:\WINDOWS\taskbarmngr.exe

    cls
    EXIT
     
  13. 2005/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sounds as though you clicked 'run' or 'open' when downloading. You need to click Save when downloading, and place it on the desktop.

    The zipit.zip is going to zip a copy of mssmbios.exe for me and the delfiles.bat is going to delete it. Make sure to run the zipit first, and the delfiles.bat in safe mode.
     
  14. 2005/09/20
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I will try it again but just so you know, all I did was click on the link you gave and "bang" up on the screen came what I sent you...I did not have a chance to do anything else...I tried it again and the same thing happened...
     
  15. 2005/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm.....try right clicking the link instead, then select 'Save Target As' to see if it allows you to save it.
     
  16. 2005/09/20
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    It worked that time by right clicking it and then I booted into safe mode, but the only thing that happens in safe mode with it is a quick screen flashes and that's it...After a couple more tries, I booted back to normal mode and even though it's not what you told me to do, I clicked on the desktop icon and the same thing happened...

    Note; I ran Ewido again and it continues to find the same backdoor trojan.
     
  17. 2005/09/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Was the zipit.zip file created in C:\Windows? Please email it to me if it was.

    The delfiles.bat did what it was supposed to do. ;)

    Please run the Panda scan and post the report, as well as a new HijackThis log. I'll check in tomorrow.
     
  18. 2005/09/21
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Do not recall noticing if the zip file was created in C:\Windows, guess I'll have to run it again later on today along with a new Hijack log.

    As for Panda, your advice on how to get it to run in Internet Explorer worked and here's what it said:
    Virus.............. 0 .............. 0 cleaned
    Spyware......... 4 .............. 0 cleaned
    Hacking tools... 1 .............. 0 cleaned
    Dialers............ 0 .............. 0 cleaned
    Security risks... 0 .............. 0 cleaned
    Suspicious files. 0 .............. 0 cleaned
     
  19. 2005/09/21
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Until I get the chance to do the zip.it and HijackThis log, the question I have is (as I obviously have not done it yet): will doing a "netstat -an" check reveal any unauthorized ports opened by this backdoor trojan??? Or because it hides itself, is the likelihood of them showing up on one of the ports very unlikely???
     
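On the netstat question asked above: netstat -an lists every socket the TCP/IP stack reports, so a backdoor that binds a port normally appears as a LISTENING line on a port you cannot account for, and an IRC-controlled bot as an ESTABLISHED connection to a remote port in the 6660-6669 range. The catch is that a kernel-mode rootkit driver (the kind of component Ewido's Trojan.Rootkit.Agent.ae detection on hpdriver.sys refers to) can in general hide its own sockets from the APIs netstat relies on, so a clean listing is not proof and an external port check from another machine, like the ShieldsUP-style test run earlier in this thread, is the cross-check. The script below is an added example, not part of the thread: it parses a constructed Windows XP style netstat -an listing and diffs it against an assumed baseline of expected XP listeners; the addresses and the 5555 port in the sample are made up for illustration.

```python
"""Diff a Windows 'netstat -an' listing against a baseline of expected listeners.

Added example for this thread, not code posted in it. SAMPLE_NETSTAT is
constructed in Windows XP's netstat -an format with documentation-range
addresses; EXPECTED_LISTENERS is an assumed baseline for a standalone XP SP1
box, not a list from the thread.
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       192.0.2.10:5190        ESTABLISHED
  TCP    192.168.1.5:1051       198.51.100.7:6667      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:1900         *:*
"""

# Assumed baseline: RPC endpoint mapper, NetBIOS session, SMB and SSDP are
# normal on an XP box; anything else listening needs an explanation.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 139), ("TCP", 445),
                      ("UDP", 445), ("UDP", 1900)}

# Ports conventionally used by IRC servers, where a bot's control channel lives.
IRC_PORTS = set(range(6660, 6670)) | {7000}


def parse_netstat(text):
    """Parse netstat -an rows into dicts; UDP rows have no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines and blanks
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        lhost, lport = local.rsplit(":", 1)
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({
            "proto": proto,
            "lhost": lhost, "lport": int(lport),
            "fhost": fhost, "fport": None if fport == "*" else int(fport),
            "state": state,
        })
    return rows


def unexpected_listeners(rows, expected=EXPECTED_LISTENERS):
    """Listening TCP sockets and bound UDP sockets not in the baseline."""
    found = []
    for r in rows:
        bound = (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP"
        if bound and (r["proto"], r["lport"]) not in expected:
            found.append(r)
    return found


def irc_connections(rows, ports=IRC_PORTS):
    """Established outbound connections to ports conventionally used by IRC."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and r["fport"] in ports]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in unexpected_listeners(rows):
        print(f"unexpected listener: {r['proto']} {r['lhost']}:{r['lport']}")
    for r in irc_connections(rows):
        print(f"IRC-range connection: {r['lhost']}:{r['lport']} -> {r['fhost']}:{r['fport']}")
```

Run it on a real listing by piping `netstat -an` into a file and reading that file in place of SAMPLE_NETSTAT; a listener or connection it reports is a lead to chase with the process list (netstat -ano on XP adds the PID column), while an empty report only means nothing was visible to netstat.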
  20. 2005/09/21
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Logfile of HijackThis v1.99.1
    Scan saved at 2:54:22 PM, on 9/21/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\HJT\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{739B062A-E2D3-4492-87DA-2D1D5502C488}: NameServer = 207.217.77.82 207.217.120.83
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe (file missing)
    O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)
    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
     
  21. 2005/09/21
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 3:24:48 PM, 9/21/2005
    + Report-Checksum: 16E4CCB3

    + Scan result:

    C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@commission-junction[2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\WINDOWS\system32\hpdriver.sys -> Trojan.Rootkit.Agent.ae : Cleaned with backup


    ::Report End
     
