
Daily Viruses/Trojans from the internet

Discussion in 'Security and Privacy' started by Barry, 2004/08/28.

Thread Status:
Not open for further replies.
  1. 2004/08/28
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    My son & I recently built him a computer from scratch. It has a DFI NFII Ultra Infinity mobo, AMD Athlon XP 2500+ / Barton cpu, 9600XT graphics card, Zonet ZFM5620 modem, Windows XP SP1, 80GB Western Digital hd and CD/RW drive. He uses McAfee antivirus, SpyBot, Spyware Blaster, Allera System Cleaner and Avant Browser. We installed Microsoft's security update CD to make sure everything was current, along with updating Microsoft Office 2000.
    Every time he goes online, he ends up with McAfee saying that a virus or trojan was found (W32/Korgo.worm.v, Sasser worm, HideExec, Reg/LowZones trojan, etc.). My computer is set up the same way, with no viruses or trojans. What am I overlooking? He doesn't need to go to any sites, just be connected to the internet.
    SpyBot comes up with spyware from the games he plays:
    1 MediaPlex cookie
    1 Alexa Related c:\WINDOWS\Web\related.htm
    12 Aureate (5 System 32 Files, 5 Registry values & 2 Registry keys)
    5 DSO Exploit (Registry changes)
    3 Radiate (2 Directories & 1 Registry key)
    6 Wild Tangent (4 Directories, 1 library file & 1 Registry key)
    I didn't make any changes on those, as I'm not sure the impact it may have on his game playing.
    Any suggestions you may have would be appreciated.
    Barry
     
    Last edited: 2004/08/29
  2. 2004/08/29
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Barry - several of the viri you mention are the result of a system that isn't current on the XP hotfixes & patches. Sasser and Korgo, especially, shouldn't be able to succeed in an attack on a system that has MS04-011 (the lsass vulnerability) patch installed. I imagine the others are somewhat the same.

    The DSO exploit that Spybot finds is not a real problem but is mostly a Spybot reporting bug. Just make sure the version he runs is v1.3 and if he still has v1.2, you can get the newer one downloaded, uncheck any protections from 1.2 and uninstall it then install and update 1.3. Be sure to check the icon for immunization and then the green arrow to complete the immunizing.

    Especially with a gamer, he needs as much protection as is reasonable so I'd also suggest Ad-aware (similar to Spybot as a removal tool, but the two of them each find things the other misses) and SpywareBlaster, which is a passive blocker (install, immunize, and just update monthly or something) that is now dealing with over 3000 known bad items.

    You can find all of those in Quicklinks (in my signature).

    But the reality is that not all baddies will be seen by any of the above. Probably a good idea to also download a copy of Hijackthis, unzip it to a folder of its own (so not a temp folder and not directly to the desktop) and run it to generate a log file and post that here so we can have a look. Probably find a few other items that need to go away.
     
    Newt,
    #2


  4. 2004/08/29
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    I agree with you Newt

    I believe the first item of business after installing ANY version of Windows is to go to the Windows Updates and get ALL of the Updates (at least the Critical ones).

    If I remember correctly (which may raise a question), there are quite a few, with some that would apply to various gaming software.

    Barry

    At this time I suggest that you DELETE ALL that Spybot finds. Better to have a game not run than all of that TRASH hanging around in the reg.

    And get the Windows Updates installed.

    BillyBob
     
  5. 2004/08/29
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    In addition to all the above suggestions, a firewall is in order, or at least turn on the one in XP. I prefer the former.
     
  6. 2004/08/30
    CharlieJ

    CharlieJ Inactive

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    A couple more thoughts...

    When using Windows Update, you need to run it multiple times. I have found the need for multiple runs on every PC that we have reloaded. This is especially true if you also use Office Update.
    More importantly, NEVER attach a PC to the Internet to do your initial patching. Always protect & patch from a secure network, or from CD BEFORE hitting the Internet.

    Here's the order I use to prepare our network PCs:
    - Install base OS & SP (we use Win2K for the most part)
    - Install anti-virus software (from CD)
    - Install Spybot, Ad-aware, iespyad reg files & HOSTS from mvps.org (from CD)
    - Install firewall (from CD)
    - Set MSIE Security level to High (on most PCs)
    - Change MSIE Privacy => Advanced setting to block all Third Party cookies
    - Reboot
    - Connect to the Internet
    - Update Spybot & Ad-aware includes/def files
    - Run Windows Update
    - Run Office Update
    - Reboot
    - Run Windows Update
    - Run MS Baseline Security Analyzer (MBSA 1.21)
    - Fix MBSA finds (these are sometimes things WU doesn't find)
    - Install other apps
    - ...

    With an average of around 20 minutes before an unpatched system is infected with malware, my suggestion is NEVER attach a new or reloaded PC to the Internet until you have anti-virus, anti-malware and a firewall loaded.
    If you attach and then try to update, you're most likely NOT going to beat the continual port/vulnerability scans being run by hackers. Oh, and just in case you don't believe this is true, Secunia, SANS and PC Computing all published articles on this topic over the last couple of months. They all recommend patching and protecting before attaching to the Net.
     
    Last edited: 2004/08/30
  7. 2004/08/30
    william6995

    william6995 Inactive

    Joined:
    2004/02/06
    Messages:
    7
    Likes Received:
    0
    In addition to the excellent suggestions about not connecting to the internet until your antivirus and firewall programs are installed, I would also recommend the purchase and installation of a good router. It will offer hardware protection and the bad guys won't even be able to see your computer or scan all its open ports. A simple 4 port DSL router with built-in firewall, by a major manufacturer, for example, can be found for less than $50.
     
  8. 2004/08/31
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    Thanks for all the suggestions. This is a lot of work. I'm doing the best I can in my spare time. I am seeing a reduction in the viruses and trojans, but they aren't totally gone yet. When I've gone through all your suggestions, I'll let you know the results. I don't think the router suggestion will do us any good, as out here in the country we only have access to 24 Kbps modems. I had trouble when I put the security clearance on high (I couldn't even access Windows Updates), so I put it back to medium. I put Windows Updates in my trusted sites, but it still didn't work. Unless you can give me an easy understanding of how to set this up, it seems that it will get in my way more than help. The MBSA is very interesting and helpful, though some of the things it comes up with I don't even use, or when I get to the website, it says that there is a more current version and to get it from Windows Updates (so I assume I already have it). I'll do the Hijackthis as soon as I finish going through everything else. I may not be able to finish everything up till this weekend.
    Thanks again,
    Barry
     
  9. 2004/09/01
    CharlieJ

    CharlieJ Inactive

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    Barry,
    The Security Settings for MSIE can be tricky, BUT they do make browsing safer. The main gist of the HIGH setting is to disallow ActiveX, java apps and browser takeover by third party domains. If you're not interested in tweaking the settings, I would definitely suggest installing Spyware Blaster from javacool. :D It rejects ~3,000 known ActiveX and java nasties. Granted, it's not as safe as rejecting ALL ActiveX/java (unless added to Trusted Sites) -- but it is a very good program to use on personal PCs.

    IF you decide to tweak the HIGH Security Setting on MSIE, the best way is to add websites you trust to the Trusted Sites tab. This is done by clicking Tools => Internet Options => Security => Trusted Sites => Sites. UNcheck the requirement for https:// and then enter the site you want to trust (ie: http://*.windowsupdate.microsoft.com). Then, click Add. You're done -- and the site will now be accessible (if you haven't tweaked the Trusted Sites default security level).

    :cool: This change can be made on the fly, so it's not painful. When I find a site I trust (one that uses ActiveX or Java), I simply follow the steps above and reload the page. Then, browse on...

    Barry, the payoff in using all of the steps above [previous post & this one] -- on my own three PCs -- has been:
    - Nearly six months of browsing at will
    - Several Ad-ware/Spybot scans weekly
    - ZERO malware infections
    - ZERO virus infections
    - ZERO trojan infections
    - Less than 50 tracking cookies

    These results are across three PCs being used in excess of 700 hours on the Internet (in 6 mths). Your mileage may vary. :)

    ;) NOTE: Spyware Blaster is installed on two of the three boxes; plus a few more tweaks to the MSIE settings & the registry; plus the additions of WinPatrol (2 of the 3 PCs), Spybot's HOSTS file; Spybot's TeaTimer; Spybot's Browser Helper and NIS2004 Firewall/Antivirus/Internet Security.
     
    Last edited: 2004/09/01
  10. 2004/09/01
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    I've already installed Browser Hijack Blaster, Spyware Blaster, Spybot w/teatime & b9, along with McAfee antivirus. I followed the instructions you gave regarding setting up the trusted sites, but it didn't work. I still couldn't get on Windows Updates. That is the reason I returned it to a medium setting. I have the same on my computer and have no problems.
     
  11. 2004/09/02
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Barry,
    Some trojans open ports that allow other pests in behind your back (past your firewall and antivirus). Until you have a totally clean machine, you should keep it offline and work to rid it of ALL the problems. Maybe after you run updated antivirus, Ad-aware and Spybot (you must go online for brief periods to do the updates), then post a HijackThis log as Newt suggested (directions are in the stickies at the top of the spyware forum). The experts here can look at the log and advise.
     
    Last edited: 2004/09/02
  12. 2004/09/02
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    Ad-Aware log

    Lavasoft Ad-Aware Personal Build 1.03
    Logfile created on:Thursday, September 02, 2004 8:55:03 PM
    Using definitions file:SE1R6 30.08.2004
    References detected during the scan:

    We may need these other scans at some point but for now they just make the thread hard to follow so deleting them all except the Hijackthis log. Newt
     
  13. 2004/09/02
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    Hijackthis log

    Logfile of HijackThis v1.98.2
    Scan saved at 9:34:00 PM, on 9/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\winupdate.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\sstray.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\msg32.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Firetrust\Benign\B9.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\SpeedFan\speedfan.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Avant Browser\avant.exe
    c:\program files\mcafee.com\vso\mcmnhdlr.exe
    c:\program files\mcafee.com\shared\mghtml.exe
    C:\Documents and Settings\Darren\Desktop\security\HijackThis.exe

    O1 - Hosts: 127.98.9.1 surfsideexpress.com.b9
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe "
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [Services] C:\msg32.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe
    O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [b9] C:\Program Files\Firetrust\Benign\B9.exe /minimize
    O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe
    O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
    O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C347220B-2ED1-48E1-9B2A-6D81604D7140}: NameServer = 66.81.7.70 66.81.0.252
     
  14. 2004/09/02
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    I hope all the logs were helpful. Please let me know what the next steps would be. There are still viruses coming up (something bot). I believe it is connected to the MBSA download (tripod.com cookie). It is pretty clean other than that.
    Thanks for the help,
    Barry
     
  15. 2004/09/03
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Well, you have WORM_SDBOT.ER for sure and it does just what sparrow warned about - opens your system up to attacks. I'm a little surprised his AV app isn't seeing anything.

    Also, if there is a firewall with the version of McAfee you have, use it. Otherwise get a firewall.

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    - spyware stuff you got from Alexa. Sorta surprised it hasn't hijacked the home page.

    I'm reluctant to go into a long shopping list of recommendations here since I can't get a good feel for whether your son wants a clean system or just to surf along until it stops running, clean it up enough to function, and keep that cycle going.

    For now,
    - an online AV scan since I'm not at all sure McAfee is functioning. May have been disabled by one of the baddies.
    - a firewall (plenty of free ones available)
    - an idea of just how clean you/he want the PC
     
  16. 2004/09/03
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    He'd like a clean system, but wants to be able to play his games also. Hopefully we don't have to start from scratch and reinstall everything. That is very time consuming. McAfee always catches and removes the SDBOT, and it is clear after scanning. The Browser Hijack Blaster saves the home page. I'll do an online AV scan, to see if there is any difference. That seems to be the only virus at this time. He is using the WinXP Firewall.
     
  17. 2004/09/03
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    I think I realized what one of my main problems was. I didn't turn off system restore, so the computer kept reinfecting itself. I'm not getting any viruses or trojans anymore. I'll see if that continues. I would like to remove whatever isn't necessary for my son to operate this computer, allowing him to do his school work and play his games. I did the virus scan on line and everything showed up clean. I've cleaned this computer so many times, in so many ways, it must be sterilized by now. At least it is working well. Other than cleaning up the non-essentials, I only have one more issue related to a game controller, but that will be another thread. Thanks for all the help,
    Barry
     
  18. 2004/09/03
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    Barry,

    That's great. Now would be a great time to make a Ghost image of the system disk on the other disk (hope you partitioned the HDD) for future backup. With Ghost you can restore to a known clean disk in minutes instead of days. I do it as soon as all the software is in place and before going online. I've only used it once to restore from a disaster, and I became a convert.
     
  19. 2004/09/03
    Barry

    Barry Geek Member Thread Starter

    Joined:
    2002/12/16
    Messages:
    1,209
    Likes Received:
    10
    How do I go about doing this ghost image? Do I need to put another partition on that drive? The second drive is only 12GB and set up for Win98SE rather than XP and isn't set up with an NTFS partition. I guess I could also burn it on CDs if I knew how to do so and knew how to restore it from CDs. Any help would be appreciated.
     
  20. 2004/09/03
    sparrow

    sparrow Inactive

    Joined:
    2004/03/21
    Messages:
    2,282
    Likes Received:
    0
    The second drive should have plenty of room. I use Norton's Ghost that comes with SystemWorks, but you can also purchase it separately. It runs in DOS so it's independent of Windows (though you can set it up in Windows if desired).
    It will be a learning experience, but well worth your while.

    It comes with a very good .pdf file of instructions.

    The NTFS is not a problem; it handles that as well as FAT.
     
    Last edited: 2004/09/03
  21. 2004/09/11
    dcrocker

    dcrocker Inactive

    Joined:
    2004/09/11
    Messages:
    2
    Likes Received:
    0
    It's a new variant of SDBOT

    Newt wrote:

    >>Well, you have WORM_SDBOT.ER for sure and it does just what sparrow warned about - opens your system up to attacks. I'm a little surprised his AV app isn't seeing anything.<<

    No, it isn't WORM_SDBOT.ER (the registry key name is wrong for that one), it's a new SDBOT variant that most of the AV vendors don't yet protect against. See http://www.sophos.com/virusinfo/analyses/w32forbotg.html. One of my clients' computers was infected with this last Thursday. The symptoms are:

    1. Task Manager shows one or more tasks called winupdate.exe running;
    2. Registry entries of the form "Win32 USB2 Driver = winupdate.exe ".

    To fix it:

    1. Disconnect from the net, boot into Safe Mode With Command Prompt and delete the file winupdate.exe (length 137k) in the windows system (or system32?) directory.
    2. Boot in normal mode and use regedit to search for "winupdate.exe ". Delete all keys with "USB2" in the name and "winupdate.exe" in the value.
    3. Use your AV software to find and delete any other viruses/trojans that it has let in.
    4. Connect to the net (preferably via a firewall) and use Windows Update to patch the vulnerability.
    5. Reboot and check that the trojan didn't infect your machine again before Windows Update completed.

    DC
     
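As an added example (not code from this thread or from HijackThis, McAfee or any other tool named here), a small Python script that applies the signals raised above to the O4 autorun lines of a HijackThis log: a bare file name resolved via the search path, a program running from the root of the drive, the same program registered in several autorun keys, and the entry name and file name dcrocker quotes. The sample lines and the indicator sets are constructed from this thread's own log and posts; the heuristics are assumptions for review, not verdicts (sstray.exe is flagged too, and is a legitimate nForce tray program).

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Services] C:\msg32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] winupdate.exe
O4 - HKLM\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] winupdate.exe
O4 - HKCU\..\RunOnce: [Win32 USB2 Driver] winupdate.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
"""

# Indicators taken from dcrocker's post: the entry name and file name of this SDBOT variant.
KNOWN_BAD_ENTRY_NAMES = {"win32 usb2 driver"}
KNOWN_BAD_FILES = {"winupdate.exe"}

# Registry-backed O4 lines only; "Startup:" / "Global Startup:" shortcut lines do not match.
O4_RE = re.compile(r'^O4 - (HK[LC][MU])\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$')
# Program part of a command: quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^\s*"?([^"]*?\.exe)', re.IGNORECASE)
ROOT_RE = re.compile(r'[a-z]:\\[^\\]+', re.IGNORECASE)


def parse_o4(line):
    """Return (hive, key, entry_name, command) for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groups() if m else None


def executable_of(command):
    """Strip quotes and arguments, keeping only the program that is launched."""
    m = EXE_RE.match(command)
    return (m.group(1) if m else command).strip()


def review_autoruns(log_text):
    """Return {executable basename: sorted reasons} for autorun entries worth a look."""
    entries = [e for e in (parse_o4(l) for l in log_text.splitlines()) if e]
    locations = defaultdict(set)   # basename -> {(hive, key)} it is registered under
    reasons = defaultdict(set)
    for hive, key, name, command in entries:
        exe = executable_of(command)
        base = exe.replace('/', '\\').rsplit('\\', 1)[-1].lower()
        locations[base].add((hive, key))
        if '\\' not in exe:
            reasons[base].add('bare file name, resolved via search path')
        elif ROOT_RE.fullmatch(exe):
            reasons[base].add('runs from the root of a drive')
        if name.lower() in KNOWN_BAD_ENTRY_NAMES or base in KNOWN_BAD_FILES:
            reasons[base].add('matches indicator from this thread')
    for base, locs in locations.items():
        if len(locs) > 1:   # the variant registers itself under Run, RunServices and RunOnce
            reasons[base].add('registered in %d autorun locations' % len(locs))
    return {b: sorted(r) for b, r in reasons.items()}


if __name__ == "__main__":
    for base, why in sorted(review_autoruns(SAMPLE_LOG).items()):
        print(base, '->', '; '.join(why))
```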