can't get rid of "Trojan-Downloader.BAT.Ftp.ab" & Explorer hangs ...

Discussion in 'Malware and Virus Removal Archive' started by jedi master, 2006/05/20.

  1. 2006/05/20
    jedi master

    jedi master Inactive Thread Starter

    Hi all,
    I run XP Pro.
    I have and used Spybot, Ad-Aware, and Kaspersky Anti-Virus 6.
    Symptoms are:
    All is OK when I do a fresh startup and browse/surf the net for a while. Then weird hang-ups start to happen, usually when I press the History or Favorites buttons on the Explorer top bar.
    Trying to scroll down the address bar also hangs Explorer.
    Typical hangs also happen when I try to save a file after downloading, or even just save a HijackThis log file.
    Shutting down Explorer or any other non-responding program and re-running it does not resolve the problem.
    Only a full restart helps for a while, until the next time a hang-up happens.
    I did some more cleanup, but the symptoms are back.
    What I did was:
    Ran the system in safe mode, with System Restore disabled.
    I ran the following programs:
    AboutBuster (all was OK)
    CWShredder (all was OK)
    Ad-Aware SE (found some bad cookies, nothing too important...)
    Spybot (all was OK)

    I then restarted into regular XP Pro mode and ran a Kaspersky full scan.
    All was OK, but while surfing the web later an alert was raised that a file called:
    5/20/2006 6:19:36 PM File C:\WINDOWS\system32\fdhbe_37252.exe: deleted
    was found and deleted.
    Kaspersky recognized it as:
    5/20/2006 6:19:12 PM File C:\WINDOWS\system32\fdhbe_37252.exe: detected Trojan program Backdoor.Win32.SdBot.aqz

    A few minutes after that, Explorer started to hang again.
    If I type any address in the address bar and press Enter, nothing happens.
    If I press the History or Favorites button, it hangs.

    I tried to save a log file from HJT and the program hung.
    I did a restart so I could save this next log, which I did straight after the restart.

    This is my latest log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:57:29 PM, on 5/20/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSI\Core Center\CoreCenter.exe
    C:\Program Files\Philips\LightFrame 3\LightFrameV3.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - C:\WINDOWS\System32\LightFrame3IECOM.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: LightFrame 3.lnk = ?
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: ??÷? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 62.219.186.7 192.115.106.35
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 62.219.186.7 192.115.106.35
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



    Help me get rid of these, please.
    Thank you.
     
  2. 2006/05/20
    sparrow

    sparrow Inactive

    Need to know what firewall you use and what type of web connection you have. Brief perusal of log looks ok.
     
    Last edited: 2006/05/20

  4. 2006/05/20
    PeteC

    PeteC SuperGeek Staff

    jedi master - Welcome to the Board :)

    A few missing files and a couple of name servers to deal with ...

    Scan again and place a checkmark against each of these entries and click on Fix selected, then reboot.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 62.219.186.7 192.115.106.35
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 62.219.186.7 192.115.106.35
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    What evidence do you have for Trojan-Downloader.BAT.Ftp.ab - I see none in your post.

    Download, install and run the trial version of Ewido. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu ".

    Boot into Safe Mode and run Ewido - full system scan and save the report. Boot into normal mode and post the report here.

    And please answer Sparrow's question re. firewall.
     
  5. 2006/05/21
    jedi master

    jedi master Inactive Thread Starter

    Thank you, Sparrow and PeteC.
    I'm using the Windows XP Pro "built-in" firewall.
    I'm connected to the internet with an ADSL connection
    (with a Samsung modem).

    I did what PeteC told me and ran a full scan with Ewido in safe mode.
    The scan didn't find anything:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 10:37:22 PM, 5/21/2006
    + Report-Checksum: A0155308

    + Scan result:

    No infected objects found.


    ::Report End

    -------------------------------------------------------

    The reason I know I had "Trojan-Downloader.BAT.Ftp.ab" is that Kaspersky Anti-Virus detected it on my system, along with some other nasty stuff, in the last few days. Here is the Kaspersky log from the last 2 days, when I had the symptoms I talked about:
    ------------------------

    5/20/2006 3:28:04 PM File c:\windows\system32\i: detected Trojan program Trojan-Downloader.BAT.Ftp.ab
    5/20/2006 3:28:12 PM File c:\windows\system32\i: deleted
    5/20/2006 6:19:12 PM File C:\WINDOWS\system32\fdhbe_37252.exe: detected Trojan program Backdoor.Win32.SdBot.aqz
    5/20/2006 6:19:12 PM Security threats have been detected. You are advised to neutralize them immediately.
    5/20/2006 6:19:36 PM File C:\WINDOWS\system32\fdhbe_37252.exe: deleted
    5/20/2006 6:34:36 PM Process (PID 2404) tried to access Kaspersky Anti-Virus 6.0 process (PID 556), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
    5/20/2006 6:34:36 PM Process (PID 2404) tried to access Kaspersky Anti-Virus 6.0 process (PID 1692), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
    5/20/2006 7:34:18 PM File C:\WINDOWS\system32\fdhbe_84556.exe: detected Trojan program Backdoor.Win32.IRCBot.rh
    5/20/2006 7:34:25 PM File C:\WINDOWS\system32\fdhbe_84556.exe: deleted
    5/20/2006 9:00:21 PM File C:\WINDOWS\SYSTEM32\TFTP2760/PolyCrypt/UPX: detected Trojan program Backdoor.Win32.Rbot.gen
    5/20/2006 9:00:21 PM File C:\WINDOWS\system32\TFTP2760/PolyCrypt/UPX: detected Trojan program Backdoor.Win32.Rbot.gen
    5/20/2006 9:00:39 PM File C:\WINDOWS\SYSTEM32\TFTP2760/PolyCrypt/UPX: is not disinfected, cannot be disinfected
    5/20/2006 9:00:42 PM File C:\WINDOWS\system32\TFTP2760/PolyCrypt/UPX: is not disinfected, cannot be disinfected
    5/20/2006 9:00:47 PM File C:\WINDOWS\SYSTEM32\TFTP2760: deleted
    5/20/2006 9:00:51 PM File C:\WINDOWS\system32\TFTP2760/PolyCrypt/UPX cannot be deleted
    5/20/2006 10:12:44 PM File C:\WINDOWS\system32\TFTP2568/PE_Patch/NSPack: detected Trojan program Backdoor.Win32.Rbot.gen
    5/20/2006 10:13:08 PM File C:\WINDOWS\system32\TFTP2568/PE_Patch/NSPack: detected Trojan program Backdoor.Win32.Rbot.gen
    5/21/2006 12:13:14 AM File C:\WINDOWS\system32\TFTP2568/PE_Patch/NSPack: is not disinfected, cannot be disinfected
    5/21/2006 12:13:19 AM File C:\WINDOWS\system32\TFTP2568/PE_Patch/NSPack: is not disinfected, cannot be disinfected
    5/21/2006 12:13:28 AM File C:\WINDOWS\system32\TFTP2568: deleted
    5/21/2006 12:13:29 AM File C:\WINDOWS\system32\TFTP2568/PE_Patch/NSPack cannot be deleted.

    -----------------------------------------------

    As of today, the 22nd, I have not had any problems so far.
    Maybe I got rid of the nasty stuff?!
    Just in case, here is a fresh HJT log for you guys. Can you see any more things to take care of? As you can see, even though I checked "fix" like you asked, some of the "File Missing" lines are in the log again. How come?

    --------------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 12:11:45 AM, on 5/22/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MSI\Core Center\CoreCenter.exe
    C:\Program Files\Philips\LightFrame 3\LightFrameV3.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - C:\WINDOWS\System32\LightFrame3IECOM.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: LightFrame 3.lnk = ?
    O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: ??÷? - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://64.186.207.89/activex/AxisCamControl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 192.115.106.35 62.219.186.7
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 192.115.106.35 62.219.186.7
    O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    -------------------------------------------------------

    Thank you for the quick reply guys!
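
An added example, not part of the original post: a short Python triage of the Kaspersky log above that groups events by the file on disk and reports which detected files were never logged as deleted. The function names are hypothetical, and treating the text after "/" in a path as packer layers inside the same file is an assumption.

```python
import re
from datetime import datetime

# Lines copied from the Kaspersky log in the post above (a subset).
SAMPLE_LOG = r"""
5/20/2006 3:28:04 PM File c:\windows\system32\i: detected Trojan program Trojan-Downloader.BAT.Ftp.ab
5/20/2006 3:28:12 PM File c:\windows\system32\i: deleted
5/20/2006 6:19:12 PM File C:\WINDOWS\system32\fdhbe_37252.exe: detected Trojan program Backdoor.Win32.SdBot.aqz
5/20/2006 6:19:36 PM File C:\WINDOWS\system32\fdhbe_37252.exe: deleted
5/20/2006 7:34:18 PM File C:\WINDOWS\system32\fdhbe_84556.exe: detected Trojan program Backdoor.Win32.IRCBot.rh
5/20/2006 7:34:25 PM File C:\WINDOWS\system32\fdhbe_84556.exe: deleted
5/20/2006 9:00:21 PM File C:\WINDOWS\SYSTEM32\TFTP2760/PolyCrypt/UPX: detected Trojan program Backdoor.Win32.Rbot.gen
5/20/2006 9:00:39 PM File C:\WINDOWS\SYSTEM32\TFTP2760/PolyCrypt/UPX: is not disinfected, cannot be disinfected
5/20/2006 9:00:47 PM File C:\WINDOWS\SYSTEM32\TFTP2760: deleted
5/20/2006 9:00:51 PM File C:\WINDOWS\system32\TFTP2760/PolyCrypt/UPX cannot be deleted
"""

LINE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) File (?P<path>.+?)"
    r"(?:: (?P<event>detected Trojan program (?P<name>\S+)|deleted|is not disinfected)"
    r"| (?P<fail>cannot be deleted))"
)

def summarise(log_text):
    """Group events by on-disk file; returns {path: record} in first-seen order."""
    files = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # status lines that do not refer to a file
        # Assumption: the part after "/" names packer layers inside the file,
        # so TFTP2760/PolyCrypt/UPX and TFTP2760 are the same file on disk.
        base, _, inner = m["path"].partition("/")
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        rec = files.setdefault(base.lower(), {"first_seen": ts, "names": set(),
                                              "deleted": False, "failed": 0})
        if m["name"]:
            rec["names"].add(m["name"])
        elif m["event"] == "deleted":
            rec["deleted"] = rec["deleted"] or not inner
        else:
            rec["failed"] += 1  # "is not disinfected" / "cannot be deleted"
    return files

def not_removed(files):
    """Files that were detected but have no 'deleted' event for the file itself."""
    return [path for path, rec in files.items() if not rec["deleted"]]

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for path, rec in summary.items():
        state = "deleted" if rec["deleted"] else "STILL PRESENT"
        print(f'{rec["first_seen"]:%H:%M} {path} {sorted(rec["names"])} {state}')
    print("not removed:", not_removed(summary))
```

Run over the full log, the same grouping makes it easy to see that a new file was detected after each earlier deletion.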
     
  6. 2006/05/21
    PeteC

    PeteC SuperGeek Staff

    Your log looks clean to my eye and your Kaspersky log seems to indicate that the trojan Trojan-Downloader.BAT.Ftp.ab was dealt with.
    Coincidentally we have had an internal discussion re. 'file missing' and 'no file' entries in HJT logs ....
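
An added example, not part of the original thread: a Python comparison of the entries selected for fixing on 5/20 against the 5/22 rescan, showing which ones persist, which were cleared, and which "(file missing)" entries are new. The function names are hypothetical, and O17 name-server lists are compared as sets because the rescan lists the two servers in a different order.

```python
import re

# Entries PeteC asked to have fixed (copied from the thread).
FIXED = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 62.219.186.7 192.115.106.35
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 62.219.186.7 192.115.106.35
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""
# Related entries from the 5/22 rescan (copied from the thread, wrapped lines rejoined).
RESCAN = r"""
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 192.115.106.35 62.219.186.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F5C5FAD-E7E7-43D3-836C-54B10F913D8F}: NameServer = 192.115.106.35 62.219.186.7
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

def entry_key(line):
    """Split an entry into (section, body), sorting O17 name servers."""
    section, _, body = line.strip().partition(" - ")
    m = re.match(r"(.*NameServer = )(.+)", body)
    if m:
        body = m.group(1) + " ".join(sorted(m.group(2).split()))
    return section, body

def entries(log_text):
    """Parse only lines that start with a HijackThis section code such as O17."""
    return [entry_key(l) for l in log_text.splitlines() if re.match(r"\s*[A-Z]\d+ - ", l)]

def compare(fixed_text, rescan_text):
    fixed, rescan = entries(fixed_text), entries(rescan_text)
    return {
        "persisting": [e for e in fixed if e in rescan],
        "cleared": [e for e in fixed if e not in rescan],
        "new_file_missing": [e for e in rescan
                             if e not in fixed and e[1].endswith("(file missing)")],
    }

if __name__ == "__main__":
    for label, items in compare(FIXED, RESCAN).items():
        print(label)
        for section, body in items:
            print(f"  {section}: {body[:70]}")
```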
     
