
[WinXP SP2]Problems with backdoor spyware

Discussion in 'Malware and Virus Removal Archive' started by xiaoyenzi, 2006/11/15.

  1. 2006/11/15
    xiaoyenzi

    xiaoyenzi Inactive Thread Starter

    Joined:
    2006/10/26
    Messages:
    7
    Likes Received:
    0
    Hi all,

    I've tried to search the forum and couldn't find something that can solve my problems here. So I decided to open a new thread and post my problems here. A few days ago, my computer was infected by some kind of virus which made my CPU usage go to 100%, and I found that it was a process named spoolsv.exe. I've done some Google research and found that it's supposed to be a system file, and some said it was a spoof name of the actual system file. So, what I did was reformat my C drive, which has all the system files.

    Everything seemed OK until yesterday. My computer started to act weirdly. I was surfing the net and after some time, I suddenly couldn't access the Internet, and couldn't sign in to Messenger as well. I scanned my computer with the free AVG Anti-Spyware and found that it is infected with several spyware programs. I've also run HJT, but I don't know how I could totally remove all this spyware.

    Here is my HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 6:37:54 PM, on 11/15/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svcchost.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [msvcc25] svcchost.exe
    O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://milky-cherry.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe



    And here is the report from AVG Anti-Spyware:
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:57:02 PM 11/15/2006

    + Scan result:



    C:\System Volume Information\_restore{67F21CBE-BC1F-437C-A044-C53EC9B6F884}\RP12\A0007393.exe -> Backdoor.IRCBot.xn : No action taken.
    [888] C:\WINDOWS\System32\svcchost.exe -> Backdoor.Rbot.aeu : No action taken.
    C:\WINDOWS\system32\.exe -> Backdoor.Rbot.bni : No action taken.
    C:\System Volume Information\_restore{67F21CBE-BC1F-437C-A044-C53EC9B6F884}\RP12\A0006404.exe -> Backdoor.SdBot.awk : No action taken.
    C:\System Volume Information\_restore{67F21CBE-BC1F-437C-A044-C53EC9B6F884}\RP12\A0006403.exe -> Backdoor.SdBot.ayk : No action taken.
    C:\System Volume Information\_restore{67F21CBE-BC1F-437C-A044-C53EC9B6F884}\RP12\A0006405.exe -> Backdoor.SdBot.azb : No action taken.
    :mozilla.54:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
    :mozilla.47:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.48:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.49:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.50:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.56:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.57:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.58:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.59:C:\Documents and Settings\Apple\Application Data\Mozilla\Firefox\Profiles\nkvj4fhs.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.


    ::Report end


    Any advice on removing the infection?
    Thank you in advance.
    :)
     
  2. 2006/11/15
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.


    Well, once a system is reformatted, nothing survives that. It's possible that if you saved any data and reinstalled some of that data, it was infected. Or perhaps you opened an email or went surfing without first getting patched up at WU.

    OK, but based on the Ewido report, you did not let it quarantine anything, and it did seem to find a couple of files too.

    I'd run the Ewido scan again and let it quarantine all it finds. Once that has been run, and you have rebooted the system, post another HJT log file for us to review and we'll see what remnants need attention.

    If you did actually let AVG quarantine those items, then let us know and we'll attend the fixing needed based on the log you posted above.
     
