trojan irc backdoor sdbot 144 BE

Hi, all. I have been hit by that #@f#! and my Norton just told me it could not remove it. I d/l AVG and it said the same. I went to Trendmicro's page and ran an online check that found "msgfix.exe" in several places, mainly in WINNT, and again it was said to be "unremovable". Before I despair, can anyone give me a helping hand?
I am running Win 2000 5.0 Service Pack 4.
Tnx. :confused:

Comments

  • edited March 2005
    Guys, sorry for not reading the tips before posting. I had never heard of HJT before. I did my homework and now send the log for you. Tnx again for any help. Here it goes:

    Logfile of HijackThis v1.99.1
    Scan saved at 23:27:38, on 17/3/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\system32\DRIVERS\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SymTray.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
    C:\Arquivos de programas\Java\jre1.5.0\bin\jusched.exe
    C:\Arquivos de programas\iTunes\iTunesHelper.exe
    C:\Arquivos de programas\QuickTime\qttask.exe
    C:\Arquivos de programas\iPod\bin\iPodService.exe
    C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Arquivos de programas\Anti-BO\Anti-bo.exe
    C:\Arquivos de programas\3M\PSNLite\PsnLite.exe
    C:\Arquivos de programas\Soulseek\slsk.exe
    C:\ARQUIV~1\3M\PSNLite\PSNGive.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msmonk32.exe
    C:\Arquivos de programas\Folding@Home\winfah.exe
    C:\WINNT\system32\msgfix.exe
    C:\Arquivos de programas\Folding@Home\FahCore_82.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msgfix.exe
    C:\Arquivos de programas\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cjub.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Arquivos de programas\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Arquivos de programas\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [hpppta] C:\Arquivos de programas\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [iTunesHelper] C:\Arquivos de programas\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] msgfix.exe
    O4 - HKLM\..\RunServices: [duck] duck.exe
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe
    O4 - Startup: Folding@Home 5.03.lnk = C:\Arquivos de programas\Folding@Home\winfah.exe
    O4 - Startup: Soulseek.lnk = C:\Arquivos de programas\Soulseek\slsk.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Anti-BO v1.5b.lnk = C:\Arquivos de programas\Anti-BO\Anti-bo.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Arquivos de programas\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Arquivos de programas\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Arquivos de programas\Hello\PicasaCapture.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = criacaso.lannet
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8CE77209-DEC0-4CE4-A947-DF1BBB80F818}: NameServer = 200.244.149.23,200.244.149.26
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = criacaso.lannet
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = criacaso.lannet
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
    O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\system32\DRIVERS\dcfssvc.exe
    O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
    O23 - Service: Serviço de proteção automática do Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: smyhh - Unknown owner - \\200.179.203.177\ADMIN$\duck.exe" -service (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
  • edited March 2005
    Hi, my friends. Here is an update:

    I have tried some of the techniques Symantec and McAfee and AVG list for the original problem. I had to stay online for that period. None worked.

    Then I got a tip to make an online scan by Trendmicro's House-Call. Just to be informed that I was infected not only by the first plague but also with W32.HLLW.GAOBOT.GEN, BLOODHOUND.PACKED and W32RANDEX.

    I turned the comp off and there it lies, waiting for some good soul to help. I thank you for any saving method available. I'll try anything. Thanks in advance for the cooperation.

    P.S.: "they" do not allow me anymore to reach sites that deal with viruses, so I can only imagine I'll have to do it by hand and not connected. Should I send you the HJT log once more? :scratch:
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    Download and run Stinger.
    http://download.nai.com/products/mcafee-avert/stinger.exe


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] msgfix.exe
    O4 - HKLM\..\RunServices: [duck] duck.exe
    O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINNT\system32\msgfix.exe
    C:\WINNT\system32\msmonk32.exe
    duck.exe


    Reboot your computer to go back to normal mode and post a new log.
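One way to automate the triage Buckeye_Sam did by eye on the log above, added here as an editorial example (it is not HijackThis code and not from anyone in the thread). The rules are assumptions modelled on the entries he flagged: pathless autostart commands, RunServices entries, and a service pointing at a remote ADMIN$ share; the sample lines are copied from the first log posted in this thread, and the allow-list of benign pathless entries is constructed from that same log.

```python
"""Triage heuristics for a HijackThis (HJT) v1.99 log.

Editorial example for this thread, not HijackThis code. The rules are
assumptions modelled on what the helper flagged in the log above.
Findings are hints for a human reviewer, not verdicts.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# O4 autostart line, e.g.  O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 service line, e.g.  O23 - Service: name - owner - path
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Pathless autostart commands that are normal on this Windows 2000 box.
# Assumption: a small allow-list built from the benign entries in the log above.
KNOWN_BARE = {"mobsync.exe", "nwiz.exe", "rundll32.exe"}

# Sample input: a constructed subset of lines copied from the first HJT log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\Explorer.EXE

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Configuration Loader] msgfix.exe
O4 - HKLM\..\RunServices: [Configuration Loader] msgfix.exe
O4 - HKLM\..\RunServices: [duck] duck.exe
O4 - HKCU\..\Run: [Configuration Loader] msgfix.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: smyhh - Unknown owner - \\200.179.203.177\ADMIN$\duck.exe" -service (file missing)
"""


def _first_token(cmd: str) -> str:
    """Return the executable part of a command line (quoted path or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, subject) pairs a reviewer should look at, in log order."""
    findings: List[Tuple[str, str]] = []
    autostart_keys: Dict[str, List[str]] = {}   # exe name -> registry keys it is registered in
    proc_counts: Counter = Counter()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            proc_counts[line.lower()] += 1
            continue
        m = O4_RE.match(line)
        if m:
            exe = _first_token(m["cmd"]).lower()
            if "\\" not in exe and exe not in KNOWN_BARE:
                findings.append(("autostart with no path, resolved via the search path", line))
            if m["key"] == "RunServices":
                # RunServices is honoured by Windows 9x/ME, not NT/2000; on this box it
                # only exists because something wrote to every autostart key it knew.
                findings.append(("RunServices entry on an NT-family system", line))
            autostart_keys.setdefault(exe, []).append(f"{m['hive']}\\{m['key']}")
            continue
        m = O23_RE.match(line)
        if m:
            if m["path"].startswith("\\\\"):
                findings.append(("service binary on a remote share", line))
            if m["owner"] == "Unknown owner" or "(file missing)" in m["path"]:
                findings.append(("service with unknown owner or missing binary", line))
    for exe, keys in autostart_keys.items():
        if len(keys) > 1:
            findings.append((f"same executable registered in {len(keys)} autostart keys", exe))
    for proc, n in proc_counts.items():
        if n >= 3:
            findings.append((f"{n} running instances of the same executable", proc))
    return findings


if __name__ == "__main__":
    for reason, subject in triage(SAMPLE_LOG):
        print(f"{reason}: {subject}")
```

Run against the full log above, the script reproduces the four O4 entries and the smyhh service the helper picked out, and additionally points at the seventeen running copies of msgfix.exe.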
  • edited March 2005
    Ok, I will do it tonight, step by step.
    And if we are totally successful, I will post it from there.
    Thanks for your time and concern.
    Mauro
  • edited March 2005
    Hello, Buckeye_Sam.

    This is a quick report of what I did yesterday, following your instructions (and others from Symantec, also).

    Here we go:

    Before doing what you suggested, and following Symantec's specific instructions on how to deal with GAOBOT, I did:

    1. a scan with their own specific tool from a CD, to no avail: the message was "cannot create report: virus not found". I did it both in normal and safe modes, same answer;

    2. used their manual removal instructions and in "safe mode" I restored the Windows Hosts file, by deleting all entries in the Hosts file but "127.0.0.1 localhost"; saved the results in Notepad, as ordered;

    3. tried to reverse changes in the registry:

    a. looked for changes in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
    Found none.

    b. went to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
    Found none also.

    c. went to
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    searched for the value: "-service"; found one at
    "Image Path"= "C:\WINNT\System32\lms.exe" -service
    and according to their instructions, deleted this subkey.
    Other "-service" results did not have the "face" Symantec was after, so I left them there.

    I exited and went to normal mode to keep going on, now with "your" set of instructions, and still NOT CONNECTED.

    1. Stinger: ran it from diskette, found no virus;
    2. HJT: none of the files you mentioned were found to mark and fix, probably because I had already done some fixing the night before;
    3. Safe Mode: in File Manager, I located and deleted: "duck.exe"; "msgfix.exe"; "msmonk.exe"; AND also "bcvsrv32.exe" (this one file appeared while running Stinger, in a popup by Norton telling me I had "GAOBOT", and referred to this file).
    4. Ran AdAware, full system scan: the machine crashed and froze; did not accept the Ctrl-Alt-Del command;
    5. I reset;
    6. HJT: log again showed no traces of the entries you mentioned before (and none I could imagine as "strange", even with my small knowledge);
    7. New File Manager scan: no files such as in item 3 reappeared;
    8. Ran Ad Aware again, Full Syst + Deep Scanning: zero critical objects;
    9. Ran AVG Free Ed.: scan returned No VIRUS!;
    10. Ran Microsoft Anti Spyware Beta: zero items detected;
    11. Ran Norton virus check: no infected files!!!!!

    Then I CONNECTED:
    1. no connections allowed to any site, via IE or Firefox; got timeouts in the update engines of the protection programs;
    2. I disabled Zone Alarm (do not know why, but I think it was the one preventing the connections, although I use it and it never had this behaviour before);
    3. The connections started to flow: got to TrendMicro's site to make an online scan, that returned "no viruses";
    4. Updated Norton files;
    5. Ran Norton: crashed once, rebooted, crashed twice.

    It was 2:20 a.m. Went to bed, mad as hell!

    This morning I checked HJT and the registry entries for some of the previous clues but found none.

    Could this be something about "ports" or "hosts"?
    Something does not allow Norton to scan the files completely while connected.
    I just cannot figure what that is. Will post last HJT log tonite.

    Once more, thanks for all your patience and time. You and your pals are my best shot at this. Keep the excellent work.
  • edited March 2005
    I think that now things are starting to clear. Here's the promised log:

    Logfile of HijackThis v1.99.1
    Scan saved at 22:53:35, on 23/3/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\system32\DRIVERS\dcfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\Explorer.EXE
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SymTray.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
    C:\Arquivos de programas\Java\jre1.5.0\bin\jusched.exe
    C:\Arquivos de programas\iTunes\iTunesHelper.exe
    C:\Arquivos de programas\QuickTime\qttask.exe
    C:\Arquivos de programas\iPod\bin\iPodService.exe
    C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Arquivos de programas\Anti-BO\Anti-bo.exe
    C:\Arquivos de programas\Folding@Home\winfah.exe
    C:\Arquivos de programas\Folding@Home\FahCore_65.exe
    C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Arquivos de programas\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cjub.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Arquivos de programas\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Arquivos de programas\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [hpppta] C:\Arquivos de programas\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hpppta.exe /ICON
    O4 - HKLM\..\Run: [iTunesHelper] C:\Arquivos de programas\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARQUIV~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Symtrdr.exe
    O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Startup: Folding@Home 5.03.lnk = C:\Arquivos de programas\Folding@Home\winfah.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Arquivos de programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Anti-BO v1.5b.lnk = C:\Arquivos de programas\Anti-BO\Anti-bo.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Arquivos de programas\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Arquivos de programas\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Arquivos de programas\Hello\PicasaCapture.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = criacaso.lannet
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8CE77209-DEC0-4CE4-A947-DF1BBB80F818}: NameServer = 200.244.149.23,200.244.149.26
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = criacaso.lannet
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = criacaso.lannet
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
    O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\system32\DRIVERS\dcfssvc.exe
    O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
    O23 - Service: Serviço de proteção automática do Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


    And the good news is that I was finally able to scan the machine with Norton updated files and no viruses appeared (and for security I also used Stinger once more).

    I think I can start to :D again.

    Thanks a lot for all the support. :thumbsup:
  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    The only issue that I see is that you have two antiviruses running. This can cause a conflict. Disable one of them so it doesn't run at startup and you should be ok.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to enable and re-enable system restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable system restore with instructions from the tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
  • edited March 2005
    Hi, Buckeye and team!

    I am back here to tell you that you seem an oracle, even at a distance!

    The freezing factor, that's exactly what happened next, and my machine would freeze constantly. My own opinion was that it could not handle smoothly AdAware, Microsoft AntiSpyware, SpywareBlaster, AVG, Zone Alarm and Norton all at the same time, and I was going to ask you today which ones I should keep, when I saw your post (I was out of town).

    I stuck to Norton and SpywareBlaster, for personal reasons only. I have been running now for half an hour and no problem has arisen.

    Once again, thanks a lot for your time and the attention you gave my personal issue. And congratulations on your excellent direct way of helping us poor ignorant users.
    Keep it up! :thumbsup: