Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Unknown little problems.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Isilwen » December 24th, 2006, 11:16 am

Oh, looking at the Kasp. report i can see that only few files are infected. Here they are:

C:\Documents and Settings\LocalService.NT AUTHORITY\Impostazioni locali\Temporary Internet Files\Content.IE5\E6VQI1EL\pro[1].exe/data.rar/neo.exe Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Impostazioni locali\Temporary Internet Files\Content.IE5\E6VQI1EL\pro[1].exe/data.rar Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Impostazioni locali\Temporary Internet Files\Content.IE5\E6VQI1EL\pro[1].exe RarSFX: infected - 2 skipped
C:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Programmi\mirc\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\03BD4982 Infected: Backdoor.Win32.Codbot.bm skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\09CC34F4.tmp Infected: Trojan.Win32.Obfuscated.z skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\103170E3.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\12D11330.EXE Infected: Backdoor.Win32.SdBot.ahx skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\15327676.htm Infected: Exploit.Win32.MS06-006.e skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\32DE1371.exe Infected: Backdoor.Win32.PoeBot.c skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\3C2E253E.htm Infected: Exploit.Win32.MS06-006.e skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\421B317F Infected: Backdoor.Win32.Codbot.bm skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\455A567B.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\57B8211D.exe Infected: Backdoor.Win32.PoeBot.c skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\61560BD9.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\623432E5.exe Infected: Backdoor.Win32.Rbot.ahn skipped
C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine\6ADF5CA3.exe Infected: Backdoor.Win32.Rbot.bdu skipped
C:\SDFix\backups_old1\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\SDFix\backups_old1\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP28\A0006597.exe/data.rar/neo.exe Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP28\A0006597.exe/data.rar Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP28\A0006597.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP33\A0007933.exe/data.rar/neo.exe Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP33\A0007933.exe/data.rar Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP33\A0007933.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009508.exe Infected: Backdoor.Win32.SdBot.azs skipped
C:\WINDOWS\system32\Com\neo.exe Infected: Trojan-Downloader.Win32.Small.edb skipped
Isilwen
Active Member
 
Posts: 13
Joined: December 24th, 2006, 4:40 am
Advertisement
Register to Remove

Unread postby Shaba » December 24th, 2006, 11:28 am

Hi

Empty this folder:

C:\Programmi\Norton Internet Security\Norton AntiVirus\Quarantine

Delete this:

C:\WINDOWS\system32\Com\neo.exe

Empty Recycle Bin.

Next I have a one wish for you that sdfix could be updated in the future for that sdbot you had:

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following line into the Step 1: Paste Text window:

C:\!KillBox\dmrproc.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next please visit SpyKillers forum here

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Read the instructions for uploading files which is the first topic on the forum then start a new Topic named 'SDbot files for AndyManchesta' , please then post a link to this thread and upload the requested files.cab archive from your desktop

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\Documents and Settings\LocalService.NT AUTHORITY\Impostazioni locali\Temporary Internet Files\Content.IE5\E6VQI1EL\pro[1].exe
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

Re-scan with kaspersky

Send:

- a fresh HijackThis log
- kaspersky report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Isilwen » December 24th, 2006, 11:50 am

It seems that forum does not load right now. I will try again later.
I proceed to the other steps.
Isilwen
Active Member
 
Posts: 13
Joined: December 24th, 2006, 4:40 am

Unread postby Isilwen » December 24th, 2006, 12:58 pm

Again, these are the files infected, based on Kaspersky.

C:\!KillBox\dmrproc.exe Infected: Backdoor.Win32.SdBot.azs skipped
C:\!KillBox\pro[1].exe/data.rar/neo.exe Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\!KillBox\pro[1].exe/data.rar Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\!KillBox\pro[1].exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Isilwen\Desktop\requested-files[2006-12-24_16_45].cab/C:/!KillBox/dmrproc.exe Infected: Backdoor.Win32.SdBot.azs skipped
C:\Documents and Settings\Isilwen\Desktop\requested-files[2006-12-24_16_45].cab CAB: infected - 1 skipped
C:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Programmi\mirc\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\SDFix\backups_old1\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\SDFix\backups_old1\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP28\A0006597.exe/data.rar/neo.exe Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP28\A0006597.exe/data.rar Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP28\A0006597.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP33\A0007933.exe/data.rar/neo.exe Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP33\A0007933.exe/data.rar Infected: Trojan-Downloader.Win32.Small.edb skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP33\A0007933.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009508.exe Infected: Backdoor.Win32.SdBot.azs skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009607.exe Infected: Backdoor.Win32.Rbot.bdu skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009608.EXE Infected: Backdoor.Win32.SdBot.ahx skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009609.exe Infected: Backdoor.Win32.PoeBot.c skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009610.exe Infected: Backdoor.Win32.PoeBot.c skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009611.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009612.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{D1063E4D-42E9-4FAC-81E9-9D8212AA9CEC}\RP34\A0009613.exe Infected: Backdoor.Win32.Rbot.ahn skipped


And this is Hijackthis.

Logfile of HijackThis v1.99.1
Scan saved at 17.57.39, on 24/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Programmi\Analog Devices\Core\smax4pnp.exe
C:\Programmi\Analog Devices\SoundMAX\Smax4.exe
C:\Programmi\ULi5287\ULi5287.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Telecom Italia Media\Fast 800-840 Tin.it\dslmon.exe
C:\Programmi\lolifox\lolifox.exe
C:\Programmi\ABC\abc.exe
C:\Programmi\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmi\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programmi\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Programmi\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ULiRaid] C:\Programmi\ULi5287\ULi5287.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Programmi\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\RunOnce: [Inetreg] "C:\Programmi\InstallShield Installation Information\{AC85CD9E-BC46-4874-90E6-ADB558DE7D9E}\Setup.exe" /i_again -s
O4 - Global Startup: DSLMON.lnk = C:\Programmi\Telecom Italia Media\Fast 800-840 Tin.it\dslmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 6891629925
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 6893699717
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EB12550-0046-4AEE-83D3-0955B5E00BAC}: NameServer = 62.211.69.150 212.48.4.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{3EB12550-0046-4AEE-83D3-0955B5E00BAC}: NameServer = 62.211.69.150 212.48.4.15
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
Isilwen
Active Member
 
Posts: 13
Joined: December 24th, 2006, 4:40 am

Unread postby Shaba » December 24th, 2006, 1:44 pm

Hi

Now it looks good :)

All viruses are in system restore or in backup folders; not active any more.

Were you able to access spykiller?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Isilwen » December 24th, 2006, 1:47 pm

Don't know why, but that site does not seem to load. Tried several times, and always the connection times out.
Isilwen
Active Member
 
Posts: 13
Joined: December 24th, 2006, 4:40 am

Unread postby Shaba » December 24th, 2006, 1:50 pm

Yes, same here.

You can upload it later when site is up again.

Feel free to empty these folders:

C:\!KillBox\
C:\SDFix\backups_old1\

Empty Recycle Bin.

Do you still have problems?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby Isilwen » December 24th, 2006, 2:14 pm

No, everything seems fine :)
You've been awesome :D
Thanks a lot for your time, your help was greatly appreciated ^^

I will try uploading what you requested later.

Thanks again and Happy Holidays!
Isilwen
Active Member
 
Posts: 13
Joined: December 24th, 2006, 4:40 am

Unread postby Shaba » December 24th, 2006, 2:23 pm

Great :)

You're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.


See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

And happy holidays :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby NonSuch » December 25th, 2006, 2:09 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 33 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware