Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

IRC/Backdoor.sdl - Infected WinRegs32

Started by dreamblaze , Nov 07 2004 06:07 PM

  • Please log in to reply

#1
dreamblaze
Posted 07 November 2004 - 06:07 PM

dreamblaze

    New Member

  • Member
  • Pip
  • 8 posts
hey there all :D

Just over an hour ago i reformatted due to this trojan (IRC/Backdoor.sdl). After i had reformatted and re-installed XP, set-up my internet connection etc the virus was still there!

I have AVG 6 which was unable to move the files to the vault. There are 2 infected files:
Winregs32.exe
Msnmssgs.exe

I have ad-aware, but after it's first run the reference file seems to have gone astray, and will not update to correct itself.

I found a thread related to my problem, and followed the steps using Hijack This, although my log was completely different. i managed to follow it, but when coming out of safemode and re scanning, the infections were still there.

However, after running AVG again it was able to heal the files. I am unsure that i have cured it, as my broadband connection details say i have a lot of traffic, but i have no programs open which would need it! Please could you look at this log, i would be over the moon if i can sort this with your help <_<



Hijack This log:

Logfile of HijackThis v1.98.2
Scan saved at 00:06:22, on 08/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\UTILIT~1\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\sysmsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Utilities\Winamp\winampa.exe
C:\UTILIT~1\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Utilities\AVG6\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jack\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Utilities\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG_CC] C:\UTILIT~1\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7E73806-F5A0-4870-B6FE-55BFEF9557BD}: NameServer = 212.67.120.148 212.67.96.129


I apreciate any help you could give on this. it's driving me round the bend :D
Thanks in advance...
Jack
  • 0

Advertisements

#2
admin
Posted 08 November 2004 - 12:07 AM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Some hijacks interfere with the installation of Service Pack 2, so we'll hold of for now. When we're finished cleaning your computer we highly recommend installing SP2. Click here: http://windowsupdate.microsoft.com/.
-or-
It's a very large download, so if you're on dial-up, order a free CD here:
http://www.microsoft...default810.mspx
  • 0

#3
dreamblaze
Posted 08 November 2004 - 01:46 PM

dreamblaze

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for the quick reply =)
I have Sp2 installed now.
looking in the task manager there are 3 processes that seem to directly effect my connection. as soon as i had ended them, surfing speed was back to normal. these are as follows:
crss.exe
wdrk32.exe
sysmsvc.exe

My most recent logs are shown below. The log was taken after a full system scan with AVG 6, Ad-aware and spybot; all of which i consider to be up to date!

Logfile of HijackThis v1.98.2
Scan saved at 19:45:08, on 08/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\UTILIT~1\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Utilities\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Utilities\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Jack\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Utilities\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Utilities\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Sygate Personal Port] crss.exe
O4 - HKLM\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunServices: [Sygate Personal Port] crss.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Games\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7E73806-F5A0-4870-B6FE-55BFEF9557BD}: NameServer = 212.67.120.148 212.67.96.129


Thanks for all your help, Good to know people are still out there willing to help others <_<

Jack
  • 0

#4
coachwife6
Posted 08 November 2004 - 04:34 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\RunServices: [MsWindows SysDate] sysmsvc.exe
O4 - HKLM\..\RunServices: [Sygate Personal Port] crss.exe
O4 - HKLM\..\RunServices: [Win32 DRK Driver] wdrk32.exe
O4 - HKLM\..\RunOnce: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Win32 DRK Driver] wdrk32.exe
O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe
O4 - HKCU\..\RunOnce: [Win32 DRK Driver] wdrk32.exe

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files in bold (if found):


C:/sysmsvc
C:/crss
C:/wdrk32

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

-> Reboot your computer.

If you would please, rescan with HijackThis and post a fresh log in this same topic.
  • 0

#5
dreamblaze
Posted 08 November 2004 - 06:49 PM

dreamblaze

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
heya! Thanks for all this help - I think you'v cracked it. my log is now as follows:

Logfile of HijackThis v1.98.2
Scan saved at 00:47:17, on 09/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\UTILIT~1\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Utilities\Winamp\winampa.exe
C:\Utilities\AVG6\avgcc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jack\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot\SDHelper.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Utilities\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Utilities\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab


looks fine to my lay eyes <_<
I can't say it enough - Thankyou!!!

I think this is clean now, confirm with me =)
  • 0

#6
admin
Posted 08 November 2004 - 07:57 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Congratulations! Your system is CLEAN <_<

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :D
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP