
Sony VAIO Laptop XP SP1 infected by Bobic Worm [RESOLVED]



#1 Lost_In_Paris (New Member, 4 posts)

Hello,

I am facing some problems with my Sony VAIO Laptop and would need some help.

I have installed the AntiVir program and the Sygate firewall, and found the Bobic Worm and the SdBot Backdoor.

I have followed the advised steps before posting. Unfortunately I have already been using the HijackThis program before, and moved some lines to the IgnoreThis section, so my posted log is incomplete.

Logfile of HijackThis v1.99.1
Scan saved at 00:12:07, on 01/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\kdx\KHost.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\PROGRA~1\Messager Wanadoo\StartMessager.exe
C:\Program Files\Wanadoo\taskbaricon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\HijackThis.exe

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Paste-it Notes] C:\Program Files\Paste-it\NoteManager.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [pktmgnUjnkl] C:\WINDOWS\System32\kqffot.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099062040889
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B1F844EF-66D8-4F31-96B4-E8DBAA79335B}: NameServer = 217.15.80.4,217.15.88.4
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Object Desktop\WindowBlinds\fastload.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


I check and fix the following lines at every start
O1 - Hosts: 255.255.255.255 [...]
O4 - HKLM\..\Run: [pktmgnUjnkl] C:\WINDOWS\System32\kqffot.exe
but they just keep reappearing.


The line
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
just appeared today after the thorough check-up you advised.



My Spybot check always turns up five altered registry keys

--- Search result list ---
Windows Security Center.AntiVirusOverride: Réglages (Modification du registre, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

Windows Security Center.FirewallOverride: Réglages (Modification du registre, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Windows Security Center.FirewallDisableNotify: Réglages (Modification du registre, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Réglages (Modification du registre, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Windows Security Center.UpdateDisableNotify: Réglages (Modification du registre, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0


which I try to correct in vain.


When I shut the system down, I get a blue screen at the end where I can just recognize the following line, IRQ_Not_Less_Or_Equal, before it flashes away.

The Bobic worm has been identified by Trend Housecall and Kaspersky online scans as residing mainly in my C:\Documents and Settings\User\Local Settings\Temp\ directory.

The Laptop is DSL connected and the firewall detects some strong incoming and outgoing activity that is being blocked.

I have also detected a trojan with CWShredder which keeps reappearing.

I hope this is not too confusing, and will be thankful for any help.


UPDATE 12 03 2005

I got a new virus definition yesterday for Antivir which found the Bobic Worm in the Temp Files and was able to delete and block them after a reboot.

Nevertheless, at each new start, the worm tries to create temporary files so I'm not completely clean yet.

I got rid of my automatic rebooting problem, Spybot fixed the registry keys, and I fixed the CWS issue and the first line of the HijackThis log, but I am still puzzled by the following line

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

and my event log file is damaged.

The incoming and outgoing traffic monitored by the firewall is now much quieter.

The computer is now stabilized, but I wonder if I can update to SP2 now, or if I have to get rid of all traces of the Bobic Worm.

Thanks for any good advice.

Lost_In_Paris

Edited by Lost_In_Paris, 03 December 2005 - 06:47 AM.
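The two indicators that keep coming back in the post above, the O1 hosts entry and the five Security Center keys, are both ways malware protects itself: mapping vendor and Windows Update domains to 255.255.255.255 stops scanners from updating, and non-zero Override/DisableNotify values stop Windows from warning that protection is off. The following Python script is an added example, not part of the original post or of HijackThis or Spybot; it runs the two corresponding checks over a pasted log. The vendor keyword list and the short sample log are constructed for the example from the entries quoted above.

```python
"""Triage two indicators from a pasted HijackThis / Spybot log (added example).

Checks implemented:
  1. 'O1 - Hosts:' lines that map security-vendor or update hostnames to a
     blackhole address (a Qhost-style hosts-file hijack).
  2. Spybot 'Security Center' result lines reporting Override / DisableNotify
     values that are not 0 (these suppress the XP Security Center warnings).
"""
import re
from typing import Dict, List, Optional, Tuple

# Addresses commonly used to blackhole a hostname via the hosts file.
BLACKHOLE_ADDRS = {"255.255.255.255", "127.0.0.1", "0.0.0.0"}

# Substrings identifying security-vendor / update hostnames. Constructed for
# this example from the domains quoted in the log; extend as needed.
SECURITY_VENDOR_MARKERS = (
    "symantec", "mcafee", "kaspersky", "avp.", "sophos", "f-secure",
    "trendmicro", "nai.com", "ca.com", "my-etrust", "viruslist",
    "windowsupdate", "microsoft.com",
)

# Security Center values that are normally 0 on a clean system.
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride", "FirewallOverride", "FirewallDisableNotify",
    "AntiVirusDisableNotify", "UpdatesDisableNotify",
}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(.+)$")
SPYBOT_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\(\w+)!=dword:(\d+)"
)


def parse_o1_hosts(line: str) -> Optional[Tuple[str, List[str]]]:
    """Split an 'O1 - Hosts:' line into (address, hostnames); None if not O1."""
    m = O1_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2).split()


def flag_hosts_hijack(line: str) -> List[str]:
    """Return security-vendor hostnames that the line redirects to a blackhole."""
    parsed = parse_o1_hosts(line)
    if parsed is None:
        return []
    addr, hosts = parsed
    if addr not in BLACKHOLE_ADDRS:
        return []
    return [h for h in hosts
            if any(marker in h.lower() for marker in SECURITY_VENDOR_MARKERS)]


def flag_security_center_overrides(lines: List[str]) -> List[str]:
    """Return Security Center value names that Spybot reports as not equal to 0."""
    flagged = []
    for line in lines:
        m = SPYBOT_RE.search(line)
        if m and m.group(1) in SECURITY_CENTER_VALUES:
            flagged.append(m.group(1))
    return flagged


def triage(log_text: str) -> Dict[str, List[str]]:
    """Run both checks over a pasted log and return the findings per check."""
    lines = log_text.splitlines()
    hosts_hits: List[str] = []
    for line in lines:
        hosts_hits.extend(flag_hosts_hijack(line))
    return {
        "hosts_hijack": hosts_hits,
        "security_center_overrides": flag_security_center_overrides(lines),
    }


# Constructed sample: a shortened O1 line, a benign O4 line and two Spybot results.
SAMPLE_LOG = """\
O1 - Hosts: 255.255.255.255 atdmt.com avp.ch download.mcafee.com windowsupdate.microsoft.com www.symantec.com
O4 - HKLM\\..\\Run: [AVGCtrl] C:\\Program Files\\AVPersonal\\AVGNT.EXE /min
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusOverride!=dword:0
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify!=dword:0
"""

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

Pasting the full O1 line from the log in place of the sample returns the complete list of redirected vendor domains; any O1 entry whose address is not in the blackhole set, such as an intranet alias, is left alone.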


#2 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)

Hi Lost In Paris,

Download the Hoster Here

Unzip Hoster to your desktop

Open up the Hoster program.
  • Make sure that the "make hosts writable?" button in the upper right corner is enabled.
  • Click back up Host files
  • then click Restore original host files
  • close program
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky results along with a new HijackThis log. If you have any items disabled from startup, please reenable them all before scanning with HijackThis.

#3 Lost_In_Paris (Topic Starter, New Member, 4 posts)

Hi Armodeluxe,

Thank you for your time and your help.


I ran the Hoster program according to your instructions, and then the Kaspersky Online Scanner.

Here is the Kaspersky result:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 10, 2005 12:03:41
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/12/2005
Kaspersky Anti-Virus database records: 164254
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 46038
Number of viruses found: 4
Number of infected objects: 121
Number of suspicious objects: 0
Duration of the scan process: 3508 sec

Infected Object Name - Virus Name
C:\Documents and Settings\NP\Local Settings\Temp\10.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\11.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\12.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\14.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\16.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\18.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\1A.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\1E.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\3.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\8.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\9.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\A.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\D.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~1.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~13.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~15.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~17.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~19.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~1D.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~4.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~6.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~7.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~B.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~C.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~E.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Local Settings\Temp\~F.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051125-183720-597 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051125-190843-830 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051125-195415-400 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051126-152842-548 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051126-162536-877 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051126-163226-513 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051126-211448-703 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051126-212721-755 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051126-235931-426 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051127-142741-817 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051127-191340-948 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051128-080752-156 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051128-144242-621 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051128-190940-132 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051129-092706-856 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051129-101721-873 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051129-110806-722 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051129-191444-853 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051130-111743-409 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051201-002224-614 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051201-085506-754 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051201-115325-563 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051201-133026-158 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051201-150055-633 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051201-165852-729 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051201-185531-379 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051202-084919-245 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051202-092719-122 Infected: Trojan.Win32.Qhost
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\backups\backup-20051202-134958-586 Infected: Trojan.Win32.Qhost
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0000022.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0001003.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0001010.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0001011.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0002007.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0003008.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0003015.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0003016.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0003018.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0003019.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0003020.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0005004.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0005006.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0006005.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0006006.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0006007.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0006008.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0006084.exe Infected: Trojan-Proxy.Win32.Agent.ib
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0007006.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP1\A0007007.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0008005.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0008006.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0009005.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0009006.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0010005.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0010006.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0010009.exe Infected: Trojan-Proxy.Win32.Agent.ib
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0010018.exe Infected: Trojan-Proxy.Win32.Agent.ib
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0011006.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0011009.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0012005.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0012006.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0013005.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0013006.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0013051.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP2\A0013072.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP5\A0015169.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP5\A0015179.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP5\A0015189.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP5\A0016227.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP6\A0017260.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP6\A0017261.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP6\A0017264.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP6\A0018242.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP6\A0018243.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018265.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018266.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018267.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018279.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018288.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018289.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018291.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018295.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP7\A0018296.exe Infected: Net-Worm.Win32.Bobic.ac
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018306.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018307.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018308.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018309.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018310.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018311.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018312.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018313.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018314.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018315.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018316.exe Infected: Net-Worm.Win32.Bobic.k
C:\System Volume Information\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\RP8\A0018317.exe Infected: Net-Worm.Win32.Bobic.k

Scan process completed.


And here is the complete HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:30, on 10/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\WINDOWS\System32\ati2evxx.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\WINDOWS\kdx\KHost.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Messager Wanadoo\StartMessager.exe
C:\Program Files\Wanadoo\taskbaricon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\NP\Mes documents\Docs\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Paste-it Notes] C:\Program Files\Paste-it\NoteManager.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [MessagerStarter Wanadoo] C:\PROGRA~1\Messager Wanadoo\StartMessager.exe Messager Wanadoo
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\Program Files\Wanadoo\taskbaricon.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Traduire à partir de l'anglais - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Pages liées - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Pages similaires - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Recherche &Google - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Version de la page actuelle disponible dans le cache Google - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall....ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E202E436-658E-4721-BBFD-3814CFABE41B}: NameServer = 80.10.246.130 80.10.246.3
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Object Desktop\WindowBlinds\fastload.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Fichiers communs\Sony Shared\AVLib\SPTISRV.exe

Thanks again.

Lost_In_Paris
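The report above lists 121 infected objects in three places: the user's Temp folder, the HijackThis backups folder, and the System Restore store under System Volume Information. Grouping the detections that way shows which clean-up action each depends on (emptying Temp, emptying the HijackThis backups, flushing the restore points), which is the shape of the advice that follows in the thread. The Python snippet below is an added example, not from the thread or from Kaspersky; it parses the report's `<path> Infected: <name>` lines and counts detections per container and per malware family. The input is a constructed, shortened excerpt in the same format as the report above.

```python
"""Summarise a Kaspersky On-line Scanner report by location and family (added example).

Only the '<path> Infected: <name>' lines are used; header, statistics and
blank lines are skipped. Each path is mapped to the container the clean-up
steps act on, so the counts show what each step will remove.
"""
import re
from collections import Counter
from typing import Dict, Tuple

INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<family>\S+)\s*$")


def classify_path(path: str) -> str:
    """Map a detection path to the container a clean-up step acts on."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore_points"   # gone only when restore points are flushed
    if "\\local settings\\temp\\" in p:
        return "user_temp"               # removed by emptying the Temp folder
    if "\\hijackthis\\backups\\" in p:
        return "hijackthis_backups"      # removed by emptying the HJT backups folder
    return "other"                       # needs individual attention


def summarise_report(report: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (detections per container, detections per malware family)."""
    by_container: Counter = Counter()
    by_family: Counter = Counter()
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        by_container[classify_path(m.group("path"))] += 1
        by_family[m.group("family")] += 1
    return dict(by_container), dict(by_family)


# Constructed sample in the report's format (fewer entries than the real report).
SAMPLE_REPORT = """\
Infected Object Name - Virus Name
C:\\Documents and Settings\\NP\\Local Settings\\Temp\\10.tmp Infected: Net-Worm.Win32.Bobic.ac
C:\\Documents and Settings\\NP\\Local Settings\\Temp\\~1.tmp.exe Infected: Net-Worm.Win32.Bobic.ac
C:\\Documents and Settings\\NP\\Mes documents\\Docs\\hijackthis\\backups\\backup-20051125-183720-597 Infected: Trojan.Win32.Qhost
C:\\System Volume Information\\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\\RP1\\A0000022.exe Infected: Net-Worm.Win32.Bobic.k
C:\\System Volume Information\\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\\RP2\\A0010009.exe Infected: Trojan-Proxy.Win32.Agent.ib
C:\\System Volume Information\\_restore{97C70649-EF83-44ED-AB32-80E4241CCD72}\\RP7\\A0018267.exe Infected: Net-Worm.Win32.Bobic.ac

Scan process completed.
"""

if __name__ == "__main__":
    containers, families = summarise_report(SAMPLE_REPORT)
    print("by container:", containers)
    print("by family:", families)
```

Run against the full report, the "other" bucket is the one worth reading line by line: anything there is not covered by the three bulk clean-up steps.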

#4 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)

First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Please update Ewido
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed, exit Ewido
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

If Cleanup! asks if you want to reboot, click NO

Open Ewido
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Now manually navigate to this folder:

C:\Documents and Settings\NP\Local Settings\Temp

See, after running Cleanup, if there is still anything in that folder. If there is, try to delete all of them.

Then please empty the HijackThis backups folder.

Reboot back to normal mode and please run one more Kaspersky scan. Before the scan:

Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Please post the log from Ewido along with the new Kaspersky scan results.
  • 0

#5
Lost_In_Paris

Lost_In_Paris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi Armodeluxe,

I have followed your instructions and I am pleased by the positive results that ensued.

Here's the Ewido log:

---------------------------------------------------------
ewido security suite - Rapport de scan
---------------------------------------------------------

+ Créé le: 22:39:54, 11/12/2005
+ Somme de contrôle: CB38828C

+ Résultats du scan:

Pas de fichiers infectés trouvés!


::Fin du rapport

... which means no infected files found, and is confirmed by the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, December 12, 2005 01:40:24
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 12/12/2005
Kaspersky Anti-Virus database records: 164532
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 43319
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 3413 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.


Thank you very much for your help. The hoster program seems to have been the problem solver in this case.

Can you confirm that it is safe for me to upgrade to SP2?

Your instructions have been really clear and helpful.

Merci beaucoup.

Lost_In_Paris

Edited by Lost_In_Paris, 12 December 2005 - 08:35 AM.

  • 0

#6
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Sure, now that you appear to be clean, it is the right time to upgrade. You can download it here:

http://www.microsoft...p2/default.mspx

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall as it monitors only incoming traffic. Pick one of these, they are all free.
Kerio
Zonealarm
Sygate


Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, scan every file before clicking on it.

Additional programs to consider:

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad
Adds a list of malicious sites to your Restricted Sites Zone.
Firefox An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe
  • 0

#7
Armodeluxe

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0