
Infected With Backdoor\sdbot2


This topic is locked
2 replies to this topic

#1 Gary8354 (Members, 1 posts)

Posted 01 November 2006 - 11:08 AM

I am running NT 4.0. I have run adware and Spybot and then AVG; however, after cleaning the computer it's like they are coming in a back door and putting the virus back in, and it causes a Dr. Watson error.
Here is a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:40:25 AM, on 11/1/06
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\System32\llssrv.exe
F:\WINNT\System32\nddeagnt.exe
c:\Radius\ACCESS~1\bin\radiusd.exe
F:\WINNT\System32\LOCATOR.EXE
F:\WINNT\Explorer.EXE
F:\WINNT\system32\RpcSs.exe
F:\WINNT\System32\sistray.EXE
f:\Program Files\ORL\VNC\WinVNC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
F:\WINNT\System32\esserver.exe
f:\winnt\system32\pstores.exe
F:\WINNT\system32\MSTask.exe
F:\WINNT\System32\SENS.EXE
F:\drivers\hijackthis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiS Tray] F:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [WinVNC] "f:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...n9x/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tomah.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tomah.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.200.8.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tomah.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.200.8.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.200.8.6
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Network Gateway Manager (npx) - Unknown owner - F:\WINNT\csrsc.exe (file missing)
O23 - Service: post.office MTA (post.office) - Unknown owner - c:\win32app\Post.Office\\post.office.exe
O23 - Service: RadiusSrv - Unknown owner - c:\Radius\ACCESS~1\bin\radiusd.exe
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - F:\WINNT\lsass.exe (file missing)
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - F:\WINNT\system\winlogon.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - f:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)
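A triage aid for the O23 (NT service) lines in a log like the one above, added here as an example; it is not part of the original post and not HijackThis code. It parses the O23 layout, marks services whose binary is reported missing, services that borrow a core NT process name (lsass.exe, winlogon.exe, ...) from a directory other than system32, and one-character lookalikes such as csrsc.exe next to csrss.exe. The sample lines are copied from the log above; the assumption that genuine copies live in system32 follows the process list in the same log, and the heuristics are a starting point for review, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the O23 lines from the HijackThis log posted above.
# The parser and heuristics are added here; they are not part of the post.
SAMPLE_O23 = [
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe",
    r"O23 - Service: Network Gateway Manager (npx) - Unknown owner - F:\WINNT\csrsc.exe (file missing)",
    r"O23 - Service: RadiusSrv - Unknown owner - c:\Radius\ACCESS~1\bin\radiusd.exe",
    r"O23 - Service: Microsoft sdk core (sdk) - Unknown owner - F:\WINNT\lsass.exe (file missing)",
    r"O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - F:\WINNT\system\winlogon.exe (file missing)",
    r'O23 - Service: VNC Server (winvnc) - Unknown owner - f:\Program Files\ORL\VNC\WinVNC.exe" -service (file missing)',
]

# HijackThis O23 layout: "O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Core NT process names that malware likes to borrow. Assumption: on this NT 4 layout
# the genuine copies live in the system32 directory (see the running-process list).
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


@dataclass
class Service:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool
    findings: List[str] = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes (csrsc vs csrss)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o23(line: str) -> Optional[Service]:
    """Parse one O23 line; returns None for lines that are not O23 entries."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(
        display=m.group("display"),
        name=m.group("name") or m.group("display"),
        owner=m.group("owner"),
        path=m.group("path"),
        file_missing=m.group("missing") is not None,
    )


def split_binary(path: str) -> Tuple[str, str]:
    """Return (parent directory, file name), lower-cased, ignoring service arguments."""
    m = re.match(r"^(.*?\.exe)", path, re.IGNORECASE)  # drop trailing args such as '" -service'
    exe = m.group(1) if m else path
    parts = re.split(r"[\\/]", exe)
    folder = parts[-2].lower() if len(parts) >= 2 else ""
    return folder, parts[-1].lower()


def analyse(line: str) -> Optional[Service]:
    """Apply the three heuristics to one O23 line and record findings on the Service."""
    svc = parse_o23(line)
    if svc is None:
        return None
    folder, exe = split_binary(svc.path)
    if svc.file_missing:
        svc.findings.append("registered service whose binary is absent (leftover, or re-created on the next run)")
    if exe in CORE_PROCESSES:
        if folder != "system32":
            svc.findings.append(f"core process name {exe} loaded from '{folder}', not system32")
    else:
        for core in sorted(CORE_PROCESSES):
            if edit_distance(exe, core) == 1:
                svc.findings.append(f"{exe} is a one-character lookalike of {core}")
    return svc


def suspicious_services(lines: List[str]) -> Dict[str, List[str]]:
    """Map service short name -> findings, for services with at least one finding."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        svc = analyse(line)
        if svc and svc.findings:
            out[svc.name] = svc.findings
    return out


if __name__ == "__main__":
    for name, findings in suspicious_services(SAMPLE_O23).items():
        print(name)
        for finding in findings:
            print("   -", finding)
```

Run against the sample, the AVG and RADIUS services produce no findings, while npx (csrsc.exe, a lookalike of csrss.exe), sdk (lsass.exe outside system32) and WINLOGON (winlogon.exe under \system) are each flagged on two counts; winvnc is flagged only because the log reports its file as missing, which for a quoted path like that one may just be how the log reader parsed the command line, so a finding is a prompt to look, not a conviction.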

#2 Buckeye_Sam, Malware Expert (Members, 17,382 posts; Pickerington, Ohio)

Posted 08 November 2006 - 09:58 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay in getting to your log; the helpers here are very busy.

If you still need help, please post a fresh HijackThis log in this thread so I can help you with your malware problems.
If you have resolved this issue, please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam, Malware Expert (Members, 17,382 posts; Pickerington, Ohio)

Posted 22 November 2006 - 06:01 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.

========================================================



