wormsdbot.wy

Discussion in 'adware, spyware & hijack cleaning' started by Clanger, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. Clanger

    Clanger Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    27
    I have just run housecall and find I have three viruses which it cannot access. The first is wormsdbot.wy; it cannot access
    C:\Windows\sys32\serv.exe
    C:\Windows\temp\trz55\temp
    C:\Windows\temp\trz58\temp

    I put them in avast chest. Here is my log:
    Logfile of HijackThis v1.97.7
    Scan saved at 02:49:35, on 10/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\autoclk.exe
    C:\WINDOWS\System32\Microsoft32.exe
    C:\WINDOWS\System32\lsrv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Ares\Ares.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\TMD-Recruit3.71\mirc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\Macromed\Shockwave 10\Download.exe
    C:\Documents and Settings\Chris Allen\Local Settings\Temporary Internet Files\Content.IE5\4XIZC1AF\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tiscali.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dixons.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [autoclk] autoclk.exe
    O4 - HKLM\..\Run: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
    O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
    O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\saxkeg.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
    O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
    O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38147.5771064815
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{08955DD1-9768-46C9-AB67-28A4AE2DE38F}: NameServer = 212.74.114.129 212.74.114.193
    O17 - HKLM\System\CS1\Services\Tcpip\..\{08955DD1-9768-46C9-AB67-28A4AE2DE38F}: NameServer = 212.74.114.129 212.74.114.193


    Any help would be appreciated, yet again. :D
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Tick the following items, then reboot

    O4 - HKLM\..\Run: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe
    O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
    O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
    O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe
    O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe

    Please submit those 3 files to submit@diamondcs.com.au
    Microsoft32.exe
    lsrv.exe
    wserv32.exe

    They should all be in the Windows or Windows\System32 folder
    Please also send these too

    C:\WINDOWS\System32\saxkeg.exe
    C:\Windows\sys32\serv.exe (sure it wasn't wserv32.exe?)
    C:\Windows\temp\trz55\temp
    C:\Windows\temp\trz58\temp
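As an added example (not code from the thread, from HijackThis or from DiamondCS), the Python script below parses the registry-based O4 autostart lines from the first log above and applies two defender-side checks: it lists every entry whose target is one of the file names the thread identified as malicious (Gavin's three plus saxkeg.exe), and it reports any executable registered under more than one Run/RunServices key across HKLM and HKCU. That second heuristic is the editor's own assumption about what legitimate software rarely does, not a HijackThis rule; the sample lines are copied from the log in this thread.

```python
"""Parse HijackThis O4 registry autostart lines and flag suspicious persistence."""
import re
from collections import defaultdict

# Matches registry-based O4 lines such as
#   O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe
# Startup-folder lines ("O4 - Global Startup: ...") have a different shape and are skipped.
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# O4 lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [SoundMan] soundman.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize',
    r'O4 - HKLM\..\Run: [nwiz] nwiz.exe /install',
    r'O4 - HKLM\..\Run: [autoclk] autoclk.exe',
    r'O4 - HKLM\..\Run: [Microsoft32.exe] Microsoft32.exe',
    r'O4 - HKLM\..\Run: [Microsoft Services] lsrv.exe',
    r'O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe',
    r'O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\saxkeg.exe',
    r'O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe',
    r'O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe',
    r'O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe',
    r'O4 - HKLM\..\RunServices: [Microsoft Services] lsrv.exe',
    r'O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe',
    r'O4 - HKCU\..\Run: [Microsoft Services] lsrv.exe',
    r'O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h',
    r'O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe',
]

# File names the thread identified as malicious (the three Gavin asked for, plus saxkeg.exe).
KNOWN_BAD = {"microsoft32.exe", "lsrv.exe", "wserv32.exe", "saxkeg.exe"}


def executable_name(cmd):
    """Lower-cased base file name of the program a Run value launches.

    Handles a quoted path followed by arguments as well as a bare file name.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0] if cmd else ""
    return path.rsplit("\\", 1)[-1].lower()


def parse_o4(line):
    """Return a dict (hive, key, name, cmd, exe) for a registry O4 line, else None."""
    m = O4_REG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = executable_name(entry["cmd"])
    return entry


def persistence_locations(lines):
    """Map each executable to the list of 'HIVE\\key' locations that launch it."""
    where = defaultdict(list)
    for line in lines:
        entry = parse_o4(line)
        if entry:
            where[entry["exe"]].append(f'{entry["hive"]}\\{entry["key"]}')
    return dict(where)


def redundant_autostarts(lines, threshold=2):
    """Executables registered in `threshold` or more autostart locations (assumed heuristic)."""
    return {exe: locs for exe, locs in persistence_locations(lines).items()
            if len(locs) >= threshold}


def known_bad_entries(lines, bad_names=KNOWN_BAD):
    """O4 lines whose target file name is in the known-bad set."""
    bad = {name.lower() for name in bad_names}
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry and entry["exe"] in bad:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for exe, locs in redundant_autostarts(SAMPLE_LOG).items():
        print(f"{exe}: registered in {', '.join(locs)}")
    print("\nEntries matching known-bad file names:")
    for hit in known_bad_entries(SAMPLE_LOG):
        print("  " + hit)
```

On the log above, the redundancy check alone singles out exactly the three names Gavin asked to have removed, because each is registered in two or three places; saxkeg.exe is caught only by the known-bad list, which is why a name-based check still matters.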
     
  3. Clanger

    Clanger Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    27
    I still can't find the saxkeg.exe, but I have done as you asked.

    Here is my log
    Logfile of HijackThis v1.97.7
    Scan saved at 11:14:22, on 10/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\autoclk.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Ares\Ares.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Documents and Settings\Chris Allen\Local Settings\Temporary Internet Files\Content.IE5\LJK9DTCS\HijackThis[1].exe
    C:\Program Files\Outlook Express\msimn.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tiscali.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dixons.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [autoclk] autoclk.exe
    O4 - HKLM\..\Run: [Disk Defragmenter] C:\WINDOWS\System32\saxkeg.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
    O4 - Startup: Hewlett-Packard Recorder.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38147.5771064815
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/Sasser/20/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{08955DD1-9768-46C9-AB67-28A4AE2DE38F}: NameServer = 212.74.114.129 212.74.114.193
    O17 - HKLM\System\CS1\Services\Tcpip\..\{08955DD1-9768-46C9-AB67-28A4AE2DE38F}: NameServer = 212.74.114.129 212.74.114.193

    Should I just get rid of the saxkeg one and empty the chest of avast?
    This is the report from my virus scanner:

    avast! Report
    * This file is generated automatically
    *
    * Task 'Resident protection' used
    * Started on Wednesday, June 09, 2004 11:02:13 PM
    * VPS: 0418-0, 26/04/2004
    *

    C:\WINDOWS\System32\saxkeg.exe [L] Win32:Korgo-F [Wrm] (0)
    During the file repair, error occurred: The file was not repaired.
    File was successfully moved to chest...
    File was successfully moved to chest...
    C:\WINDOWS\System32\wuamgrd.exe [L] Win32:Trojan-gen. {UPX!} (0)
    While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
    While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
    During the file repair, error occurred: Access is denied
    File was successfully moved to chest...
    File was successfully moved to chest...
    C:\WINDOWS\system32\ftpupd.exe [L] Win32:Korgo-F [Wrm] (0)
    During the file repair, error occurred: The file was not repaired.
    File was successfully moved to chest...
    File was successfully moved to chest...
    C:\WINDOWS\system32\TFTP3524 [L] Win32:Trojan-gen. {UPX!} (0)
    During the file repair, error occurred: Access is denied
    File was successfully moved to chest...
    File was successfully moved to chest...

    And can you tell me the ones again to get rid of Dixons homepage.

    Sorry to be a pest
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Have you tried scanning in safe mode with avast?

    Then find: C:\WINNT\INF\iereset.inf

    Open it in notepad and post the content.

    Regards,

    Pieter
     
  5. Clanger

    Clanger Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    27
    Scanned in safe mode, but didn't know whether to delete. Avast couldn't access them to repair, so I moved them to the chest.

    This is the file you asked for

    [Version]
    Signature="$CHICAGO$"
    AdvancedINF=2.5,"You need a new version of advpack.dll"

    [RestoreHomePage]
    AddReg=RestoreHomePage.reg

    [RestoreBrowserSettings]
    AddReg=RestoreBrowserSettings.reg
    DelReg=DeleteTemplates.reg, DeleteAutosearch.reg

    [RestoreHomePage.reg]
    HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%

    [RestoreBrowserSettings.reg]
    HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
    HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%
    HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"
    HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%

    ; NOTE (andrewgu) ie5.5 b#108259 - autosearch settings are not properly reset
    HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""

    HKLM,"Software\Microsoft\Internet Explorer\Search","SearchAssistant",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
    HKLM,"Software\Microsoft\Internet Explorer\Search","CustomizeSearch",0,"http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"

    [DeleteTemplates.reg]
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"
    HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"

    [DeleteAutosearch.reg]
    ; NOTE (andrewgu) ie5.5 b#108259 - autosearch settings are not properly reset
    HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"

    [Strings]
    START_PAGE_URL=http://www.dixons.co.uk/
    SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    SAFESITE_VALUE="ie.search.msn.com"

    ; IMPORTANT NOTE:
    ; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.
    ; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.
    ; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.
    MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I don't think there is anything to repair in those files. They should be deleted.

    In IERESET.INF

    Change this bit
    to

    [Strings]
    START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
    SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
    SAFESITE_VALUE="ie.search.msn.com"

    If you want to have the default Windows settings, or put in any URL you prefer, of course.

    Then click Save to keep those settings.

    That will change this line in your log:
    O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
    and enable you to permanently get rid of the other:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dixons.co.uk/

    Regards,

    Pieter
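As an added example (not code from the thread or from Microsoft), the Python script below audits an IERESET.INF the way Pieter's reply describes: it parses the INF sections, resolves the %...% placeholders the [RestoreHomePage.reg] and [RestoreBrowserSettings.reg] entries refer to, reports when START_PAGE_URL differs from MS_START_PAGE_URL (the file's own comment says the two must match in an unmodified IE), and rewrites the [Strings] line so a later "reset" restores the Microsoft default rather than the hijacked page. The INF text is a constructed excerpt of the file Clanger posted above; `set_start_page` assumes that `START_PAGE_URL=` appears only in the [Strings] section.

```python
"""Audit the [Strings] section of IERESET.INF and show what a browser reset would restore."""
import csv
import re

# Constructed excerpt of the IERESET.INF posted in this thread (comments and the
# DelReg sections are omitted; the [Strings] values are the ones shown above).
SAMPLE_INF = r"""[Version]
Signature="$CHICAGO$"

[RestoreHomePage]
AddReg=RestoreHomePage.reg

[RestoreHomePage.reg]
HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%

[RestoreBrowserSettings.reg]
HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%
HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"

[Strings]
START_PAGE_URL=http://www.dixons.co.uk/
SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
SAFESITE_VALUE="ie.search.msn.com"
MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"""

MS_DEFAULT = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"


def parse_inf(text):
    """Return {section name: [content lines]}, dropping blanks and ';' comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def unquote(value):
    """Strip one pair of surrounding double quotes, as INF string values may carry them."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def strings_table(sections):
    """Name -> value mapping from the [Strings] section."""
    table = {}
    for line in sections.get("Strings", []):
        name, _, value = line.partition("=")
        table[name.strip()] = unquote(value)
    return table


def expand(field, strings):
    """Replace %NAME% tokens with their [Strings] values; unknown tokens are left as-is."""
    return re.sub(r"%([A-Za-z0-9_]+)%",
                  lambda m: strings.get(m.group(1), m.group(0)), field)


def restored_values(text):
    """(hive, subkey, value name, resolved data) for every AddReg line in a *.reg section."""
    sections = parse_inf(text)
    strings = strings_table(sections)
    out = []
    for name, lines in sections.items():
        if not name.endswith(".reg"):
            continue
        for line in lines:
            fields = next(csv.reader([line]))   # INF AddReg lines are comma separated, quoted
            if len(fields) == 5:                 # hive, subkey, value name, flags, data
                hive, subkey, value_name, _flags, data = fields
                out.append((hive, subkey, value_name, expand(unquote(data), strings)))
    return out


def home_page_mismatch(text):
    """Return (START_PAGE_URL, MS_START_PAGE_URL) when they differ, else None.

    The INF's own comment states the two must be identical in the IE version
    Microsoft ships, so a difference is a sign the reset page has been altered.
    """
    strings = strings_table(parse_inf(text))
    start, default = strings.get("START_PAGE_URL"), strings.get("MS_START_PAGE_URL")
    return (start, default) if start != default else None


def set_start_page(text, url):
    """Rewrite the START_PAGE_URL line in [Strings] (Pieter's fix); assumes it occurs once."""
    return re.sub(r"^START_PAGE_URL=.*$", lambda m: f'START_PAGE_URL="{url}"',
                  text, flags=re.MULTILINE)


if __name__ == "__main__":
    mismatch = home_page_mismatch(SAMPLE_INF)
    print("Reset page differs from MS default:", mismatch)
    for hive, subkey, value_name, data in restored_values(SAMPLE_INF):
        print(f"{hive}\\{subkey}\\{value_name} -> {data}")
    fixed = set_start_page(SAMPLE_INF, MS_DEFAULT)
    print("After fix, mismatch:", home_page_mismatch(fixed))
```

Running it against the excerpt shows both the HKCU "Start Page" and the HKLM "Default_Page_URL" entries resolving to the Dixons URL, which is exactly why the R1 line kept reappearing after removal; after the [Strings] rewrite both resolve to the Microsoft default and the mismatch check returns None.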
     
  7. Clanger

    Clanger Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    27
    I have just done an online trojan scan and it has come up with this:

    Trojan 5000 OPEN Bubbel, Back Door Setup, Sockets de Troie

    I have Kerio firewall and avast antivirus; how can I plug this open port?
     