Thread: Leftovers from Project1, command.exe viruses

  1. #1
    Join Date
    Oct 2006
    Posts
    19

    Leftovers from Project1, command.exe viruses

    I'm coming to the end of a long battle to clean my mum's computer from a nasty virus (or possible set of viruses) and wanted to make sure that the computer is clean before installing some proper protection...

    I'm also curious to find out more about the threat which seems to have evaded detection and/or fixing by all the progs I tried.

    It seemed to start with something generating loads of pop-ups, and a search bar that installed itself in the taskbar (called 'deskbar') eventually slowed inet traffic down to a complete standstill. Bit by bit I was able to remove offending items, but it wasn't until the very end that inet access was back to normal. Very frustrating as I was unable to download spyware updates or post to forums for help!

    The first thing to appear was a prog called command.exe. It appeared that this was then generating a series of programs called 'project1' and adding various .exe files to C:\ & C:\windows

    This was detected each time by spybot, along with a series of changes to windows firewall and sp2 update settings. Each time I fixed them they came back. Following advice on forums related to getting rid of command.exe I used a combination of spybot, spysweeper, hijackthis, combofix and killbox.

    The files would typically run with the process name 'defender' and were called:
    dov9.exe
    pwr.exe
    dfx.exe
    doc.exe
    Generally these were picked up and deleted by sweeps, but would be continually regenerated. Finding and deleting relevant registry keys after deleting these files still didn't help.

    In the end the only way I could fix the problem was by getting rid of two processes that were running that were not picked up by spybot, clamwin, combofix, spysweeper as problems:
    lviss.exe
    lsyss.exe
    I was only able to get rid of them using hijackthis to find their location, then killbox to get rid of them as they didn't appear in windows explorer (even when showing hidden/system files).

    This got rid of the problems with general slowness of the PC and also the total internet block. Finally I could download updates, and sweeps this time revealed the same system settings changes as before, plus an entry of Smitfraud.C. These were fixable and have not returned on a re-scan.

    Obviously a bit of a botched effort, now I'm not sure how clean the system is (I'll post a current hjt log when I'm back at my mum's).

    1) Does anyone know what problem/combination of problems this might have been?

    2) Why is it that both times I have had a serious virus/trojan problem none of the spyware/anti-virus programs picked them up? (even with the latest definitions)

    3) Could anyone recommend a good basic software firewall I could install? The computer had previously been behind a router and had no problems at all. A few days of broadband without the router and a deluge

    Sorry for the long post, I wanted to include all the details for others to find as I kept searching for ages with my symptoms but never found anything that was quite the same...

    Richard
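    The indicators Richard lists above (the dropped file names, the 'defender' run-key name, the two processes hidden from Explorer, and executables landing directly in C:\ and C:\windows) can be turned into a first-pass triage of the O4 autorun lines in the HijackThis log the replies ask for. The script below is an added example and is not code from this thread or from HijackThis; the log excerpt it runs over is constructed for the example, and the "executable sitting in a drive or Windows root" heuristic is an assumption of mine, not something the posters state. A clean result from a check like this only means none of the known indicators were seen, not that the machine is clean.

```python
"""Triage the O4 (autorun) lines of a HijackThis log against the indicators
described in the thread.  Added example; not a tool used by any poster."""
import re
from typing import Dict, List

# Indicators the original poster reported: files that kept being regenerated,
# the run-key/process name they ran under, and the two hidden processes.
KNOWN_BAD_FILES = {
    "command.exe", "dov9.exe", "pwr.exe", "dfx.exe", "doc.exe",
    "lviss.exe", "lsyss.exe",
}
KNOWN_BAD_ENTRY_NAMES = {"defender"}

# Folders the poster saw the dropped files land in.  Assumed heuristic: a Run
# entry whose executable sits directly in one of these roots (not in a
# subfolder such as system32 or Program Files) deserves a second look.
SUSPICIOUS_ROOTS = {"c:\\", "c:\\windows\\"}

# HijackThis O4 line format: O4 - <hive>\..\Run: [<entry name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def _image_path(cmd: str) -> str:
    """Return the executable path from a Run-key command line.

    Handles quoted paths ("C:\\Program Files\\x.exe" /arg) and unquoted ones
    (C:\\WINDOWS\\pwr.exe /s); arguments after the .exe are dropped.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def assess_entry(name: str, cmd: str) -> List[str]:
    """Return the reasons an O4 entry looks suspicious (empty list = nothing seen)."""
    path = _image_path(cmd).lower()
    filename = path.rsplit("\\", 1)[-1]
    parent = path[: len(path) - len(filename)]
    reasons = []
    if filename in KNOWN_BAD_FILES:
        reasons.append(f"file name {filename} was reported in this thread")
    if name.lower() in KNOWN_BAD_ENTRY_NAMES:
        reasons.append(f"run-key name '{name}' matches the process name the poster saw")
    if parent in SUSPICIOUS_ROOTS:
        reasons.append(f"executable sits directly in {parent} rather than a program folder")
    return reasons


def triage_hjt_log(log_text: str) -> List[Dict[str, object]]:
    """Parse every O4 line of a HijackThis log and return the suspicious entries."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 line (other HJT sections are ignored here)
        reasons = assess_entry(m.group("name"), m.group("cmd"))
        if reasons:
            findings.append({"hive": m.group("hive"), "name": m.group("name"),
                             "path": _image_path(m.group("cmd")), "reasons": reasons})
    return findings


# Constructed sample excerpt in HijackThis format; not a log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Example App] "C:\Program Files\Example App\example.exe" /background
O4 - HKLM\..\Run: [defender] C:\WINDOWS\dov9.exe
O4 - HKLM\..\RunServices: [Windows Services] C:\lviss.exe
O4 - HKCU\..\Run: [Updater] C:\WINDOWS\pwr.exe /s
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f['hive']} [{f['name']}] -> {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

    On the constructed excerpt the script flags the dov9.exe, lviss.exe and pwr.exe entries and leaves ctfmon.exe and the Program Files entry alone; the same entries would be the ones to cross-check against the file locations HijackThis reports before deleting anything.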

  2. #2
    Join Date
    Aug 2006
    Posts
    578
    Hi Richard,

    I imagine Judy will check in with instructions for a more detailed analysis, but here are a few quick answers:

    Quote Originally Posted by InRetro:
    1) Does anyone know what problem/combination of problems this might have been?
    I think there are a number of different baddies in play here. Probably the worst is the W32/Sdbot-COT.
    This has probably embedded itself pretty deeply and modified the registry - we'll need to fix those changes.

    Quote Originally Posted by InRetro:
    2) Why is it that both times I have had a serious virus/trojan problem none of the spyware/anti-virus programs picked them up? (even with the latest definitions)
    Often, these programs will miss some of the newer threats if their definitions are not kept up-to-date. And, even then, there are a number of threats which are ever-mutating and it is nearly impossible for these tools to keep up with them.

    Quote Originally Posted by InRetro:
    3) Could anyone recommend a good basic software firewall I could install? The computer had previously been behind a router and had no problems at all. A few days of broadband without the router and a deluge
    That'll do it!
    Try ZoneAlarm Firewall. See my Linky below!


    When you check back, please do the following:

    -- Rename hijackthis.exe to HJTScan.exe and then run it and post the log for Judy.

    -- Please go to this link and follow the instructions to scan with WinPFind by OldTimer.
    Please submit the WinPFind Log along with the HJT Log.

    Best Luck
    PP

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by PP:
    I think there are a number of different baddies in play here. Probably the worst is the W32/Sdbot-COT.
    This has probably embedded itself pretty deeply and modified the registry - we'll need to fix those changes.
    I agree completely with PP. All signs point to the virus noted by PP and possibly a couple others.
    I would like you to download CCleaner and Ad-Aware SE from PP's Sticky and also update both Spybot and Spysweeper. Update your anti-virus program also. Then boot to Safe Mode following his steps. Run all five programs, beginning with CCleaner, then your anti-virus program and the others. Have all programs fix whatever they find.
    Then reboot to NORMAL mode and run the two programs he has noted and post the logs here along with the Spysweeper log. We will go from there.
    Judy

  4. #4
    Join Date
    Oct 2006
    Posts
    19
    That's great - I'll get onto that and report back as soon as I get a chance to head back to my Mum's house (might not be for a couple of days)

    Thanks for the quick response

    Richard

  5. #5
    Join Date
    Aug 2006
    Posts
    578

    Cool

    Quote Originally Posted by InRetro:
    That's great - I'll get onto that and report back as soon as I get a chance to head back to my Mum's house (might not be for a couple of days)
    Alrighty then! We'll be here

  6. #6
    Join Date
    Oct 2006
    Posts
    19

    The scans at last!

    After some delay, here are the scans!

    gotta run to catch a train, so will post again with some thoughts.

    Cheers,

    Richard