Thread: Leftovers from Project1, command.exe viruses

  1. #1
    Join Date
    Oct 2006
    Posts
    19

    Leftovers from Project1, command.exe viruses

    I'm coming to the end of a long battle to clean my mum's computer from a nasty virus (or possible set of viruses) and wanted to make sure that the computer is clean before installing some proper protection...

    I'm also curious to find out more about the threat which seems to have evaded detection and/or fixing by all the progs I tried.

    It seemed to start with something generating loads of pop-ups, and a search bar that installed itself in the taskbar (called 'deskbar') eventually slowed inet traffic down to a complete standstill. Bit by bit I was able to remove offending items, but it wasn't until the very end that inet access was back to normal. Very frustrating as I was unable to download spyware updates or post to forums for help!

    The first thing to appear was a prog called command.exe. It appeared that this was then generating a series of programs called 'project1' and adding various .exe files to C:\ & C:\windows.

    This was detected each time by spybot, along with a series of changes to windows firewall and sp2 update settings. Each time I fixed them they came back. Following advice on forums related to getting rid of command.exe I used a combination of spybot, spysweeper, hijackthis, combofix and killbox.

    The files would typically run with the process name 'defender' and were called:
    dov9.exe
    pwr.exe
    dfx.exe
    doc.exe
    Generally these were picked up and deleted by sweeps, but would be continually regenerated. Finding and deleting relevant registry keys after deleting these files still didn't help.

    In the end the only way I could fix the problem was by getting rid of two processes that were running that were not picked up by spybot, clamwin, combofix, spysweeper as problems:
    lviss.exe
    lsyss.exe
    I was only able to get rid of them using hijackthis to find their location, then killbox to get rid of them as they didn't appear in windows explorer (even when showing hidden/system files).

    This got rid of the problems with general slowness of the PC and also the total internet block. Finally I could download updates, and sweeps this time revealed the same system settings changes as before, plus an entry of Smitfraud.C. These were fixable and have not returned on a re-scan.

    Obviously a bit of a botched effort, so I'm now not sure how clean the system is (I'll post a current hjt log when I'm back at my mum's).

    1) Does anyone know what problem/combination of problems this might have been?

    2) Why is it that both times I have had a serious virus/trojan problem none of the spyware/anti-virus programs picked them up? (even with the latest definitions)

    3) Could anyone recommend a good basic software firewall I could install? The computer had previously been behind a router and had no problems at all. A few days of broadband without the router and a deluge

    Sorry for the long post, I wanted to include all the details for others to find as I kept searching for ages with my symptoms but never found anything that was quite the same...

    Richard

  2. #2
    Join Date
    Aug 2006
    Posts
    578
    Hi Richard,

    I imagine Judy will check in with instructions for a more detailed analysis, but here are a few quick answers:

    Quote Originally Posted by InRetro View Post
    1) Does anyone know what problem/combination of problems this might have been?
    I think there are a number of different baddies in play here. Probably the worst is the W32/Sdbot-COT
    This has probably embedded itself pretty deeply and modified the registry - we'll need to fix those changes.

    Quote Originally Posted by InRetro View Post
    2) Why is it that both times I have had a serious virus/trojan problem none of the spyware/anti-virus programs picked them up? (even with the latest definitions)
    Often, these programs will miss some of the newer threats if their definitions are not kept up-to-date. And, even then, there are a number of threats which are ever-mutating and it is nearly impossible for these tools to keep up with them.

    Quote Originally Posted by InRetro View Post
    3) Could anyone recommend a good basic software firewall I could install? The computer had previously been behind a router and had no problems at all. A few days of broadband without the router and a deluge
    That'll do it!
    Try ZoneAlarm Firewall. See my Linky below!


    When you check back, please do the following:

    -- Rename hijackthis.exe to HJTScan.exe and then run it and post the log for Judy.

    -- Please go to this link and follow the instructions to scan with WinPFind by OldTimer.
    Please submit the WinPFind Log along with the HJT Log.

    Best Luck
    PP

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by PP
    I think there are a number of different baddies in play here. Probably the worst is the W32/Sdbot-COT
    This has probably embedded itself pretty deeply and modified the registry - we'll need to fix those changes.
    I agree completely with PP. All signs point to the virus noted by PP and possibly a couple others.
    I would like you to download CCleaner and AdAwareSE from PP's Sticky and also update both Spybot and Spysweeper. Update your anti-virus program also. Then boot to Safe Mode following his steps. Run all five programs, beginning with CCleaner, then your anti-virus program and the others. Have all programs fix whatever they find.
    Then reboot to NORMAL mode and run the two programs he has noted and post the logs here along with the Spysweeper log. We will go from there.
    Judy

  4. #4
    Join Date
    Oct 2006
    Posts
    19
    That's great - I'll get onto that and report back as soon as I get a chance to head back to my Mum's house (might not be for a couple of days)

    Thanks for the quick response

    Richard

  5. #5
    Join Date
    Aug 2006
    Posts
    578

    Cool

    Quote Originally Posted by InRetro View Post
    That's great - I'll get onto that and report back as soon as I get a chance to head back to my Mum's house (might not be for a couple of days)
    Alrighty then! We'll be here

  6. #6
    Join Date
    Oct 2006
    Posts
    19

    The scans at last!

    After some delay, here are the scans!

    gotta run to catch a train, so will post again with some thoughts.

    Cheers,

    Richard
    Attached Files

  7. #7
    Join Date
    Oct 2006
    Posts
    19
    Just a couple of things:

    I ran ccleaner first, then clamwin antivirus.

    As you can see from the clamwin log, there were a couple of bits from old quarantines from other progs, which may give a guide as to what was actually going on in the first place. After getting that log I used Clamwin to clear those problems.

    Next up was spybot, which returned a clean status report so no log there.

    Then adaware, which found quite a few bits spybot didn't (I always used to use just adaware, but everyone kept talking about spybot... think I'll be using both from now on)

    No spysweeper I'm afraid, as I think our trial period expired.

    HJT and the winpfind logs (split into two to get past the upload limit) also posted, not really had a chance to look at those myself yet.

    Richard

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I am going through your logs now. One thing I question: you say you ran CCleaner first and THEN your anti-virus program. CCleaner "should" have cleaned out your internet temp files, but the anti-virus program finds trojans in your Internet Explorer Temp files.
    You need to navigate to these folders:

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HQ3N07CP\

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q2NYU0PG\

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XE8XKAS7\

    and delete whatever is in those files. Don't delete the files themselves, JUST THE CONTENTS of those folders.

  9. #9
    Join Date
    Oct 2006
    Posts
    19
    Yeah, I noticed that and thought it was strange. I ran CCleaner twice to double-check but they were still there.

    I used the Antivirus program to remove the files in the end and a subsequent antivirus scan showed those folders to be clean.

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You say there was no Spysweeper scan...do you mean you could not run one or didn't run one? Because Spysweeper does show in the Start up programs section (O4) of your HJT log.
    You didn't say, did you remove and quarantine all items found by AdAwareSE? If not, run the program again and do that.
    You mention that Spybot came up clean. I always use BOTH Spybot and AdAwareSE... each program really looks for different items, so for safety's sake I always use both. Generally AdAware will find more than Spybot, but occasionally something will be found by Spybot but not AdAware. One highly recommended FREE program that I use to assist in keeping the items found by those two programs to a bare minimum is SpywareBlaster.
    SpywareBlaster works by setting "kill bits" in the registry. These "kill bit" registry entries are set for the spyware ActiveX CLSIDs (unique IDs that identify an ActiveX control). When a kill bit is set for a CLSID, the ActiveX control that uses that CLSID cannot install itself, nor can it run if it is already installed. What is so nice is that this means it does not have to run in the background. Keep it updated and you will really have a well protected computer.

    I don't see much in the HJT log, just a few minor items you can clean up with another scan with HJT. Run it again and place checkmarks next to the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Once you have placed the checkmarks then click the FIX button and then exit HJT.
    I am not the expert with the WPFind logs. I am certain that if PP sees anything else in those he will post back with the needed instructions.
    Judy
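
As an added illustration of the kill-bit mechanism Judy describes (example code written for this thread, not from the forum or from SpywareBlaster): the kill bit is the 0x400 flag in the "Compatibility Flags" DWORD stored under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. This script parses a `reg export` of that key and reports which CLSIDs are blocked, and shows the fragment a tool would write to block one more. The CLSIDs in the sample are constructed placeholders, not real controls.

```python
import re

# Kill bit = COMPAT_EVIL_DONT_LOAD (0x400) in the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
KILL_BIT = 0x00000400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

KEY_RE = re.compile(r"^\[" + re.escape(COMPAT_KEY) + r"\\(\{[0-9A-F-]{36}\})\]$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-F]{8})$', re.I)

# Constructed sample of a `reg export` of that key; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000404
"""


def parse_compat_flags(reg_text):
    """Map each CLSID under the ActiveX Compatibility key to its Compatibility Flags value."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            flags.setdefault(current, 0)  # subkey present, no flags value seen yet
            continue
        val = FLAGS_RE.match(line)
        if val and current:
            flags[current] = int(val.group(1), 16)
    return flags


def kill_bit_set(flags):
    """True when the kill bit is set, whatever other compatibility flags are also present."""
    return bool(flags & KILL_BIT)


def killed_clsids(reg_text):
    """CLSIDs whose control is blocked from installing or running."""
    return sorted(c for c, f in parse_compat_flags(reg_text).items() if kill_bit_set(f))


def kill_bit_reg_fragment(clsid):
    """The .reg fragment that sets a kill bit for one CLSID (what a tool like SpywareBlaster writes)."""
    return f'[{COMPAT_KEY}\\{clsid.upper()}]\n"Compatibility Flags"=dword:{KILL_BIT:08x}\n'


if __name__ == "__main__":
    print("Kill-bitted CLSIDs:", killed_clsids(SAMPLE_REG))
```

On a live machine the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg`; the 0x004 in the sample shows that other compatibility flags do not block a control on their own.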
