Lo1 Virus

Tmagic650 said:
... and you have to Format and reinstall your OS


You're quite right Tmagic650, that may be the only option if we can't get rid of this.

I've searched far and wide with both Yahoo and Google and can't find any good info for removing this bugger.

Regards Howard :)

This thread is for the use of ffarah only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I've looked too Howard, and found nothing. These malware producers are getting more and more bold. I just reinstalled my system's OS because of a malware attack. It started with a browser hijacker, then popups came out of nowhere. I tried all the suggestions on this site. I had Norton's beta 360, Ad-aware, Windows Defender and CCleaner. All protections said nothing was found!

I do keep a current full backup of my system. I was back up and running in less than 2 hours.
 
Hi again Howard. I really appreciate all your help. Hopefully we can get this removed in the end, and hopefully without reinstalling my OS.
I ran the Atribune tools as you suggested. It did not appear to do anything, and when I ran the AVG scan as they requested it also did not find anything. I then ran HJT and noted that the Network Bridge registry item was again there. I went into the registry and removed the Network Bridge and also ran HJT and removed the Network Bridge. All this while in safe mode. I then rebooted in normal mode. I looked at the registry and the entry for the Network Bridge had not reappeared. I ran HJT and it also did not show the Network Bridge entry. I have included the HJT log. I also have TeaTimer blocking any entry of the Network Bridge into the registry. I have not noticed any of the virus activity since, but do not feel that it has actually been completely removed. I'd appreciate your further help on this. Again, thanks for your persistence; it's appreciated.
frank
 
That's absolutely fantastic news. Your HJT log is now clean.

Keep your eye on things for a few days and see how it goes. Eventually, a permanent fix will be found for the W32/IRCBot-TO worm. If during my research I come across a definite fix, I'll let you know.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Knew it was too good to be true.
AVG just reported the following:
Message :VirusScan Alert!
Date and Time : 1/30/2007 10:42:34 AM
Path Name : f:\apps\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe::LoadLibraryA
Detected as : bo:stack
State : Blocked by Buffer Overflow Protection

Message :VirusScan Alert!
Date and Time : 1/30/2007 10:55:54 AM
Path Name : C:\lnchost.exe
Detected as : W32/Sdbot.worm.gen.ay
State : Move failed (Clean failed)

Message :VirusScan Alert!
Date and Time : 1/30/2007 10:55:48 AM
Path Name : C:\Documents and Settings\Default User.WINNT2\Local Settings\Temporary Internet Files\Content.IE5\WRUZYXKV\84785_mssql[1].exe
Detected as : W32/Sdbot.worm.gen.ay
State : Deleted

I just ran HJT and checked the registry as well; there is no indication of the Network Bridge, but I still seem to be getting these virus alerts.
I have attached the most recent HJT log.
Thanks
frank
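The three alerts above tell a small story on their own if you line them up by time: a stack overflow in sqlservr.exe that was stopped when it reached LoadLibraryA (the `bo:stack` / "Blocked by Buffer Overflow Protection" record), then thirteen minutes later a file named 84785_mssql[1].exe appearing in the Temporary Internet Files cache and a worm binary at C:\lnchost.exe that the scanner detected but could not move or clean. The script below is an added example (not part of the original thread and not an AVG or McAfee tool): it parses alert records in exactly the format pasted above, splits the `process::API` path of a buffer-overflow block into the exploited process and the hooked API, pairs each blocked exploit with the malware detections that follow it inside a time window, and lists the files that were detected but not removed, since those are the ones still on disk. The records are embedded as a string so it runs offline; the 30-minute window is an assumption, not something the page states.

```python
import re
from datetime import datetime, timedelta

# The three alert records from the post above, embedded here so the script
# runs offline without an alert log to read.
ALERTS = r"""
Message :VirusScan Alert!
Date and Time : 1/30/2007 10:42:34 AM
Path Name : f:\apps\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe::LoadLibraryA
Detected as : bo:stack
State : Blocked by Buffer Overflow Protection

Message :VirusScan Alert!
Date and Time : 1/30/2007 10:55:54 AM
Path Name : C:\lnchost.exe
Detected as : W32/Sdbot.worm.gen.ay
State : Move failed (Clean failed)

Message :VirusScan Alert!
Date and Time : 1/30/2007 10:55:48 AM
Path Name : C:\Documents and Settings\Default User.WINNT2\Local Settings\Temporary Internet Files\Content.IE5\WRUZYXKV\84785_mssql[1].exe
Detected as : W32/Sdbot.worm.gen.ay
State : Deleted
"""

# "Message :VirusScan Alert!" has no space before the colon, so \s* on both sides.
FIELD_RE = re.compile(r"^(Message|Date and Time|Path Name|Detected as|State)\s*:\s*(.*)$")


def parse_alerts(text):
    """Split the alert text into one dict per record, sorted by timestamp.

    For a buffer-overflow block the 'Path Name' is 'process::API'; it is split
    into the process that was being exploited and the hooked API it reached.
    """
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    for r in records:
        r["time"] = datetime.strptime(r["Date and Time"], "%m/%d/%Y %I:%M:%S %p")
        proc, _, api = r["Path Name"].rpartition("::")
        r["process"], r["api"] = (proc, api) if proc else (r["Path Name"], None)
    records.sort(key=lambda r: r["time"])
    return records


def correlate(records, window=timedelta(minutes=30)):
    """Pair each blocked exploit attempt with the malware detections that
    follow it within `window`: exploit first, dropped payload second."""
    findings = []
    exploits = [r for r in records if r["Detected as"].startswith("bo:")]
    malware = [r for r in records if not r["Detected as"].startswith("bo:")]
    for x in exploits:
        later = [m for m in malware if x["time"] <= m["time"] <= x["time"] + window]
        if later:
            findings.append({
                "exploited_process": x["process"],
                "api": x["api"],
                "exploit_time": x["time"],
                "payloads": [m["Path Name"] for m in later],
            })
    return findings


def still_resident(records):
    """Files the scanner detected but could not remove. These, not the ones
    reported as Deleted, are what is still on disk after the alerts."""
    return sorted({r["Path Name"] for r in records if "failed" in r["State"].lower()})


if __name__ == "__main__":
    recs = parse_alerts(ALERTS)
    for f in correlate(recs):
        print(f"{f['exploit_time']}: blocked overflow in {f['exploited_process']} "
              f"(reached {f['api']}); detections within the window:")
        for p in f["payloads"]:
            print("   ", p)
    print("still resident:", still_resident(recs))
```

The point of `still_resident` is the one that matters for the rest of the thread: a "Deleted" record is closed, but "Move failed (Clean failed)" means the scanner saw the file and left it where it was, so a repeat of that same alert every few hours is the file being re-run, not re-downloaded.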
 
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Please attach the contents of the logfile C:\fixwareout\report.txt, along with a fresh HJT log.

Regards Howard :)

 
They sure are persistent, to say the least. AVG just reported the following:

Message :VirusScan Alert!
Date and Time : 1/30/2007 2:03:13 PM
Path Name : f:\apps\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe::LoadLibraryA
Detected as : bo:stack
State : Blocked by Buffer Overflow Protection.

Frank
 
Your HJT log appears to be clean. However, I can't find any useful info on this file F:\apps\Linktivity\ConnectionPoint\jService.exe. With that in mind, I'd like you to do the following, unless you know for a fact the file is safe.

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file F:\apps\Linktivity\ConnectionPoint\jService.exe
* Click Open
* Please let me know the results.

I've just seen your last post.

Download and run this removal tool and see if it helps.

Regards Howard :)

 
I ran the scan on jservice.exe and it came back clean.
I also ran the W32.SQLExp.Worm Removal Tool. It came back with no hits, but identified my MSSQL ssnetlib.dll as being vulnerable and said that I should install Service Pack 4. Easier said than done. When I attempted to install it I got the following message:
A previous program installation created pending file operations. You must restart the computer before running setup.

I have restarted a number of times but still get the error message.
thanks
frank
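The setup message quoted above is the check SQL Server 2000 setup makes on the `PendingFileRenameOperations` value under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager`: Session Manager processes and deletes that REG_MULTI_SZ at boot, so if it is still populated after several restarts, something is writing it again every boot, and on a machine with an active bot that is worth reading before anyone deletes it. The script below is an added example, not from the thread or from any Microsoft tool: it encodes the value the way the registry stores it, writes and reads it back in `regedit` export form (`hex(7):` with backslash continuation lines), and decodes the pairs of strings into the rename, replace-existing (`!` prefix) and delete (empty destination) operations they represent. The three sample operations and every path in them are constructed for the example.

```python
REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"
PREFIX = f'"{VALUE}"=hex(7):'

# Constructed sample: one operation of each kind that can appear in the value.
# Paths are hypothetical; on a real box the value holds whatever the last
# installer (or anything else calling MoveFileEx with delay-until-reboot) queued.
SAMPLE_OPS = [
    r"\??\C:\WINNT2\Temp\example.tmp", r"!\??\C:\WINNT2\system32\example.dll",
    r"\??\C:\WINNT2\Temp\leftover.tmp", "",
    r"\??\C:\Temp\staged.exe", r"\??\C:\Program Files\Example\staged.exe",
]


def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, plus a final NUL."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + "\0".encode("utf-16-le")


def decode_multi_sz(data):
    """Split by position, not at the first double NUL: a delete operation is
    stored as an empty destination string, which looks like a terminator."""
    text = data.decode("utf-16-le").rstrip("\0")
    return text.split("\0") if text else []


def to_reg_export(strings, per_line=20):
    """Render the value as regedit would export it (hex(7) with continuations)."""
    hexbytes = [f"{b:02x}" for b in encode_multi_sz(strings)]
    chunks = [hexbytes[i:i + per_line] for i in range(0, len(hexbytes), per_line)]
    out = ["Windows Registry Editor Version 5.00", "", f"[{REG_KEY}]"]
    for i, chunk in enumerate(chunks):
        lead = PREFIX if i == 0 else "  "
        tail = ",\\" if i < len(chunks) - 1 else ""
        out.append(lead + ",".join(chunk) + tail)
    return "\n".join(out) + "\n"


def from_reg_export(text):
    """Pull the value back out of an export; None if the value is absent."""
    hexparts, collecting = [], False
    for line in text.splitlines():
        if line.startswith(PREFIX):
            collecting, line = True, line[len(PREFIX):]
        elif not collecting:
            continue
        body = line.strip()
        more = body.endswith("\\")
        body = body.rstrip("\\").strip()
        hexparts.extend(p for p in body.split(",") if p)
        if not more:
            break
    if not hexparts:
        return None
    return decode_multi_sz(bytes(int(h, 16) for h in hexparts))


def nt_to_win32(path):
    return path[4:] if path.startswith("\\??\\") else path


def pending_ops(strings):
    """Pair source/destination strings into (kind, source, destination)."""
    ops, it = [], iter(strings or [])
    for src in it:
        dst = next(it, "")            # an empty (or missing) destination means delete
        if dst == "":
            ops.append(("delete", nt_to_win32(src), None))
        elif dst.startswith("!"):     # '!' = MOVEFILE_REPLACE_EXISTING
            ops.append(("replace", nt_to_win32(src), nt_to_win32(dst[1:])))
        else:
            ops.append(("rename", nt_to_win32(src), nt_to_win32(dst)))
    return ops


if __name__ == "__main__":
    export = to_reg_export(SAMPLE_OPS)
    for kind, src, dst in pending_ops(from_reg_export(export)):
        print(f"{kind:8} {src}" + (f"  ->  {dst}" if dst else ""))
```

To feed it a real export, run `regedit /e pending.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"` on the affected machine and read the file with `encoding="utf-16"` (regedit writes its exports in UTF-16). If every queued operation is accounted for by a finished installer, clearing the value and rerunning setup is the usual fix; if one of the queued files is the same binary the scanner keeps alerting on, the reboot-time rename is part of how it survives.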
 
Apart from not being able to install Service Pack 4, how's your system running?

Regards Howard :)

 
System is very slow and the virus is still there:

Message :VirusScan Alert!
Date and Time : 2/1/2007 5:24:25 AM
Path Name : C:\lnchost.exe
Detected as : W32/Sdbot.worm.gen.ay
State : Move failed (Clean failed)

frank
 
Prepare to save anything you can. It will be important to make sure that any files you save are not infected, though. Howard may have other ideas, but there comes a point where nothing but a format and a reinstall of the OS can be done.
 
You seem to like the reformat approach. lol. Don't think we have reached that stage as yet. We have a pretty good idea what the virus is and how it is evading detection, so it's just a matter of time before we should be able to get rid of it. It's not a virus that is actually destroying things or has a payload that is immediately damaging.
 
"System is very slow and the virus is still there:"

These are your words and not mine. Even if you remove this virus, will your system still be slow? What if it is? What will you do then?

So many people have no idea how to back up their important data and programs. I have spent days trying to clean a system of viruses and malware, only to have a slow, sluggish computer after all that work! So that's where the reformat approach comes from. I repair and build computers for a living, and time is money... I can format and install an OS in less than 1 hour.
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of C:\avenger.txt to your reply after it reboots, and post a fresh HJT log.

Regards Howard :)

 
No, you can run it in normal mode as it will reboot your system in order to try and delete the nasty file.

Regards Howard :)

 
L01 virus

Attached is the hjt log. Also below is the text from the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\bnxltdiw

*******************

Script file located at: \??\C:\WINNT2\system32\pbgggxlb.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\lnchost.exe not found!
Deletion of file C:\lnchost.exe failed!

Could not process line:
C:\lnchost.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
 
It seems that the Avenger couldn't find the C:\lnchost.exe file on your system.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Microsoft Agent

Close the services window.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to them (if there).

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O23 - Service: Microsoft Agent - Unknown owner - C:\WINNT2\system32\dllcache\lnchost.exe (file missing)

Click on the fix checked button.

Close HJT and reboot your system.

Post a fresh HJT log and we'll see if it's still there.

Regards Howard :)

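Two details in the last two posts explain each other. Avenger reported `Status: 0xc0000034` for C:\lnchost.exe; that NTSTATUS is STATUS_OBJECT_NAME_NOT_FOUND, so the script failed because nothing was at that exact path at boot, not because the file was protected. The HJT O23 line, meanwhile, registers the same file name as a service from C:\WINNT2\system32\dllcache\lnchost.exe, the Windows File Protection cache directory, with no vendor string and the binary reported missing. The script below is an added example (not from the thread, HijackThis or Avenger): it parses O23 lines and flags the traits that make this one stand out, parses Avenger's "Could not process line" blocks and names the NTSTATUS, and then cross-references the two so a path a removal script could not find is matched against any service registered to run a file of the same name from somewhere else. The second HJT line is a constructed benign entry for contrast, and the NTSTATUS table covers only the codes a failed deletion commonly produces.

```python
import ntpath
import re

# The O23 line from the post above, plus one constructed benign line for contrast
# (the ATI service line is a typical HJT entry, not one from this thread).
HJT_LINES = [
    r"O23 - Service: Microsoft Agent - Unknown owner - C:\WINNT2\system32\dllcache\lnchost.exe (file missing)",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT2\system32\Ati2evxx.exe",
]

# The failure section of the Avenger log posted above.
AVENGER_LOG = r"""
File C:\lnchost.exe not found!
Deletion of file C:\lnchost.exe failed!

Could not process line:
C:\lnchost.exe
Status: 0xc0000034
"""

# NTSTATUS values a failed delete commonly comes back with.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
    0xC0000121: "STATUS_CANNOT_DELETE",
}

O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
FAIL_RE = re.compile(
    r"Could not process line:\r?\n(?P<path>[^\r\n]+)\r?\nStatus: (?P<status>0x[0-9A-Fa-f]+)"
)


def parse_o23(line):
    """Return the service described by an HJT O23 line with the reasons it
    deserves a look, or None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path, owner = m.group("path"), m.group("owner")
    flags = []
    if owner == "Unknown owner":
        flags.append("no vendor string on the binary")
    if m.group("missing"):
        flags.append("registered binary is not on disk")
    if "\\dllcache\\" in path.lower():
        # dllcache is Windows File Protection's cache of system binaries;
        # a normal setup does not install a service from there.
        flags.append("binary placed in the WFP dllcache directory")
    return {"name": m.group("name"), "owner": owner, "path": path, "flags": flags}


def parse_avenger_failures(log):
    """One dict per 'Could not process line' block, with the NTSTATUS named."""
    out = []
    for m in FAIL_RE.finditer(log):
        code = int(m.group("status"), 16)
        out.append({"path": m.group("path").strip(), "status": code,
                    "meaning": NTSTATUS.get(code, "unknown NTSTATUS")})
    return out


def cross_reference(failures, services):
    """Match a path a removal script could not act on against services that
    run a file of the same name from a different location."""
    notes = []
    for f in failures:
        base = ntpath.basename(f["path"]).lower()
        for s in services:
            if (ntpath.basename(s["path"]).lower() == base
                    and s["path"].lower() != f["path"].lower()):
                notes.append(f"{f['path']} -> {f['meaning']}; service '{s['name']}' "
                             f"is registered to run the same file name from {s['path']}")
    return notes


if __name__ == "__main__":
    services = [s for s in (parse_o23(l) for l in HJT_LINES) if s]
    for s in services:
        print(s["name"], "->", s["path"], "|", "; ".join(s["flags"]) or "nothing unusual")
    for note in cross_reference(parse_avenger_failures(AVENGER_LOG), services):
        print(note)
```

The practical reading is that a deletion script needs every path the file is known by, and the service registration is one of them: fixing the O23 entry removes the relaunch point, and any later Avenger run should list both the drive-root copy and the dllcache path.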
 
We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Have HJT fix this entry.

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

Close HJT and reboot your system. You can then re-enable the Spybot TeaTimer.

Other than the above, your HJT log is clean.

When you say the virus is still there, which virus are you referring to?

Regards Howard :)

 
L01 virus

I am getting reports of the following virus activity:

Backdoor.Sdbot.akc
W32/Sdbot.worm.gen.ay in C:\lnchost.exe

I have attached the HJT log
thanks

frank
 
In addition to the lnchost.exe file, you also have two further infections: Taskend.exe and cscript.exe.

I have tried everything I can think of to get rid of the lnchost.exe file. No doubt that file is responsible for downloading more infections to your computer.
Given everything we have tried to get rid of your problems, it is with some reluctance that I have to recommend that you do a reformat and reinstall.

I`m sorry I wasn`t able to fully clean your system.

Regards Howard :(

 