Help with Adware/Spyware please.

Discussion in 'General Software and Applications' started by dcx_badass, Aug 2, 2006.

  1. dcx_badass (Ancient Guru)
    Normally I'm careful, but basically I got: W32.Donk.C
    and it keeps putting C:\Windows\System32\cool.exe
    I have NOD32 - finds nothing
    and Xoftspy 4.22 - removes it, but it's back within minutes
    So I got XoftSPYSE 4.29 - this removes it, but it's back in about 30 mins; I get a quick window flash up and go, and then it's back.
    According to the XoftSpy site:
    Description
    This application is a worm, a program that copies itself from computer to computer and, unlike a virus, can replace entire files. W32.Donk.C is a backdoor worm, which will allow a remote intruder to attack or control the user’s computer. The worm connects to certain IRC channels and awaits instructions from an intruder. It installs the file scchost.exe into the Windows System folder.
    Xoftspy normally removes stuff, but this won't go. I've not noticed anything terrible yet, except cool.exe running.
    Xoft site info about it
    Google didn't help much.
     
  2. iako (Ancient Guru)
    I use Spybot S&D... have you tried it?
     
  3. stormy (Ancient Guru)
    What you have is a lovely little mass-mailer. Oh, and Google returns lots of things; you just have to use the right search term. You probably used the name that Xoftspy gave it; the problem with that is that all the AV and AS programs have different names for the same infection. If you had searched using cool.exe you would have found lots of hits,

    http://www.google.com/search?lr=&ie...ww.sophos.com/support/disinfection/sdbot.html

    That being said here is TrendMicro's description of it,

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALLON.A&VSect=Sn

    and here is what Sophos has to say about it,

    http://www.sophos.com/virusinfo/analyses/w32sdbothp.html

    Might want to try a couple of online scans,

    http://housecall.trendmicro.com/

    http://www.pandasoftware.com/products/ActiveScan.htm - link to the free scan is near the top right, and requires the use of IE.
     
  4. dcx_badass (Ancient Guru)
    I tried 'cool.exe' but found no info on how to remove it. Oh yeah, I have Spybot as well, but that finds nothing, and I can't use ZA as I have problems with it; will make a thread about that in about a week. Thanks for the links, going through them atm.
     

  5. Omeguz (Maha Guru)
    Get HijackThis, scan, post a log file. Careful with meddling with your registry just yet; have someone look through the log file, then see if anyone can confirm their diagnosis. You don't want to screw your PC over even more.
     
  6. Sieras (Ancient Guru)
    That is related! ZA can't start/work (I don't know what the problem is, you didn't write it..) because of that worm, which now has free access to the internet, I guess, and that's why it keeps appearing.. You just need to install a good and working firewall that will block and report everything unusual.. then remove that worm again with XoftSpy (I use it too, great thing :p), and observe.. If it still appears, then I suggest you look through your running processes for something strange or just unknown/new, trace where it is, shut down that process, and delete it... Also you should disable its startup entry in msconfig :) It could also try to protect itself from this action - then you can do the same thing through safe mode ;) Good luck!
     
  7. dcx_badass (Ancient Guru)
    ZA has never worked on my PC; I think it's incompatible with one of my other programs. Had the problem on my last PC as well, so that's unrelated.
    I've looked through my running processes; nothing unusual there or in the startup list. It keeps coming back.
    I'll get a HijackThis log once it's back. Should be less than 30 mins.
     
  8. Sieras (Ancient Guru)
    Hm.. so are you using some kind of firewall with built-in anti-spyware or not?
     
  9. dcx_badass (Ancient Guru)
    I have:
    NOD32
    XOFTSPY 4.22
    XOFTSPYSE4.29
    Spybot S'n'D
    And my router's firewall on atm.

    Hijackthis log:
     
    Last edited: Aug 3, 2006
  10. Animatrix (Ancient Guru)
    One thing at a time. Also, it's best not to use cleaning threads for "small talk"; it will only make it impossible to help.


    Please upload it to either one of the online scanners and post the result.

    http://virusscan.jotti.org/
    http://www.virustotal.com/xhtml/virustotal_en.html

    If there is no detection by NOD32, please submit the file for analysis.
    Sophos's W32/Donk-C seems to be quite old ("October 2003"), but with all the aliases and variants it's kind of hard to say which variant Xoftspy is detecting as W32/Donk-C.

    W32/Donk-C (look at the Recovery tab; there is possibly a .bat file and also run commands)
    http://www.sophos.com/security/analyses/w32donkc.html

    Aliases

    * Backdoor.SdBot.gen
    * W32/Sdbot.worm.gen
    * W32.HLLW.Moega


    W32/Sdbot.worm
    http://vil.nai.com/vil/content/v_100454.htm
    Update April 6, 2004 --
    There are now over 700 variants of this trojan-turned worm.

    W32.HLLW.Moega
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-080813-3234-99&tabid=1
     

  11. Sieras (Ancient Guru)
    It's really not enough to have only a router's firewall, believe me! :( You need one inside your PC to be fully protected. I'd say that worm keeps reappearing because of a hole in your defense...

    BTW, everything looks good in that report, all services and everything.. but I've found one strange thing:
    O4 - HKLM\..\Run: [D_V_T] C:\\dvt.exe /S \C:\\d_v_t.reg\
    What's this all about? If you know what it is, then OK.. but I'd say that you need to double-check that.
     
  12. dcx_badass (Ancient Guru)
    I know what that is; I've checked the d_v_t.reg, it's fine.

    I will submit it to eset.
     
  13. Sieras (Ancient Guru)
    OK, I see that 'cool.exe' is running as a process, and maybe it has a backup somewhere.. so probably if you just shut it down through Task Manager it appears again, right?

    Try booting into safe mode and running a scan there (or try deleting 'cool.exe' the manual way), then reboot.. maybe then it will be gone.
     
  14. Animatrix (Ancient Guru)
    This is unrelated at this point in time. Really, suggesting a FW is part of overall system hardening, not a cleaning process. That is why we use safe mode with NO network.
     
  15. Animatrix (Ancient Guru)
    Sounds like this one; follow the instructions and please, please do ALL steps.

    1. Run a general cleaner tool like CCleaner and clean out old temp files, cache etc.

    2. Disable XP restore points

    3. Start your computer in Safe mode

    4. Run and scan with antivirus and anti-spyware programs (in safe mode).

    5. Remove any of the registry start up entries if found as instructed in the links.


    W32.HLLW.Donk.B
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-092716-2152-99&tabid=2


    Win32.NerdBot Family
    http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=43011
     

  16. Animatrix (Ancient Guru)
    dcx_badass, did you upload it to the scanners?

    Please do this BEFORE cleaning the infestation so we can get it submitted if needed. ;)
     
  17. dcx_badass (Ancient Guru)
    I've scanned in safe mode, and it removed it, but it still came back again. I've disabled System Restore, I've run CCleaner, I've run TuneUp Utilities' RegCleaner, I've emptied my Prefetch, and it keeps coming back. It's not here atm.
     
  18. dcx_badass (Ancient Guru)

  19. Luvabud (Master Guru)
    If and when I get infected I go in all guns firing: find the suspect process and file and find where it's located, go into safe mode, disable restore on all drives and delete the virus if it allows. Go into the registry and delete HKCU AND HKLM software\microsoft\windows\currentuser\run (export the entries if you want to keep some of the start-ups) and the other locations the run entries are in, but it's unlikely there will be anything in them; also check msconfig for startup, and check All Programs\Startup. Scan through the whole registry for the infected entry, as you may find other locations of the file, and delete as necessary. Disconnect the internet and restart Windows, enable startup on your AV, firewall and maybe spyware, then do a full AV/spyware scan. I find it a good idea to make a 5 GB or larger partition for Windows, so if it comes to the worst just format the small partition, reinstall and scan again for the infected file just in case it has spread across other partitions.
     
    Last edited: Aug 3, 2006
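The manual sweep that Sieras (post 6), Animatrix (post 15) and Luvabud (post 19) describe, plus the "hash it before you delete it" step from post 10, as one added script. This is an example written for this page, not code from the thread or from any of the tools named in it. It assumes PowerShell 5.1 or later on a current Windows (the 2006 XP box in the thread would have used regedit, msconfig and Task Manager for the same checks; Get-ScheduledTask needs Windows 8/Server 2012 or later, Get-FileHash needs PowerShell 4); the `-Suspect` and `-Hash` parameters are this example's own, and the default file names come from the thread (cool.exe and scchost.exe).

```powershell
# Added example, not from the thread. Lists every common autostart location
# plus the process table, and flags entries that reference the suspect
# file names. Run it from safe mode with the network unplugged, as the
# thread advises, and run it again after the file reappears.
param(
    [string[]]$Suspect = @('cool.exe', 'scchost.exe'),  # names from the thread
    [switch]$Hash                                        # also SHA-256 the dropped file
)

# One regex that matches any of the suspect names, escaped so '.' is literal.
$pattern = ($Suspect | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Where, [string]$Name, [string]$Value) {
    if ($Value -and $Value -match $pattern) {
        $hits.Add([pscustomobject]@{ Location = $Where; Name = $Name; Value = $Value })
    }
}

# 1. Run/RunOnce keys (the O4 lines in a HijackThis log) and the Winlogon
#    Shell/Userinit values, which worms of this family also used for persistence.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        Add-Hit $key $p.Name ([string]$p.Value)
    }
}

# 2. Per-user and all-users Startup folders (msconfig's "Startup" tab).
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit $folder $_.Name $_.FullName }
}

# 3. Services and scheduled tasks: two places msconfig's Startup tab does not show.
Get-CimInstance Win32_Service | ForEach-Object { Add-Hit 'Service' $_.Name $_.PathName }
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        Add-Hit "Task $($_.TaskPath)" $_.TaskName "$($a.Execute) $($a.Arguments)"
    }
}

# 4. Running processes. If the file keeps coming back after every delete with
#    no autostart entry pointing at it, a still-running process is re-dropping
#    it; that process may well carry a different name, so review this list too.
Get-Process | ForEach-Object {
    if ($_.Path) { Add-Hit 'Process' "$($_.ProcessName) (PID $($_.Id))" $_.Path }
}

$hits | Format-Table -AutoSize

# 5. Hash the dropped file before removing it, so it can be looked up on the
#    online scanners or submitted to the AV vendor, as post 10 asks.
if ($Hash) {
    foreach ($name in $Suspect) {
        $f = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path $f) { Get-FileHash -Path $f -Algorithm SHA256 }
    }
}
```

Usage: `.\Find-Autostart.ps1 -Hash` from an elevated prompt, or `-Suspect dvt.exe,d_v_t.reg` to check a different name. The script only reports; removing a flagged Run value is a separate `Remove-ItemProperty` (after `reg export` of the key, as Luvabud suggests), and as Omeguz says in post 5 that should wait until someone has confirmed the diagnosis from the log.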
  20. Animatrix (Ancient Guru)
    Remember the registry start up entries.

    Get, install, update. Do the same as before.

    Ewido
    http://www.ewido.net/en

    superantispyware
    http://www.superantispyware.com/


    Also, I'm starting to think your NOD32 might be on the shady side, if you know what I mean (NOD32 FiX.lnk). I would suggest you try reinstalling the latest trial version and leave it alone....for now at least. :D
     
