Full Version: wuamgrd is now navmgrd
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
emetib
Hi all

yep ... I am infected! :mad:
Have 5-2-04 HiJackThis log before attempting to remove anything.

OS is Win 2K

Anyone want this file to examine?
navmgrd.exe

PROBLEM 1
isass.exe does auto shutdown

PROBLEM 2
svchost.exe Trojan Horse

NOT WORKING
run --> shutdown -a

ran McAfee stinger
w32/sdbot.worm.gen detected and deleted along with a css*** file name

ran stinger again
Ghost something detected and deleted

ran stinger again
nothing detected

did regedit for wuamgrd.exe detected by Regrun watchdog & rebooted

New name in regedit is now navmgrd.exe detected by Regrun watchdog

The file keeps renaming itself upon detection/deletion

ran Trend Micro Housecall
cleaned malware HKTL_DOCM.Y

Security is an interest of mine and I would like to know more about this.
At this point I don't have a problem reformatting my system so if you want to look at this file say so.
CalamityJane
Do a scan on the suspicious file at one or both of the following:

Dr.Web online scan
http://www.dials.ru/english/www_av/

Single file check (KAV)
http://www.kaspersky.com/remoteviruschk.html

Copy and paste the results of each report back here.

Are you running an Antivirus Program?

If you would like us to take a closer look at what is running on your system, scan and post your HijackThis log back here as well :)
emetib
ok thanks for the input ;)

Kaspersky was useful yet didn't clean so I reformatted.

Still think some program is autodialing my dsl using winpoet.

I did delete wmon16 after reformat.

Please take a look at this log.

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 7:28:36 AM, on 5/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\D-Tools\daemon.exe
C:\FSI\F-Prot\F-StopW.EXE
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\New Load\HiJackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [F-StopW] C:\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
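The log above is only useful if someone reads its "Running processes" and O4 autostart lines and cross-checks them against names known to be bad. As an added illustration (not code from this thread or from HijackThis), the following script parses that log format and flags entries whose executable name is on a watchlist; the watchlist holds the three names this thread mentions (wuamgrd.exe, navmgrd.exe, wmon16.exe), and the sample log is a constructed excerpt modelled on the posted one, with one watchlisted entry added so the check has something to find. In practice the watchlist would come from an AV vendor's write-up, not from a hand-typed set.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis log format. Paths are modelled on the log
# posted in this thread; the navmgrd.exe lines are added so the check fires.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\lsass.exe
C:\\WINNT\\system32\\navmgrd.exe

O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\\..\\Run: [F-StopW] C:\\FSI\\F-Prot\\F-StopW.EXE
O4 - HKLM\\..\\Run: [navmgrd] C:\\WINNT\\system32\\navmgrd.exe
O4 - HKLM\\..\\Run: [a-winpoet-service] "C:\\Program Files\\WinPoET Broadband Connection\\winpppoverethernet.exe"
"""

# Names this thread reports as the worm's self-renaming autostart binaries.
# Assumption: a real watchlist is sourced from vendor write-ups, not typed in.
WATCHLIST = {"wuamgrd.exe", "navmgrd.exe", "wmon16.exe"}

# O4 lines look like: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def exe_basename(cmd: str) -> str:
    """Lower-cased file name of the executable in a command line.
    Handles a quoted path with spaces and an unquoted path followed by args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hijackthis(text: str) -> Dict[str, list]:
    """Collect running-process file names and O4 autostart entries."""
    processes: List[str] = []
    autostarts: List[dict] = []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
                continue
            processes.append(exe_basename(line))
            continue
        m = O4_RE.match(line)
        if m:
            autostarts.append({
                "hive": m.group("hive"),
                "name": m.group("name"),
                "exe": exe_basename(m.group("cmd")),
                "cmd": m.group("cmd"),
            })
    return {"processes": processes, "autostarts": autostarts}


def find_suspicious(text: str, watchlist=WATCHLIST) -> List[dict]:
    """Watchlisted names in autostart keys or the process list.
    'running' tells whether a persisted binary is also currently executing."""
    report = parse_hijackthis(text)
    running = set(report["processes"])
    findings: List[dict] = []
    for entry in report["autostarts"]:
        if entry["exe"] in watchlist:
            findings.append({"exe": entry["exe"], "where": entry["hive"],
                             "running": entry["exe"] in running})
    for exe in sorted(running):
        if exe in watchlist and not any(f["exe"] == exe for f in findings):
            findings.append({"exe": exe, "where": "process list only",
                             "running": True})
    return sorted(findings, key=lambda f: f["exe"])


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['exe']}: persisted in {f['where']}, running={f['running']}")
```

Run on the constructed sample it reports navmgrd.exe persisted under HKLM\..\Run and currently running; the legitimate entries (F-StopW, WinPoET, mobsync) are left alone because matching is on the exact watchlisted file name, which is also why a worm that renames itself on each reboot, as described in this thread, slips past a static list and needs a scanner that recognises the file contents instead.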
LoPhatPhuud
CJ is experiencing some computer issues and I am covering her logs for her until she is back online.


There is nothing malicious in your log that would connect. Perhaps a program looking for updates. Kerio? F-Prot?
CalamityJane
QUOTE (emetib @ May 28 2004, 10:00 AM)
Kaspersky was useful yet didn't clean so I reformatted.

I'm back :) - Thanks LPP.

Re: KAV online single file check. No, it doesn't clean, I wanted to know what infection you had to recommend a solution, which is why I asked you to copy the report back here. However, since you have reformatted and deleted the file I assume you are ok.

Except, presence of wmon16.exe on the system suggests it may have been an Agobot/Gaobot infection. See example here: http://uk.trendmicro-europe.com/enterprise...=WORM_AGOBOT.SH

You may well have gotten it by not having the patches for your operating system that are linked in the page I just listed above. If you do not, you are highly likely to get reinfected again with no intervention on your part. Just being online with an unpatched system will do it.

First make sure you have all the Windows Critical Security updates. I recommend this tool to help you make sure you do. It will identify which ones you need and there are links and easy instructions to correct the problems and get your needed updates.

Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx

Once you have all the updates there is less chance of getting infected right away again by that worm. Then you can get a free online AV scan at any of the following:

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx
emetib
KAV scan of navmgrd.exe said it was a 0 byte file so no report was generated.

Thank you for your reply.

I will check to see I have all current patches and visit the AV sites you listed.
CalamityJane
Ah! Ok - thanks for letting us know :)

Here is a whole page of our recommendations for prevention of malware that might be useful for you.

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

Good luck - let us know if you need any further help.

Stay safe and happy surfing