I'm told I could have a bug, virus, spy or something scary called an IRC bot/Serv-U FTPD hack kit that hides itself in windir/system32/drivers/etc (etc being the bad part).
I do have this etc file and did use the patch exe file from a friend's CD that I'm told it came from.
So - do I delete it, destroy it with Steganos, relax or set fire to my PC?
I run XP Home and have AVG, Spybot, SpyDoctor, AdAware, Ewido, CWS and CCleaner - hope this is enough info.
(Only AVG and SpyDoctor are running permanently)
All help / advice very welcome - thanks in advance.
Springbok
Why don't you download and run HijackThis and post your logfile here for our resident expert, dl65.
http://www.majorgeeks.com/download3155.html
You might ALSO want to try the free online scanner at www.trendmicro.com, springbok. Are your Win updates CURRENT?
Let's see a HijackThis log and we can try that first.
When you ran Ewido, did you do it from safe mode with your System Restore turned off?
dl65
Do NOT delete your etc directory.
Hi all, thanks for the response.
First, I have got HijackThis but it's not installed and I'm not sure about how to use it.
I will do all that but in the meantime I got a HouseCall from Trend; it found 7 items it didn't like much and removed all except one - TROJ_SE.67431. It did manage to remove a second similar (TROJ_SE.67426).
Next I ran Ewido - it found only one cookie = Euroclick, & removed.
Next I ran SpyDoctor which found 32 undesirables but only one high risk - VX2-Look2Me (also removed).
Running with restore turned off and in SAFE mode.
On my old WIN95 SE I could slip into safe mode anytime I liked, with XP I can't figure out how, even tho' I did it once a few months ago. Also cannot see any way to turn off Restore!
I'll come back when I've run HijackThis, in the meantime, thanks a lot for your kind interest and advice.
Really glad I found you all!
Sorry dl65, in reply to the question you asked, yes, my Win updates are current - as from this morning in fact.
The update thing is set on auto and seems to be performing fine. Phew!
As for safe mode and restore off, I replied to that in the post above.
Before anyone suggests a name change - I'm going from Springbok to Dumbo - (maybe)!
Springbok
Quote
Running with restore turned off and in SAFE mode.
On my old WIN95 SE I could slip into safe mode anytime I liked, with XP I can't figure out how, even tho' I did it once a few months ago. Also cannot see any way to turn off Restore!
Safe Mode is F8 when the machine starts (before you see the Windows logo). You can tap the key several times as the machine is starting.
System Restore info is here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
You have learned a great deal this week. Be sure and practice safe computing. We are glad you are up and running, though.
Hi again,
Thanks for the info GX1_Man, I spent some time trying to find the System control panel (I'm using the Windows 'Classic' layout) but got there in the end.
Also remembered the tapping of F8 for safe mode (thanks), haven't tried either yet but will do so later.
In the meantime I have a HijackThis log - hope it helps -
Logfile of HijackThis v1.99.1
Scan saved at 16:57:30, on 11/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\SLEE401.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Steganos Security Suite 5\spm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
D:\Programs\Psuite.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Steganos Security Suite 5\steganos5.exe
C:\Program Files\Steganos Security Suite 5\safe.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.universal-archives.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Internet Download Accelerator - {2A646672-9C3A-4C28-9A7A-1FB0F63F28B6} - C:\PROGRA~1\IDA\idaiehlp.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\XIOD\XIOD3200U USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SSS5SPM] "C:\Program Files\Steganos Security Suite 5\spm.exe" /booting
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download ALL with IDA - C:\Program Files\IDA\idaieall.htm
O8 - Extra context menu item: Download with IDA - C:\Program Files\IDA\idaie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C
You will have to copy & paste your HJT log in 2 or 3 sections.
Carry on from where it was cut off.
Sorry
\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] (SLEE_401_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE401.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
That's all - sorry I didn't spot that.
Springbok
springbok...
Mark for removal:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
Then there are a number of questionable items; if you ARE NOT SURE WHAT THEY ARE remove them as well.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\XIOD\XIOD3200U USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O9 - Extra button: Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O9 - Extra 'Tools' menuitem: &Internet Download Accelerator - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - C:\Program Files\IDA\ida.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
Now click on Fix Marked, then reboot and see how things are.
dl65
Hi dl65,
Late comeback due to our different time zones.
I didn't delete anything as yet, but one or two lines there I do recognise. First is -
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\XIOD\XIOD3200U USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
My broadband works via an EXTERIOR X10D modem. Because my 'out in the sticks' phone line is so bad I lose connection every few minutes. The X10D re-connects. (I think maybe that's what this O4 - HKLM\ line does).
---------
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
This GhostSurf is one my stepson put on via a CD. The prog's not installed so I guess the line can be deleted.
----------
The two O9 - Extra button: Internet Download Accelerator lines.
Download accelerator is associated with IE - so it fires up whenever I go to a download. If I remove the line will Download Accelerator still work?
----------
There's just one more thing - how or where do I find these lines to remove? I never saw them before I used hijackthis - and that only gave me a text list. Should I use 'search' to get them?
Thanks for your help,
Springbok
PS dl65,
Yesterday I went to the Microsoft website, and got my PC checked for updates. Seemed I needed quite a few associated with IE (and others).
I let it download and install the lot - about 15 minutes worth.
Mention this 'cos you asked about updates. Don't know why Auto Update missed them :-?
Springbok
Ahem, I er, found out how to delete from the registry.
And I deleted R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
Just in case any of you guys would like to know, you just click Start, Run, type Regedit and click Ok!
Ok, I'm going, I'm going . . . .
Still need help, not an expert quite yet.
Springbok
When you run a HJT scan you can delete entries by ticking the checkboxes from within the program.
Is your computer ok?
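As an added example, not code from this thread or from HijackThis itself: a small Python script that parses lines in the HijackThis log format posted above and applies the same kind of triage rules dl65 used when marking entries (a start/search page pointing at a remote site, an autostart entry with no path to its executable, an entry pointing at a missing file, a service with no publisher). The sample lines are copied from the log in this thread; the rules are this example's own assumptions, not HijackThis's logic, and a flagged entry only means "look at it", not "remove it".

```python
import re

# Constructed sample in HijackThis v1.99 log format; the lines are copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# "O4 - HKLM\..\Run: [...]" -> section "O4", detail "HKLM\..\Run: [...]"
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_hjt(text):
    """Return (section, detail) tuples for every entry line; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Assumed review rules (this example's, not HijackThis's); returns (section, detail, reason)."""
    flagged = []
    for section, detail in entries:
        reason = None
        if section in ("R0", "R1") and "=" in detail:
            value = detail.split("=", 1)[1].strip().lower()
            # A start/search page set to a remote site is the kind of entry marked for removal above
            if value.startswith(("http://", "https://")):
                reason = "browser start/search page points to a remote URL"
        elif section == "O4" and "]" in detail:
            tokens = detail.split("]", 1)[1].strip().lstrip('"').split()
            # A bare executable name carries no path, so there is nothing to verify on disk
            if tokens and "\\" not in tokens[0]:
                reason = "autostart entry with no full path to the executable"
        elif section in ("O2", "O9") and detail.endswith("(no file)"):
            reason = "entry references a file that no longer exists"
        elif section == "O23" and "Unknown owner" in detail:
            reason = "service with no publisher recorded"
        if reason:
            flagged.append((section, detail, reason))
    return flagged
```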