Leftovers from Win32.SDBOT *help please*

Ok I seem to have gotten rid of the virus a few hours after I got it which was around august 4th and I’ve been clean the weird thing is 2 of the programs associated with it
wuammgr32.exe and rasmngr.exe are still in my start up when I type in msconfig but what it seems like is I got rid of the virus but there’s leftovers but they cant work cause the virus was deleted.

How can I remove them and am I safe in assuming above that im ok ?

No you are not safe (yet!). But don’t worry, we will help you. For a start do two things. Set Avast to thorough and run a full system scan. After that, run HijackThis and post your log here.

I ran a in depth scan which picked up nothing. and I hope the log below is the right 1

Logfile of HijackThis v1.98.2
Scan saved at 4:11:36 PM, on 8/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chris computer\Desktop\hijackthis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4385/mcfscan.cab

Looks clean to me…

This stuff is unnecessary…:
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

and maybe this, too, if you don’t use it often:
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background :wink:

P.S.: if you use PANDA-AV
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

be prepared to get “falsepositives” in its files
[EDIT](e.g. pav.sig & imscan.dll), when you use/update Panda-Onlinescanner

→ for more details, see FAQ’s on www.avast.com → support, or link “VirusRemoval” below in my sig :wink:

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
This is from the online scanner from Panda if I am correct.

For the rest, innocent as a new born baby ;D

Ok welly my question is when I run msconfig why are they still listed in my startup there just disabled ? I enabled each of em once the other night and nothing ! so whats the possable explanation for this ? should I still worry cause SDBOT was a pain to get off?

If you are SURE,
that the files which correspond to the disabled msconfig-entries are gone, then reenable their entries in msconfig and make a new hJT-Log (maybe after reboot)
and fix them there
(it should say now “no file” in the line)

or do a manual search in registry, or use some regCleaner

P.S.:
Imho HJT doesn’t list startup-entries that are disabled via MSCONFIG, as they are inactive… (that’s why you don’t see them in HJT)

ok there they are and this is a update from this post I found the Rascon 1 and deleted it from the registry so when i type in msconfig it’s out of there but the wuammgr32.exe is still there

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [RasCon Remote Access Service Manager] rasmngr.exe
O4 - HKLM..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4385/mcfscan.cab

Well, what is your problem ?? ??? ???

just check & fix the two above lines in Hijackthis…

I hope you applied all Windowsupdates, changed all your passwords, and secured your shares ?

Info

O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

→ Seems you didn’t enable everything in MSCONFIG yet:

MSConfig
or
MSConfigReminder
msconfig.exe
This is an entry that appears when you uncheck an item in the Startup group, and will disappear if on the next reboot you select the option to not be reminded that you are running in Selective Startup mode

SysInfo

duh!!! sorry I fixed it with Hijackthis :smiley:

Logfile of HijackThis v1.98.2
Scan saved at 10:53:42 PM, on 8/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Documents and Settings\chris computer\Desktop\hijackthis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4385/mcfscan.cab

Disabling things from loading in msconfig means they will be removed from the registry, but the keys are backup in temp file. MSconfig under XP is NOT for removing things, just for troubleshooting. To remove things from loading at boottime use regedit, or (safer and easier) StartUp.cpl

Since you remove things from the registry on a temporary base with msconfig, HJT doesn’t see the hklm.…\run lines with things you temporary disabled. HJT reports only active things. Why mention something that isn’t there/running? It’s not harmfull, so why report it?

well it was related to the virus so I was on edge.

what I did was I managed to delete the rsgmgr out of my comp with regedit then I ran msconfig and activated the remaining one and fixed/deleted it with Hijack this so my start up is clean