Win32.Secdrop.HB trojan

I have this trojan:

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=43245

The latest version of Avast does not detect it. What do I have to do to get rid of it?

Thanks

Bill.

  1. If you believe you have an undetected virus, then if you can, zip and password protect (‘virus’ will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be an undetected virus, and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

  2. Since this is designed to lower IE security settings I would suggest using Firefox as your primary browser.

  3. Check out this link for Trojan Characteristics:
    http://vil.nai.com/vil/content/v_127723.htm
    This may help you to resolve the problem.

  4. Program & Tutorial - Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial
    For an on-line analysis - HiJackThis Log file - On-line Analysis
    Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis let us know.

You could also post the contents of the log file here and we can take a look at it (as the HJT analysis may not recognise it either).

Well, actually it seems to detect something when the payload is delivered. I get a message giving me the option of aborting the connection. However, when I run a full system scan nothing comes up. There are also a few other suspicious processes running.

I’ve installed and run HiJackThis. Could you take a look at my log?

Logfile of HijackThis v1.99.1
Scan saved at 08:09:07, on 30/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\dhcpclient.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\phqghum.exe
C:\WINDOWS\System32\phqg.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Bill\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] “C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM..\RunServices: [Windows CPU host] winbog32.exe
O4 - HKLM..\RunServices: [VCXD Settings] phqg.EXE
O4 - HKLM..\RunServices: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [VCXD Settings] phqg.EXE
O4 - HKCU..\Run: [VIEW POINT DRIVERS] phqghum.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://.windowsupdate.microsoft.com
O15 - Trusted Zone: http://.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119423470812
O17 - HKLM\System\CCS\Services\Tcpip..{00EFDD4A-1371-4798-BEAF-AB282C9827C4}: NameServer = 80.225.252.58 80.225.252.50
O17 - HKLM\System\CS1\Services\Tcpip..{00EFDD4A-1371-4798-BEAF-AB282C9827C4}: NameServer = 80.225.252.58 80.225.252.50
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe

  1. Your OS and Browser are both in need of a visit to Windows Update; XP SP2 has numerous security improvements that will leave you less vulnerable, as does IE 6 SP2.

  2. You don’t appear to be using a firewall (unless you have a hardware one); this is like playing Russian Roulette with an automatic.

These look suspicious to me, so you should double check using Google and the link to the on-line analysis site I gave.

C:\WINDOWS\System32\phqghum.exe
C:\WINDOWS\System32\phqg.EXE
O4 - HKLM..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM..\RunServices: [VCXD Settings] phqg.EXE
O4 - HKLM..\RunServices: [VIEW POINT DRIVERS] phqghum.exe
Why this is listed twice is beyond me:
O4 - HKCU..\Run: [VCXD Settings] phqg.EXE
O4 - HKCU..\Run: [VIEW POINT DRIVERS] phqghum.exe
Are these familiar to you? Did you install some Viewpoint software/hardware that uses these?

O4 - HKLM..\RunServices: [Windows CPU host] winbog32.exe
This is very suspicious and should be fixed, as some Google hits report it to be a trojan.

O17 - HKLM\System\CCS\Services\Tcpip..{00EFDD4A-1371-4798-BEAF-AB282C9827C4}: NameServer = 80.225.252.58 80.225.252.50
O17 - HKLM\System\CS1\Services\Tcpip..{00EFDD4A-1371-4798-BEAF-AB282C9827C4}: NameServer = 80.225.252.58 80.225.252.50
Are these in any way related to your ISP? If not, do you know why they are there?
See the on-line analysis report.

See this on-line analysis report (available for three days) - http://hijackthis.de/logfiles/e737d8408acf2e2a708a8db675c0fa0e.html

dhcpclient.exe in the O23 section is a service installed by the Codbot-AG worm:

http://sophos.com/virusinfo/analyses/w32codbotag.html

Sophos provides removal instructions plus a link to a downloadable virus scanner which should remove the worm; some registry editing is also necessary.

Panda active scan will also detect and remove Codbot.AG as they call it:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

Ok, well I used Panda and it turns out that all those files were trojans. I’ve just managed to install SP2. The installation kept stalling before, perhaps something to do with the trojans (I’ve recently reformatted).

Anyway, thanks for the help. Will SP2’s firewall be enough or do I need something like ZoneAlarm?

ZA is better than the XP firewall because it provides outbound protection, which XP’s firewall doesn’t.

Hi subtlesnake,

Could you repeat the HijackThis! scan and post the log please?

Panda also doesn’t find everything, and we need to make sure that the malware in your first log has gone.
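The triage rules DavidR applied to the first log (bare filenames in O4 Run entries, anything under the old RunServices key, one entry name registered under several keys, O17 nameservers that do not belong to the ISP, O23 services whose file is missing or unverified) and the before/after comparison FreeWheelinFrank asks for here can both be scripted. The Python below is an added example for this thread, not code from HijackThis, avast or anyone in the discussion; the two sample logs are constructed in the HJT 1.99.1 line format (modelled on, not copied from, the thread's logs), `{PLACEHOLDER-GUID}` and the resolver `192.0.2.53` are placeholders, and the ISP allow-list is the Tiscali UK range that the whois lookup later in the thread reports.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample logs in the HijackThis 1.99.1 line format, modelled on the
# thread's logs but not copied from them. {PLACEHOLDER-GUID} and 192.0.2.53 are placeholders.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKLM\..\RunServices: [Windows CPU host] winbog32.exe
O4 - HKLM\..\RunServices: [VIEW POINT DRIVERS] phqghum.exe
O4 - HKCU\..\Run: [VIEW POINT DRIVERS] phqghum.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 80.225.252.58 80.225.252.50
O17 - HKLM\System\CS1\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 192.0.2.53
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe
"""

# Same machine after cleanup: the suspect O4 entries and the odd resolver are gone and
# the worm's service entry is now orphaned ("file missing"), so it still needs fixing in HJT.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 80.225.252.58 80.225.252.50
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)
"""

# ISP allow-list: the Tiscali UK Ltd range reported by the whois lookup in the thread.
ISP_RANGES = [str(n) for n in ipaddress.summarize_address_range(
    ipaddress.ip_address("80.225.248.0"), ipaddress.ip_address("80.225.255.127"))]

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")  # every HJT finding line starts like this


def executable_of(cmd: str) -> str:
    """Return the executable part of an O4 command line (straight or curly quotes)."""
    cmd = cmd.strip()
    if cmd and cmd[0] in '"\u201c':
        close = re.search('["\u201d]', cmd[1:])
        return cmd[1:] if close is None else cmd[1:close.start() + 1]
    return cmd.split()[0] if cmd else ""


def analyze(log_text: str, isp_ranges) -> dict:
    """Map each suspicious log line to the reasons it was flagged.

    These are triage hints, not verdicts: a legitimate bare-filename entry such as
    the C-Media mixer trips the same rule, which is why the thread asks the user
    whether the names are familiar before fixing anything.
    """
    nets = [ipaddress.ip_network(r) for r in isp_ranges]
    reasons = defaultdict(list)
    lines_by_name = defaultdict(list)
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            if "\\" not in exe and ":" not in exe:
                reasons[line].append("bare filename: no vendor path to verify, look it up")
            if m["key"] == "RunServices":
                reasons[line].append("RunServices key: Win9x-era key, rarely used by legitimate XP software")
            lines_by_name[m["name"]].append(line)
        elif m := O17_RE.match(line):
            for server in m["servers"].replace(",", " ").split():
                try:
                    ok = any(ipaddress.ip_address(server) in n for n in nets)
                except ValueError:
                    ok = False
                if not ok:
                    reasons[line].append(f"nameserver {server} is outside the ISP's ranges")
        elif m := O23_RE.match(line):
            if "(file missing)" in m["path"]:
                reasons[line].append("service points at a missing file: orphaned entry, fix it")
            elif m["owner"] == "Unknown owner" and "\\system32\\" in m["path"].lower():
                reasons[line].append("unknown-owner service in System32: verify the file")
    # The thread's "why is this listed twice": one name under several autostart keys.
    for name, lines in lines_by_name.items():
        if len(lines) > 1:
            for line in lines:
                reasons[line].append(f"[{name}] is registered under {len(lines)} autostart keys")
    return dict(reasons)


def compare_logs(before: str, after: str):
    """Return (entries gone since the first log, entries new in the second log)."""
    def entries(text):
        return {ln for ln in text.splitlines() if ENTRY_RE.match(ln)}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, why in analyze(BEFORE_LOG, ISP_RANGES).items():
        print(line)
        for r in why:
            print("   ->", r)
    gone, new = compare_logs(BEFORE_LOG, AFTER_LOG)
    print("\ngone since first log:", *gone, sep="\n  ")
    print("\nnew in second log:", *new, sep="\n  ")
```

Run against the constructed logs, `analyze` flags seven lines in the first log, including the mixer entry as a false positive to be confirmed with the user, while `compare_logs` shows the four suspect O4 entries, the second resolver and the original service line gone, and the orphaned `(file missing)` service entry as the one thing still to fix.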

This is my new log:

Logfile of HijackThis v1.99.1
Scan saved at 23:09:02, on 01/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Bill\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] “C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://.windowsupdate.microsoft.com
O15 - Trusted Zone: http://.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119423470812
O17 - HKLM\System\CCS\Services\Tcpip..{00EFDD4A-1371-4798-BEAF-AB282C9827C4}: NameServer = 80.225.252.58 80.225.252.50
O17 - HKLM\System\CS1\Services\Tcpip..{00EFDD4A-1371-4798-BEAF-AB282C9827C4}: NameServer = 80.225.252.58 80.225.252.50
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\dhcpclient.exe (file missing)

I’ve got to check the NameServers, but I don’t think they’re for my ISP or anything like that.

Get rid of (fix) dhcpclient.exe in the O23 section; it is a service installed by the Codbot-AG worm, as FreeWheelinFrank mentioned in post #4.

I would say that the nameservers may well be to do with your ISP, but check it out.

A quick look at the log shows it is in reasonable shape, but check out the above.
You still don’t appear to have a firewall yet.

I have just done a Whois reverse lookup and the IP range would appear to be in the Tiscali UK Ltd IP range, so if they are your ISP they are OK (or they provide access for your ISP).

% Information related to '80.225.248.0 - 80.225.255.127'

inetnum: 80.225.248.0 - 80.225.255.127
netname: UK-TELINCO-MGNT
descr: Tiscali UK Ltd