Avast WEBforum

Other => Viruses and worms => Topic started by: yerom on August 04, 2004, 11:00:58 PM

Title: Cannot clean the SdBot-545
Post by: yerom on August 04, 2004, 11:00:58 PM
Hello,
I'm in trouble with the Win32:SdBot-545 [trj].

The trojan is in the msconfg.exe file which is in the C:/windows/system32 folder.
I can remove the virus from my computer.
Avast cannot repair it.
I tried HijackThis, clean or (delete?).

But the trojan is always at startup...
Like the bad guy in "friday the 13th" :)

What could I do to kill him definitively?

Thanks in advance.
yerom
Title: Re:Cannot clean the SdBot-545
Post by: whocares on August 05, 2004, 01:08:17 AM
Hi,

please
- read the link "VirusRemoval" below in my sig
- post the hijackthis-log
- report the exact results of onlinescans with Trend, RAV & KAV on the suspicious file(s)/the whole PC

read here:
SdBot-545 (http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=Win32%3ASdBot-545&product=1)

This strongly suggests that you
- don't have all Windows updates applied and/or
- use insecure passwords and/or
- are careless with IRC or FileSharing/P2P


 ;)
Title: Re:Cannot clean the SdBot-545
Post by: DavidR on August 05, 2004, 01:13:16 AM
Hi yerom,

Do a search of the forums for Win32:SdBot; you will find a lot of hits for sdbot.

Check out this thread also General Advice&Tools for virus/trojan/malware removal (http://forum.avast.com/index.php?board=4;action=display;threadid=5373)

If you need more help, come back here with more info....

The file msconfg.exe is not a Windows file; msconfig.exe is. What they are attempting to do is confuse with a misspelling of a system file. This assumes that you haven't mistyped the trojan name.

HTH David
Title: Re:Cannot clean the SdBot-545
Post by: techie101 on August 05, 2004, 02:38:01 AM
yerom,

Firstly, make sure that you have updated Avast to the latest database. The virus you name W32:sdbot-545 was included in the VPS 0432-1 for detection.
If you have an older database, then Avast will not be able to detect and remove it.

Secondly, once you have removed it......
if it comes back, then you have not eliminated the source that gave it to you in the first place.

As has been mentioned, IRC and File sharing are the most common ways that this trojan is spread.
Do you use Kazaa or any similar utility?  What about music sharing?

Make sure that all Windows updates are downloaded and installed.  Always reboot after the updates to get all your programs to "settle in" again.

Let me know how things turn out.
Title: Re:Cannot clean the SdBot-545
Post by: yerom on August 05, 2004, 08:49:44 AM
Hello,

thanks for all your answers.

Well, I don't have any P2P or IRC installed.
I just installed my system recently and I don't use it. I just put Avast on first and it found this trojan in the msconfg.exe file. (That's the real name, no error in it.)

I renamed and moved it. So the msconfg.exe in the c:/windows/system32 folder seems to be clean, but the renamed file in the avast/moved folder is still infected.
Avast detects it but doesn't clean it.

I have the latest database installed.


This is the HijackThis log report for my computer:
(I don't really know how to use HijackThis, in fact.)

Logfile of HijackThis v1.98.0
Scan saved at 08:40:58, on 05/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\ati2vid.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Administrateur\Bureau\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [spoolsv.exe] wuamgrd.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Windows Service Pack2] svchhost.exe
O4 - HKLM\..\RunServices: [spoolsv.exe] wuamgrd.exe
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [spoolsv.exe] wuamgrd.exe


Thank you for the great help
Yerom
Title: Re:Cannot clean the SdBot-545
Post by: Eddy on August 05, 2004, 09:00:52 AM
Disable system restore, reboot, fix the following things with HJT, reboot. Then run a full system scan with Avast.

\WINDOWS\System32\wuamgrd.exe
04 - HKLM\..\Run: [spoolsv.exe] wuamgrd.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
04 - HKLM\..\RunServices: [Windows Service Pack2] svchhost.exe
O4 - HKLM\..\RunServices: [spoolsv.exe] wuamgrd.exe
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [spoolsv.exe] wuamgrd.exe
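One way to triage the O4 entries Eddy singles out, as an added example that is not code from the thread or from HijackThis: a small Python checker that flags Run/RunServices values whose name borrows a system process name while launching something else (the "[spoolsv.exe] wuamgrd.exe" pattern), whose executable is one keystroke away from a real system file (svchhost.exe, msconfg.exe), or that launch an unqualified binary nobody recognises. The list of genuine system binaries is a hand-picked assumption, not an official one.

```python
import re

# Constructed sample: O4 autostart entries copied from the HijackThis log posted above.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [spoolsv.exe] wuamgrd.exe
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\RunServices: [Windows Service Pack2] svchhost.exe
O4 - HKLM\..\RunServices: [spoolsv.exe] wuamgrd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [spoolsv.exe] wuamgrd.exe
"""
# Genuine Windows binaries that malware likes to impersonate (hand-picked assumption, not exhaustive).
SYSTEM_EXES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
               "svchost.exe", "spoolsv.exe", "explorer.exe", "msconfig.exe",
               "rundll32.exe", "wuauclt.exe"}
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def edit_distance(a, b):
    """Levenshtein distance; one keystroke of difference is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(exe):
    """Return the system file `exe` is one edit away from (msconfg.exe -> msconfig.exe), else None."""
    for legit in sorted(SYSTEM_EXES):
        if exe != legit and edit_distance(exe, legit) == 1:
            return legit
    return None

def exe_name(cmd):
    """Split the executable out of a Run-key command: (lowercase basename, had a directory?)."""
    cmd = cmd.strip()
    first = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower(), "\\" in first

def analyse(log_text):
    """Return (line, reason) pairs for autostart entries that deserve a closer look."""
    findings = []
    for m in filter(None, map(O4_RE.match, log_text.strip().splitlines())):
        name, (exe, qualified) = m["name"].lower(), exe_name(m["cmd"])
        twin = lookalike(exe)
        if name in SYSTEM_EXES and exe != name:
            findings.append((m.string, f"value name borrows {name} but actually runs {exe}"))
        elif twin:
            findings.append((m.string, f"{exe} is one keystroke away from {twin}"))
        elif not qualified and exe not in SYSTEM_EXES:
            findings.append((m.string, f"{exe} has no path and is not a known system file"))
    return findings
```

Heuristics like these only point at entries worth checking on disk; an unknown bare filename such as ati2vid.exe still needs the file itself inspected before deciding it is malicious.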
Title: Re:Cannot clean the SdBot-545
Post by: whocares on August 05, 2004, 11:46:00 AM

Make sure that all Windows updates are downloaded and installed.  

or it will always come back...
Title: Re:Cannot clean the SdBot-545
Post by: yerom on August 06, 2004, 10:15:49 AM
Hello

I got rid of him...
Thanks for your help.
:)

yerom