Author Topic: Win32:sdbot-2119  (Read 8180 times)


j0r

  • Guest
Win32:sdbot-2119
« on: June 08, 2005, 11:04:09 AM »
My system is infected by the win32:sdbot-2119 Trojan horse worm. Avast does find some bad files at every start-up, but they keep on coming back even if I've removed them! I got it from a friend through MSN and in the beginning it kept on sending itself to my contacts. I believe that stopped now, but I can't remove this worm and avast does not find the worm itself, only the bad files. How can I fix this (I don't want to perform format C:/)? Can't avast find an anti-dote?

Thanks in advance!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:sdbot-2119
« Reply #1 on: June 08, 2005, 11:22:35 AM »
Have you done a boot time scan with avast?

Right click the avast! globe and select Start avast! Antivirus.

avast! will do a memory scan: if it find the worm in memory, it will prompt you to do a boot time scan: accept this and reboot.

If avast! doesn't find anything in memory, schedule a boot time scan. (Click the button at the top left of the avast! silver console and select Schedule boot time scan from the drop-down menu.)

You will need a firewall to prevent reinfection. Either enable XP's firewall if you have it or download a free one - before you do your boot scan (Zone Alarm is most user friendly.)

After you have done your boot scan, install the firewall before you reconnect to the internet.

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

j0r

  • Guest
Re: Win32:sdbot-2119
« Reply #2 on: June 08, 2005, 12:39:23 PM »
I performed the boot scan and deleted A LOT of infected files, but I'm getting the idea it's still not completely gone. Winamp/MSN are still showing weird colors sometimes and my internet browser can't find pages sometimes (and 5 secs later it CAN find them).

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:sdbot-2119
« Reply #3 on: June 08, 2005, 12:46:10 PM »
I suggest you run some reliable free anti-spyware scanners:

Spybot Search & Destroy: http://www.safer-networking.org/en/download/
MS AntiSpyware: http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en
Yahoo! Anti-Spy: http://toolbar.yahoo.com/
X-Cleaner Free: http://www.xblock.com/download-freeware.php

Also run Ewido anti-Trojan program as a double check:

http://www.ewido.net/en/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

j0r

  • Guest
Re: Win32:sdbot-2119
« Reply #4 on: June 08, 2005, 12:48:13 PM »
Been there, done that..

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:sdbot-2119
« Reply #5 on: June 08, 2005, 12:53:03 PM »
Then can you do a scan with HijackThis! and post the log file for us to look at?

http://www.merijn.org/downloads.html
« Last Edit: June 08, 2005, 12:55:30 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

j0r

  • Guest
Re: Win32:sdbot-2119
« Reply #6 on: June 08, 2005, 01:15:52 PM »
« Last Edit: June 08, 2005, 01:45:32 PM by j0r »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Win32:sdbot-2119
« Reply #7 on: June 08, 2005, 06:15:10 PM »
Howdy J0r,

Here is the quick-and-dirty on your hijack file; they save this log analysis for 3 days. Link to look at it: http://www.hijackthis.de/logfiles/d7d6d2ca54cce097b6f7d406cde51691.html
Check all the things, dll's and such you are not sure about with Google to see if these are legit and normal for your OS, and right in the path you find it in. Ignore the 023 reference to AVAST because this is a glitch in the HijackThis program and can be ignored. If there are files you do not trust, scan them at jotti: link: http://virusscan.jotti.org/ Remember when you go there it is like a second opinion of a specialist. Only scan when you suspect a file with an infection. Because jotti has heuristic AV scanning aboard there is a possibility it may come up with a false positive. Hope your problem is cured this way. Your OS should be in safe mode when you do this or else all the things you cleared may be set back again after reboot. Success,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:sdbot-2119
« Reply #8 on: June 08, 2005, 06:16:45 PM »
That'll do nicely!

Your log file analysis has been saved and is available here:

http://hijackthis.de/logfiles/c190f22e5015731c3c28493ab2c83400.html

(It will be saved for 3 days.)

Quote
No active firewall was found on your system or the firewall you use is unknown to us. If you don't use a firewall you should download and install one or activate windows xp's own one.

You have a running process symlcsvc.exe which is part of Norton Anti-Virus 2004. You should not have two anti-virus programs running at the same time because they can conflict and cause problems.

Try Add/Remove to see if you can uninstall from there, or you can find uninstall tools in this thread:

http://forum.avast.com/index.php?topic=12669.0

These lines are malware:

O4 - HKLM\..\Run: [Windows Workstation Service (32-bits)] wkssvc32.exe
O4 - HKLM\..\RunServices: [Windows Workstation Service (32-bits)] wkssvc32.exe 
O4 - HKCU\..\Run: [Windows Workstation Service (32-bits)] wkssvc32.exe   

http://www.bleepingcomputer.com/startups/wkssvc32.exe-f10537.html

The above link identifies wkssvc32.exe as a variant of SDBot.

I suggest you try the SDBot removal tool from F-Secure:

http://www.f-secure.com/v-descs/sdbot_vc.shtml

Run HijackThis! again and if these entries remain, tick the boxes and select fix checked. Reboot and check again to see if they are gone.

If they are not, something is protecting them and we will have to find it and kill it!

The other unknown applications seem to be legitimate. (Checked them on Google.)

The two entries O14 and O16 possibly come from your ISP: you should confirm this.

The two O23 entries marked 'unnecessarily' are a glitch: they should not be fixed.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:sdbot-2119
« Reply #9 on: June 08, 2005, 06:19:05 PM »
You beat me to it, Polonus! But you didn't spot the Trojan!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Win32:sdbot-2119
« Reply #10 on: June 08, 2005, 07:05:59 PM »
Hello FreewheelinFrank,

Fill me in on it, please, you are a knowledgeable person. I did not analyse the scan further, you know, just posted j0r's HJT log for the automatic analysis. What did I miss out? I like to learn a couple of new tricks too. Hope I did not interfere in this session.

Kindest regards,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:sdbot-2119
« Reply #11 on: June 08, 2005, 07:14:07 PM »
No worries, only kidding.

I've joined boot camp at Spyware Info Forums and I'm getting some practice, but I'm still a HijackThis rookie.

wkssvc32.exe listed in O4 is a malware file. I can't see it in running processes so maybe avast! deleted the file but left the registry entry.

Any ideas? Maybe you can help?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
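The O4 lines quoted in Reply #8 (three autostart entries, all launching a bare wkssvc32.exe) and the guess in Reply #11 that the file is gone but the registry entries remain can both be checked mechanically. The script below is an added example written for this thread; it is not HijackThis code and was not posted by anyone here. It parses HijackThis O4 lines into their hive, key, display name and image, then flags entries whose image name appears on a denylist, entries that name a bare filename with no path, entries under the Windows 9x-era RunServices key, and entries whose image cannot be found on disk (the "orphaned" case from Reply #11). The sample log lines, the denylist (taken from the BleepingComputer startup entry cited in the thread) and the set of files "present on disk" are constructed stand-ins so the script runs offline; on a real machine you would replace the last set with a directory listing of the system folders.

```python
import re
from dataclasses import dataclass, field

# Matches HijackThis "O4" autostart lines such as
#   O4 - HKLM\..\Run: [Windows Workstation Service (32-bits)] wkssvc32.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>RunServicesOnce|RunServices|RunOnce|Run): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.+?)\s*$"
)


@dataclass
class O4Entry:
    hive: str
    key: str
    name: str       # display name shown in square brackets
    command: str    # full command as logged
    image: str      # executable part of the command (may be a bare filename)
    flags: list = field(default_factory=list)


def _image_of(command: str) -> str:
    """Return the executable token: a quoted path, or the text before the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def parse_o4(line: str):
    """Parse one log line; return an O4Entry or None for non-O4 lines."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("command")
    return O4Entry(m.group("hive"), m.group("key"), m.group("name"), cmd, _image_of(cmd))


def triage(lines, known_bad, present_basenames):
    """Parse all O4 lines and attach triage flags.

    known_bad: lower-case image filenames a startup reference identifies as malware.
    present_basenames: lower-case filenames actually found in the search-path
        directories (constructed stand-in for a real directory walk).
    """
    entries = []
    for line in lines:
        e = parse_o4(line)
        if e is None:
            continue
        base = e.image.rsplit("\\", 1)[-1].lower()
        if base in known_bad:
            e.flags.append("known-bad image name")
        if "\\" not in e.image:
            e.flags.append("bare filename, resolved via search path at logon")
        if e.key == "RunServices":
            e.flags.append("RunServices key (honoured only by Windows 9x/Me; worms write it anyway)")
        if base not in present_basenames:
            e.flags.append("orphaned: no such file found on disk")
        entries.append(e)
    return entries


def suspicious(entries):
    """Entries that picked up at least one flag."""
    return [e for e in entries if e.flags]


# Constructed sample: the three lines quoted in the thread, two benign-looking
# entries, and one non-O4 line that the parser must ignore.
SAMPLE_LOG = [
    "Running processes:",
    "O4 - HKLM\\..\\Run: [Windows Workstation Service (32-bits)] wkssvc32.exe",
    "O4 - HKLM\\..\\RunServices: [Windows Workstation Service (32-bits)] wkssvc32.exe",
    "O4 - HKCU\\..\\Run: [Windows Workstation Service (32-bits)] wkssvc32.exe",
    "O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe",
    'O4 - HKCU\\..\\Run: [ctfmon.exe] "C:\\WINDOWS\\system32\\ctfmon.exe"',
]
KNOWN_BAD = {"wkssvc32.exe"}             # from the BleepingComputer entry cited above
PRESENT = {"ashdisp.exe", "ctfmon.exe"}  # constructed: files that exist on this box

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG, KNOWN_BAD, PRESENT):
        status = "; ".join(entry.flags) or "ok"
        print(f"{entry.hive}\\..\\{entry.key}: [{entry.name}] {entry.image} -> {status}")
```

The orphan check is what separates "the worm is still here" from "avast! removed the binary but left its launcher entries": an entry that is both on the denylist and has no file behind it is safe to fix in HijackThis, while a denylisted entry whose file is present on disk means the sample still needs to be submitted and removed. The bare-filename flag matters on its own, because a launcher with no path is resolved through the search path at logon, so the entry will execute whichever copy of that name appears first.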

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Win32:sdbot-2119
« Reply #12 on: June 08, 2005, 07:35:53 PM »
Hi FreewheelinFrank,

You are right, but when I checked it here, I would have gotten the info too, it is obvious: http://www.bleepingcomputer.com/startups/wkssvc32.exe-f10537.html
OK, anyway j0r is safe now, and that is the thing that matters here. When I got it right, you proceed like this. Read the manual, get the HijackThis log, get the analysis, check the outcome against information on the net, and then you have a good guess what you are up against; isn't that what it is all about? OK. I'm learning fast. Thanks for the instruction.

greetings,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:sdbot-2119
« Reply #13 on: June 12, 2005, 10:48:30 AM »
The Microsoft Malicious Software Removal Tool now removes the SDBot.

http://www.microsoft.com/security/malwareremove/default.mspx
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog