Topic: W32:sdbot-gen3 and backdoor

barney_beardsall

W32:sdbot-gen3 and backdoor
« on: October 02, 2006, 11:06:45 AM »
Hi,
My father's PC was infected with the win32:sdbot-gen3 virus, and after a boot scan the PC seems to have destroyed this virus. However, I believe that this virus has created a backdoor to the PC, because every 30 mins or so the PC runs a CMD and opens an MS-DOS box, then tries to FTP to an IP address and run a win32task etc. I say "tries" as we cancel the operation midway.

I have run HijackThis and the output is shown below. I am also certain I am using the latest version of Avast 4 Home, as the auto update is set to on for both the database and engine, but I need to check again to make sure the virus has not changed the settings.

Logfile of HijackThis v1.99.1
Scan saved at 22:19:46, on 01/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\Barney\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD3RW7BXlKjvfDeRh0WqHgSxcdcBKJs0YRHSgwff8Y4mp1abeH2LX5AiCNyxlB2q0F/7Q5cwsTIuw1pEwE0SQNQCZZpGIVKDVgPQCmaMrk29Kc5mKRnguB4z6G9yToWP/QjK6ZGZ9tqV7Q4559RzyR0WAtsZ+s4LQOBFaTb6tfli9ZVHhM2MAzWuz7BhxINiB6ysYa/O2k7VFgFG2nnHNDsleSn0TFMuVpklCwMden6bo=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.8.1.2\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E6D7265-1094-4073-AF9F-B1B93009F47A}: NameServer = 192.168.2.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{3E6D7265-1094-4073-AF9F-B1B93009F47A}: NameServer = 192.168.2.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Please can you help fix/stop this?

Many thanks in advance.
Barney

Offline FreewheelinFrank

Re: W32:sdbot-gen3 and backdoor
« Reply #1 on: October 02, 2006, 12:14:19 PM »
Hi barney_beardsall,

You can see an analysis of your log here:

http://hijackthis.de/logfiles/38445b2822dd98b58b4a689f784043ab.html

It is always important to check out items highlighted. The only real problem highlighted is this entry:

0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as[dot]starware[dot]com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD3RW7BXlKjvfDe Rh0WqHgSxcdcBKJs0YRHSgwff8Y4mp1abeH2LX5AiCNyxlB2q0F/7Q5cwsTIuw1pEwE0SQNQCZZpGIVK DVgPQCmaMrk29Kc5mKRnguB4z6G9yToWP/QjK6ZGZ9tqV7Q4559RzyR0WAtsZ+s4LQOBFaTb6tfli9ZV HhM2MAzWuz7BhxINiB6ysYa/O2k7VFgFG2nnHNDsleSn0TFMuVpklCwMden6bo=

Which is a malware entry:

http://vil.nai.com/vil/content/v_135504.htm

This is an adware dropper, so I recommend you run some free anti-spyware, anti-adware programs: Ad-Aware, Spybot and Ewido:

http://www.download.com/3000-2144-10045910.html

http://www.safer-networking.org/

http://www.ewido.net/en/

If the entry is still there, you can attempt to remove it with HijackThis! as described here:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

The other thing I notice is that your version of Sun Java is out of date: older versions have security vulnerabilities and can allow malware infections.

Please update and uninstall all older versions.

You can find information by doing a forum search.

Good luck!
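The log review Frank walks through above, as an added example that is not part of this thread: a small Python triage pass over HijackThis v1.99.1 log lines, run on a constructed sample modelled on the entries in this log (the Starware URL is shortened). The trusted-host list and the flagging rules are my own assumptions, not anything HijackThis or Avast ships.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on this thread's log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=SHORTENED
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Assumption: IE search settings should point at Microsoft hosts; anything else
# deserves a look (the R0 entry in this thread points at a Starware adware URL).
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "live.com")

# Every HijackThis entry starts with a type code such as R0, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Yield (type, body) for each entry line; headers and process lists are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("type"), m.group("body")


def triage(text):
    """Return (type, reason, body) for entries a reviewer should inspect by hand."""
    findings = []
    for etype, body in parse_entries(text):
        if etype in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if not host.endswith(TRUSTED_SEARCH_HOSTS):
                findings.append((etype, "search setting points at " + host, body))
        elif etype == "R3" and "missing" in body:
            findings.append((etype, "URLSearchHook missing (often left behind by a hijacker)", body))
        elif etype == "O4":
            # Autorun entries with a bare filename depend on PATH lookup and hide their origin.
            cmd = body.split("]", 1)[1].strip().strip('"') if "]" in body else body
            if not re.match(r"^[A-Za-z]:\\", cmd):
                findings.append((etype, "autorun without an absolute path", body))
        elif etype == "O23" and "(file missing)" in body:
            # Quoted service paths can trip HijackThis; confirm on disk before acting.
            findings.append((etype, "service binary reported missing (verify)", body))
    return findings


if __name__ == "__main__":
    for etype, reason, body in triage(SAMPLE_LOG):
        print(f"{etype}: {reason}\n    {body}")
```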

Spiritsongs

Re: W32:sdbot-gen3 and backdoor
« Reply #2 on: October 02, 2006, 09:35:02 PM »
:) Hi Barney:

As Frank implied in his response, your father's computer needs MORE than Avast antiVIRUS TO PROTECT it. Frank mentioned several good & FREE antiSPYWARE programs. Because of the seriousness of your father's malware "situation", I recommend you install the "FREE" version of "SUPERantispyware" from www.superantispyware.com; it "specializes" in detecting and "quarantining" the latest bad guys.

And to download a later version of Sun Java, go to www.majorgeeks.com/download4648.html. AND as Frank said, this should be done AFTER you have uninstalled your dad's current version.

And your Dad only has the "half-a-firewall" that comes with his Operating System. There are lots of good & FREE ones available to "replace" it, and there is lots of info on this forum regarding a possible replacement.