Author Topic: IRC/BackDoor.SdBot.46  (Read 4571 times)
ahambrook
« on: August 21, 2004, 12:47:27 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows XP Professional Version 2002 Service Pack 2
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:

I'm running AVG antivirus and it spotted the trojan IRC/BackDoor.SdBot.46. The AVG advice was to run a full scan and clean it. Unfortunately the scan doesn't pick it up, but periodically the AVG resident shield does, so it's still there. The shield reports it as being in the System Volume Information directory, which I can't get at manually. Any suggestions as to how I can get rid of this? I've searched the web and tried lots of things but so far to no avail.

Many thanks

Alan Hambrook  

benditup
« Reply #1 on: August 21, 2004, 12:50:15 AM »

Ensure that AVG is right up to date
Disable system restore
Preferably restart your computer into safe mode
Do a full Virus scan
Restart back in Normal mode
Enable System Restore

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

RESTART your Computer in SAFE MODE
ahambrook
« Reply #2 on: August 21, 2004, 12:57:22 AM »

Will try this - many thanks

quote:
Originally posted by benditup

Ensure that AVG is right up to date
Disable system restore
Preferably restart your computer into safe mode
Do a full Virus scan
Restart back in Normal mode
Enable System Restore

http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

RESTART your Computer in SAFE MODE

ahambrook
« Reply #3 on: August 21, 2004, 03:06:48 PM »

Many thanks tried this, all done  - AVG came up clean, i.e. no problems found - also ran spybot - with the same result, so looks clean.

However, as this is a backdoor and there's some occasional odd access to the internet that I'm seeing in my ZoneLabs log, I'm still a bit worried that there may be something else installed (my daughter left the PC logged on to our broadband the whole night with MS Messenger on, which is, I think, how the SdBot got in).

Anything else that might be good to run to be doubly sure - or am I just being paranoid?

Kind regards

Alan



benditup
« Reply #4 on: August 21, 2004, 05:24:22 PM »

Let's take a closer look, Alan.
Download Hijackthis---Important---Create a permanent folder for hijackthis
EG---- Open MyDocuments----Right click an empty spot and select NEW---Folder----Name the new folder HJT
OR create a folder as C:\HJT---this is where you will want to save Hijackthis to; also, backups will be stored there.
download from
HERE or HERE


Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important
ahambrook
« Reply #5 on: August 21, 2004, 05:50:06 PM »

Many thanks - will give it a try now

kind regards

Alan
ahambrook
« Reply #6 on: August 21, 2004, 06:07:28 PM »

Hi - many thanks for looking at this - really appreciate the help.

Here's the log...

Logfile of HijackThis v1.97.7
Scan saved at 19:02:44, on 21/08/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\SYSTEM~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\ahead\Nero\InCD\InCD.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\hjt\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\Nero\InCD\InCD.exe
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://81.1.41.137/activex/AxisCamControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38216.7583796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meeting.webex.com/client/v_meeting/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DB1CEB5-D659-47EC-A196-EED871155A36}: NameServer = 193.128.18.206,193.128.21.13



quote:
Originally posted by ahambrook

Many thanks - will give it a try now

kind regards

Alan


benditup
« Reply #7 on: August 21, 2004, 06:14:41 PM »

I don't see that much wrong with your log, but then again, you're using
hijackthis 1.97.7
Can you delete your copy of hijackthis and update to the newest version?
I supplied links to hijackthis 1.98.2 in my other post :)
Post a new log
ahambrook
« Reply #8 on: August 21, 2004, 07:51:56 PM »

Many thanks - will do right now

quote:
Originally posted by benditup

I don't see that much wrong with your log, but then again, you're using
hijackthis 1.97.7
Can you delete your copy of hijackthis and update to the newest version?
I supplied links to hijackthis 1.98.2 in my other post :)
Post a new log

ahambrook
« Reply #9 on: August 21, 2004, 07:56:40 PM »

Here's the log using hijackthis 1.98.2

Kind regards

Alan

Logfile of HijackThis v1.98.2
Scan saved at 20:57:20, on 21/08/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\SYSTEM~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\ahead\Nero\InCD\InCD.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\hjt\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\Nero\InCD\InCD.exe
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://81.1.41.137/activex/AxisCamControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meeting.webex.com/client/v_meeting/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DB1CEB5-D659-47EC-A196-EED871155A36}: NameServer = 193.128.18.206,193.128.21.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBB39B51-E5CD-4D28-96A3-461B6CBD1797}: NameServer = 194.72.9.34 194.74.65.68


benditup
« Reply #10 on: August 23, 2004, 02:19:56 AM »

I don't see anything wrong with your log.

O17 - HKLM\System\CCS\Services\Tcpip\..\{1DB1CEB5-D659-47EC-A196-EED871155A36}: NameServer = 193.128.18.206,193.128.21.13
This address leads me to somewhere in the United Kingdom
http://www.dnsstuff.com/tools/whois.ch?ip=193.128.21.13

O17 - HKLM\System\CCS\Services\Tcpip\..\{DBB39B51-E5CD-4D28-96A3-461B6CBD1797}: NameServer = 194.72.9.34 194.74.65.68
This one leads me to BTNet
http://www.dnsstuff.com/tools/whois.ch?ip=194.72.9.34

So I'll assume they both look legit.
It may be that running Norton's AV and AVG on startup is causing a conflict,
unless you don't have Norton's AV running, part of SystemWorks?
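The review above checks the log by eye: O17 NameServer entries are looked up with whois, and autorun entries are scanned for anything that does not belong. The script below is an added example (not from this thread or the HijackThis project) that automates that first pass over HijackThis-style lines: it flags O4 autorun entries that give only a bare executable name, O16 ActiveX downloads served from a raw IP address, and O17 NameServer addresses outside an allow-list. The sample lines are copied from the second log above; the allow-list of resolver ranges is an assumption for the example, so a flagged O17 entry means "verify with whois", not "malicious".

```python
"""Triage a HijackThis-style log (added example; the DNS allow-list is assumed)."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: lines copied from the thread's second HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [RemHelp] remhelp.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://81.1.41.137/activex/AxisCamControl.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meeting.webex.com/client/v_meeting/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBB39B51-E5CD-4D28-96A3-461B6CBD1797}: NameServer = 194.72.9.34 194.74.65.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DB1CEB5-D659-47EC-A196-EED871155A36}: NameServer = 193.128.18.206,193.128.21.13
"""

# Assumed allow-list: resolver ranges the ISP (BTNet in the thread) is expected to hand out.
TRUSTED_DNS = [ip_network("194.72.0.0/16"), ip_network("194.74.0.0/16")]

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')                       # C:\... or "C:\..."
IP_HOST_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")

def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Return a list of (section, reason, line) tuples that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            # A bare name is resolved via PATH, so the log does not show which file actually runs.
            if not FULL_PATH_RE.match(m.group("cmd")):
                findings.append(("O4", "autorun without full path", line))
        elif m := O16_RE.match(line):
            # Vendor CABs normally come from a hostname; a raw IP is worth checking.
            if IP_HOST_RE.match(m.group("url")):
                findings.append(("O16", "ActiveX download from raw IP", line))
        elif m := O17_RE.match(line):
            for server in re.split(r"[,\s]+", m.group("servers").strip()):
                addr = ip_address(server)
                if not any(addr in net for net in trusted_dns):
                    findings.append(("O17", f"NameServer {server} not in allow-list", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```

On the sample it reports the two path-less O4 entries, the CamImage control fetched from 81.1.41.137, and the two 193.128.x resolvers, leaving the BTNet resolvers and the fully qualified autoruns alone.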


