1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

backdoor.sdbot trojan infection

Discussion in 'Virus & Other Malware Removal' started by jookie, Oct 7, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. jookie

    jookie Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    2
    Hi,

    I stumbled upon this forum while looking for information on removing this annoying trojan. Apparently it copied itself to my system32 folder as sytem32.exe . NAV detects this virus on start-up but cannot do anything about it because it doesn't have access rights to the file. I even tried to manually delete the file.

    I ran the hijack program and here is the log:

    Logfile of HijackThis v1.97.2
    Scan saved at 8:26:16 PM, on 10/7/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\System32.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Winamp3\winampa.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    -----------------------

    Any help is very much appreciated!

    JooKie
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe


    Fix those two.
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Fix these two also:

    O4 - HKLM\..\Run: [RDLL] RunDll16.exe

    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete:

    The C:\WINDOWS\System32\System32.exe file and
    The RunDll16.exe file
     
  4. jookie

    jookie Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    2
    Excellent! Problem solved.

    Thanks alot!


    note to self: Whatch what you download off Kazaa...

    JooKie
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  6. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Marking solved and closing. Anyone with similar problems, please start your own thread :)

    Thanks for the assist flrman ;)

    As an added note, this is a resource hog, and I would take it out of my startup items via start, run, msconfig, startup tab, or start, programs, startup folder, wherever it is loading from :)

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    Side question, flrman, you can pm or email me, but is the run.dll item part of the virus?
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/170299

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice