trojan horse virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

wendytyo

Thread Starter
Joined
Jun 6, 2001
Messages
129
Hi can anyone help me I have a Virus Its Trojan horse IRC/Backdoor.Sdbot.oj I am posting hijack log Thanks for any help.Wendy running win xp pro


Logfile of HijackThis v1.95.0
Scan saved at 5:59:25 PM, on 10/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Compaq S200 Scanner\S200Btns.exe
C:\WINDOWS\System32\Suspend.exe
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wendy Tyo\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [ButtonMonitor] S200
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Compaq S200 Button Manager.lnk = ?
O4 - Global Startup: j2Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37889.7237962963
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
 

wendytyo

Thread Starter
Joined
Jun 6, 2001
Messages
129
also when I run virus scan it won't detect it also tried running housecall also did not detect it please help
 
Joined
Dec 9, 2000
Messages
45,855
If nothing is being detected how do you know you have it?

There is nothing obvious in the Scanlog. By the way, is this a laptop? I'm not too sure of what "suspend.exe" is up to.
 

wendytyo

Thread Starter
Joined
Jun 6, 2001
Messages
129
a window keeps poping up saying that i have it and no this is not a laptop it says virus detected run scan to remove it but when i run scan it dosent detect anyting. also i tried to do a system restore and it would'nt let me also I cannot check my outlook mail
 
Joined
Dec 9, 2000
Messages
45,855
Does AVG report the name and location of the infected file?

What happens when you try to do a System Restore? What is the exact message?

Also would you right click on C:\WINDOWS\System32\Suspend.exe and select Properties > Version. Does it have any copyright or company info? And what is the "created" date (the date it was installed on your system)

You can check and "fix" this entry in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
 

wendytyo

Thread Starter
Joined
Jun 6, 2001
Messages
129
ok the box that pops up says....virus trojan horse irc/backdoor.sdbot.oj is found in file c:\system volume information\-restore{da824678-7cdb-48c5-9d98-9a1afye6f69c}\rp25\a0004238.exe to remove this virus please run avg for windows.....I ran avg and noting came up also ran housecall and nothing....when i tried to do a restore it says can't restore at this point try another point and when i try another it will say the same thing..also i try to open my mail and it wont let me open
 
Joined
Dec 9, 2000
Messages
45,855
To remove that you will have to turn off System Restore, run AVG, and then reboot turn System Restore back on again.


Here are instructions for turning off System Restore:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Be sure to re-enable it after you have run your AV program.

By the way, I don't think this is going to address the mail problem which may or may not be virus related.

You will have to provide more information on that, perhaps in another post in the Web and Email forum
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top