Trojan horse IRC/BackDoor.SdBot.58.L - help needed to remove this
   

sunflower
New Member


Date Joined Oct 2004
Total Posts : 1
 
Posted 10-24-2004 4:13 (GMT +1)
Ran AVG and found a trojan horse, and AVG info says cannot repair, cannot quarantine, still infected!!!
 
C:\WINDOWS\SYSTEM32\kimochi.EXE
Trojan horse IRC/BackDoor.SdBot.58.L
 
How do I go about getting rid of it? Cannot find anything on it!
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 10-24-2004 5:05 (GMT +1)
Hey sunflower
Try this:
Download Hijackthis
http://www.spychecker.com/program/hijackthis.html
Do NOT run HijackThis from the Desktop or a temp folder, or choose "run" from the download. Place it in its own folder, for example C:\Program Files\HJT.
Scan; the Scan button then changes to "Save log". Post the log here.


Touch
 

fav8
New Member


Date Joined Nov 2004
Total Posts : 1
 
Posted 11-23-2004 2:46 (GMT +1)
Hi, I had the same problem using AVG, so I used HijackThis and this is what came out:
 
Logfile of HijackThis v1.97.7
Scan saved at 08:38:47 p.m., on 22/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashserv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DRIVERS\WtSrv.exe
C:\WINDOWS\System32\avscan.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\spdstrm.exe
C:\WINDOWS\System32\svxhost.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\WService.EXE
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Archivos de programa\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\regedit.exe
C:\Archivos de programa\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Archivos de programa\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Archivos de programa\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WindowsRegKey update] winupdates.exe
O4 - HKLM\..\Run: [] spdstrm.exe
O4 - HKLM\..\Run: [Microsoft Office] svxhost.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dpameto.exe
O4 - HKLM\..\Run: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\ARCHIV~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Wlan Driver] avscan.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Intrenet Explorer] smssi32.exe
O4 - HKLM\..\Run: [Microsoft Control] crssi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdates.exe
O4 - HKLM\..\RunServices: [] spdstrm.exe
O4 - HKLM\..\RunServices: [Microsoft Office] svxhost.exe
O4 - HKLM\..\RunServices: [Wlan Driver] avscan.exe
O4 - HKLM\..\RunServices: [Microsoft Intrenet Explorer] smssi32.exe
O4 - HKLM\..\RunServices: [Microsoft Control] crssi.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WindowsRegKey update] winupdates.exe
O4 - HKCU\..\Run: [] spdstrm.exe
O4 - HKCU\..\Run: [Microsoft Office] svxhost.exe
O4 - HKCU\..\Run: [Wlan Driver] avscan.exe
O4 - HKCU\..\Run: [Microsoft Intrenet Explorer] smssi32.exe
O4 - HKCU\..\Run: [Microsoft Control] crssi.exe
O4 - HKLM\..\RunOnce: [Wlan Driver] avscan.exe
O4 - HKCU\..\RunOnce: [Wlan Driver] avscan.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
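
One way to triage the O4 (autostart) lines of a HijackThis log like the one above, as an added example that is not part of the original post or of HijackThis itself: it lists programs registered without a directory path whose same value name appears under several autostart keys. The function name, the sample subset and the threshold are assumptions made for this example; a hit is a lead to investigate, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WindowsRegKey update] winupdates.exe
O4 - HKLM\..\Run: [] spdstrm.exe
O4 - HKLM\..\Run: [Microsoft Office] svxhost.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] winupdates.exe
O4 - HKLM\..\RunServices: [] spdstrm.exe
O4 - HKLM\..\RunServices: [Microsoft Office] svxhost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WindowsRegKey update] winupdates.exe
O4 - HKCU\..\Run: [] spdstrm.exe
O4 - HKCU\..\Run: [Microsoft Office] svxhost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
"""

# O4 registry autostart line: hive, key name, value name, command line.
O4_REG = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Program part of a command line, allowing unquoted paths with spaces.
PROGRAM = re.compile(r'"?(.+?\.(?:exe|com|scr|bat|dll))', re.IGNORECASE)


def repeated_bare_autostarts(log, min_keys=2):
    """Map (value name, program) to the autostart keys that launch it, for
    path-less programs registered under at least min_keys distinct keys."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue  # Startup-folder entries and non-O4 lines are skipped
        hive, key, name, command = m.groups()
        prog = PROGRAM.match(command)
        image = prog.group(1) if prog else command
        if "\\" not in image:  # no directory: resolved via the search path
            seen[(name, image.lower())].add(f"{hive}\\{key}")
    return {entry: sorted(keys) for entry, keys in seen.items()
            if len(keys) >= min_keys}


if __name__ == "__main__":
    for entry, keys in sorted(repeated_bare_autostarts(SAMPLE_LOG).items()):
        print(f"{entry}: {', '.join(keys)}")
```

Entries registered once (nwiz.exe) or with a full path (ctfmon.exe) are not reported, and the two RUNDLL32.EXE lines stay separate because their value names differ.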
 
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
Posted 11-24-2004 9:21 (GMT +1)
Hey fav8
Download this scanner – mwav exe : http://home9.inet.tele.dk/le01/Sikkerhed.htm
http://www.spywareinfo.dk/download/mwav.exe

Download Spybot Search and Destroy here: http://www.safer-networking.org/index.php?page=mirrors if it is not already installed on your computer.
Install the program and then start it. Once the program has started, make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update.
Open Ad-Aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen. If an update is available, download it and install it. Click the "Finish" button to go back to the main screen.
 
 
 
Please go offline
 
Run the mwav scanner:
Activate all, in settings- Scan

Spybot, click on the Immunize button. Then "Scan System" button. When the Check is over, fix all marked with red

Ad-Aware
Push START
Perform full system scan. NEXT
To fix all the bad critical objects do the following:
Right click on one of them to open up the selection screen. Click the "Select All" button to select all entries.
When all are selected Click "Next" and then "OK" in the pop-up window to confirm the removal.

Run cwshredder, close all other windows-Fix
Reboot
Go to Start | Run and type: cleanmgr.exe and hit enter.
When prompted what drive to clean select your hard drive c:
If asked what folders to clean in a list, tick them all to clean all temp folders, downloaded program folders, temporary internet files, etc., and the recycle/trash bin.

 
Check for updates for Windows and Internet Explorer. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".

http://windowsupdate.microsoft.com/
 
 
Download newer HijackThis:
 
 
Post new log



Touch