
Backdoor.Sdbot.AAD and Backdoor.Rbot.H problem




    New Member

  • Member
  • Pip
  • 8 posts
Have got a problem with both Backdoor.Sdbot.AAD and Backdoor.Rbot.H. Probably got contaminated via P2P (Azureus). Although I thought I was adequately protected, of course. :whistling:

Have Tiny Firewall running, Spyware Doctor and Norton Anti-virus.

Spyware Doctor is reporting it has found traces of Sdbot. It has detected it in the registry under the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN key, and under ControlSet002 and CurrentControlSet. Can't edit or remove these keys as they are protected, although I have admin rights.

Norton Anti-virus detects Rbot and denied access to the file. Can't find it though as it is supposed to be listed as \winnt\system32\.exe. But no such file.

When I block all internet traffic, Tiny's Activity Monitor reports it has blocked several outgoing ICMP signals to various IPs listed under 'System'. It leads me to conclude my PC is now part of a network, maybe to be used in DDoS attacks?

Please, help me remove these threats. I am at a loss. No use posting a HijackThis log BTW, it shows nothing related to these issues.


Edited by FredHVG, 12 August 2006 - 03:24 PM.

  • 0




    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Fred and welcome

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Please post back a HJT log and the log from ActiveScan as well.
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hey Don,

Thanx for your reply. Like I said earlier, a HijackThis log won't show much but here goes anyway. All of it I can trace to programmes and services I use. Nothing harmful.

But first this. I have scanned my comp using Norton and AVG now. The Backdoor.Rbot.H seems to be gone, but Norton now pops up with Backdoor.IRC.Bot. Seems like one infection opened the gates and it has led to more infections. I have also scanned my comp again with Spyware Doctor and Ewido. I can't find traces of the Backdoor.Sdbot.AAD other than the LEGACY registry entries which I can't remove.

With Tiny Firewall blocking all traffic now I can see what kind of traffic my comp appears to be generating 'under the surface'. Other than the usual Services and System UDP/TCP traffic it still tries to send out ICMP signals to several IPs which, using WHOIS and lookups, I can trace back to other cable and DSL (personal) connections. Probably a network of infected PCs? I take it these signals are a sign the infection is still there and active. It must have dug in...

What do you make of it?



Logfile of HijackThis v1.99.1
Scan saved at 15:58:07, on 13-8-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\PFShared\UmxCfg.exe
H:\Program Files\Tiny Personal Firewall\UmxFwHlp.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
H:\Program Files\Tiny Personal Firewall\UmxAgent.exe
H:\Program Files\Tiny Personal Firewall\UmxTray.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\Program Files\Motherboard Monitor 5\MBM5.EXE
H:\Program Files\Creative_SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
H:\Program Files\Creative_SBAudigy4\Surround Mixer\CTSysVol.exe
H:\Program Files\Creative_SBAudigy4\Entertainment Center\RcMan.exe
H:\Program Files\Creative_MediaSource\Detector\CTDetect.exe
H:\Program Files\Creative_MediaSource\Go\CTCMSGo.exe
H:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Navnt\navapw32.exe
H:\Program Files\Thunderbird\thunderbird.exe
H:\Program Files\Firefox\firefox.exe
H:\Program Files\Spyware Doctor\Update.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MBM 5] "H:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CTDVDDET] "H:\Program Files\Creative_SBAudigy4\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTSysVol] H:\Program Files\Creative_SBAudigy4\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKCU\..\Run: [RemoteCenter] "H:\Program Files\Creative_SBAudigy4\Entertainment Center\RcMan.exe"
O4 - HKCU\..\Run: [Creative Detector] H:\Program Files\Creative_MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Creative MediaSource Go] H:\Program Files\Creative_MediaSource\Go\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [Spyware Doctor] "H:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Mozilla Thunderbird.lnk = H:\Program Files\Thunderbird\thunderbird.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - H:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O20 - Winlogon Notify: PFW - C:\WINNT\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - H:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: FW Event Manager (UmxAgent) - Computer Associates International, Inc. - H:\Program Files\Tiny Personal Firewall\UmxAgent.exe
O23 - Service: FW Configuration Interpreter (UmxCfg) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe
O23 - Service: FW User-Mode Helper (UmxFwHlp) - Computer Associates International, Inc. - H:\Program Files\Tiny Personal Firewall\UmxFwHlp.exe
O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe
O23 - Service: FW Policy Manager (UmxPol) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe


Here's a log from Spyware Doctor:

Scan Results:
scan start: 13-8-2006 15:59:21
scan stop: 13-8-2006 16:05:00
scanned items: 81013
found items: 43
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk
Tracking Cookie(s) cookies.txt - Line #24 Low
Tracking Cookie(s) cookies.txt - Line #25 Low
Tracking Cookie(s) cookies.txt - Line #26 Low
Tracking Cookie(s) cookies.txt - Line #27 Low
Tracking Cookie(s) cookies.txt - Line #28 Low
Tracking Cookie(s) cookies.txt - Line #29 Low
Tracking Cookie(s) cookies.txt - Line #50 Low
Tracking Cookie(s) cookies.txt - Line #51 Low
Tracking Cookie(s) cookies.txt - Line #54 Low
Tracking Cookie(s) cookies.txt - Line #55 Low
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN##NextInstance High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000 High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##Class High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##ClassGUID High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##ConfigFlags High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##DeviceDesc High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##Legacy High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##Service High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN##NextInstance High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000 High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000##Class High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000##ClassGUID High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000##ConfigFlags High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000##DeviceDesc High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000##Legacy High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000##Service High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN##NextInstance High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000 High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000##Class High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000##ClassGUID High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000##ConfigFlags High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000##DeviceDesc High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000##Legacy High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000##Service High
  • 0
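The 33 "High" lines in the Spyware Doctor report above are not 33 separate artifacts: CurrentControlSet is a link to one of the numbered control sets, so the same LEGACY_NTFSDISCMAN enum key (and its 0000 instance with Class, ClassGUID, ConfigFlags, DeviceDesc, Legacy and Service values) is reported from three views. Windows creates such Enum\Root\LEGACY_<NAME> entries when a driver or service called NAME is started and protects them with a restrictive ACL, which is why they resist deletion; the service definition under Services\NTFSDISCMAN, with its ImagePath, is the artifact actually worth examining. The following parser is an added example, not code from the thread or from PC Tools: it reads a constructed subset of the report lines, assumes (from the lines themselves) that `##` separates a key path from a value name, collapses the control-set aliasing, and derives the service key to check from the LEGACY_ naming convention.

```python
import re

# Constructed subset of the Spyware Doctor "Infection Name Location Risk"
# lines quoted in the thread. The full report repeats the ControlSet001
# block for ControlSet002 and CurrentControlSet; two lines of each are
# enough here to show the aliasing.
REPORT = r"""Infection Name Location Risk
Tracking Cookie(s) cookies.txt - Line #24 Low
Tracking Cookie(s) cookies.txt - Line #25 Low
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN##NextInstance High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000 High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000## High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##Class High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##ClassGUID High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##ConfigFlags High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##DeviceDesc High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##Legacy High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NTFSDISCMAN\0000##Service High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN High
Backdoor.Sdbot.AAD HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_NTFSDISCMAN\0000##Service High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN High
Backdoor.Sdbot.AAD HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTFSDISCMAN\0000##Service High
"""

# One report line: an infection name (may contain spaces), a location that
# is either a registry path or "<file> - Line #N", and a risk rating.
LINE_RE = re.compile(
    r"^(?P<name>\S+(?: \S+)*?)\s+"
    r"(?P<loc>HK\S+|\S+ - Line #\d+)\s+"
    r"(?P<risk>Low|Medium|High)$"
)
# ControlSet001, ControlSet002, ... and CurrentControlSet (a link to one of them).
CONTROL_SET_RE = re.compile(r"\\(ControlSet\d{3}|CurrentControlSet)\\")


def parse_report(text):
    """Return (name, location, risk) for every finding line; the header is skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append((m["name"], m["loc"], m["risk"]))
    return findings


def split_location(loc):
    """Registry locations use '##' between key path and value name (assumed
    from the report's own lines); an empty value name means the key's
    default value. Non-registry locations come back with value None."""
    if not loc.startswith("HK"):
        return loc, None
    key, sep, value = loc.partition("##")
    return key, (value or "(Default)") if sep else None


def summarize(text):
    """Group findings by infection name, collapsing the numbered control
    sets and CurrentControlSet into a single <ControlSet> view."""
    summary = {}
    for name, loc, risk in parse_report(text):
        entry = summary.setdefault(
            name, {"count": 0, "risk": risk, "control_sets": set(), "keys": {}})
        entry["count"] += 1
        key, value = split_location(loc)
        m = CONTROL_SET_RE.search(key)
        if m:
            entry["control_sets"].add(m.group(1))
            key = CONTROL_SET_RE.sub(r"\\<ControlSet>\\", key)
        values = entry["keys"].setdefault(key, set())
        if value is not None:
            values.add(value)
    return summary


def services_to_check(summary):
    """Map each Enum\\Root\\LEGACY_<NAME> key back to the service NAME it was
    created for, and return the Services key whose ImagePath names the file."""
    names = set()
    for entry in summary.values():
        for key in entry["keys"]:
            m = re.search(r"\\Enum\\Root\\LEGACY_([^\\#]+)", key)
            if m:
                names.add(m.group(1))
    return {n: r"HKLM\SYSTEM\CurrentControlSet\Services\%s" % n for n in sorted(names)}


if __name__ == "__main__":
    result = summarize(REPORT)
    for name, entry in result.items():
        print(name, entry["risk"], entry["count"], "finding(s) in", sorted(entry["control_sets"]) or "files")
        for key, values in entry["keys"].items():
            print("   ", key, sorted(values))
    print("Service definitions to inspect:", services_to_check(result))
```

Run stand-alone it prints two keys for Backdoor.Sdbot.AAD instead of fifteen lines, and names HKLM\SYSTEM\CurrentControlSet\Services\NTFSDISCMAN as the place to look for the driver's ImagePath; the same approach works on the full report, where the count is 33.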



    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
To add, now the Backdoor.IRC.Bot is giving me a lot of problems.

Quite often I see services.exe open a local port at a high port number which differs every time.

Log file:

Access:Open local network port
Object:Protocol: TCP, Port: 26822

Shortly after that Norton pops up indicating it has denied access to IRC.Bot. It lists it as C:\WINNT\system32\.exe which of course it can't find when I run a full disc scan. How do I remove this pest?
  • 0



    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Fred,
I need to know if you have made any changes or deleted any files from the system prior to posting the log, or whether Spyware Doctor or any other means has removed anything.
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanx for your help, much appreciated!

The battle continues, but nothing has changed since I posted the HJT and the Spyware Doctor log. At least not that I know of.

I did alter my Firewall settings though to increase security, but that should not affect the system in any way. It just blocks more incoming and outgoing traffic now. That's also how I found out about the relation between services.exe and IRC.Bot.

For now, it looks like Sdbot.AAD is still present but dormant. Rbot.H seems to be gone. IRC.Bot is wreaking havoc...
  • 0



    Malware Expert

  • Retired Staff
  • 18,526 posts
What I meant was: did you delete any files, or did Spyware Doctor delete and remove any files, prior to your initial post?
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Prior? No. Although when I read back I think I got it wrong there. Sdbot had been discovered by Spyware Doctor at that time. But the description of Rbot I gave is not correct. I looked it up, Rbot is the same as Sdbot. Some other programme I tried must have listed Sdbot as Rbot.

So basically, my comp is infected with Sdbot/Rbot and IRC.Bot. Nothing has changed since I posted the logs...
  • 0



    Malware Expert

  • Retired Staff
  • 18,526 posts
OK thank you,

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Don, thanks for your assistance.

I am actually away from my computer for a few days. Will put your advice into practice on Friday and I'll get back to you via this topic then.
  • 0



    Malware Expert

  • Retired Staff
  • 18,526 posts
I'll be here
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Okay, I'm back...

I've tried the Kaspersky scanner and the rootkit scanner. No use posting the logs, they don't show anything.

I think I have located the problem. The Rbot virus pops up after incoming traffic on port 4444 which uses services.exe to start cmd.exe. Then I get a Norton alert saying it denied access to a specific filename which can't be located afterwards. Norton also indicated it can't fix this problem.

Here's a log from Tiny:

Access:Inbound TCP access
Object:4444 (krb524) <- (cust-02-52868a34.adsl.scarlet.nl):3990
Interface:[5] SiS 900-Based PCI Fast Ethernet Adapter
Time:20-8-2006 19:23:55

Action:System information
Access:Process started
Time:20-8-2006 19:24:09

I got the problem isolated and blocked but not solved. Everything I tried has been of no use. Somehow the Rbot virus can't be spotted...
  • 0
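The sequence in the Tiny log above (an inbound TCP connection to port 4444, then a process start a few seconds later) is exactly the kind of pattern a host firewall log can be checked for automatically. The script below is an added example, not code from the thread or from Tiny Software: it parses records in the key:value shape the thread quotes, and flags any "Process started" record that follows an inbound connection to a watched port within a short window. The sample log is constructed; the Object line on the process-start records (the thread's own entry has none) and the remote host name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of the Tiny Personal Firewall entries
# quoted in the thread: "Key:Value" lines, one blank line between records.
# The Object line on "Process started" records is an assumed format and the
# host name is a placeholder, not a real address.
SAMPLE_LOG = r"""Access:Inbound TCP access
Object:80 (http) <- (remote.example.net):51000
Interface:[5] SiS 900-Based PCI Fast Ethernet Adapter
Time:20-8-2006 19:20:01

Access:Inbound TCP access
Object:4444 (krb524) <- (remote.example.net):3990
Interface:[5] SiS 900-Based PCI Fast Ethernet Adapter
Time:20-8-2006 19:23:55

Action:System information
Access:Process started
Object:C:\WINNT\system32\cmd.exe (parent: services.exe)
Time:20-8-2006 19:24:09

Action:System information
Access:Process started
Object:C:\WINNT\system32\notepad.exe (parent: explorer.exe)
Time:20-8-2006 19:40:00
"""

# Ports a workstation has no business accepting connections on; 4444 is the
# one the thread observes immediately before cmd.exe starts.
WATCHED_PORTS = {4444}
WINDOW = timedelta(seconds=30)
# "4444 (krb524) <- (host):3990" -> local port, remote host, remote port
INBOUND_RE = re.compile(r"^(\d+)(?:\s*\([^)]*\))?\s*<-\s*\(([^)]+)\):(\d+)$")
TIME_FMT = "%d-%m-%Y %H:%M:%S"


def parse_records(text):
    """Split the log into records, each a dict of the Key:Value lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, val = line.partition(":")
            if sep:
                rec[key.strip()] = val.strip()
        if rec:
            records.append(rec)
    return records


def correlate(records, watched=WATCHED_PORTS, window=WINDOW):
    """Return one alert for every process start that follows an inbound
    connection to a watched port within `window` (records in time order)."""
    alerts, pending = [], []   # pending: (time, local port, remote host)
    for rec in records:
        t = datetime.strptime(rec["Time"], TIME_FMT)
        if rec.get("Access") == "Inbound TCP access":
            m = INBOUND_RE.match(rec.get("Object", ""))
            if m and int(m.group(1)) in watched:
                pending.append((t, int(m.group(1)), m.group(2)))
        elif rec.get("Access") == "Process started":
            # Forget connections that are already older than the window.
            pending = [p for p in pending if t - p[0] <= window]
            for t0, port, remote in pending:
                alerts.append({
                    "port": port,
                    "remote": remote,
                    "process": rec.get("Object", "(not logged)"),
                    "delay_s": int((t - t0).total_seconds()),
                    "when": rec["Time"],
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_records(SAMPLE_LOG)):
        print("%(when)s: %(process)s started %(delay_s)ds after inbound "
              "connection to port %(port)d from %(remote)s" % a)
```

On the sample this reports only the cmd.exe start 14 seconds after the port 4444 connection; the port 80 connection is not watched and the later notepad.exe start falls outside the window. Widening WATCHED_PORTS to every port the machine is not meant to serve turns the same loop into a generic check that inbound connections never precede unexpected process starts.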



    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Oh yes, I already contacted abuse to report this IP: It's another customer on the same ADSL network. Either this one is the source, or also a contaminated PC...
  • 0



    Malware Expert

  • Retired Staff
  • 18,526 posts
Hey there Fred,
I'm getting ready to head off on vacation for a week. I asked one of the other staff members to see if he can't get to the bottom of this for ya. He enjoys the rootkits and is very good at them, so I asked if he wasn't too busy to have a look and see if he can't figure out what's going on here.

  • 0



    Rest in Peace, ukbiker

  • Retired Staff
  • 2,014 posts
Hi There FredHVG

I am UKBiker and will be giving Don a hand with this log while he is away.

Could you please get me a full startup list as follows from SAFE mode?

Create a Startup List
Boot into SAFE Mode
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Checkmark the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from the notepad into your next post

"Then I get a Norton alert saying it denied access to a specific filename which can't be located afterwards."

Is this the .exe file you mentioned earlier or a different one? If it's a different file, can you give me the filename please?

One last thing, could you please get this file checked out as follows?

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • H:\Program Files\Firefox\firefox.exe
  • Click on the submit button
  • Please post the results in your next reply.

Edited by ukbiker, 23 August 2006 - 05:09 PM.

  • 0
