Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virus Trojan Horse IRC/BackDoor.SdBot2.KLE


  • Please log in to reply

#1
felinne

felinne

    Member

  • Member
  • PipPip
  • 64 posts
Hi,

Please help. I just ran AVG and it found the following:

Trojan horse IRC/Backdoor.SdBot2.KLE
Trojan horse Dialer.28.A (3 of these in different locations)

Not sure what to do. I just reformatted my computer and caught these almost the moment I connected to the Internet. :whistling:

I'm installing Windows Updates right now in hopes of getting Windows Defender which I've heard is pretty good.

Thanks!
  • 0

Advertisements


#2
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Please do this:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.
  • 0

#3
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Will do in just a sec. I'm just about done with those pesky updates. Btw, not sure if this has anything to do with this whole virus situation...

But, along with these I also started getting popup windows about how my registry is going to explode and I must register at registryexpress.com or something. But, I disabled Windows Messenger and so far so good. Hope that was the right thing to do.

Brb with that log. Thank you!
  • 0

#4
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Yes, that was the right thing to do. :whistling:
  • 0

#5
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:32:33 PM, on 10/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\NYCLAN\Desktop\hijack this!\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161919323640
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA8FB665-61FF-4A4F-8C36-EA9E19C41A9B}: NameServer = 216.254.95.2,216.231.41.2
O18 - Protocol: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - C:\WINDOWS\System32\QBPOSProtocol.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Intuit Entitlement Service v2 - Intuit, Inc. - C:\Program Files\Common Files\Intuit\Entitlement Client v2\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: QBPOS Database Extended Manager (QBPOSDBExtServices) - Intuit Inc. - C:\Program Files\Intuit\QuickBooks Point of Sale 5.0\DatabaseServer\QBPOSDBServiceEx.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
  • 0

#6
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Okay, now I'm sitting in front of the comp waiting for your instructions. I've been surfing forums and found some info on the 28A thing as an annoying tough to get rid of trojan. But, nothing anywhere on IRC/Backdoor.SdBot2.KLE. I'm hoping they come and GO as a bundle.

Thanks!
  • 0

#7
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Btw, this is what AVG virus vault says:

Trojan horse IRC/BackDoor.Sdbot2.KLE
path: C:\WINDOWS\Isass.exe

Trojan horse Dialer.28.A
path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OBQP6RC1\adult1[1].exe

Trojan horse Dialer.28.A
path: C:\wen6j4d5.exe

Trojan horse Dialer.28.A
path: C:\System Volume Information\_restore{4369A080-83C6-4143-8A2F-477188C0ED01}\RP17\A0003754.exe

I had to type these out, so there may be some minor mistakes.
  • 0

#8
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Is it just me or does my log look clean? As you can tell I've got very little on the comp since I just reformatted. I'm installing the Windows Service Pack 2 right now in hopes of installing Windows Defender.
  • 0

#9
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
I also asked you to post an Uninstall list:

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. After you click the "Save List" button, you will be asked where to save the file. Pick a place to save it then the list should open in notepad. Copy and paste that list here.

Plese post that in your next reply. also go ahead and do the following:

* Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window Copy and Paste the following commands one at a time exactly as the appear below and hit the Enter key after each one:

Copy and Paste:

sc stop Export Version

Hit Enter

Copy and Paste:

sc delete Export Version

Hit Enter

Type exit then hit enter again to exit the command window.


* Click here to download ATF Cleaner by Atribune and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
[*]Click Exit on the Main menu to close the program.
[/list]
* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and attach it to your next reply along with a new Hijack This log..

Come back here and post the following logs:

A new Hijack This log
The Hijack This Uninstall Manager List
The results of the BitDefender online scan

  • 0

#10
Flrman1

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts

Is it just me or does my log look clean? As you can tell I've got very little on the comp since I just reformatted. I'm installing the Windows Service Pack 2 right now in hopes of installing Windows Defender.

DO NOT install Service Pack 2 yet. If you are badly infected, installing SP 2 can cuase serious problems. You need to wait until we are finished cleaning the machine before you install it.
  • 0

Advertisements


#11
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Here's the uninstall list: Sorry!

Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
ATI Control Panel
ATI Display Driver
AVG Free Edition
BHODemon 2.0.0.20
Dell ResourceCD
HijackThis 1.99.1
Intel® PRO Ethernet Adapter and Software
Macromedia Flash Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Mozilla Firefox (1.5)
MSXML 4.0 SP2 (KB925672)
QuickBooks Point of Sale 5.0
QuickBooks Pro 2006
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
XGAMING_Arcade_Test 1.2.2
  • 0

#12
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Yikes, I was almost done installing.

Just cancelled the whole update for SP2.
  • 0

#13
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Okay, my screen is stuck on cancelling updates.
  • 0

#14
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Hi again,

My computer is still trying to cancel the SP2 install. Everything is running, it seems the cancellation is taking a really long time, is that normal? Or, should I just hard reboot?

Also, while waiting, I tried to use ur "sc stop Export Version command" (typed it in at the C:\> prompt) and it yielded the following:
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.

Please advise
  • 0

#15
felinne

felinne

    Member

  • Topic Starter
  • Member
  • PipPip
  • 64 posts
Hi:

My SP2 Update finally stopped. Unfortunately 1 part got installed sucessfully, but I was in time to stop the other 8.

I tried the Export Version command again, and got the same failed msg.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP