Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works


  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 1 posts
Hi to all, I'm a computer technician that normally helps customers to remove malware and other stuff, but this time... one of our PC seems to be a target of this worm

Needless to say the PC has XP Sp2 with all patches and fixes installed, and I didn't find any real help to solve this, apparently easy to remove, infection.

Every step from your basic guide has been followed.

One month ago the virus name was W32/Sdbot.worm.gen.h, and was infecting ftp.exe, now has mutated and is infecting cmd.exe

Posted Image

I perfectly know that from the following hijackthis log there's nothing strange except from the 017 line, I can't delete permanently the line, if I reconnect to the Internet the line re-appears, I did a Traceroute on the IP and seems related with an ISP related to my ISP...

any help would be VERY appreciated ! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 13.13.30, on 31/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\Programmi\ewido\security suite\ewidoctrl.exe
E:\Programmi\Network Associates\Common Framework\FrameworkService.exe
E:\Programmi\Network Associates\VirusScan\Mcshield.exe
E:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
E:\Programmi\File comuni\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Programmi\Network Associates\VirusScan\SHSTAT.EXE
E:\Programmi\Network Associates\Common Framework\UpdaterUI.exe
E:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe
E:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
E:\Programmi\Free Download Manager\fdm.exe
E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
E:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
E:\Programmi\Microsoft Office\OFFICE11\EXCEL.EXE
E:\Programmi\Mozilla Firefox\firefox.exe
E:\Programmi\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - E:\Programmi\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\programmi\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "E:\Programmi\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Programmi\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "E:\Programmi\File comuni\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Programmi\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "E:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "E:\Programmi\File comuni\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "E:\Programmi\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Programmi\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dial-Up Monitor] C:\BACKUP\dunmon\DUNMon
O4 - HKCU\..\Run: [Free Download Manager] E:\Programmi\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: freepopsd.lnk = E:\Programmi\FreePOPs\freepopsd.exe
O4 - Startup: WinDates.lnk = E:\Programmi\WinDates\WinDates.exe
O4 - Global Startup: Service Manager.lnk = E:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://E:\Programmi\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://E:\Programmi\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Download all by Free Download Manager - file://E:\Programmi\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://E:\Programmi\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\Programmi\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\Programmi\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Pagine simili - res://E:\Programmi\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://E:\Programmi\Google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programmi\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121343265134
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF874E90-5159-4797-A114-1915EDD46287}: NameServer =
O23 - Service: ewido security suite control - ewido networks - E:\Programmi\ewido\security suite\ewidoctrl.exe
O23 - Service: Servizio di framework di McAfee (McAfeeFramework) - Network Associates, Inc. - E:\Programmi\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - E:\Programmi\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\Programmi\Network Associates\VirusScan\VsTskMgr.exe
  • 0





  • Retired Staff
  • 19,711 posts
  • MVP

Hi to all, I'm a computer technician that normally helps customers to remove malware and other stuff, but this time... one of our PC seems to be a target of this worm

View Post

Hello and welcome to GeeksToGo. From our site Terms of Use, which you agreed to when registering:

We offer free computer help and tech support for home and personal use. We are not here to support others that work for profit, or to support/replace your company's IT department.

As you have stated you are seeking help for a customer computer, I am closing this topic. We are unable to help you on this board. Good luck to you. :tazz:
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP