IRC/BackDoor.Sdbot.25.AD anyone?

Discussion in 'malware problems & news' started by LOTL, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. LOTL

    LOTL Registered Member

    Joined:
    May 12, 2004
    Posts:
    23
    Has anyone heard of this Trojan before? AVG has detected this on a friend's PC, but I can't find any relevant info on it. The only thing close to that name that I found was: Trojan horse IRC/BackDoor.sdBot.27, and nothing specific for removal instructions.
    Any help would be appreciated. If a HijackThis log would be helpful, please let me know.
    I have sent a link for the online Trojan scan @ http://www.windowsecurity.com/trojanscan/
    and hopefully it may detect and call it by something more recognizable.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    could not find info on it either; there are so many of them, sometimes with only slight differences. Maybe the general instructions and the list of which files to look for help anyway.
    If AVG doesn't deal properly with it, disable AVG completely (open the AVG GUI, uncheck all the checkmarks, close AVG) and use another scanner, online at http://housecall.antivirus.com or another one you like, or get TDS from the www.diamondcs.com.au site (free 30-day eval). Make sure all scanners are still closed, install TDS, go back to the site and get the latest radius update, reboot if you hadn't done so after the install, and run a full system scan.
    In the end, right-click in the bottom alerts console the finds to test (scandump.txt) and paste that in your next posting. If necessary, the HJT log is an option; see [thread]15913[/thread] about posting it.
    I had you close AVG to give the other scanners free access to every file and the ability to deal with them if necessary.
    Also the HJT log could show more files which could else be hidden with AVG.
    TDS does not delete any file by itself, this is why your log is important to look what to do with the alerts.

    Please post back so we know how it goes.
     
  3. LOTL

    LOTL Registered Member

    Joined:
    May 12, 2004
    Posts:
    23
    OK, here goes. Ran both a TDS-3 full system scan and Trend's HouseCall.
    I also have the laptop with me, and she had both NAV and AVG running, and both were reporting different viruses, trojans, etc.
    I'll list what each one found below. Windows is also reporting an error when starting: "Error loading C:\Windows\System32\Bridge.dll The specified module could not be found". I started getting this error after I installed Ad-Aware and let it clean out over 300 nasties. When trying to run HJT I was getting an error, and it wouldn't let me save the logfile. I'll post the actual error message later if need be.

    (i did not run full system scans with NAV and AVG. The results below are just what kept popping up as i was working with the laptop).
    NAV: W32.Spybot.Worm
    AVG: PSW.Briss.E
    AVG: Downloader.Istbar.3.BE
    AVG: Trojan Horse IRC/Backdoor.SDBot.25.AD
    AVG: Trojan Horse Downloader.Agent.AS
    Housecall Online Scan: Troj IMIServ.C
    Housecall Online Scan: Bat Sasser.A
    Housecall Online Scan: Worm Rbot.R
    Housecall Online Scan: Worm Rbot.AP

    TDS-3 Full System Scan Results:
    Scan Control Dumped @ 05:47:39 14-07-04
    Live trojan found (in process memory): DCOM RPC Exploit
    File: C:\WINDOWS\System32\wkssvr.exe

    RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load]

    File Trace: Default trojan filename: Suspicious
    File: c:\command.exe

    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Update=wserv32.exe]

    RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Microsoft Update=wserv32.exe]

    Positive identification <Adv>: Possible WebDownloader
    File: c:\command.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\xpfirewall.exe

    Positive identification: Adware.BiSpy.f
    File: c:\documents and settings\owner\local settings\temp\thi3a68.tmp\preinstt.exe

    Positive identification (DLL): Adware.BiSpy.c (dll)
    File: c:\documents and settings\owner\local settings\temp\thi3a68.tmp\twaintec.dll

    Positive identification (DLL): Adware.BargainBuddy.e (dll)
    File: c:\program files\bargain buddy\bin2\apuc.dll

    Positive identification: Adware.BiSpy.f
    File: c:\windows\preinstt.exe

    Positive identification (DLL): Adware.IMI (dll)
    File: c:\windows\systb.dll

    Positive identification (DLL): TrojanDownloader.Win32.Dyfuca.br (dll)
    File: c:\windows\wsem218.dll
     
  4. domino

    domino Guest

    Hey guys... I was also a victim of this IRC/Backdoor SDBot virus, which I just think came from the antivirus itself. I use AVG antivirus and found out that I had this virus, so I immediately uninstalled the antivirus and looked on the Internet for a solution, and noticed that all users of this AVG antivirus got the same kind of virus as I had...

    What I did was remove the autostart entries from the registry:

    open registry editor:

    HKEY_LOCAL_MACHINE>software>microsoft>windows>currentversion>run
    locate the entry and delete.

    do the same thing with HKEY_CURRENT_USER

    Hope this will help...
     
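Editor's note: the TDS-3 trace in post #3 and the manual Run-key cleanup in post #4 both come down to reading autostart values and working out what Windows will actually load. The script below is an added example, not code from the thread or from any of the tools named in it. It takes registry value data in the form TDS printed it (the rundll32 wrapper around bridge.dll, and the unqualified "wserv32.exe" written to both Run and RunServices), extracts the real payload image, and checks it against a constructed, assumed view of the filesystem in which bridge.dll has already been deleted. That reproduces the situation behind LOTL's "Error loading C:\Windows\System32\Bridge.dll" message: the cleaner removed the DLL but left the Run value, so rundll32 still tries to load it at logon. The sample paths and the filesystem set are assumptions for the example.

```python
"""Autostart (Run / RunServices) value triage: an added example for the thread above.

Given registry value data such as the TDS-3 RegVal traces in post #3, work out which
image Windows will actually load, whether it still exists on disk, and whether it was
named without a directory (so it is found through the search path, not a full path).
All sample data below is constructed for the example, not taken from a real export.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed filesystem contents (lower-cased full paths). bridge.dll is deliberately
# absent: the "Error loading ...Bridge.dll" message in the thread is what you get when
# a cleaner removes the DLL but leaves the Run value that tells rundll32 to load it.
SAMPLE_FILES: Set[str] = {
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\wserv32.exe",
}

# Directories Windows searches for an image name that carries no directory.
SEARCH_DIRS = (r"C:\WINDOWS\System32", r"C:\WINDOWS", r"C:")

# Programs that only host a payload named in their arguments.
PAYLOAD_HOSTS = {"rundll32.exe", "rundll32"}

# Run values as listed in the TDS-3 trace: (key, value name, value data).
SAMPLE_RUN_VALUES: List[Tuple[str, str, str]] = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "rundll",
     r'rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Microsoft Update",
     "wserv32.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices", "Microsoft Update",
     "wserv32.exe"),
]


@dataclass
class AutostartEntry:
    key: str
    name: str
    data: str
    host: Optional[str] = None          # set when the image is only a loader (rundll32)
    payload: str = ""                   # image Windows ends up loading
    entry_point: Optional[str] = None   # rundll32 export name, if any
    qualified: bool = True              # payload named with a directory?
    exists: bool = False
    findings: List[str] = field(default_factory=list)


def first_token(cmd: str) -> Tuple[str, str]:
    """Split a command line into its first token and the remainder.
    Handles a leading double-quoted token; not a full CommandLineToArgvW."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def rundll_target(args: str) -> Tuple[str, Optional[str]]:
    """rundll32 arguments are '<dll>,<entrypoint> [args]'; the DLL may be quoted."""
    if args.startswith('"'):
        dll, rest = first_token(args)
    else:
        dll = re.match(r"[^,\s]*", args).group(0)
        rest = args[len(dll):]
    rest = rest.lstrip(" ,")
    return dll, (rest.split()[0] if rest.split() else None)


def resolve_image(name: str, files: Set[str]) -> Tuple[str, bool, bool]:
    """Return (full path, exists, was qualified); unqualified names go through SEARCH_DIRS."""
    if "\\" in name or ":" in name:
        return name, name.lower() in files, True
    for d in SEARCH_DIRS:
        cand = d + "\\" + name
        if cand.lower() in files:
            return cand, True, False
    return SEARCH_DIRS[0] + "\\" + name, False, False


def analyze(key: str, name: str, data: str, files: Set[str] = SAMPLE_FILES) -> AutostartEntry:
    e = AutostartEntry(key=key, name=name, data=data)
    image, args = first_token(data)
    path, exists, qualified = resolve_image(image, files)
    if image.lower().rsplit("\\", 1)[-1] in PAYLOAD_HOSTS:
        e.host = path                               # rundll32 is legitimate; look at the DLL
        dll, e.entry_point = rundll_target(args)
        path, exists, qualified = resolve_image(dll, files)
        e.findings.append("rundll32 wrapper: the real autostart is the DLL, not rundll32")
    e.payload, e.exists, e.qualified = path, exists, qualified
    if not exists:
        e.findings.append("payload missing on disk: Windows errors at logon; delete the value")
    if not qualified:
        e.findings.append("unqualified image name: located through the search path")
    if key.lower().endswith("\\runservices"):
        e.findings.append("RunServices is a Windows 9x/ME key; bots write it alongside Run anyway")
    return e


def triage(values=SAMPLE_RUN_VALUES, files: Set[str] = SAMPLE_FILES) -> List[AutostartEntry]:
    return [analyze(k, n, d, files) for k, n, d in values]


if __name__ == "__main__":
    for e in triage():
        via = f" via {e.host} ({e.entry_point})" if e.host else ""
        print(f"{e.key}\\{e.name}\n  loads: {e.payload}{via}")
        for f in e.findings:
            print(f"  - {f}")
```

The practical point for the thread: with the rundll entry, rundll32.exe is a legitimate Windows binary and the thing to remove is the value (and bridge.dll, if it still exists); with the "Microsoft Update" entries, the value name is decoration, and an unqualified name like wserv32.exe should be located on disk before the value is deleted, because otherwise the file survives the registry cleanup.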
  5. LOTL

    LOTL Registered Member

    Joined:
    May 12, 2004
    Posts:
    23
    I think you may be right about AVG. After updating to the latest definitions, it no longer detected IRC/Backdoor.SDBot.25.AD.
    I had also followed the removal procedures for W32.Spybot.Worm from here right before rescanning with AVG, so that may have had something to do with it.
    Thanks for the help.
     