IRC/SdBot Trojan won't go away

Discussion in 'NOD32 version 2 Forum' started by rbcapricorn, Aug 18, 2005.

Thread Status:
Not open for further replies.
  1. rbcapricorn

    rbcapricorn Registered Member

    Joined: Aug 18, 2005
    Posts: 4
    Almost every day my NOD32 informs me as follows:
    ------------------
    18.08.05 9:30:21 AMON file C:\WINNT\winlogon.pif IRC/SdBot trojan deleted USER-B9F73EB2C6\Eric Event occurred at an attempt to access the file by the application: C:\WINNT\Explorer.EXE.
    -------------------
    It then informs me that the file can be deleted, so I delete it. Next day it's back again.
    I run Windows 2000.
    I found a suspicious entry in the name of "winlogon.pif" in the registry at :
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, but did not wish to delete this without advice.

    Can anyone guide me on how to get rid of this nuisance? I have already set my firewall to prevent winlogon.pif from accessing the internet, but cannot get rid of it.
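As a defender-side companion to the RunServices entry described in this post, here is an added example (not from the thread, its attachment, or ESET) that parses a registry export in .reg format and flags autostart entries that use an odd executable extension such as .pif or borrow the name of a Windows system binary while living outside System32. The sample export, the list of watched keys and the name lists are constructed for the example.

```python
import ntpath
import re
# Autostart keys commonly abused for persistence (the post's entry sat under RunServices).
HIVE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
AUTOSTART_KEYS = {HIVE + r"\Run", HIVE + r"\RunOnce", HIVE + r"\RunServices"}
SYSTEM_NAMES = {"winlogon", "explorer", "svchost", "lsass", "csrss"}  # genuine copies live in System32
ODD_EXTENSIONS = {".pif", ".scr", ".com", ".bat", ".cmd"}  # executable, but unusual for autostart

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}, string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"'):  # REG_SZ: .reg files escape \ and " with a backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys

def program_path(command):
    # Executable part of a command line: a quoted path, or the text up to the first space.
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def flag_suspicious(keys):
    """Return (key, value_name, path, reason) tuples for entries that deserve a closer look."""
    findings = []
    for key in sorted(keys.keys() & AUTOSTART_KEYS):
        for name, command in keys[key].items():
            path = program_path(command)
            stem, ext = ntpath.splitext(ntpath.basename(path).lower())
            if ext in ODD_EXTENSIONS:
                findings.append((key, name, path, f"unusual executable extension {ext}"))
            if stem in SYSTEM_NAMES and "\\system32\\" not in path.lower():
                findings.append((key, name, path, f"'{stem}' launched from outside System32"))
    return findings

# Constructed sample export (not the thread's attachment): the RunServices entry from the post plus two benign entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"winlogon.pif"="C:\\WINNT\\winlogon.pif"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"Synchronization Manager"="mobsync.exe /logon"
'''
```

Running `flag_suspicious(parse_reg_export(SAMPLE_REG))` reports the winlogon.pif entry twice (odd extension, and a system-binary name outside System32) and leaves the two benign entries alone.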
     
  2. Blackspear

    Blackspear Global Moderator

    Joined: Dec 2, 2002
    Posts: 15,115
    Location: Gold Coast, Queensland, Australia
    Hi rbcapricorn, welcome to Wilders.

    Can you please ensure the Nod32 scanner is set according to this post, then reboot your computer into "Safe Mode" and run a scan with Nod32.

    Let us know how you go...

    Cheers :D
     
  3. rbcapricorn

    rbcapricorn Registered Member

    Joined: Aug 18, 2005
    Posts: 4
    Thanks for the help.
    I went through all the settings and changed what was required. To be perfectly honest I got a bit lost on the command line options in the scan scheduling, but as I have all the options marked as required and have set this for all scans, I don't think I'm missing anything.
    I then did a scan after rebooting into safe mode and came up with many infected files which were then deleted.
    I then did a system backup and ran Registry 1st Aid. I have attached the relevant parts of the log.
    I wanted to attach the log of the scan but for some reason it doesn't appear in the logs. Is this because I ran it in safe mode?
    Now all that remains is to wait and see if the intruder pops up again.

    Again, thanks.
     

  4. pc-support

    pc-support Registered Member

    Joined: Mar 10, 2005
    Posts: 285
    Location: Edinburgh, UK
    Getting rid of winlogon.pif will certainly help get rid of sdbot. It can be a real pain in the a*s!
     
  5. Blackspear

    Blackspear Global Moderator

    Joined: Dec 2, 2002
    Posts: 15,115
    Location: Gold Coast, Queensland, Australia
    My pleasure.

    You might like to take a run through that entire thread and tweak Nod32 up.

    If you get stuck on anything let us know and we will walk you through it...

    Cheers :D
     
  6. rbcapricorn

    rbcapricorn Registered Member

    Joined: Aug 18, 2005
    Posts: 4
    Only thing that had me a bit puzzled was the way you configured the scheduled scan.
    What I had done was instead of choosing "execution of an external application", I chose "on demand scanner" and then set it to run in the Control Centre profile, which had already been set up for maximum security and to operate for all the options.
    Basically, I think I achieved the same effect.
    Am I wrong or missing something?
    I got a bit lost on all the switch options in the Command Line.

    By the way, your guide pages are excellent. Keep up the good work (and I thought that on the Gold Coast people were so busy sunbathing and diving that they didn't have time for anything else...)
     
  7. Blackspear

    Blackspear Global Moderator

    Joined: Dec 2, 2002
    Posts: 15,115
    Location: Gold Coast, Queensland, Australia
    That’s another way of doing a scan.

    No, many ways to skin a cat (or make soup with it, aye Marja :D )

    You can copy and paste in the switches that I use; it will give you the nastiest scan available ;) :D

    Oh, I just walked back from the beach to answer your post, hmmmm where is my pina colada and sunscreen o_O

    :D :D :D
     