SdBot.AFN trojan

Discussion in 'adware, spyware & hijack cleaning' started by advisor, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. advisor

    advisor Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    1
    Location:
    Perth, Western Australia
    File C:\WINDOWS\system32\msconfg.exe is infected with trojan IRC/SdBot.AFN. NOD32 cannot clean this infiltration.

    I did a safe mode reboot and reran NOD32 only to find
    trojan IRC/SdBot.ARN found in operating memory. NOD32 cannot clean this infiltration. No action can be taken on a memorhy infiltration.

    Any help with this would be greatly appreciated.

    Copy of Hijackthis log attached...

    P.S. Have used Adaware

    Logfile of HijackThis v1.97.7
    Scan saved at 11:05:28 AM, on 25/06/2004
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\mHotkey.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpamPal\spampal.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Ms Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by APC
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Steve Athan\Application Data\ieuq\ieuq32.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CHotKey] mHotkey.exe
    O4 - HKLM\..\Run: [SiS Tray] D:\VIDEO\UTILITY\SISTRAY.EXE
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows System Configuration Loader] smls.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKLM\..\RunServices: [Windows System Configuration Loader] smls.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - Startup: SpamPal.lnk = C:\Program Files\SpamPal\spampal.exe
    O4 - Startup: UCmore XP - The Search Accelerator.lnk = C:\WINNT\System32\rundll32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38145.2419097222
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Regards, Alan
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Steve Athan\Application Data\ieuq\ieuq32.dll (file missing)
    O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows System Configuration Loader] smls.exe
    O4 - HKLM\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - HKLM\..\RunServices: [Windows System Configuration Loader] smls.exe
    O4 - HKLM\..\RunServices: [Win32 USB2 Driver] smsc.exe
    O4 - HKCU\..\Run: [Win32 USB2 Driver] smsc.exe
    O4 - Startup: UCmore XP - The Search Accelerator.lnk = C:\WINNT\System32\rundll32.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINNT\System32\ smsc.exe
    C:\WINNT\System32\smls.exe
    C:\WINDOWS\system32\msconfg.exe if it exists but I am sure it will be C:\WINNT not c:\WINDOWS
    and Delete these folders

    C:\Program Files\TheSearchAccelerator

    then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it
    and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &


    I would strongly recommend downloading and running a specialised anti trojan
    lists here http://www.wilders.org/anti_trojans.htm

    the antitrojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.tx
     
Thread Status:
Not open for further replies.