
IRC/Backdoor.SdBot.BTS



#1 nexus (Members, 10 posts)
Location: In this moment we're in...

Posted 10 July 2005 - 10:58 PM

I don't really know what the whole backdoor.sdbot thing means, but I keep getting that message from the AVG Resident Shield 30 to 50 minutes after logging into my account (I use Windows XP Home Edition). This is the message:

virus found while opening file: wuaclt.exe

virus identified IRC/Backdoor.SdBot.BTS

And when I get this alert the internet just freezes (I can't surf the web) and sometimes so does my computer.

I tried Spybot S&D and Ad-Aware SE. I ran the Spybot program, but I kept getting the AVG alert; then I ran the Ad-Aware thingy, and while doing this I got this other alert:

virus found while opening file: GetAcces.class

virus identified Java/ByteVerify

But AVG said none of the options (heal, delete, or quarantine) were available for this object, so I just ignored the alert (I didn't click on Continue) and let the Ad-Aware scan continue.

So when the scan was complete, Ad-Aware couldn't remove the file w?aclt.exe or something like that, and it said it would remove it on reboot... so I rebooted my computer, but when Ad-Aware scanned it, it didn't find anything.

So I ran the HijackThis program and this is the log:



Logfile of HijackThis v1.99.1
Scan saved at 10:55:24 p.m., on 10/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\w?auclt.exe
C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\OSCAR\Configuración local\Temp\Directorio temporal 5 para hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LunchApp] c:\windows\system32\real.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [JCoV] C:\WINDOWS\elrexbf.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [uio] Dest068.exe
O4 - HKLM\..\Run: [pizda] ActionScr.exe
O4 - HKLM\..\Run: [zzjulg] c:\windows\system32\djkmov.exe r
O4 - HKLM\..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM\..\RunServices: [TCPXP Update] tcpxp.exe
O4 - HKLM\..\RunServices: [FireFox Startup Drivers] wuaclt.exe
O4 - HKLM\..\RunServices: [VCXD Settings] phqg.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Scan Register] ssms.exe
O4 - HKCU\..\Run: [XPCPHOST Settings] xpcphost.exe
O4 - HKCU\..\Run: [TCPXP Update] tcpxp.exe
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\error.exe
O4 - HKCU\..\Run: [Atae] C:\Documents and Settings\OSCAR\Datos de programa\rrau.exe
O4 - HKCU\..\Run: [Islmy] C:\WINDOWS\System32\w?auclt.exe
O4 - HKCU\..\Run: [VCXD Settings] phqg.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Archivos de programa\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{823D32E9-9FCB-44B9-B5BF-AD9CE49DF698}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{B939CFD6-B8A4-49C4-B72F-EC59F164218C}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{823D32E9-9FCB-44B9-B5BF-AD9CE49DF698}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{823D32E9-9FCB-44B9-B5BF-AD9CE49DF698}: NameServer = 69.50.184.84,195.225.176.37
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\wuaclt.exe (file missing)



Oh, sorry about it being in Spanish, heh... I hope it's not much trouble...


#2 Grinler (Lawrence Abrams, Admin, 43,593 posts)
Location: USA

Posted 11 July 2005 - 11:31 PM

Print out these instructions and then close all windows, including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [LunchApp] c:\windows\system32\real.exe
O4 - HKLM\..\Run: [JCoV] C:\WINDOWS\elrexbf.exe
O4 - HKLM\..\Run: [uio] Dest068.exe
O4 - HKLM\..\Run: [pizda] ActionScr.exe
O4 - HKLM\..\Run: [zzjulg] c:\windows\system32\djkmov.exe r
O4 - HKLM\..\Run: [VCXD Settings] phqg.EXE
O4 - HKLM\..\RunServices: [TCPXP Update] tcpxp.exe
O4 - HKLM\..\RunServices: [FireFox Startup Drivers] wuaclt.exe
O4 - HKLM\..\RunServices: [VCXD Settings] phqg.EXE
O4 - HKCU\..\Run: [Scan Register] ssms.exe
O4 - HKCU\..\Run: [XPCPHOST Settings] xpcphost.exe
O4 - HKCU\..\Run: [TCPXP Update] tcpxp.exe
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\error.exe
O4 - HKCU\..\Run: [Atae] C:\Documents and Settings\OSCAR\Datos de programa\rrau.exe
O4 - HKCU\..\Run: [Islmy] C:\WINDOWS\System32\w?auclt.exe
O4 - HKCU\..\Run: [VCXD Settings] phqg.EXE
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
C:\WINDOWS\System32\wuaclt.exe

Reboot your computer into Safe Mode

Then delete these files or directories (do not be concerned if they do not exist):

c:\windows\system32\real.exe
C:\WINDOWS\elrexbf.exe
c:\windows\system32\Dest068.exe
c:\windows\system32\ActionScr.exe
c:\windows\system32\djkmov.exe
c:\windows\system32\phqg.EXE
c:\windows\system32\tcpxp.exe
c:\windows\system32\wuaclt.exe
c:\windows\system32\ssms.exe
xpcphost.exe
C:\WINDOWS\litmus\
C:\Documents and Settings\OSCAR\Datos de programa\rrau.exe

Reboot your computer to go back to normal mode and post a new log.
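The triage in the reply above is done by eye: autorun entries with a bare filename instead of a full path, names one letter away from a real Windows binary (wuaclt.exe and w?auclt.exe next to the genuine wuauclt.exe), entries under the Win9x-only RunServices key, a service with "Unknown owner" whose binary is missing, and hardcoded O17 name servers. The script below is an added example, not part of this thread or of HijackThis, that applies those same heuristics to a short log fragment in HijackThis v1.99 format. The fragment is constructed for the example (modelled on the posted log, not copied whole), the set of known system binaries and the expected resolver 192.168.1.1 are my assumptions (the poster's real ISP resolvers are not known), and the function names are mine.

```python
"""Heuristic triage of a HijackThis v1.99-style log (added example, not HijackThis code)."""
import re

# Windows binaries that malware of this era imitated with one- or two-letter
# changes. This set is an assumption for the example; extend it as needed.
KNOWN_SYSTEM_BINARIES = {
    "wuauclt.exe", "svchost.exe", "smss.exe", "csrss.exe", "lsass.exe",
    "services.exe", "winlogon.exe", "explorer.exe", "ctfmon.exe", "spoolsv.exe",
}

# Resolvers the machine is expected to use (hypothetical value). Any O17
# NameServer not in this set is reported for the owner to confirm with the ISP.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# Constructed sample in HijackThis v1.99 format, modelled on the log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\w?auclt.exe
C:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [uio] Dest068.exe
O4 - HKLM\..\RunServices: [FireFox Startup Drivers] wuaclt.exe
O4 - HKCU\..\Run: [Islmy] C:\WINDOWS\System32\w?auclt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{823D32E9-9FCB-44B9-B5BF-AD9CE49DF698}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Handling the DHCP requests (DHCP Client) - Unknown owner - C:\WINDOWS\System32\wuaclt.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def levenshtein(a, b):
    """Plain edit distance; a dozen lines is cheaper than a dependency here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def first_token(cmd):
    """Executable part of a Run value: quoted path, or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def lookalike(name):
    """Return the legitimate binary this name imitates (within 2 edits), else None."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for good in sorted(KNOWN_SYSTEM_BINARIES):
        if levenshtein(name, good) <= 2:
            return good
    return None


def triage(log_text):
    """Return a list of (log line, reason) pairs for suspicious entries."""
    findings = []
    in_procs = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                      # blank line ends the process list
                in_procs = False
                continue
            good = lookalike(basename(line))
            if good:
                findings.append((line, f"process name imitates {good}"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_token(m["cmd"])
            if "\\" not in exe:
                findings.append((line, "autorun with bare filename (resolved via search path)"))
            good = lookalike(basename(exe))
            if good:
                findings.append((line, f"autorun binary imitates {good}"))
            if m["key"] == "RunServices":     # Win9x/Me key; XP ignores it, malware still writes it
                findings.append((line, "entry under RunServices, a Win9x-only key"))
            continue
        m = O17_RE.match(line)
        if m:
            rogue = [s for s in m["servers"].split(",") if s not in EXPECTED_NAMESERVERS]
            if rogue:
                findings.append((line, "hardcoded NameServer not in expected set: " + ",".join(rogue)))
            continue
        m = O23_RE.match(line)
        if m:
            if m["owner"] == "Unknown owner" or "(file missing)" in m["path"]:
                findings.append((line, "service with unknown owner or missing binary"))
            good = lookalike(basename(m["path"].replace(" (file missing)", "")))
            if good:
                findings.append((line, f"service binary imitates {good}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample the script leaves the genuine wuauclt.exe process and the AVG autorun alone and reports nine findings, three of them on the single RunServices line. Two caveats a practitioner would add: the `?` in w?auclt.exe is a character the log could not render, so the real file name has to be read from the filesystem (with hidden files visible, as the reply asks) before it can be deleted; and the O17 resolvers are only flagged as "not on the allowlist", which is a prompt to check them against the ISP's real resolvers, not a verdict on the addresses themselves.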



