

PLEASE HELP -IEXPL0RE.EXE -SDBOT TROJANS?


5 replies to this topic

#1 antoine


Posted 04 August 2005 - 02:24 AM



I've started having some extra slowness in my PC and did Ctrl-Alt-Del to see what's running in the Task Manager (I have Win2000 SP4).

I've noticed IEXPL0RE.EXE is one of the entries that shows up running. It is not visible otherwise.
I realised I hardly use IEXPL0RE, that it is not supposed to be running, and stopped it running. IEXPLORE shows up only in the background, and I can only see it through the Task Manager.

But when I restart the PC, IEXPL0RE.EXE is there running again, noticeable only through the Task Manager of course.

Then I checked whether it is in the startup list using Startup Control Panel 2.8 by Mike Lin, and IEXPL0RE wasn't in the startup list.

I then checked IEXPL0RE.EXE on

http://www.bleepingcomputer.com/startups/IEXPL0RE.EXE-975.html

and found out that


This is an undesirable program.

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.



Name: Configuration Loader
Filename: IEXPL0RE.EXE
Description: Added by the LOADCFG or SDBOT TROJANS!
File Location: Unknown
Startup Type: Currently being identified.


Then I checked registry entries to see if I could locate any of the following entries through http://securityresponse.symantec.com/avcen...oor.sdbot.html:

Backdoor.Sdbot
Discovered on: April 30, 2002 
Last Updated on: July 21, 2005 04:51:37 PM

Backdoor.Sdbot is a Backdoor Trojan horse that allows the Trojan's creator to control a computer by using Internet Relay Chat (IRC). Backdoor.Sdbot can update itself by checking for newer versions over the Internet.

Also Known As:  IRC-Sdbot [McAfee], Backdoor.IRC.SdBot [Kaspersky], BKDR_SDBOT.B [Trend], Troj/Sdbot-B [Sophos], Win32.SdBot.14176 [CA]
Type:  Trojan Horse
Infection Length:  varies
Systems Affected:  Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me



Wild
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Removal: Moderate

Threat Metrics
Wild: Medium
Damage: Medium
Distribution: Low

Damage
Payload Trigger: Running the Backdoor executable file.
Payload:
Compromises security settings: Allows unauthorized use of a compromised system.

Distribution
Ports: 6667 (the default IRC port).



Backdoor.Sdbot is a server component (bot) that the Trojan's creator distributes over IRC channels. This Trojan horse allows its creator to perform a wide variety of actions on a compromised computer.

The Trojan arrives in the form of a Portable Executable (PE) file.

When Backdoor.Sdbot is executed, it does the following:

Copies itself to the %System% folder. The file name to which it copies itself can vary. Some known file names are:
Aim95.exe
CMagesta.exe
Cmd32.exe
Cnfgldr.exe
Explorer.exe
FB_PNU.EXE
IEXPL0RE.EXE
MSTasks.exe
MSsrvs32.exe
Mssql.exe
Regrun.exe
Svchosts.exe
Sys32.exe
Sys3f2.exe
Syscfg32.exe
Sysmon16.exe
YahooMsgr.exe
cthelp.exe
iexplore.exe
ipcl32.exe
quicktimeprom.exe
service.exe
sock32.exe
spooler.exe
svhost.exe
syswin32.exe
vcvw.exe
winupdate32.exe
xmconfig.exe


NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32), and then copies itself to that location.


Adds one of the following values:

"Configuration Loader" = "%System%\iexplore.exe"
"Configuration Loader" = "MSTasks.exe"
"Configuration Loader" = "aim95.exe"
"Configuration Loader" = "cmd32.exe"
"Configuration Loader"= "IEXPL0RE.EXE"
"Configuration Manager" = "Cnfgldr.exe"
"Fixnice" = "vcvw.exe"
"Internet Config" = "svchosts.exe"
"Internet Protocol Configuration Loader" = "ipcl32.exe"
"MSSQL" = "Mssql.exe"
"MachineTest" = "CMagesta.exe"
"Microsoft Synchronization Manager" = "svhost.exe"
"Microsoft Synchronization Manager" = "winupdate32.exe"
"Microsoft Video Capture Controls" = "MSsrvs32.exe"
"Quick Time file manager" = "quicktimeprom.exe"
"Registry Checker" = "%System%\Regrun.exe"
"Sock32" = "sock32.exe"
"System Monitor" = "Sysmon16.exe"
"System33" = "%System%\FB_PNU.EXE"
"Windows Configuration" = "spooler.exe"
"Windows Explorer" = " Explorer.exe"
"Windows Services" = "service.exe"
"Yahoo Instant Messenger" = "Yahoo Instant Messenger"
"cthelp" = "cthelp.exe"
"stratas" = "xmconfig.exe"
"syswin32" = "syswin32.exe"

or a similar value to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


May create the following additional files:

%System%\SVKP.sys (a clean driver that can be used for malicious purposes).
%System%\msdirectx.sys (this file is intended to provide rootkit functionality and may be detected as Hacktool.Rootkit).


Backdoor.Sdbot contains its own IRC client, allowing it to connect to an IRC channel that was coded into the Trojan. Some examples of possible servers to which it may connect are:

bmu.h4x0rs.org
bmu.q8hell.org
bmu.FL0W1NG.NET


Using the IRC channel, the Trojan listens for the commands from the Trojan's creator. The creator of the Trojan accesses the Trojan by using a password-protected authorization.

The commands allow the Trojan's creator to perform any of the following actions:
Manage the Backdoor installation.
Control the IRC client on a compromised computer.
Dynamically update the installed Trojan.
Send the Trojan to other IRC channels to attempt to compromise more computers.
Download and execute files.
Deliver system and network information to the Trojan's creator.
Perform Denial of Service (DoS) attacks against a target, which the Trojan's creator defines.
Completely uninstall itself by removing the relevant registry entries.


I couldn't identify anything loading IEXPLORE.EXE.

I then ran the latest versions of PestPatrol Corporate Edition, Adaware with the latest updates, SpySweeper, Spybot Search and Destroy, and Norton Antivirus (all with the latest definitions/updates).

None identified anything relating to the problem, which is that "IEXPLORE.EXE" loads every time the PC starts and I can only kill it after it starts, through the Task Manager.

I now do not know if I have a trojan.
I do not know how to stop IEXPLORE.EXE running in the background, according to the Task Manager.

I also have ZoneAlarm, which is not reporting anything suspicious. (Well, IEXPLORE.EXE cannot be suspicious, I guess.)

I've run out of possibilities.

Please help!!!
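Added example (not from antoine's post, the BleepingComputer startup entry, or the Symantec write-up): a Python check for the persistence the write-up describes. It parses a regedit export of the three Run keys named above and flags values that reference one of the listed filenames in %System%, or a 0-for-O lookalike such as IEXPL0RE.EXE; the .reg sample and the function names are constructed here, and a genuine iexplore.exe under Program Files is deliberately left unflagged because its location is what separates it from the bot's copy.

```python
import re
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Configuration Loader"="IEXPL0RE.EXE"
"Browser"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Internet Config"="svchosts.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Registry Checker"="%System%\\Regrun.exe"
'''  # constructed sample export for this example, not taken from the thread
# Filenames the write-up says the bot copies itself under in %System% (case-insensitive).
SDBOT_NAMES = {n.lower() for n in """Aim95.exe CMagesta.exe Cmd32.exe Cnfgldr.exe
Explorer.exe FB_PNU.EXE IEXPL0RE.EXE MSTasks.exe MSsrvs32.exe Mssql.exe Regrun.exe
Svchosts.exe Sys32.exe Sys3f2.exe Syscfg32.exe Sysmon16.exe YahooMsgr.exe cthelp.exe
iexplore.exe ipcl32.exe quicktimeprom.exe service.exe sock32.exe spooler.exe svhost.exe
syswin32.exe vcvw.exe winupdate32.exe xmconfig.exe""".split()}
GENUINE = {"iexplore.exe", "explorer.exe", "svchost.exe"}  # real names the bot imitates
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}

def parse_reg(text):
    """Yield (key, value_name, data) per string value; .reg data escapes backslash and quote."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"(.+?)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2).replace('\\\\', '\\').replace('\\"', '"')

def lookalike_of(base):
    """Genuine binary that `base` imitates by swapping digits 0/1 for o/l, else None."""
    norm = base.replace("0", "o").replace("1", "l")
    return norm if norm != base and norm in GENUINE else None

def suspicious_autoruns(reg_text):
    """Return [(key, value_name, data, reason)] for autostart values matching the write-up."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if key.lower() not in RUN_KEYS or not data.strip():
            continue
        # program part of the command: the quoted path, or the first whitespace token
        path = data[1:].split('"', 1)[0] if data.startswith('"') else data.split()[0]
        base, p = path.rsplit("\\", 1)[-1].lower(), path.lower()
        # the bot installs into %System%; the same name under Program Files is the real IE
        in_system = "\\" not in p or p.startswith("%system%") or "\\system32\\" in p
        if twin := lookalike_of(base):
            hits.append((key, name, data, f"lookalike of {twin}"))
        elif base in SDBOT_NAMES and in_system:
            hits.append((key, name, data, "known Sdbot filename in %System%"))
    return hits
```

Run `suspicious_autoruns(SAMPLE_REG)` to see the three flagged values; the mobsync.exe and Program Files entries pass, which is the point of checking location as well as name.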

#2 stidyup


Posted 04 August 2005 - 02:31 AM

If you think you are infected, submit a HijackThis log here.

How to submit a hijackthis log

Download Hijackthis

Try running the following from safe mode: Sysclean. You'll also need the virus template file from here: lpt***.zip

or

DrWeb CureIT

Also try installing and running A2 Free and Ewido

I'd also run Spybot and Adaware

If you're using Win2K/XP, run Adaware/Spybot from "safe mode with command prompt".

At the C:\ prompt, type the following:

cd\
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
cd\
C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

#3 antoine


Posted 04 August 2005 - 05:07 AM

Thank you stidyup. I appreciate your prompt suggestion.

I did Sysclean, DrWeb CureIT, Spybot and Adaware in safe mode.

Nothing comes up.

If it is not a detectable trojan, then at least I could ask for help on how not to load iexplore on startup?

Are there commands I could type in the config so it doesn't load at startup, assuming you are aware of the following situation:

IEXPLORE shows up only in the background, and I can only see it through the Task Manager's list of entries. It is not visible otherwise.

But when I restart the PC, IEXPL0RE.EXE is there running again, noticeable only through the Task Manager of course.

Then I checked whether it is in the startup list using Startup Control Panel 2.8 by Mike Lin, and IEXPL0RE wasn't in the startup list.

I also posted my log file here and am waiting for the outcome:
http://www.bleepingcomputer.com/forums/My_...-tx26954-0.html

Edited by antoine, 05 August 2005 - 12:59 AM.


#4 stidyup


Posted 05 August 2005 - 02:01 AM

If you type in msconfig, this will give you access to everything that's loading at startup. Be careful, as you may screw up your PC if you tick the wrong box.

If you still suspect you are infected I would post a hijackthis log and see what the experts think.

#5 antoine


Posted 05 August 2005 - 02:37 AM

If you type in msconfig, this will give you access to everything that's loading at startup. Be careful, as you may screw up your PC if you tick the wrong box.

If you still suspect you are infected I would post a hijackthis log and see what the experts think.

Thank you again, stidyup.

I did the logfile last night and am waiting for a response:

http://www.bleepingcomputer.com/forums/My_...-tx26954-0.html

#6 unrepper


Posted 05 August 2005 - 11:29 PM

Try this generic Trojan Removal