
Trojan.ini File Found...in Dell Support Related Folder?


3 replies to this topic

#1 gina o

gina o

  • Members
  • 2 posts

Posted 24 February 2007 - 06:03 PM

I came across this and am wondering why it is in what I believe is a Dell Support Folder...
Norton recently flagged and removed Backdoor.sdbot from my pc following some really bizarre and unpleasant behavior by my pc and now I am wondering if things still aren't right. I am noticing a ton of tcp/udp traffic on some strange ports and things still don't feel entirely right so to speak, even though I have run regular followup scans with up to date Norton. Please forgive my total layman's sounding description/naivete, my pc knowledge is definitely a work in progress. Anyway this is the file in question:


C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\diag


[Version]
BuildVersion=6

[WinDSNX]
StartupPathRegistryValue=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDSNX

[Sdbot]
StartFilenameRun=*Msdrv.exe*
StartFilenameRun=*Sdkcore.exe*
StartFilenameRunServices=*Sdkcore.exe*
StartFilenameRunServices=*Msdrv.exe*
StartFilenameRunCurrent=*Msdrv.exe*
StartFilenameRunCurrent=*Sdkcore.exe*
StartFilenameRunServicesCurrent=*Sdkcore.exe*
StartFilenameRunServicesCurrent=*Msdrv.exe*
Filename=%systemdrive%\msdirectx.sys
Filename=%systemdrive%\haxdrv.sys
Filename=%systemdrive%\msdrv.exe
Filename=%systemdrive%\sdkcore.exe
Filename=%system%\msdirectx.sys
Filename=%system%\haxdrv.sys
Filename=%system%\msdrv.exe
Filename=%system%\sdkcore.exe
Filename=%system%\drivers\msdirectx.sys
Filename=%system%\drivers\haxdrv.sys
Filename=%system%\drivers\msdrv.exe
Filename=%system%\drivers\sdkcore.exe
Filename=%systemdrive%\system32\msdirectx.sys
Filename=%systemdrive%\system32\haxdrv.sys
Filename=%systemdrive%\system32\msdrv.exe
Filename=%systemdrive%\system32\sdkcore.exe
Filename=%systemdrive%\system32\drivers\msdirectx.sys
Filename=%systemdrive%\system32\drivers\haxdrv.sys
Filename=%systemdrive%\system32\drivers\msdrv.exe
Filename=%systemdrive%\system32\drivers\sdkcore.exe
ControlSet1Services=*Msdirectx*
ControlSet2Services=*Msdirectx*
ControlSetCurrentServices=*Msdirectx*
ControlSet1Services=*Haxdrv*
ControlSet2Services=*Haxdrv*
ControlSetCurrentServices=*Haxdrv*

[Mytob-CI]
Filename=%system%\LienVandeKelder.exe
StartFilenameRun=*LienVandeKelder.exe*
StartFilenameRunServices=*LienVandeKelder.exe*


Any information or input on what this is exactly would be greatly appreciated. I probably look like the Village Idiot to even have to ask, but I'd rather come out of it informed and slightly ashamed than to allow some stranger to romp through my pc again. Thanks in advance for any replies.

Regards,
Gina
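The file quoted above reads as a list of indicators rather than as malware: each section is named after a family (Sdbot, Mytob-CI) and lists the Run-key values, file paths and service names associated with it, which is what a diagnostic tool would check a machine against. The Python below is an added example, not Dell's tool and not code from this thread: it parses that INI layout (the standard configparser module rejects the repeated keys, so a small hand parser is needed) and evaluates a constructed host inventory against the signatures. The expansion of %system% and %systemdrive%, the meaning assigned to each key name, and the sample inventory are all assumptions made for the example.

```python
"""Parse a GTUpdate-style signature INI and check a host inventory against it.
Added example; it is not Dell's code and the key semantics are assumed."""
import fnmatch
import re
from collections import defaultdict

# Excerpt of the signature file quoted in the post, trimmed to a few entries.
SIGNATURE_INI = r"""
[Version]
BuildVersion=6

[Sdbot]
StartFilenameRun=*Msdrv.exe*
StartFilenameRun=*Sdkcore.exe*
Filename=%system%\msdrv.exe
Filename=%system%\drivers\haxdrv.sys
ControlSetCurrentServices=*Haxdrv*

[Mytob-CI]
Filename=%system%\LienVandeKelder.exe
StartFilenameRun=*LienVandeKelder.exe*
"""

# Assumed placeholder expansions (typical values on a Windows XP machine).
VARIABLES = {"%system%": r"C:\WINDOWS\system32", "%systemdrive%": "C:"}


def parse_ini(text):
    """Return {section: [(key, value), ...]}, preserving repeated keys in order."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section or without a key
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def expand(value):
    """Substitute the %system%-style placeholders with concrete paths."""
    for name, real in VARIABLES.items():
        value = value.replace(name, real)
    return value


def matches(pattern, candidate):
    """Case-insensitive glob match; '*' in the signatures is a wildcard."""
    return fnmatch.fnmatchcase(candidate.lower(), pattern.lower())


def evaluate(signatures, inventory):
    """Assumed mapping: Filename -> files on disk, StartFilenameRun* -> Run-key
    values, ControlSet* -> service names.  Returns (family, key, evidence)."""
    findings = []
    for family, entries in signatures.items():
        if family == "Version":
            continue
        for key, pattern in entries:
            if key == "Filename":
                bucket = inventory["files"]
            elif key.startswith("StartFilenameRun"):
                bucket = inventory["run_values"]
            elif key.startswith("ControlSet"):
                bucket = inventory["services"]
            else:
                continue
            expanded = expand(pattern)
            findings.extend(
                (family, key, item) for item in bucket if matches(expanded, item)
            )
    return findings


# Constructed inventory: a few Sdbot artifacts present, nothing from Mytob-CI.
SAMPLE_INVENTORY = {
    "files": [r"C:\WINDOWS\system32\drivers\haxdrv.sys",
              r"C:\WINDOWS\system32\notepad.exe"],
    "run_values": [r"C:\WINDOWS\system32\msdrv.exe",
                   r"C:\Program Files\Example\example.exe"],
    "services": ["Haxdrv", "Spooler"],
}


def scan_sample():
    """Run the embedded signatures over the constructed inventory."""
    return evaluate(parse_ini(SIGNATURE_INI), SAMPLE_INVENTORY)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

On a real machine the inventory would come from a directory walk, the Run keys under HKLM and HKCU, and the service list; the parser and matcher stay the same. Note that a match on the wildcard patterns alone is a prompt to look closer, not proof on its own, since a legitimate file could happen to share a name.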


#2 TheYoda

TheYoda

  • Members
  • 466 posts
  • Gender:Male
  • Location:NYC

Posted 24 February 2007 - 06:55 PM

Welcome to BC!! :thumbsup:

Sometimes, backdoor trojans will nestle themselves into familiar folders to make you think that it's not what it really is. If Norton removed the file, you have nothing to worry about. Usually they find a random folder to go in, and it just happened to be that one. Chances are the application was running when the virus entered and found the easiest way in through that application, especially if it was updating and accessing the internet.

Edited by TheYoda, 24 February 2007 - 06:57 PM.

"A coward dies a thousand times before his death. The valiant never taste of death but once." -William Shakespeare

Fold for your future...Help us find a cure.


#3 buddy215

buddy215

  • BC Advisor
  • 12,619 posts
  • Gender:Male
  • Location:West Tennessee

Posted 24 February 2007 - 08:55 PM

I suggest you run two more scans. These things seldom come alone. It is wise to use more than one program.
Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#4 gina o

gina o
  • Topic Starter

  • Members
  • 2 posts

Posted 24 February 2007 - 09:23 PM

Thanks for the replies and I will definitely run the 2 additional scans you mentioned and see what comes up :thumbsup: