found the W32/Sdbot.gen.t virus!!!

Discussion in 'System Security & Infection Support' started by andriarox, Dec 16, 2004.

  1. andriarox

    andriarox
    Joined: Dec 16, 2004 | Messages: 7 | Likes Received: 0 | Location: Virginia
    I scanned my computer with the Stinger Virus program. This is the log file:

    McAfee AVERT Stinger Version 2.3.7.0 built on Jul 30 2004
    Copyright (C) 2004 McAfee, Inc. All Rights Reserved.
    Virus data file v1000 created on Jul 30 2004.
    Ready to scan for 45 viruses, trojans and variants.

    Scan initiated on Thu Dec 16 03:19:17 2004
    C:\_RESTORE\ARCHIVE\FS4319.CAB\A0262908.CPY
    Found the W32/Sdbot.worm.gen.t virus !!!
    Number of clean files: 35458
    Number of infected files: 1

    Also I just had updated my Spybot Search and Destroy program and SpyWare Blaster and they both found lots of things so I also ran the Hijack This! Program and here is my logfile.


    Logfile of HijackThis v1.99.0
    Scan saved at 2:58:35 AM, on 12/16/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MOUSE SOFTWARE\BALLY4D.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.swvaol.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscope.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [HorngTech4D] C:\PROGRA~1\MOUSES~1\BALLY4D.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab

    I have a Racer PC
    AMD-K6 3D Processor
    Windows ME
    Internet Explorer 6.0
    92.0 MB of RAM
     
    Last edited: Dec 16, 2004
    andriarox, Dec 16, 2004
    #1

  2. James

    James (Photojournalist)
    Joined: Dec 24, 2002 | Messages: 6,662 | Likes Received: 35
    Hi.. That virus is contained in your System Restore files. The best way to remove it is to delete your past SR files.
     
    James, Dec 16, 2004
    #2

  3. Fenis-Wolf

    Fenis-Wolf (VIP Member)
    Joined: Apr 30, 2003 | Messages: 2,951 | Likes Received: 35 | Location: Ann Arbor, Mi
    You can do this by right-clicking on 'My Computer', then selecting 'Properties', then the 'System Restore' tab, and clicking 'Turn off System Restore on All Drives'. This will delete the old stuff. You can then, after a reboot, turn that check box back on if you want System Restore to run.
     
    Fenis-Wolf, Dec 16, 2004
    #3
  4. andriarox

    andriarox
    Joined: Dec 16, 2004 | Messages: 7 | Likes Received: 0 | Location: Virginia
    > Fenis-Wolf said: You can do this by right-clicking on 'My Computer', then selecting 'Properties', then the 'System Restore' tab, and clicking 'Turn off System Restore on All Drives'. This will delete the old stuff. You can then, after a reboot, turn that check box back on if you want System Restore to run.

    I went to "My Computer", right-clicked and selected "Properties". Then I didn't see a "System Restore" tab, so I just looked around and found the "Performance" tab, then went to the "File System" tab and then the "Troubleshooting" tab and clicked "Disable System Restore". Is that the same thing as what you told me to do? Thank you!
     
    andriarox, Dec 16, 2004
    #4
  5. Fenis-Wolf

    Fenis-Wolf (VIP Member)
    Joined: Apr 30, 2003 | Messages: 2,951 | Likes Received: 35 | Location: Ann Arbor, Mi
    Yes, I assumed you were on Windows XP.
    I also recommend downloading AVG AntiVirus, as it's free for home use and a very good virus scanner.
     
    Fenis-Wolf, Dec 16, 2004
    #5
  6. andriarox

    andriarox
    Joined: Dec 16, 2004 | Messages: 7 | Likes Received: 0 | Location: Virginia
    No I have Windows ME LOL! Thank you SO much. I really appreciate your help. I will download that program and scan my system with it. Thanks again!!
     
    andriarox, Dec 16, 2004
    #6
  7. andriarox

    andriarox
    Joined: Dec 16, 2004 | Messages: 7 | Likes Received: 0 | Location: Virginia
    I scanned my computer using the AVG Virus Scan system and it said that it found 30 files that contained viruses. It put them in the "Vault". When I go there, where the list of infected files is, and click Details, each one says it is not "Healable", and I have the option either to remove them from the Vault and refresh them (which I didn't think was the right thing to do) or to delete the files, but I'm not sure what I should do.

    Here is the list of things found:

    "","","Trojan horse Downloader.Agent.4.BJ","C:\WINDOWS\scanregw.exe","12/16/2004 5:26:54 PM","scanregw.exe","18.5 KB"
    "","","Trojan horse Downloader.Agent.2.BN","C:\WINDOWS\sdkte32.dll","12/16/2004 5:26:54 PM","sdkte32.dll","91 KB"
    "","","Trojan horse Downloader.VB.3.BV","C:\WINDOWS\rico.exe","12/16/2004 5:26:54 PM","rico.exe","64 KB"
    "","","Trojan horse Downloader.Agent.2.BN","C:\WINDOWS\mvfiys.dat","12/16/2004 5:26:54 PM","mvfiys.dat","91 KB"
    "","","Trojan horse Dropper.Small.5.J","C:\WINDOWS\96wu19rd.exe","12/16/2004 5:26:54 PM","96wu19rd.exe","54 KB"
    "","","Trojan horse Downloader.Istbar.4.D","C:\WINDOWS\istinstall_si.exe","12/16/2004 5:26:54 PM","istinstall_si.exe","3.5 KB"
    "","","Trojan horse Downloader.Agent.2.BN","C:\WINDOWS\xnsstd.dat","12/16/2004 5:26:55 PM","xnsstd.dat","91 KB"
    "","","Trojan horse Downloader.Delf.3.BB","C:\WINDOWS\loadclean.exe","12/16/2004 5:26:55 PM","loadclean.exe","7 KB"
    "","","Trojan horse Downloader.VB.3.BV","C:\WINDOWS\SYSTEM\CHANDG.exe","12/16/2004 5:26:55 PM","CHANDG.exe","64 KB"
    "","","Trojan horse Downloader.VB.3.BV","C:\WINDOWS\SYSTEM\CSCONFGI.exe","12/16/2004 5:26:55 PM","CSCONFGI.exe","64 KB"
    "","","Trojan horse Downloader.VB.3.AX","C:\WINDOWS\SYSTEM\TCDLLR.exe","12/16/2004 5:26:56 PM","TCDLLR.exe","64 KB"
    "","","Trojan horse Downloader.VB.3.BV","C:\WINDOWS\SYSTEM\STORECP.exe","12/16/2004 5:26:56 PM","STORECP.exe","64 KB"
    "","","Trojan horse Downloader.Small.8.Q","C:\WINDOWS\TEMP\iB245.TMP","12/16/2004 5:26:56 PM","iB245.TMP","13 KB"
    "","","Trojan horse Downloader.Small.5.AX","C:\WINDOWS\TEMP\i8151.TMP","12/16/2004 5:26:56 PM","i8151.TMP","12.5 KB"
    "","","Trojan horse Downloader.Small.5.AX","C:\WINDOWS\TEMP\i92C5.TMP","12/16/2004 5:26:56 PM","i92C5.TMP","12.5 KB"
    "","","Trojan horse Downloader.Agent.AS","C:\WINDOWS\TEMP\polmx2.exe","12/16/2004 5:26:56 PM","polmx2.exe","37 KB"
    "","","Trojan horse Downloader.Istbar.5.I","C:\WINDOWS\TEMP\faJpEE9.exe","12/16/2004 5:26:56 PM","faJpEE9.exe","17.5 KB"
    "","","Trojan horse Downloader.Stubby.C","C:\WINDOWS\TEMP\conscorr.exe","12/16/2004 5:26:57 PM","conscorr.exe","68 KB"
    "","","Trojan horse Downloader.SecondThought.A","C:\WINDOWS\TEMP\adlinstallwin32.exe","12/16/2004 5:26:57 PM","adlinstallwin32.exe","93.5 KB"
    "","","Trojan horse Downloader.Small.15.R","C:\WINDOWS\TEMP\saD014.TMP.exe","12/16/2004 5:26:57 PM","saD014.TMP.exe","5.5 KB"
    "","","Trojan horse Clicker.BG","C:\WINDOWS\Downloaded Program Files\WinAdToolsX.dll","12/16/2004 5:26:57 PM","WinAdToolsX.dll","22 KB"
    "","","Trojan horse Dropper.VB.EC","C:\WINDOWS\All Users\Application Data\IEService\v28.exe","12/16/2004 5:26:57 PM","v28.exe","78 KB"
    "","","Trojan horse Downloader.Agent.AS","C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE194.TMP","12/16/2004 5:26:57 PM","ppqE194.TMP","37 KB"
    "","","Trojan horse Downloader.Agent.AS","C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE195.TMP","12/16/2004 5:26:57 PM","ppqE195.TMP","37 KB"
    "","","Trojan horse Downloader.Keenval.C","C:\Program Files\Yahoo!\YPSR\Quarantine\ppqE1C4.TMP","12/16/2004 5:26:57 PM","ppqE1C4.TMP","84 KB"
    "","","Trojan horse Dropper.Delf.4.G","C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D3.TMP","12/16/2004 5:26:58 PM","ppq2D3.TMP","35.5 KB"
    "","","Trojan horse Downloader.Nex.B","C:\Recycled\Q678340.exe","12/16/2004 5:26:58 PM","Q678340.exe","3 KB"

    "","","Trojan horse Dialer.12.AM","C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1085.TMP\124309.dlr","12/16/2004 5:26:58 PM","124309.dlr","79.5 KB"
     
    andriarox, Dec 16, 2004
    #7
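An added example (my own code, not the thread's or any of the tools' own) for triaging the two logs posted above: it parses the Stinger and AVG Virus Vault formats shown in this thread and groups each detection by where the file sits, since that is what decides the clean-up action (the Stinger hit is inside the System Restore archive, so the fix is purging restore points as James said; the AVG hits are live or already-quarantined files). The detection names and paths are the thread's; the location categories and their comments are my assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample input in the formats shown in the thread: part of the
# Stinger log, and a few rows of the AVG Virus Vault list (paths as posted).
STINGER_LOG = """\
C:\\_RESTORE\\ARCHIVE\\FS4319.CAB\\A0262908.CPY
Found the W32/Sdbot.worm.gen.t virus !!!
Number of infected files: 1
"""
AVG_VAULT = """\
"","","Trojan horse Downloader.VB.3.BV","C:\\WINDOWS\\SYSTEM\\CHANDG.exe","12/16/2004 5:26:55 PM","CHANDG.exe","64 KB"
"","","Trojan horse Downloader.Small.8.Q","C:\\WINDOWS\\TEMP\\iB245.TMP","12/16/2004 5:26:56 PM","iB245.TMP","13 KB"
"","","Trojan horse Downloader.Agent.AS","C:\\Program Files\\Yahoo!\\YPSR\\Quarantine\\ppqE194.TMP","12/16/2004 5:26:57 PM","ppqE194.TMP","37 KB"
"","","Trojan horse Downloader.Nex.B","C:\\Recycled\\Q678340.exe","12/16/2004 5:26:58 PM","Q678340.exe","3 KB"
"""

def parse_stinger(text):
    """Stinger prints the file path, then 'Found the <name> virus' on the next line."""
    hits, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        found = re.match(r"Found the (.+?) virus", line)
        if found and pending:
            hits.append((found.group(1), pending))
            pending = None
        elif re.match(r"[A-Za-z]:\\", line):
            pending = line
    return hits

def parse_avg_vault(text):
    # AVG vault export: third column is the detection name, fourth the path
    return [(row[2], row[3]) for row in csv.reader(io.StringIO(text)) if len(row) >= 4]

def classify(path):
    """Where the detected file lives decides the clean-up action, not its name."""
    p = path.upper()
    if p.startswith("C:\\_RESTORE\\"):
        return "system-restore archive"  # not a live file: purge restore points
    if "\\QUARANTINE\\" in p or p.startswith("C:\\RECYCLED\\"):
        return "quarantine/recycle bin"  # already isolated by another tool
    if "\\TEMP\\" in p:
        return "temp"                    # dropped installers; nothing depends on them
    if p.startswith("C:\\WINDOWS\\"):
        return "windows dir"             # live file: cross-check autorun entries first
    return "other"

def triage(hits):
    # Count detections per location so a reply can say what to do with each group
    return Counter(classify(path) for _, path in hits)
```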
  8. Fenis-Wolf

    Fenis-Wolf (VIP Member)
    Joined: Apr 30, 2003 | Messages: 2,951 | Likes Received: 35 | Location: Ann Arbor, Mi
    Delete them.
     
    Fenis-Wolf, Dec 16, 2004
    #8