
Trojan horse IRC/BackDoor.SdBot

Discussion in 'Security and Privacy' started by verdi, 2003/05/19.

Thread Status:
Not open for further replies.
  1. 2003/05/19
    verdi (Thread Starter)
    I don't believe it, I have XP Pro running its own firewall, AVG antivirus, and Spybot running and I still get clobbered, I suspect from a Kazaa download = (

    AVG has detected...
    IRC/BackDoor.SdBot

    infected object
    C:\WINDOWS\SYSTEM32\MSCVRT32.EXE

    Virus Name
    Trojan horse IRC/BackDoor.SdBot

    When I click on the "Move to virus vault" option I get this message...

    file C:\WINDOWS\SYSTEM32\MSCVRT32.EXE can not be removed.

    I guess this is because this infected file is an integral part of Windows...

    What do I do now??? Please = (
     
    Last edited: 2003/05/19
  2. 2003/05/19
    Daizy
    Hi verdi
    Maybe try stopping the trojan process first?
    Press Ctrl+Alt+Delete once.
    Click Task Manager.
    Click the Processes tab.
    Double-click the Image Name column header to alphabetically sort the processes.
    Scroll through the list and look for cnfgldr.exe.
    If you find the file, click it, and then click End Process.
    Close the Task Manager.

    Then run your antivirus. Or perhaps even HouseCall?

    more info.

    Daizy
     
  4. 2003/05/19
    verdi (Thread Starter)
    Hi Daizy

    Have done as you said, and I can't find any mention of cnfgldr.exe
    in Task Manager/Processes in my XP Pro.

    I did notice while I had Task Manager up that as soon as I clicked on your link in the email to BBS, this trojan came back on in Task Manager/Applications (I tried removing it from Applications as well as trying your suggestion). Would it help if I logged off before trying your suggestion again?

    How's da basement : )
     
  5. 2003/05/19
    Daizy
    Hiya verdi! Basement's DONE!!! Wohoooo! :D

    I'm not sure I'm following you completely.
    But let's try again.
    Shut all open windows.......then see if you are able to stop the trojan process from running. If it's not listed.......go ahead with the virus scan.

    Daizy
     
  6. 2003/05/19
    verdi (Thread Starter)
    Also I notice in Processes...
    everything is in normal font except for this one in caps...

    EM_EXEC.EXE

    WHYYYYYYYY :confused:
     
  7. 2003/05/19
    Daizy
    That's fine Verdi. Don't worry about fonts.

    Did you do the scan yet?
     
  8. 2003/05/19
    Daizy
    Btw....... EM_EXEC.EXE is just your Logitech MouseWare driver. Needed to support some additional functionality of Logitech mice/trackballs such as "SmartMove".
     
  9. 2003/05/19
    verdi (Thread Starter)
    Closed all windows but left the machine online... ran AVG and did the same again, can't remove : (
     
  10. 2003/05/19
    verdi (Thread Starter)
    This trojan is linked to my Internet Explorer, isn't it :(
     
  11. 2003/05/19
    Daizy
    I wonder if we're approaching this from the wrong angle.
    a. Press Ctrl+Alt+Delete once.
    b. Click Task Manager.
    c. Click the Processes tab.
    d. Double-click the Image Name column header to alphabetically sort the processes.
    e. Scroll through the list and look for
    System32.exe
    Xms32.exe
    f. If you find the file, click it, and then click End Process.
    g. Exit the Task Manager.


    Perhaps this got you first?
     
  12. 2003/05/19
    verdi (Thread Starter)
    Have done...

    a. Press Ctrl+Alt+Delete once.
    b. Click Task Manager.
    c. Click the Processes tab.
    d. Double-click the Image Name column header to alphabetically sort the processes.
    e. Scroll through the list and look for
    System32.exe
    Xms32.exe

    Can only find System... not System32.exe or Xms32.exe

    f. If you find the file, click it, and then click End Process.
    g. Exit the Task Manager.

    Should I just End Process on System and then run AVG?

    P.S. At the risk of getting my ignorant head torn off...
    I do recall you said you are running Win98; I was wondering, is there a difficulty in communication here because of two different OSs?

    Ouch ouch, please forgive me :eek:
     
  13. 2003/05/19
    Daizy
    I found you a link to peruse.

    Daizy
     
  14. 2003/05/19
    Daizy
    You're sooooooooo behind times. :D
    I'm running XP Pro. :p
     
  15. 2003/05/19
    verdi (Thread Starter)
    PHEW I didn't get a bashing :)

    Thanks for the link, I'll peruse later,
    have to go food shopping now.

    Let you know how I get on.

    Thank you ;)
     
  16. 2003/05/19
    verdi (Thread Starter)
    Well I did exactly what you said, which is exactly what your link suggested...
    reboot in Safe Mode
    a. Press Ctrl+Alt+Delete once.
    b. Click Task Manager.
    c. Click the Processes tab.
    d. Double-click the Image Name column header to alphabetically sort the processes.
    e. Scroll through the list and look for
    System32.exe
    Xms32.exe
    cnfgldr.exe

    nothing ???

    Attempted to run AVG and I got the error...
    Driver (core) not found winerr = 2

    Rebooted into normal Windows mode and a Spybot message came up suggesting I run AVG.
    I did and managed to remove it by healing... then opened Outlook, opened Task Manager/Applications, clicked on the link to BBS and Task Manager/Applications showed first a link to BBS via Internet Explorer which changed to Trojan horse IRC/BackDoor.SdBot and then back to Internet Explorer.

    Neither Daizy nor Norton have the same description as I am getting???

    Now it's getting late, look forward to any more suggestions.

    thank you :)
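    One way to do the process check from Daizy's posts 2 and 11 (the steps verdi repeats above) from a PowerShell prompt instead of clicking through Task Manager. This is an added example, not code from anyone in the thread; the name list, the image-path display and the Authenticode signature check are this example's own assumptions, included so that a file with an OS-sounding name loaded from an unexpected place, or without a valid signature, is visible before the process is ended.

```powershell
# Added example: list the image names from the thread's Task Manager steps, with the
# path each one is loaded from and its Authenticode status (assumed checks, not from the thread).
# Get-Process names omit ".exe"; MSCVRT32 is the file AVG flagged in the first post.
$suspectNames = @('cnfgldr', 'System32', 'Xms32', 'MSCVRT32')

$found = @(Get-Process | Where-Object { $suspectNames -contains $_.ProcessName })

if ($found.Count -eq 0) {
    Write-Output 'None of the listed image names are running (the result verdi reported).'
}

foreach ($proc in $found) {
    $path = $null
    try { $path = $proc.Path } catch { }   # Path is unavailable for some protected processes

    $signature = 'n/a'
    if ($path) {
        # A genuine OS binary normally carries a valid Microsoft signature; a file with an
        # OS-like name that is unsigned or lives outside System32 is what the AV alert describes.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        $signature = '{0} / {1}' -f $sig.Status, $signer
    } else {
        $path = '<path unavailable>'
    }
    Write-Output ('PID {0,6}  {1,-10}  {2}  [{3}]' -f $proc.Id, $proc.ProcessName, $path, $signature)
}

# Step f of the procedure (End Process), one process at a time and only after confirming.
foreach ($proc in $found) {
    $answer = Read-Host ('Stop {0} (PID {1})? [y/N]' -f $proc.ProcessName, $proc.Id)
    if ($answer -eq 'y') {
        Stop-Process -Id $proc.Id -Force
    }
}
```

    Run it from an elevated PowerShell prompt so that the image paths of processes owned by other accounts are readable.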
     
  17. 2003/05/19
    Daizy
    Sorry verdi...... :( I'm completely caffeine depleted. I can't keep up with everything you're saying. I'll wait a bit and see if someone else can jump in..... or keep re-reading until it makes sense to me.

    In the meanwhile....... Here's the fix for the Driver (core) not found winerr=3 error.

    Daizy
     
  18. 2003/05/19
    BillyBob
    I do not know how long you have had this infection. And maybe you do not either.

    But in any case I would suggest that you shut down the System Restore (or whatever XP calls the stupid thing) and make sure ALL previous restore points are removed.

    And do not re-activate same until you are sure the system is clean.

    BillyBob
     
  19. 2003/05/20
    mr.mark
    in this post Daizy provided a link to the Symantec security response for this threat.

    imo, it contains the very best info for the problems you are now faced with.

    if you scroll to the very end of the linked page, you will find this...

    "Additional information:

    Once this type of Trojan attacks a computer, it is difficult to determine what else the computer has been exposed to.

    In most cases, any changes—other than those that the Trojan made—will not have occurred. However, a hacker may have been able to use the Trojan to access the computer to make changes to it.

    Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely re-installing the operating system."

    in addition, I haven't heard you mention your firewall? a good firewall will, in most cases, stop unauthorized outbound connections.

    as you may know, this is one security layer that a user should not be without, particularly when trying to harden your system against trojans.
     