Avast Impotent!

I noticed an unidentified process (phqghum.exe) running in Win XP on my son’s computer. A deep scan with Avast indicated that this file was infected with w32.sdbot-194-B, presumably picked up by my son when he installed Win XP and connected to the Internet prior to applying all the latest patches.
Although this file was identified by Avast (and I had terminated its process in Task Manager), it was impotent at dealing with it, and trying to delete the file in Avast was answered with “access denied”.
Since I was able to manually delete all references to this process in the registry and delete the actual file phqghum.exe in the Windows System32 folder without having to go into safe mode, etc., I wonder why, apart from identifying the file, Avast was as much good as an amorous octogenarian who forgot his Viagra! Mind you, in all fairness, an online scan with Trend Micro’s HouseCall did not even detect this worm.

Don’t blame it on Avast. Blame it on yourself and your son.

When it was detected, you should have enabled “remove at next boot when needed” and Avast would have handled it.

Another way to deal with it was disabling the process, and then Avast would also have taken care of it.

A deep scan with Avast indicated that this file was infected with w32.sdbot-194-B presumably picked up by my son when he installed Win XP and connected to the Internet prior to applying all the latest patches.
After installing any OS, always put a firewall and AV software on it before connecting to the net.

Well, I must admit to being unfamiliar with Avast’s features and did not notice a “remove at next boot…” option.
Still, I did mention that in fact I had already terminated the process, and Avast still could not deal with it.

Terminating a process when it comes to viruses, trojans, etc. isn’t always what it seems. There may be a hidden process that is not shown in Task Manager. Unless you really know a lot and check everything, disabling a process in Task Manager doesn’t always mean the entire process is closed down.

Anyway, you sound like the problem is solved. Still, I want to have a look at a HijackThis log to see if I can find some leftovers or other harmful things. If you want, post the log here and I will have a look. If not, it is OK with me. It is your choice :slight_smile:

You can download HijackThis from HERE.

If you are interested, you can download my HijackThis Log analyzer from HERE and also post/analyze the log online HERE

Thanks for your help.

I pretty much went over the system with a fine-tooth comb, but if time permits I may do as you suggest next time I’m over at my son’s place.

win32:sdbot-194-B → VGREP → http://vil.nai.com/vil/content/v_100454.htm


– Update August 11, 2004 –

There are now over 4000 variants of this threat, … and this number continues to grow at a rapid rate.

YAHOOOOO!!!
:wink:

Avast will soon run out of numbers for naming Win32:SDBOT-xxx,
as they are presently at “Win32:SdBot-982 [Trj]”; I’d guess that most numbers include different variants/packers
:wink:

a bit OT:

"Many share jumping viruses rely on weak usernames/passwords. …
Such worms often rely on the presence of default, admin shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may be of help, especially when run from a logon script, or placed in the startup folder.

* net share c$ /delete
* net share d$ /delete
* net share e$ /delete
* net share ipc$ /delete
* net share admin$ /delete "

What do you think of this?
Has anybody implemented this somehow?

:wink:
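One way to put the quoted advice into practice, as an added example that is not code from this thread or from Avast: a bare `net share ... /delete` only lasts until the Server service next starts, which is why the quoted batch file has to run from every logon. The value `AutoShareWks` (`AutoShareServer` on Windows Server) under the LanmanServer `Parameters` key tells the service not to recreate the drive and ADMIN$ shares at all, so the removal becomes persistent. The script below assumes an elevated PowerShell prompt on a Windows workstation; the function name `Get-AdminShares` is my own helper, and IPC$ is kept on purpose because named-pipe authentication and remote management depend on it and the service recreates it regardless of this setting.

```powershell
# Added example, not part of the thread. Removes the default administrative
# shares discussed above and, unlike "net share ... /delete" in a logon script,
# stops the Server service from recreating them at its next start.
# Assumes an elevated (Administrator) PowerShell prompt on a Windows workstation.
# On Windows Server the equivalent value name is AutoShareServer.

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AdminShares {
    # Hypothetical helper: enumerate the automatic administrative shares, i.e. one
    # per fixed drive (C$, D$, ...) plus ADMIN$ (the Windows directory) and IPC$.
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Name -match '^[A-Z]\$$' -or $_.Name -in 'ADMIN$', 'IPC$' }
}

Write-Host "Administrative shares before:"
Get-AdminShares | Format-Table Name, Path, Type -AutoSize

# Step 1: the immediate removal the quoted batch file performs.
# IPC$ is deliberately left alone: it carries named-pipe traffic such as remote
# authentication and management, and the Server service recreates it anyway.
foreach ($share in Get-AdminShares) {
    if ($share.Name -eq 'IPC$') { continue }
    net share "$($share.Name)" /delete
}

# Step 2: the persistent part. AutoShareWks = 0 tells the Server service not to
# recreate the drive shares and ADMIN$ when it starts, so no logon script is needed.
if (-not (Test-Path $lanmanParams)) { throw "LanmanServer Parameters key not found" }
Set-ItemProperty -Path $lanmanParams -Name 'AutoShareWks' -Value 0 -Type DWord

# Step 3: verify. Restarting the Server service shows whether the shares come back;
# with AutoShareWks = 0 only IPC$ should be listed.
Restart-Service -Name LanmanServer -Force
Write-Host "Administrative shares after restarting the Server service:"
Get-AdminShares | Format-Table Name, Path, Type -AutoSize
```

Before rolling this out through a logon script or policy, check what else in the environment uses the admin shares: remote administration tools, software deployment and some backup agents copy files to `ADMIN$` or `C$`, and they stop working once the shares are gone. The restart of the Server service drops any open SMB sessions on that machine, so run it at a quiet moment.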

Creating a user with limited rights and using that account when using the system also helps. Using the computer constantly as admin is a security risk.