I use Avast! Home and automatically update since I’m always connected to the internet. Sometime between last night and this morning, a Spybot trojan variant infected my machine. Windows update is not working. I scanned with Avast, McAfee Stinger, Avast Virus Remover Tool and my machine is still running S-L-O-W. The trojan was detected by Avast resident scanner TWICE, about once per boot, and I moved them to the chest. I thought it was fixed the first time I moved it to the chest. I did a boot-time scan. I installed and ran Microsoft Antispyware, nothing found. I turned off system restore. WHAT ELSE CAN I DO TO ENSURE IT IS GONE? I HAVE NO CLUE HOW I GOT THIS TROJAN, AS I DIDN’T SEEM TO HAVE IT LAST NIGHT, BUT UPON BOOTING THIS MORNING, IT WAS DETECTED. The path of the trojan, for both times, is C:\WINDOWS\system32\TFTP2792[MEW]. Thank you in advance.
Run antispyware and antitrojan applications:
Antispyware applications (freeware): download, install, update and run them.
Ad-Aware
Spybot Search and Destroy
Spywareblaster
A-squared
Ewido
Webroot Spy Sweeper
Microsoft AntiSpyware
X-Cleaner Free
For antitrojans see the shareware below (download, install, update and run it; you can test it for some days):
TrojanHunter
TDS-3
TrojanHunter is good as well; it found it on mine. Avast found it as well, TrojanHunter killed it.
AdAware, MS Antispyware, Avast!, and TrojanHunter could not kill it. Avast detects it and moves it after every boot (about 10-20mins after startup). TrojanHunter didn’t find it. McAfee Stinger didn’t find it, neither did the Avast exe that cures infected machines. The trojan is: Win32:SdBot-194-B [Trj].
Hi, go to www.AdwareAlert.com; this, I believe, is what you are looking for.
Isn’t AdwareAlert one of the bad Antispyware Products?
Hi budd512, bad one you’ve got there. Found a lot of info for you but rather weak on the solution side.
Surf around these sites:
Rbot.gen
Also known as: IRC-Sdbot W32.Spybot.Worm Win32.HLLW.MyBot W32/Rbot-BY Backdoor:Win32/Rbot Worm/Sdbot.39936.B Win32:SdBot-194-B IRC/BackDoor.SdBot.28.F Backdoor.SDBot.Gen Backdoor.Rbot.gen
Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access to victim machines. The Trojans are controlled via IRC
www.trojanguide.com/spydet_1049_rbot_gen.html
This worm exploits certain vulnerabilities to propagate across networks. It takes advantage of the following Windows vulnerabilities:
*Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
*Buffer Overflow in SQL Server 2000 vulnerability
*IIS5/WEBDAV Buffer Overflow vulnerability
*LSASS vulnerability
It scans the network for systems with weak passwords and drops a copy of itself to target machines. It uses a list of weak passwords, which are hardcoded in its body, so that it can gain access to its target systems.
It connects to port 6667 (a normal mIRC port) and joins a specific channel where it listens for commands issued by the remote malicious user on the infected system. It also steals the CD keys of certain game applications.
http://de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&VName=WORM_SDBOT.WY
Installation and Autostart Technique
Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as the file LSRV.EXE.
It creates the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Services = “LSRV.EXE”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Services = “LSRV.EXE”
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
http://de.trendmicro-europe.com/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=3&VName=WORM_SDBOT.WY
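The write-up quoted above names two things a practitioner can check directly on the box: the Run/RunServices autostart values that re-launch the bot at every boot (which is why the resident scanner keeps finding a fresh copy after startup), and the outbound IRC control channel on TCP 6667. The script below is an added example, not part of the thread or of the Trend Micro write-up, that checks both. It assumes Windows with PowerShell 3 or later and an elevated prompt; the indicators it matches are exactly the ones on this page (value name "Microsoft Services", file LSRV.EXE, the TFTP<digits> file name from the original post, remote port 6667) and nothing else, so a different variant will need its own indicators added to the patterns. A kernel-mode rootkit can hide registry values and sockets from a running system, which is the reason the boot-time scan suggested later in the thread is still worth doing even if this report comes back empty.

```powershell
# Added example (not from the original thread or the quoted write-up).
# Triage the autostart keys and the IRC port named in the WORM_SDBOT.WY write-up.
# Assumes: Windows, PowerShell 3+, run from an elevated prompt.

# Autostart keys listed in the write-up. RunServices is a Win9x/Me key and
# is normally absent on NT-based Windows; Test-Path skips what is missing.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Get-SuspiciousAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; those are not registry values.
            if ($p.Name -like 'PS*') { continue }
            $name = $p.Name
            $data = [string]$p.Value
            $reasons = @()
            # Indicator 1: value name used by the write-up's variant.
            if ($name -eq 'Microsoft Services') { $reasons += 'value name "Microsoft Services" (write-up)' }
            # Indicator 2: dropped file name from the write-up (bare or with a path).
            if ($data -match '(?i)(^|\\)lsrv\.exe') { $reasons += 'LSRV.EXE (write-up)' }
            # Indicator 3: file name pattern reported in the original post (TFTP2792[MEW]).
            if ($data -match '(?i)\\system32\\tftp\d+') { $reasons += 'system32\TFTP<digits> (original post)' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data; Why = ($reasons -join '; ') }
            }
        }
    }
}

function Get-IrcConnections {
    param([int[]]$Ports = @(6667))
    # netstat -ano is available on every Windows version and prints:
    #   Proto  Local Address  Foreign Address  State  PID
    # Only TCP rows are examined; the foreign address is always addr:port there.
    netstat -ano | ForEach-Object {
        $f = @(($_ -split '\s+') | Where-Object { $_ -ne '' })
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP') {
            $remote = $f[2]
            # LastIndexOf handles both 1.2.3.4:6667 and [::1]:6667.
            $port = [int]$remote.Substring($remote.LastIndexOf(':') + 1)
            if ($Ports -contains $port) {
                [pscustomobject]@{ Remote = $remote; State = $f[3]; ProcessId = [int]$f[4] }
            }
        }
    }
}

'== Autostart values matching the indicators on this page =='
Get-SuspiciousAutostart | Format-Table -AutoSize

'== TCP connections to remote port 6667 (write-up: IRC control channel) =='
Get-IrcConnections | ForEach-Object {
    # Map the PID back to an image name so the bot process can be identified and killed.
    $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    $_ | Add-Member -MemberType NoteProperty -Name Process -Value $proc.ProcessName -PassThru
} | Format-Table -AutoSize
```

If the first table is non-empty, note the Key and Name before removing the value; if the second is non-empty, the listed process is the one to stop before deleting its file, otherwise it simply rewrites the Run value and the cycle the original poster describes repeats. Remote port 6667 is only the default named in the write-up, so run the check with `-Ports 6666,6667,6668,6669` if the local policy also covers the neighbouring IRC ports.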
I don’t think that Windows Update isn’t working as such; rather, it may well have been blocked by the virus to stop you from closing the RPC and DCOM exploits. These were patched years ago by MS.
Have you tried scheduling a boot-time scan from within avast?
If it can be detected by the resident scanner it should be detected by the boot scan and be able to be removed because windows won’t have started at that point.
For really bad malware, Ad-Aware SE requires the use of “special instructions”; therefore, I recommend you go to www.landzdown.com/index.php and post a “Full System Scan” setting logfile and let the now-defunct Lavasoft Ad-aware Support forums experts there assist you in getting rid of this malware.