PLEASE help for sdBot trojan

can someone please help me remove this trojan found by a scan i performed yesterday?

my computer is a toshiba portege A200, running WIN XP pro. antivirus is avast! 4 home edition, with ZA as firewall.

yesterday, when logging onto the internet ZA detected an access-request by two processes I had not started or seen before: hkcmd.exe and igfxtray.exe

I ran a TrendMicro online scan which didn’t find anything and then my usual Avast! scan with updated VPS 0642-0 of 17/10/06.

The scan found the following trojan horse: win32: sdBot-gen28[trj]
in the following location:
C:\System Volume Information\_restore{E0038286-7C38-416A-AC95-17B978ECDCF9}\RP59\change.log.31

when the pop-up appeared i chose the recommended option and moved the infected file to Avast’s CHEST, where it’s still sitting.

Having read a few threads on this forum, I did the following:

  1. backed up the System State onto a memory stick - this failed on two dll files: fastprox.dll and repdrvfs.dll
  2. disabled the system restore function and rebooted
  3. rebooted in safemode
  4. performed another scan with avast! (i cannot access the internet in safemode to use online tools) which resulted negative but couldn’t access fastprox.dll and repdrvfs.dll
  5. deleted all temp files and emptied java cache
  6. looked for suspicious processes in task manager but did not feel confident enough to interpret their names
  7. restarted in normal mode

what do i do with the infected file? can i scan the file in avast’s chest with an online tool?
how do i definitively remove the malware?

and can I replace the two apparently damaged (although I'm afraid from before) dll files from another machine (i.e. my brother's)?
PLEASE, I'm trying not to panic but it's harder for us non-experts! :slight_smile:

i hope someone can help and i apologise if the question is silly, i am not very computer literate and English is not my first language.
THANK YOU EVER SO MUCH.

s

  1. The act of disabling system restore on all drives and rebooting will clear ALL restore points, infected or not.

  2. There is no need to do a scan in safe mode with avast if you have XP, which I think you have; you can schedule a boot-time scan. If you have XP or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, ‘Schedule boot-time scan…’ This will run a boot-time scan when you next boot, not every time after that.

  3. Files in the chest present no danger, they can’t do any harm there.

  4. You said “but couldn’t access fastprox.dll and repdrvfs.dll” but didn’t give a reason why?
    Many programs (usually security based ones) password protect their files for legitimate reasons, such as AdAware and Spybot Search & Destroy; there are others (and avast doesn’t know the password or have any way of using it even if it did know it).

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (in quarantine/restore/backup) in case you need to reverse what you did. These are usually password protected; you should do some housekeeping and delete old backup/recovery/quarantine entries (older than two weeks or so), as this will reduce the number of files that can’t be scanned.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned.

THANK YOU!

Ok, I have done this

I have done this too and the bootscan is negative.

Shall I just leave it in there indefinitely, then?

Ok, I have come across this before, about a month ago, when some programmes malfunctioned but scans were negative.
Avast! report last month said “Internal Programme Error” for these dll files. This time it says “Unable to scan. The system cannot read from the specified device”.
Also, when I attempted the back-up of the SystemState, I got a report at the end saying that file fastprox.dll could not be backed-up, this file will not restore.
The same for repdrvfs.dll
When I tried to make a copy of these two files onto disk or drive, I could not copy them. The error message said something like “unable to locate file”.
When I tried to copy the same files from my machine at work, just to check whether it was at all possible, I had no problems in transferring them onto disk, so I assumed there might be something wrong with them on my machine.

I tried AdAware scan but it got invariably stuck whilst scanning the wbem folder and never completed a scan.

This is the first time I detect a Trojan. The only similar instance was last month when Trendmicro online tool found 1 spyware infection “KEYL_ASTLOG” and cleaned it automatically.

The only problem I’m having at present is a very slow startup, but i want to ensure I do everything i need to in order to avoid further consequences.

Can I re-enable the system restore now??

THANK YOU for your help and especially for your detailed and clear explanations. It’s very reassuring to be able to talk to someone!

s

Comment note 3: - I would say leave it there at least a few weeks and then scan it within the virus chest, if it is still detected then delete it. The only reason for leaving it there for a while plus double checking is to ensure that the detection was good and not a false positive detection.

Comment note 4: - It would appear that there is some form of corruption or a problem with these files. You could try, as you suggested, replacing them with others. You may however have a problem replacing them if, as you say, you got an error when trying to copy them. You could try a google search for these file names; I did for one of them and that reveals an MS KB article and there were a couple of links to download them (beware of unknown links, always scan downloaded files). It is important to ensure you have the right version for your system.

I’m surprised you had a problem with adaware, I’ve been using it for years and it has never failed to complete a scan, this may or may not have something to do with other problems you mentioned. You could have adaware do a custom scan where you exclude the wbem folder.

Yes you can enable system restore.
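A defender-side check for the DLL replacement discussed in this reply, added here as an example and not part of the original thread or of avast!: a PowerShell script that records version, size, SHA-256 hash and Authenticode status for the two DLLs named above, both on the affected machine and for copies taken from a reference machine, and reports whether the copies are a like-for-like match before anything is swapped in. The reference folder `D:\refdlls`, the `System32\wbem` location (the “wbem folder” the poster mentions) and the use of `Get-FileHash` (PowerShell 4 or later, so not the poster's XP box, where `sfc /scannow` is the built-in equivalent) are assumptions.

```powershell
# Added example, not from the original thread: compare the DLLs discussed above
# against copies from a reference machine before replacing them.
# Assumptions (placeholders): reference copies live in D:\refdlls; the DLLs live in
# %SystemRoot%\System32\wbem, the "wbem folder" the poster mentions.

$targets   = @('fastprox.dll', 'repdrvfs.dll')            # file names from the thread
$systemDir = Join-Path $env:SystemRoot 'System32\wbem'    # assumed location on the affected machine
$refDir    = 'D:\refdlls'                                  # assumed folder holding the reference copies

function Get-DllFacts {
    param([Parameter(Mandatory)][string]$Path)

    # An unreadable or missing file (the poster's "unable to locate file") is reported, not fatal.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Version   = $item.VersionInfo.FileVersion
        Size      = $item.Length
        Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # Status is Valid, NotSigned, HashMismatch, ... Many Microsoft system files are
        # catalog-signed rather than carrying an embedded signature, so NotSigned on its
        # own is not evidence of tampering; HashMismatch is the result that matters.
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Compare-Dll {
    param([Parameter(Mandatory)][string]$Name)

    $local = Get-DllFacts -Path (Join-Path $systemDir $Name)
    $ref   = Get-DllFacts -Path (Join-Path $refDir $Name)

    # Decide whether the reference copy is a safe like-for-like replacement.
    $verdict = if (-not $local.Exists) { 'local file missing or unreadable' }
        elseif (-not $ref.Exists)                    { 'no reference copy to compare' }
        elseif ($local.SigStatus -eq 'HashMismatch') { 'local file fails its embedded signature' }
        elseif ($local.Sha256 -eq $ref.Sha256)       { 'identical to reference; nothing to replace' }
        elseif ($local.Version -ne $ref.Version)     { "version differs ($($local.Version) vs $($ref.Version)); wrong build, do not swap" }
        else                                         { 'same version, different content; local copy is damaged or modified' }

    [pscustomobject]@{ File = $Name; Local = $local; Reference = $ref; Verdict = $verdict }
}

# Usage: run from an elevated PowerShell on the affected machine after copying the
# reference DLLs into $refDir; one summary line plus the raw facts per file.
foreach ($result in ($targets | ForEach-Object { Compare-Dll -Name $_ })) {
    '{0}: {1}' -f $result.File, $result.Verdict
    $result.Local, $result.Reference | Format-List Path, Version, Size, Sha256, SigStatus, Signer
}
```

The verdict that matches the situation in the thread is “same version, different content”: the Windows version was confirmed identical on both machines, so a hash difference at the same file version points at a damaged local copy rather than a mismatched build. A “version differs” result is the case the reply warns about, and the swap should not be made.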

I will do as you say.

THANK YOU SO MUCH. I’ll post again if I encounter any more problems. Thank you for being so kind with a novice!
:slight_smile:

s

Glad I could help, welcome to the forums.

this forum is a great place to learn. :smiley:

for the record, I did replace the fastprox.dll and repdrvfs.dll from another machine, after checking that the version of WIN was exactly the same.

apparently the security system - which had stopped recognising avast! and the ZA firewall - is now working ok again.

also AdAware completed the scan without any problems and without finding any critical objects.
I’ll just keep my fingers crossed hoping that the crisis is actually over! :slight_smile:

Thanks a lot

s

You're welcome, thanks for the feedback; you never know, it might help someone else in the same or similar position.

Stick around and browse the forums, especially the sticky topics at the top of each of the forums. They provide a wealth of information to help you get the best from avast.