win32:SdBot-545[Trj]
Results 1 to 5 of 5

Thread: win32:SdBot-545[Trj]

  1. #1
    Junior Member
    Join Date
    Jul 2004
    Posts
    4

    win32:SdBot-545[Trj]

    the web's a bust - at least in english
    no manual to read

    win32:SdBot-545[Trj] is a recurring problem
    I use avast for my AV but it can't clean it, mainly cos I didn't have a recovery DB

    I move the file to the chest everytime

    but keeps appearing in

    "C:\Documents and Settings\UserName\Local Settings\Temp";
    "C:\WINDOWS\Temp"

    everytime its moved with trz#.tmp where # is a numeral or counting in Hex
    I've ran the avast worm cleaner
    stinger
    adaware
    hijack this
    window washer

    here's the log of hijack this
    Logfile of HijackThis v1.97.7
    Scan saved at 1:33:08 PM, on 7/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Washer\washer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    D:\HijackThis.exe
    C:\WINDOWS\System32\notepad.exe
    C:\WINDOWS\System32\notepad.exe
    C:\Program Files\Alwil Software\Avast4\ashSimpl.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.yellowpages.com.au/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=168.10.79.7:2032;gopher=168.10.79.7:2032;http=208.38.40.72:8080 168.37.244.10:3128 209.91.207.161:8333;https=168.10.79.7:2032
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...sh/swflash.cab
    most of that looks normal to me
    msmsgs.exe could be the problem, I'll explain why in a minute

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=168.10.79.7:2032;gopher=168.10.79.7:2032;http=208.38.40.72:8080 168.37.244.10:3128 209.91.207.161:8333;https=168.10.79.7:2032

    this may well be the problem too as I was attempting to chain proxies

    the rest looks legit to me as all the NV things are referring to my graphics card

    now messenger, I fell victim to rpc exploit when downloading updates for windows messenger and I'm suspicious this trojan may have been carried on the msn messenger 6.2 update

    and most of the time I use firefox anyway not IE

    oh and I originally found it masquerading as trivial ftp

    c:\windows\system32\TFTP3580

    and thought I was clean
    404

  2. #2
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Why would chaining proxies be a problem? Are you using a software or simply plugged them in the browser? Regardless I have used chained proxies and it wasn't an issue... so more details?

    Only advice is to DL a trial version of Nortn and check the system in safe mode with that. And I know it's not the greatest idea but if you want to get rid of it, why not try it like this?

    Or maybe the www.symantec.com virus checker could remove it... give it a shot!
    /\\

  3. #3
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Turn off your system restore before attempting removal!!!!
    Al
    It isn't paranoia when you KNOW they're out to get you...

  4. #4
    Junior Member
    Join Date
    Jul 2004
    Posts
    4
    I'll give it a shot but in my experience Norton sucks major arse

    and no I didn't particularly think proxies were the problem but wondered ow they were magically added to the registry
    404

  5. #5
    Junior Member
    Join Date
    Jul 2004
    Posts
    4
    Thanks all

    Problem solved.

    Turned out I hadn't ran Window Washer at all
    and now that I have, the problem hasn't shown up since
    404

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides