By Emre
Jan 8, 2009
  1. Hi, I'm absolutely, bitterly infected by something that comes up in my Spyware Doctor scans every time I reboot. Spyware Doctor calls it Backdoor.Sdbot; I took my time researching it on the net and found out it is a major problem. Help please, if you can. (All steps are done and I run Spyware Doctor scans every once in a while; the virus comes back only after reboots though.)
  2. jobeard

    jobeard TS Ambassador Posts: 9,151   +598

    The MBAM log found two bad registry entries, but you failed to ALLOW the program to fix errors, so it just reported the findings.

    Use the options to enable Auto Fix.
  3. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Oh, so that was it. Windows Defender had found a program trying to run without permission (normally it doesn't interfere with MBAM's work; it lets it do its job), so I had Defender stop that program. I guess it was MBAM trying to erase that virus. I will re-scan and do all steps again, but I do guess those 2 harmful entries are not the problem; I expect a backup file for the virus buried somewhere in the PC. I'll let you know when I finish.
  4. Emre

    Emre TS Rookie Topic Starter Posts: 31

    OK, now I have done a full system scan with MBAM and SAS, then got an HJT log. (I did various scans before I got these results; they seem nearly clean, but I do have a guess that I will have my backdoor trojans back when I restart...) (I am not including my MBAM log, as it was absolutely clear: nothing found.)

    Edit: After reboot: I still have the Backdoor.Sdbot stuff; nothing has changed with these scans. Will anybody help me...
  5. Emre

    Emre TS Rookie Topic Starter Posts: 31

    "Backdoor.win32.Sdbot.acj (Kaspersky)" is the definition Spyware Doctor names the virus. I hope somebody will get interested; it seems to be slowly infesting my whole PC. (At first it used to find 20 results each scan after reboot; this morning it found 80!)
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Emre my friend

    I have been away since Christmas until last Monday but was so busy catching up with work last week I still did not have time to check in. I tried twice yesterday but was interrupted by visitors.

    The order of the steps is important, so follow the order.

    Once you begin these steps, do no other WWW browsing or email, and do not play any videos or movies from the HD!

    1. Update MBAM and SAS
    2. Download Dr.Web CureIt
    3. Download Norman Malware Cleaner

    Download SDFix to the Desktop; among other things it contains Catchme, to look for rootkits.

    On the Desktop run SDFix. It will run (install), then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At the Desktop:
    My Computer, C: drive. Double-click to open.

    Look for a folder called SDFix. Double-click to enter SDFix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted, hit the Enter key to restart the computer.

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    NOTE: If the copy of ComboFix you have is more than a few days old, delete it and re-download.

    Get it here:
    Or here:

    Double-click combofix.exe and follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it is running. That may cause it to stall.

    After posting all the logs from above, boot to regular Safe Mode and run:

    1st: Dr.Web
    2nd: Norman

  7. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Thanks for your help, Mike; I hope you and I will be able to clean this one too :) Now, you may not remember, but the last time you helped I told you that SDFix doesn't work on my PC (Vista), but I followed the rest of the instructions you gave; attaching the 2 logs you wanted. Now I will reboot and run the 2 programs you wanted me to download in the first place.
  8. SpiritWind

    SpiritWind TS Rookie Posts: 164

    P2P programs form a direct conduit onto your computer; their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private and financial details have been exposed to the file-sharing network by a badly configured program.

    When you use them you are downloading software from an unknown source directly onto your computer, bypassing your firewall and anti-virus software. Many of these downloads are targeted to carry infections.

    Therefore, more and more malware-removal forums will NOT help someone UNLESS the P2P program is completely REMOVED; having the uTorrent program on your computer, you are fortunate to get help from Mike, unless he has failed to notice this program on your computer.
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello Emre

    SpiritWind is correct. P2P is the best way I know to get infected. Do not have it active while we are cleaning.

    It is not for me to say, but if you must do it after we are fixed, I will guide you in safer ways of doing it.

    One way is to do it and test with multiple scanners all within a Virtual Machine.

    This is one of the reasons I requested you do these scans in Safe Mode, in addition to the fact that in Safe Mode some malware can be more exposed and easier to damage or eradicate. Expect them to take longer because of Safe Mode.

    For now I am awaiting the logs.

    Once the other logs are posted, download and install the new SDFix, as SDFix does run under Vista. But to run it, do the following:

    1: Install SDFix in Normal Mode.
    2: Control Panel, User Accounts: choose the logon you are using and turn off User Account Control (UAC). This will require a reboot. (Turn it back on after the run.)
    3: Reboot back to Safe Mode and browse to the SDFix folder. Right-click RunThis and choose Run as Administrator.

  10. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Thanks for the attention, SpiritWind, and thanks for helping regardless of what I do, Mike. I appreciate it. Well, about SDFix: I already tried with UAC off; both ways SDFix doesn't work. Surprisingly, after the ComboFix scan, Norman scan and Dr.Web scan, I still have the Backdoor.Sdbot virus, and now ComboFix shows up in my scans as a potentially unwanted program + now I have the problem of adware.advertising-type viruses showing up. I wonder what I did to add them; everything I did was under your strict instructions.
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    From Safe Mode, run another ComboFix.

    Did you get logs from Norman and Dr.Web? And/or did they detect anything?

  12. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Both Norman and Dr.Web detected nothing; that's driving me nuts (no infected files, nothing found, nothing deleted, nothing repaired, nada). I guess I will do another ComboFix now.
  13. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Done another ComboFix; nothing changed. I guess I will have to format my PC; I will try whatever else you say though. I'm waiting for your replies (latest ComboFix and HJT logs attached).

    Spyware Doctor finds 19 applications of Backdoor.Sdbot, 1 Trojan.Generic and 18 PUAs (Application.NirCmd); all the PUAs are from ComboFix, and the generic is in HKEY_USERS\...\Software\Wget.
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Hold on!

    I am still at work. Give me a while, an hour or more, and I will get you a ComboFix script to get this manually.

  15. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Holding on. You know I love you [in an absolutely manly way ;) ], don't you?

    Thanks, Emre.

    (By the way, I may not be able to reply until tomorrow, as it is 00:26 here and I have a final tomorrow =) )
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    dupe post deleted
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Get me a Spyware Doctor log with the specific files it cannot clean. I need this for the ComboFix script.

    Go here:

    1. Download it.
    2. Unplug the network cable or turn off the modem/router.
    3. Reboot to Safe Mode.
    4. Then rename and run as instructed.
    5. When it reboots, keep it in Safe Mode.
    6. Run Spyware Doctor in Safe Mode.

    Then reconnect the cable, reboot to Normal Mode and post the results.

  18. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Well, I will post the whole history of my Spyware Doctor and let you have it your way from then on. (It is in Turkish, unfortunately; however, I guess what it says is clear enough to understand. If you have problems reading or understanding it, you can always ask me.) I had to cut 2/3 of the log to fit here, but everything is about the same as this part.

    Downloaded the fixit; will do the rebooting, renaming and so on tomorrow. I really have to sleep some time soon :)

    Thanks for everything, I don't know what else to say.

    Have a good day, Mike. (Or evening, I assume.)
  19. Emre

    Emre TS Rookie Topic Starter Posts: 31

    After fixit.exe, the 1 virus showing up was gone. I only get my usual Backdoor.Sdbot and "ComboFix is a PUA" warning.

    I'm adding the logs that I assume were given by fixit (logs don't come out of nowhere now, do they?).
  20. mflynn

    mflynn TS Rookie Posts: 2,655

    Good Morning

    OK, I could not read enough of the Spyware Doctor log to be sure, so see if it allows changing the language, then zip the log and attach it.

    Do this:

    D/L to Desktop: DDS by sUBs from one of these locations:

    Double-click DDS.scr to run.

    When complete, DDS.txt will open.

    Click Yes for Optional Scan.
    Save both reports to your desktop.

    Attach the contents of both logs back here.

    This boy gets into System Restore, so do the below. That may be where Spyware Doctor is detecting most entries (in System Volume Information).

    Before turning off System Restore, get ERUNT:

    Install it, run it, and let it do a registry backup and add an entry to Startup!

    Instructions to turn off SR:

    Start > Programs > Accessories > System Tools > Disk Cleanup
    Click OK to accept C:
    Select all boxes
    Then click More Options
    Here click System Restore, OK to "Are you sure", and then OK to run.

    As this runs it clears all but the most recent Restore Point, but it also clears one other thing, which can contain infested files and take a huge amount of disk space.

    Then rerun Spyware Doctor and post the (English, hopefully) log.

    Reboot, turn SR back on and make a Restore Point.

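    The two points mflynn makes in the post above, that the detections return after every reboot and that System Restore can hold infected copies under System Volume Information, both come down to enumerating where Windows re-launches code at boot and where old copies are kept. The script below is an added example (it is not from this thread and is not part of Spyware Doctor, MBAM, SDFix, ComboFix or HijackThis): it lists the Run keys under HKLM and every loaded HKEY_USERS hive, auto-start services with binaries outside %SystemRoot%, scheduled tasks, and the VSS shadow copies that back restore points, hashing and signature-checking each referenced file so an entry that is recreated at boot can be spotted. It assumes Windows PowerShell 2.0 or later in an elevated console (a stock Vista install needs the PowerShell update first); the function names are the example's own.

```powershell
# Added example (not from this thread and not part of Spyware Doctor, MBAM,
# SDFix or ComboFix): list the autostart locations that re-launch a backdoor
# at every reboot, hash and signature-check the binaries they point at, and
# list the System Restore shadow copies that can hold infected copies.
# Assumes Windows PowerShell 2.0 or later in an elevated (Run as Administrator)
# console; a stock Vista install needs the PowerShell update first.

# Expose HKEY_USERS as a drive: HKCU only covers the account currently logged
# on, while the key reported in the thread lives under HKEY_USERS\...
if (-not (Test-Path 'HKU:\')) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -Scope Global | Out-Null
}

# Run keys checked under HKLM and under every loaded user hive.
$runSubKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Resolve-CommandPath {
    param([string]$CommandLine)
    # Reduce "C:\path\app.exe" /args (or C:\path\app.exe /args) to the file path.
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) { return $cl.Split('"')[1] }
    $m = [regex]::Match($cl, '^(.+?\.(exe|dll|bat|cmd|scr|vbs))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cl.Split(' ')[0]
}

function Get-Sha256 {
    param([string]$Path)
    # .NET directly, so it also works before Get-FileHash existed (PowerShell 4.0).
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Get-AutorunEntries {
    $roots = @('HKLM:') + @(Get-ChildItem 'HKU:\' | ForEach-Object { 'HKU:\' + $_.PSChildName })
    $meta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($root in $roots) {
        foreach ($sub in $runSubKeys) {
            $key = Join-Path $root $sub
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($meta -contains $p.Name) { continue }
                $exe    = Resolve-CommandPath ([string]$p.Value)
                $exists = -not [string]::IsNullOrEmpty($exe) -and (Test-Path -LiteralPath $exe -PathType Leaf)
                # A Run value whose file is missing is itself a clue: something
                # re-creates the binary at boot, or the value is leftover debris.
                $signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
                New-Object PSObject -Property @{
                    Source = $key; Name = $p.Name; Exe = $exe; Exists = $exists
                    Signed = $signed; Sha256 = Get-Sha256 $exe
                }
            }
        }
    }
}

function Get-NonWindowsAutoServices {
    # Auto-start services whose binary lives outside %SystemRoot%; Sdbot-style
    # backdoors often register as a service under a plausible-looking name.
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                       $_.PathName -notmatch '^"?[A-Za-z]:\\Windows\\' } |
        ForEach-Object {
            $exe = Resolve-CommandPath $_.PathName
            New-Object PSObject -Property @{
                Name = $_.Name; DisplayName = $_.DisplayName; Exe = $exe; Sha256 = Get-Sha256 $exe
            }
        }
}

function Get-TaskAutoruns {
    # schtasks ships with Vista. Its column headers are localized, so on a
    # non-English system (Turkish here) substitute that language's header names.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -ne 'N/A' } |
        Select-Object TaskName, 'Task To Run', 'Scheduled Task State'
}

function Get-ShadowCopies {
    # Restore points are VSS shadow copies under System Volume Information, which
    # is why a scanner keeps "finding" old infected files until they are purged.
    Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName
}

Get-AutorunEntries         | Format-Table -AutoSize Source, Name, Exe, Exists, Signed, Sha256
Get-NonWindowsAutoServices | Format-Table -AutoSize Name, DisplayName, Exe, Sha256
Get-TaskAutoruns           | Format-Table -AutoSize
Get-ShadowCopies           | Format-Table -AutoSize
```

    Run it once from Normal Mode before cleaning and again after the reboot that brings the detections back: an entry whose Sha256 changes between runs, or whose file is unsigned and outside %SystemRoot% or the Program Files tree, is the one to hand to the helper for the ComboFix script. The shadow-copy list is what Disk Cleanup's System Restore option purges, which is why the detections under System Volume Information stop after that step.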
  21. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Did all you asked for; nothing changed (though you saved me 30 GB of disk space, thank you very much). I am posting the Spyware Doctor log too (in English too! :) )

    Looking forward to hearing from you,

  22. mflynn

    mflynn TS Rookie Posts: 2,655

    Sorry to be so long getting back. Still working, then out to eat!

    It will take a while to go through the logs. In the meantime, do the below.

    Update SAS!

    D/L the NOD32 stand-alone cleaner:

    Boot to Safe Mode.

    Run SAS, click Preferences > Repairs. Counting down from the top, do
    #7, 9, 10, 11, 13, 14, 15, 16, 19, 20, 21 and 22. Then run an SAS quick scan.

    Then, still in Safe Mode, run NOD32.

    Then rename combofix.exe to cbf.exe and run it again before booting back to Normal Mode. Then post the log.

    Then rename HijackThis.exe to 1hjt.exe, run it and post the log.

  23. Emre

    Emre TS Rookie Topic Starter Posts: 31

    OK Mike, will do ASAP. Thanks for everything yet again.
  24. Emre

    Emre TS Rookie Topic Starter Posts: 31

    Hey Mike, I did NOD32, the SAS stuff, ComboFix and HJT, all of it. When I had a Spyware Doctor scan afterwards I was absolutely shocked; it found the usual Backdoor.Sdbots with the addition of a Trojan.Generic, which is in a registry key (HKEY_USERS...\Software\Wget), and 276 PUAs... all being ComboFix. (Why is Spyware Doctor doing this every time I scan and choose not to erase ComboFix? Why is it considered an unwanted program anyway? Where does this generic trojan come from? Should I normally let Spyware Doctor clean everything it finds, which I had been postponing, not erasing the ComboFix files? I can't be sure, but this time I will clean; I guess it will erase the whole ComboFix file. I have the setup, so I can install it again if I need to use it later.)

    Here are the logs; log.txt is from ComboFix.

    (Oh, by the way, the log says both McAfee and Spyware Doctor are outdated; that's a lie. I checked and rechecked both; they call themselves up to date.)
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    I never knew you were not cleaning with Spyware Doctor. Please DO! Remove all!
