TechSpot

Help with Trojan Horse IRC/Backdoor.SdBot2.KLE

By felinne
Oct 26, 2006
  1. Hi All,

    I just reformatted my computer and caught these almost the moment I connected to the web:

    1. Trojan Horse IRC/Backdoor.SdBot2.KLE
    2. Trojan Horse.28.A (in 3 different places)

    I've found postings on 28.A but can't find any info on this Backdoor virus specifically.

    I'm running Windows Update right now and installing a bunch of updates.

    Please help!
     
  2. wolfram

    wolfram TechSpot Paladin Posts: 1,967   +9

    Hello and Welcome to Techspot!! :)

    I'd recommend first to download AVG Free Antivirus from HERE.
    Also, follow the instructions on THIS page, and also check THIS.

    And then post your HJT log :)

    Regards :wave:
     
  3. felinne

    felinne TS Rookie Topic Starter Posts: 21

    I've got AVG. Here's my HJT log:



    Also, this is what's in my AVG virus vault.
    Trojan horse IRC/BackDoor.Sdbot2.KLE
    path: C:\WINDOWS\Isass.exe

    Trojan horse Dialer.28.A
    path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OBQP6RC1\adult1[1].exe

    Trojan horse Dialer.28.A
    path: C:\wen6j4d5.exe

    Trojan horse Dialer.28.A
    path: C:\System Volume Information\_restore{4369A080-83C6-4143-8A2F-477188C0ED01}\RP17\A0003754.exe
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Never ever connect to the net without firewall protection. That's why you've been hit so quickly.

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


    Regards Howard :wave: :wave:


    This thread is for the use of felinne only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Hi:

    I was actually in the process of updating Windows Service Pack 2 but cancelled (almost finished when I hit cancel)...it's been like 10 min and it's still cancelling, but my Task Manager says everything is running. Should I wait it out before doing what you say? Or, do a reboot?

    Thanks.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It just gets better doesn't it lol.

    Since you have just reformatted, maybe it'd just be better to format again and start from scratch. Only this time, don't connect to the net until you've installed your firewall software.

    Regards Howard :)

     
  7. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Actually, someone upstairs was merciful and the updating finally stopped. I ended up installing 1/8 components of the Windows SP2. Now, I am following the instructions on your post. At the online scan step right now!

    How do I disable auto updates? It keeps updating and asking me to restart, so annoying. :p
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Right click my computer and select properties. Click on the Automatic updates tab and check the Turn off Automatic updates button, click apply/ok.

    Regards Howard :)

     
  9. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Got it. I'm running the online scans right now. Picked Kaspersky, should I scan every category? I'm doing My Computer right now or just the critical stuff? Cuz it's takin' a while.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You should scan everything. Just go and have a cup of coffee or something.

    Following the instructions will take you a good couple of hours at least.

    Regards Howard :)

     
  11. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Question: the online scan doesn't seem to have a removal function. I saved the report from the first one. A trojan was definitely found.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's ok, try the Trend scanner next.

    Ps: All logs should be posted as attachments. Thanks.

    Regards Howard :)

     
  13. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Hi:

    Thanks for being so responsive. I'm about to start on the Trend scanner. Here is the log for Kaspersky critical scan:

    Edit: Pasted log removed.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, no problem.

    I must reiterate. All log files should be posted as attachments and not copy and pasted.

    Regards Howard :)

     
  15. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Oops I am sorry. Would you like me to repost as attachments? Otherwise, I'll do that for the next ones. Going to do the Trend scan now.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No it's ok you don't need to repost them. After the Trend scan, go to the rest of the instructions. Post the results after you've completed the instructions.

    Regards Howard :)

     
  17. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Uh, what happens if my Trend platform and browser test (which is supposed to take a few secs) is taking an eternity?
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    If you're having problems with the Trend scan, skip it and go to the rest of the instructions.

    Regards Howard :)

     
  19. felinne

    felinne TS Rookie Topic Starter Posts: 21

    It's still testing browser and platform...that's not the scan right? I'm tempted to hit stop.

    Oo, I think I was missing some plug-ins. Installing them now. If it still doesn't work, then I'll skip the Trend scan.

    Thank you again for helping me. I really appreciate it.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    By all means stop it. Now follow the rest of the instructions, starting with installing a firewall if you haven't already installed one. Then continue with the rest of the instructions and post a fresh renamed HJT log and an AVG Antispyware log when you've completed the instructions.

    Regards Howard :)

     
  21. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Okay. Will do. Some file send error occurred during the Trend Scan.

    Tool 1 report attached.
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's ok, you don't need to post every log as you get them. Wait till you've completely finished, then attach the lot lol.

    Regards Howard :)

     
  23. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Okay. Trying to go through the rest of the process now.

    Down to the last stretch.

    My God, I'm finally done. Exhausted but went through the list. I'm attaching my HJT log and the AVG log.

    I would like to note that I ran all the final "cleanup" steps in Safe Mode. Hope that's right. Also, I got the following errors when I ran AVG Anti-Virus (the scan in Safe Mode was otherwise clean):

    Partition table (MBR) Reading Error
    Boot sector of disk C: Reading Error

    Please advise on the next steps.
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    LSA Shel <Note: only one L.>

    Close the services window.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AA8FB665-61FF-4A4F-8C36-EA9E19C41A9B}: NameServer = 216.254.95.2,216.231.41.2 <Only fix this if it doesn't belong to your ISP.>

    O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    C:\WINDOWS\lsass.exe

    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

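
    As an added illustration (not from the thread, HijackThis or any tool it mentions), here is a small Python audit of HJT lines that encodes the checks Howard's post relies on: a core Windows binary such as lsass.exe registered from a folder other than System32, a service whose binary is missing, a service display name one character away from a known-good name, and O17 name servers outside an ISP allowlist. The trusted-name list, the ISP DNS allowlist and the two benign O23 lines are placeholders I made up; the O17 line and the LSA Shel line are the ones quoted above.

```python
import re

# Constructed sample HijackThis (HJT) lines: the O17 entry and the first O23 entry are
# quoted from the post above; the other two O23 lines are invented benign entries.
SAMPLE_HJT = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA8FB665-61FF-4A4F-8C36-EA9E19C41A9B}: NameServer = 216.254.95.2,216.231.41.2
O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Example AV Service (ExAV) - Example Vendor - C:\Program Files\ExampleAV\avsvc.exe
""".strip().splitlines()
# Core Windows binaries that legitimately live only in %WINDIR%\System32.
CORE_SYSTEM32 = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe", "svchost.exe"}
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>[A-Za-z]:\\.*?\.exe)(?P<missing> \(file missing\))?\s*$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_hjt(lines, trusted_names, isp_dns):
    """Return (rule, line) pairs for O23/O17 entries that deserve a closer look."""
    findings = []
    for line in lines:
        m = O23_RE.match(line)
        if m:
            folder, exe = m["path"].rsplit("\\", 1)
            if exe.lower() in CORE_SYSTEM32 and not folder.lower().endswith("\\system32"):
                findings.append(("core-exe-outside-system32", line))
            if m["missing"]:  # service still registered but its binary is gone
                findings.append(("service-binary-missing", line))
            if m["name"] not in trusted_names and any(edit_distance(m["name"], t) == 1 for t in trusted_names):
                findings.append(("lookalike-service-name", line))
            continue
        m = O17_RE.match(line)
        if m:  # flag name servers that are not the ISP's (allowlist is a placeholder)
            rogue = [s for s in m["servers"].split(",") if s not in isp_dns]
            if rogue:
                findings.append(("unexpected-nameserver:" + ",".join(rogue), line))
    return findings

if __name__ == "__main__":
    for rule, line in audit_hjt(SAMPLE_HJT, {"LSA Shell (Export Version)"}, {"192.0.2.53"}):
        print(f"[{rule}] {line}")
```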
     
  25. felinne

    felinne TS Rookie Topic Starter Posts: 21

    Hi again,

    I'm going to do what you posted right now.

    Other things I've noticed - my F8 for safe mode reboot does not seem to work. I have to reboot into safe mode using msconfig.

    Also, my Zonealarm Firewall keeps going off. I think some things are legit updates and others might be the virus.

    Also got a warning from my Internet provider yesterday saying my computer has malware and was trying to attack others.
     