TechSpot

Previous SDBot Trojan. Now KSOD

By Matt444
Apr 26, 2009
  1. Hey everyone. Like the title says, I have what some people call the Vista Black Screen Of Death (KSOD). I started downloading and seeding torrents two weeks ago, and now I know that was a mistake. :eek:
    About a week ago, the Documents folder would open every time any user would log in to Windows. It was annoying, but didn't seem to affect anything else with the PC. I searched for 5 days straight trying to figure out why this was happening. Everything I read pointed to a problem in the registry with explorer.exe. But, when I looked at the keys that everyone pointed me to, they all looked normal. So yesterday, my computer decided to start rebooting on its own, and would still open the Documents folder when I logged in. Avast found nothing, so I installed Webroot Spy Sweeper. This Dell machine is only 1 month old, and I have about 20 days left on my $30 subscription to Spy Sweeper, which was installed on my previous PC.
    Spy Sweeper found 4 traces of what it called SDBot Trojan Worm, and from what I read online about this wicked little worm, it looks like I will be changing all my passwords, credit card numbers, and bank accounts. So I had SS remove the SDBot, along with a bunch of Adware, and it told me to reboot. So I did, and the login screen came up like normal; but when I logged back in to Windows, all I got was a black screen, and a white mouse pointer.
    I figured out that I could get around using Task Manager - File - New Task (Run...) - then Browse to any application. That's how I found a thread on this Forum (topic 119604) about SDBot. It looks like "mflynn" did a good job helping out someone else with a similar problem. :grinthumb
    I think the problem still lies within explorer.exe, because when I try to run it from Task Manager, I get an error message saying that "Windows cannot find explorer.exe". I did the 8 steps, following all instructions in the "UPDATED 8-step Viruses..." thread. I ran CCleaner 4 times, and it always leaves .2 MB of IE Temporary Internet Files behind. MBAM found nothing, and SuperAntiSpyware found and removed 44 traces of Adware Cookies. I couldn't get to control panel (even with Task Manager), so I downloaded and installed Revo Uninstaller (recommended by someone on this forum). I removed all traces of Utorrent :blush: , and the previous version of Java ( Java 6 Version 7). My three logs are attached, and any help at all would be great. You guys really seem to know what you are doing, and I will follow all instructions anyone here gives me. I would like to avoid reformatting if possible, but I will do it if that is what it takes to get my machine back to normal. :)

    Thanks, Matt.
     


  2. ginalolanola

    ginalolanola TS Rookie

    sd bot trojan

    Matt,

    Did this whole problem start when you tried to download codec ?
     
  3. Matt444

    Matt444 TS Rookie Topic Starter

    I'm not sure. I guess it could have. I did download a codec to play an xvid format .avi file last week. Do you think that could be it?
     
  4. ginalolanola

    ginalolanola TS Rookie

    codec

    Matt, I am really not sure. I am totally new at this. The reason I was asking was because I was trying to play a simple DVD movie in a win. xp laptop that I just received from work and it said that I needed a codec or something. I had a friend of mine/computer guy look at it. He sent me this link to download a codec for free, but I'm afraid to do it. I've downloaded others and it still won't play the movies correctly without freezing up or acting crazy.
     
  5. Matt444

    Matt444 TS Rookie Topic Starter

    Sorry. I'm not one who should be giving advice as my computer is pretty messed up right now.

    Anyway, I downloaded Combofix and let it do its thing. I've attached the log in this post.

    ------------------

    Since I ran Combofix and it removed something, I now have no internet connectivity. I have no idea why. My other computers on the network using the same router are working fine. This trojan seems like it is far from gone, but I don't know what else to do at this point.

    ------------------

    OK. I think I got it after 2 days of searching/reading about explorer.exe. If anyone is having the same problems I was, it is somewhat common. Spy Sweeper deleted SDBot, which I think had corrupted/infected explorer.exe. Windows could not find the file at all. It didn't matter if I was in safe mode, or going through dos prompt, either; it could not find the file. I found this link while searching for a way to get my desktop back:

    http://en.kioskea.net/forum/affich-26897-all-my-task-bar-desktop-icons-missing?page=2

    This guy saved me from reformatting my hard drive. I grabbed explorer.exe from another machine running vista 32 bit, and copied it into C:/Windows. I was then able to browse to the file through task manager and open it. When I did, my desktop opened, and I was able to reboot. This time when I logged in, my desktop opened like normal, and did NOT open the Documents folder!

    I am a little concerned that when I tried to rename a copy of the "explorer" file to "explr" and save it to a folder on a different hard drive (just in case I ever need it later); Spy Sweeper popped up with a warning that it put something into quarantine. So I look in the quarantine, and it's the f'in SDBot Trojan again!!!

    So I did the 8 steps again and my new logs are posted here. I also installed Comodo Firewall. Should I run SuperAntiSpyware or Spy Sweeper? My subscription to SS expires in 18 days. I'm concerned because it is the only thing catching this Trojan. Or maybe it is a false positive?

    Someone with some experience looking at these logs please let me know if I need to do anything further.
    Thanks, Matt.



    ------------------

    OK so I was curious, and I ran Combofix after my last post. After it rebooted, I lost my desktop again, but this time, I had the background picture (instead of the black screen). But no icons, start menu, etc. Then an error message came up...the all too familiar "Windows cannot find explorer.exe". So I waited for Combofix to create its log file. Then I browsed to my laptop with task manager - file - new task - network. I copied the explorer file over to the desktop pc - C:\Windows folder. Then Spy Sweeper quarantined it again. So I released it from quarantine, and opened it. I got my desktop back, so I rebooted. Attached is the Combo Fix Log. I am extremely confused. Can someone please tell me if I am infected. It seems as though Combofix found and quarantined the explorer.exe file also. But I guess I need to scan my laptop now, because that is where it came from. :confused:

    I can do no more tonight. I am going to get some sleep.

    Help please.
    Thanks, Matt.

    ---------------------------

    Just wanted to clarify that this thread is for my desktop PC. This one has me baffled because I get the explorer.exe file from my Laptop PC, and when I put it on my Desktop machine, both Spy Sweeper and Combofix remove the file. Spy Sweeper calls the explorer.exe SDBot Trojan. Then I get the Black Screen of Death because Windows cannot find Explorer.exe. I started a new thread with logs from my laptop only to make sure it doesn't have the same SDBot Trojan. Thanks to anyone who might be able to help me out with this mess.

    ---------------------


    OK so it looks like Bobbye confirmed that my other pc is clean. So now I know this SDBot is trickier than I thought. It doesn't matter where I get the explorer.exe file from. As soon as I put it in this computer, SDBot corrupts/infects it. Has anyone else ever seen this before? What kind of special tool does it take to remove this worm?

    Edit:
    I did run HijackThis and Combofix, and the logs are attached dated 4-28. I then did a Spy Sweeper full scan, and it found 4 traces of SDBot Trojan. I have attached the Spy Sweeper log as well. As soon as I put the files into quarantine, I lost my desktop icons immediately (explorer.exe stopped running). Spy Sweeper said it needed to reboot in order to get rid of the files, but when I rebooted, Windows could not find explorer.exe, so Spy Sweeper couldn't finish its removal process. This can be noted in the Spy Sweeper log.

    note:the Spy Sweeper log reads from bottom to top chronologically...kind of confusing.

    It also must be noted that all 4 of these explorer.exe files are copies of the explorer.exe file from my other system. The other system was checked by Bobbye and checked out fine, but I haven't run Spy Sweeper on that one. Maybe I should, to be sure, because it looks like the normal tools are not seeing this Trojan.

    Edit:

    I ran Spy Sweeper on the other system, and it came back clean. So the file becomes infected when I copy it to this system. Looks like this trojan has embedded itself deep.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry Matt, I'm now about a week behind! After checking a gazillion sites for the 'Spy Sweeper Found Trojan Horse: sdbot' issue, the consensus has been that it is a false positive. Others checked it out with a variety of security programs, all of which came out clean.

    This 'find' was particularly noticeable in trial versions of Spysweeper. Let's run the AVP Tool from Kaspersky:

    Please download AVP Tool by Kaspersky.

    • Save it to your desktop.
    • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

    • Double click the setup file to run it.
    • Click Next to continue.
    • It will by default install it to your desktop folder. Click Next.
    • Hit ok at the prompt for scanning in Safe Mode.
    • It will then open a box. There will be a tab that says Automatic scan.
    • Under Automatic scan make sure these are checked.

    • System Memory
    • Startup Objects
    • Disk Boot Sectors
    • My Computer
    • Also any other drives (Removable that you may have)

    After that click on Security level then choose Customize, click on the tab that says Heuristic Analyzer then choose Enable Deep rootkit search then ok. Choose OK again to go back to the main screen.

    • Click on Scan at the top right hand Corner.
    • It will automatically Neutralize any objects found.
    • If some objects are left un-neutralized then click the button that says Neutralize all
    • If it says it cannot be Neutralized then choose the delete option when prompted.
    • After that is done click on the reports button at the bottom and save it as Kas to the desktop
    • Post only the detected Virus\malware in the report, it will be at the very top under Detected

    Note: This tool will self uninstall when you close it so please remember to save the log before closing it.

    Courtesy of kritius

    Attach log on next reply.
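    The two preceding posts disagree on whether the copied explorer.exe is really being altered on the desktop or merely misidentified by Spy Sweeper. The PowerShell check below is an added example, not from this thread or from any tool mentioned in it: it hashes the file and inspects its Authenticode signature so the file can be compared before and after a scanner complains. The function names, parameter names and the reference hash (to be taken from the known-clean laptop copy) are assumptions.

```powershell
# Added example (not from the thread): compare the desktop's explorer.exe against
# a hash taken from the known-clean copy, and inspect its Authenticode signature.
# Function names, parameter names and the reference hash value are hypothetical.

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists on newer PowerShell, so use .NET directly
    # (works on the PowerShell 2.0 that Vista-era systems typically have).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-ExplorerIntegrity {
    param(
        [string]$Path = "$env:SystemRoot\explorer.exe",
        # Hash of explorer.exe taken on the clean machine with Get-Sha256Hex.
        # The value below is a constructed placeholder, not a real hash.
        [string]$ReferenceHash = 'PLACEHOLDER-HASH-FROM-CLEAN-MACHINE'
    )
    if (-not (Test-Path -Path $Path)) {
        # This is the "Windows cannot find explorer.exe" state described in the thread.
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }
    $hash = Get-Sha256Hex -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path             = $Path
        Exists           = $true
        Sha256           = $hash
        # 'Valid' means a trusted embedded signature. OS binaries are often
        # catalog-signed, which older PowerShell reports as 'NotSigned'; in that
        # case rely on the hash comparison rather than the signature status.
        SignatureStatus  = $sig.Status.ToString()
        Signer           = $signer
        MatchesReference = ($hash -eq $ReferenceHash.ToUpperInvariant())
        SizeBytes        = (Get-Item -Path $Path).Length
    }
}

# Run once right after copying the file in, and again after the scanner
# complains. An unchanged Sha256 means the file was not modified and the
# detection is a false positive; a changed hash means something rewrote it.
Test-ExplorerIntegrity | Format-List
```

    Run the same Get-Sha256Hex on the laptop's copy first and paste that value as -ReferenceHash; if the desktop's hash matches before and after the quarantine warning, the file was never altered.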
     
  7. Matt444

    Matt444 TS Rookie Topic Starter

    Bobbye,

    Thanks for getting back to me. I don't think it is a false positive for a couple reasons:

    1. I followed your directions to download Kaspersky tool, and reboot into safe mode. When I double click on the installer file, it tries to install, then I get a Microsoft Windows error message: "Kaspersky Anti-Virus has stopped working". No matter how many times I try, I get the same message. I have tried deleting the file, and downloading again...same error.

    2. My antivirus program will not update. First I had the problem with Avast. So I uninstalled completely with Revo Uninstaller. Then I downloaded the free version of Avira. When the updater runs on Avira, it says : "Your program is up-to-date. You currently have optimum protection." ; then it continues to update over and over again. When I check the Avira program, it says it has never been updated.

    3. I now have been getting a blue screen message about Memory Management. I never got this message before. It goes away too quickly for me to read it, then it reboots.

    Are there any other scans we can do that might show what the problem is? It seems like the trojan is in the memory or something, because like I said before, when I copy the explorer.exe file from my other computer, which is clean, then somehow the file gets corrupted on this computer. Maybe the trojan is programmed to automatically do this??

    Thanks again for all your help. If anyone else has any insight to my problem, please offer it up. I'm open to any and all suggestions as I am that much closer to reformatting at this point.

    Thanks, Matt.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Things are getting too complicated Matt. You've got a gazillion logs and not progressed. You've run too many programs without guidance. We need to clean up the system and then assess the status:

    Please do this in the order I have set up:

    Do NOT transfer, copy or add an 'explorer.exe' file from another location. And whenever you see this file mentioned, make sure it is 'explorer.exe' and NOT 'explore.exe.'
    (explore.exe is added to the system as a result of the GRAYBIRD.G virus.)

    Do NOT run Combofix again unless instructed to do so. You have run it 5 times on your own.

    Do NOT use Revo and Windows Installer Cleanup Utility to uninstall programs. Use Add/Remove Programs in the Control Panel, or better, if a program has its own uninstaller, use that. The purpose of the uninstallers is to remove any leftover files that can't be deleted or cleaned any other way.

    Do NOT install any new programs or uninstall any old programs at this point. IF you get the Windows Updates automatically now, reset that to 'do not download or install updates. Instead tell me when they are available'. Do that in Control Panel> Security Center> Automatic Updates.

    Remove ALL of the cleaning tools:
    Download OTCleanIt HERE & save it to your desktop.
    Clear your existing System Restore points and establish a new clean restore point:
    Run CCleaner ONCE:
    Do the Error Checking:
    My Computer> right click on Local Drive- usually C> Properties> Tools> Error Check> Check both boxes on screen that comes up> OK> Close and reboot. Let it complete.

    Defrag the computer:
    My Computer> right click on Local Drive-usually C> Properties> Tools> Defrag> click on Defragment> let it complete.

    When all of the above have been completed, be sure you have only 1 antivirus program, 1 firewall and 2 or more spyware/adware programs.


    Let the following quarantine and/or remove what is found:
    Update and do a full system scan with your antivirus program.
    Run 2 scans with updates spyware/adware programs.


    Post back with description of the system when through.
    Do NOT run any more cleaning programs unless instructed to.

    Begin considering allowing Spysweeper to expire.
     
  9. Matt444

    Matt444 TS Rookie Topic Starter

    Bobbye,

    Thanks a lot for responding. I had a very long week at work, so I just now had a chance to go through your steps. Prior to your post, I uninstalled Avira because it would not scan or update. I reinstalled Avast, and I am having the same problems. Also prior to your post, I uninstalled Spy Sweeper because it kept removing the explorer.exe file, making my computer useless. I did a memory test , and found out that one of my sticks of RAM is bad. So I removed it and no more blue screen problems. Now for everything from your post:

    I haven't had a problem with explorer.exe being quarantined or deleted since I removed Spy Sweeper. It definitely was 'explorer.exe', and not 'explore.exe'. When my computer was missing this file, the only way I could get it back was by copying it from my laptop. It must be noted that the original explorer.exe file was the one that Spy Sweeper quarantined and deleted, before I copied it from my laptop. Spy Sweeper also subsequently quarantined and deleted the 'explorer.exe' files that did come from my laptop.

    I am sorry for running Combofix on my own. Most forums I visit really urge people to read as much as possible, and try to figure things out on their own. When I read up on the SDBot Trojan, another Guru from this forum suggested running Combofix. I should have realized that every computer problem is unique, and awaited an experienced technician's instructions. Now I know better.

    Again, I jumped the gun on this one. I read it somewhere else on this forum, and it sounded like a good idea; because the built-in uninstaller with Vista always seems to leave behind unwanted traces of the program I am trying to uninstall. I will stop using Revo unless I hear otherwise.

    I went to Control Panel> Security Center> Automatic Updates. But the only option that sounds like 'do not download or install updates. Instead tell me when they are available' -- is actually 'Check for updates but let me choose whether to download and install them.' I am using Windows Vista Home Premium...maybe your instructions were for Windows XP? Regardless, I was always told to do the automatic updates to make sure and not miss any security patches. But I did change the setting, because whatever I was doing obviously got me here, so I will do whatever you say at this point. :grinthumb



    Your link to download OTCleanIt isn't working, but I was able to download it here:

    http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    However, when I run the program, it tells me to reboot to finish removing. Upon rebooting, nothing has been removed, and it did not delete itself, either. So I'm not sure what the purpose of the program is.


    I was able to complete all the above with no issues. CCleaner removed about 700 MB of junk. Now lets get to my problem I was having in my previous post, and am still having now.

    1. Avast is my antivirus program...not working right now.
    2. Windows Firewall is my firewall. My computer is also behind a router with the firewall enabled.
    3. Malwarebytes Anti-Malware and SuperAntiSpyware Free Edition are my 2 spyware/adware programs. I am not sure if these are sufficient or if there are more you would recommend.

    This is the biggest problem I have right now, and the major reason I think my computer is still infected. When my computer starts up, I get the two Avast icons in the notification area in the bottom right hand corner of my desktop. The icon with the 'a' has a red circle with a red line through it, meaning it is not working. When I try to open the Avast control panel, I get this error message:

    When I click OK, a slightly different message pops up:

    When I try and manually update the program or virus definitions, it says it is downloading files. Then a window opens that says "Summary" with nothing else in the window. When I right click the Avast icon> About> Virus Definitions, it says 3/19/09.

    I cannot do a virus scan, either. So if I can't update or scan, and my resident shield is not loaded; I don't really have virus protection. I have manually allowed Avast in Windows firewall, and I never had this problem before the 'explorer.exe' file problem. Why is antivirus not working?

    I was able to run updates and full system scans with both MBAM and SAS. The logs are posted...nothing much to speak of there.


    I was already considering this, but, if you don't mind me asking, why do you suggest this? Is Spy Sweeper not regarded as a useful $20 tool for catching and removing spyware? If not, what would you recommend for something that catches spyware/malware before it gets to your computer?

    Also, what about this from my previous post:

    Any way to get my computer to run this program? I want to make sure I don't have the SDBot Trojan or some other Trojan that is preventing Kaspersky, Avira, and Avast from working properly.

    Once again, thanks for the long post Bobbye. Hopefully we can get to the bottom of this together. It would be nice to someday use my brand new computer for something fun again. But I won't be doing anything else on it until I hear back from you or someone else here. I have obviously screwed things up by trying to research and fix it on my own. I am starting to wonder if I should have taken my friend's advice and bought a Mac instead. :(
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Matt, these logs are clean. There is one Tracking Cookie, that's all.

    1. Try this link for OTCleanIt: http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    I checked the link I left and somehow it had htttp instead of http. Don't know how that could have happened. Go ahead with the cleanup. We need to get what you don't need now off the system.

    2. Please delete the logs for the programs that you have saved also> Mbam, SAS, HijackThis, Combofix> ALL of them. Empty the Recycle Bin when through.

    3. I'd like you to replace these programs as the resident programs. I don't think the free editions-which we use for scans-have the full programs and are therefore not the best for your resident programs. Instead, I suggest:

    Spyware/Adware Programs:
    SpywareBlaster: http://www.techspot.com/downloads/568-spywareblaster.html
    and one of the following:
    Spybot Search & Destroy:http://www.safer-networking.org/en/mirrors/index.html

    4. AFTER you do the above, download HijackThis and run a fresh scan, and attach the new log. I need to verify what security remains. I will instruct you further after I see the log.

    NOTE: best not to quote all my instructions. The moderator usually comes around and zaps it. I have numbered 1-4, so just tell me which you did and if there was a problem. They are still here, right above where you are replying> just navigate up a bit if you need to refer to them.

    As for Spy Sweeper: I had this program on two systems for several years. Then, after an update, my network didn't work. I checked all the settings and they should have been correct, but it turned out that the update had disabled 2 Services I needed. The bad thing was that it wouldn't let me disable the program! I tried for 3 days for a workaround and finally got it off. (SS Support was of no help). Once removed, I reset the Services and had no more problems.
     
  11. Matt444

    Matt444 TS Rookie Topic Starter

    Bobbye,

    1. I used that link to download OTCleanIt last time, as stated in my previous post. I just tried it again, and it did not remove or delete anything. What is it supposed to do?


    2. I deleted all the logs.


    3. I downloaded and installed SpywareBlaster and Spyware Doctor. Spyware Doctor found registry entries for Combofix, but would not remove them unless I paid. Is this program worth paying for? Also, is it OK to let both of these programs run in the background?


    4. New HJT Log posted.


    I quoted your instructions because I wanted to be sure you understood exactly what I was doing, and that I was reading your post word for word. I will stop doing that in the future.

    Thanks, Matt.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Matt, I don't have any problem with the quotes. But the moderator is deleting some of the posts with them. I thought it would save you the trouble of having to type it again:

    OTCleanIt removes the programs you have used as cleaning tools.
    It does not delete anything else.

    For spyware/adware programs: I should have removed Spyware Doctor. My apology. A free scan is available but it does not have the features of the full (read 'paid') program. Please uninstall it> open the program in All Programs. If it has its own uninstaller, use that. If not, uninstall in Add/Remove Programs in Control Panel.

    Security programs usually won't uninstall if they're running, so do this before you try the uninstall:
    Boot into Safe Mode then follow this:
    Start> Run> msconfig> enter> Selective Startup> Start menu> UNCHECK the following entries:
    pctsAuxs.exe
    pctsSvc.exe
    pctsTray.exe
    If there is anything like 'Spyware Doctor' or 'PC Tools', uncheck them also.

    Then do this: Start> Run> services.msc> double click on these Services> change Startup type to Disabled> Stop the Service.

    Uninstall Spyware Doctor

    Boot into Normal Mode. Ignore the nag message and close it after checking 'don't show this message again.'

    Download Spybot Search & Destroy from HERE and save to your desktop.
    Double click the setup to run. Do a full System Scan.

    Then do a full system scan with Avast. Attach logs if anything is found. I may have you start over with Combofix now that the other programs have been run> but wait on that please.

    We're going in circles here so let's try and go in a straight line.
     
  13. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    See how I have quoted the one specific part of the message that is all that is required
    Full quotes from the previous message (or the original) is not required

    Guide to Making a Good Post/Thread http://www.techspot.com/vb/topic33297.html
     
  14. Matt444

    Matt444 TS Rookie Topic Starter

    Bobbye,

    First of all I want you to know that I really do appreciate the time and energy you guys put into helping us out. I hope to one day be able to return the favor to you and others. I feel I need to quote myself here because we are having a communication problem. My biggest issue right now is that Avast will not update or scan.


    Also , OtCleanit is not removing anything. Which specific programs should it be removing?

    I don't want to go in circles. But I can't go in a straight line if you ask me to do something (do a full system scan with Avast) that I specifically stated in my previous post I can not do right now. Am I missing something?

    Thanks again, Matt.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Matt, I cannot go back and re-read every post on a thread before I reply. Frankly, you need to focus on the problem more clearly. Your first post rambled on and it was difficult to pull out the actual problems. You then decided to run Combofix, a program that clearly states it should not be run unless an experienced helper tells you to run it.

    Then you re-ran Combofix 5 times! I tried to clear your system of the cleaning tools as you were beginning to get 'memory' messages.

    Why don't you PM this person- if he's still around!!
     
Topic Status:
Not open for further replies.
