Backdoor.Sdbot

Status
Not open for further replies.

Emre

Hi, I'm absolutely, bitterly infected by something that comes up in my Spyware Doctor scans every time I reboot. Spyware Doctor calls it Backdoor.Sdbot; I took my time researching it on the net and found out it is a major problem. Help please, if you can. (All steps are done and I run Spyware Doctor scans every once in a while - the virus comes back only after reboots tho.)
 
The MBAM log found two bad registry entries, but you failed to ALLOW the program to fix errors, so it just reported the findings.

Use the options to enable Auto Fix
 
Oh, so that was that. Windows Defender had found a program trying to function without permission (normally it doesn't fix into MBAM's work, lets it do its job), so I had Defender stop that program; I guess it was MBAM trying to erase that virus. I will re-scan and do all steps again, but I do guess those 2 harmful entries are not the problem; I expect a backup file somewhere buried in the PC for the virus. I'll let you know when I finish.
 
Ok, now I have done a full system scan with MBAM and SAS, then got a HJT log. (I did various scans before I got these results; they seem nearly clean, but I do have a guess that I will have my backdoor trojans when I restart...) (I am not including my MBAM log as it was absolutely clear - nothing found.)

Edit: After reboot: I still have the Backdoor.Sdbot stuff; nothing has changed with these scans. Will anybody help me...
 
"Backdoor.win32.Sdbot.acj (Kaspersky)" is the definition Spyware Doctor names the virus. I hope somebody will get interested; it seems to be slowly infesting my whole PC. (At first it used to find 20 results each scan after reboot; this morning it found 80!)
 
Hi Emre my friend

I have been away since Christmas until last Monday but was so busy catching up with work last week I still did not have time to check in. I tried twice yesterday but was interrupted by visitors.

The order of the steps is important, so follow the order.

Once you begin these steps do no other WWW browsing or email, or play any videos or movies from the HD!

1. Update MBAM and SAS
2. Download Dr. Web Curit http://www.freedrweb.com/cureit/
3. Download Norman Malware Cleaner http://www.norman.com/Virus/Virus_removal_tools/24789/

then
Download SDFix to Desktop; among other things it includes Catchme to look for RootKits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SDFix. Double-click to enter SDFix.

Double-click RunThis.bat. Type Y to begin.

SDFix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe and follow the prompts.

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

After posting all the logs from above, boot to regular Safe Mode and run

1st: DR web
2nd: Norman

Mike
 
Thanks for your help Mike, I hope you and I will be able to clean this one too :) Now, you may not remember, but the last time you helped I told you that SDFix doesn't work on my PC --- Vista --- but I followed the rest of the instructions you gave, attaching the 2 logs you wanted. Now I will reboot and run the 2 programs you wanted me to download in the first place.
 
P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Many of these Downloads are targeted to carry infections.

Therefore, more and more Malware-Removal Forums will NOT help someone UNLESS the P2P program is completely REMOVED; having the uTorrent program on your computer, you are fortunate to get help from Mike unless he has failed to notice this program on your computer.
 
Hello Emre

SpiritWind is correct. P2P is the best way I know to get infected. Do not have it active while we are cleaning.

It is not for me to say, but if you must do it after we are fixed I will guide you in safer ways of doing it.

One way is to do it and test with multiple scanners all within a Virtual Machine.

This is one of the reasons I requested you do these scans in Safe Mode, in addition to the fact that in Safe Mode some malware can be more exposed and easier to damage or eradicate. Expect them to take longer because of Safe Mode.

For now I am awaiting the logs.

Once the other logs are posted, download and install the new SDFix, as SDFix does run under Vista. But to run it do the following:

1: Install SDFix in normal Mode
2: Control Panel, User Accounts: choose the logon you are using and turn off User Account Control (UAC); this will require a reboot. (Turn it back on after the run.)
3: Reboot back to Safe Mode and browse to the SDFix folder. Right-click Runthis and choose to run as Administrator.

Mike
 
Thanks for the attention SpiritWind, and thanks for helping regardless of what I do, Mike. I appreciate it. Well, about SDFix - I already tried with UAC off; both ways SDFix doesn't work. Surprisingly, after the ComboFix scan, Norman scan and DrWeb scan, I still have the Backdoor.Sdbot virus, and now ComboFix shows up in my scans as a potentially unwanted program + now I have the problem of Adware.Advertising type viruses showing up. I wonder what I did to add them; everything I did was under your strict instructions.
 
From Safe Mode run another ComboFix.

Did you get logs from Norman and Dr Web? And/or did they detect them?

Mike
 
Both Norman and Dr Web detected nothing; that's driving me nuts (no infected files, nothing found, nothing deleted, repaired, nada). I guess I will do another ComboFix now.
 
Done another ComboFix, nothing changed. I guess I will have to format my PC; I will try whatever else you say tho. I'm waiting for your replies (latest ComboFix and HJT logs attached).

Spyware Doctor finds 19 applications of Backdoor.Sdbot, 1 Trojan.Generic and 18 PUA's (Application.NirCmd), all PUA's from ComboFix; the generic is in HKEY_USERS\...\Software\Wget.
 
Hold on!

I am still at work. Give me a while, an hour or more, and I will get you a ComboFix script to get this manually.

Mike.
 
Holding on; you know I love you [in an absolutely manly way ;) ], don't you?

Thanks, Emre.

(By the way, I may not be able to reply until tomorrow, as it is 00:26 am here and I have a final tomorrow =) )
 
Get me a Spyware Doctor log with the specific files it cannot clean. I need this for the ComboFix script.

then

Go here : https://www.techspot.com/vb/post684649-3.html

1. Download Fixit.zip
2. Unplug network cable or turn off Modem/Router
3. Reboot to Safe mode.
4. Then rename and run as instructed.
5. When it reboots keep it in Safe Mode.
6. Run Spyware doctor in Safe mode

Then reconnect the cable, reboot to normal mode and post results.

Mike
 
Well, I will post the whole history of my Spyware Doctor and let you have it your way from then on. (It is in Turkish unfortunately; however, I guess what it says is clear enough to understand. If you have problems with reading or understanding, you can always ask me.) I had to cut 2/3 of the log to fit here, but everything's about the same as this part.

Downloaded the Fixit; will do the rebooting, renaming and so on tomorrow, I really have to sleep some time soon :)

Thanks for everything, I don't know what else to say.

Have a good day Mike. (Or evening, I assume.)
 
After fixit.exe, the 1 virus showing up was gone. I only get my usual Backdoor.Sdbot and "ComboFix is a PUA" warning.

I'm adding the logs that I assume were given by Fixit (logs don't come out of nowhere now, do they?).
 
Good Morning

Ok, I could not read enough of the Spyware Doctor log to be sure, so see if it allows changing the language, then zip the log and attach it.

--------------------------------------------------------------------------------------------------------
Do this:

DDS
D/L to Desktop: DDS by sUBs from one of these locations:

http://www.techsupportforum.com/sectools/sUBs/dds
http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

double click DDS.scr to run

When complete, DDS.txt will open.

Click Yes for Optional Scan.
Save both reports to your desktop.
DDS.txt
Attach.txt

Attach the contents of both logs back here.
--------------------------------------------------------------------------------------------------------

This boy gets into System Restore, so do the below. That may be where Spyware Doctor is detecting most entries (in System Volume Information).

Before turning off System Restore get ERUNT: http://www.derfisch.de/lars/erunt-setup.exe

Install it, run it and let it do a registry backup and add an entry to Startup!

Instructions to turn off SR: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

then

Start-Programs-Accessories-System Tools-Disk Cleanup
Click OK to accept C:
Select all Boxes
Then click More Options
Here click System Restore, OK to "Are you sure" and then OK to run.

As this runs it clears all but the most recent Restore Point, but it also clears one other thing that can contain infested files and take up a huge amount of disk space.

Then rerun Spyware Doctor and post the (English hopefully) log.

Reboot, turn SR back on and make a Restore Point.

Mike
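As an added illustration of the point Mike makes above about hits living in System Volume Information (this is example code, not from anyone in this thread): a small Python triage script that buckets scan hits by whether the path is a restore-point copy, a live file or a registry key, so you can see at a glance how many detections the System Restore cleanup is expected to remove. The "threat, location" log format and every path in it are constructed for the example; Spyware Doctor's real log format is not assumed.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample lines in a simple "<threat>, <location>" layout. This is
# NOT the real Spyware Doctor log format; the paths and SID are made up too.
SAMPLE_LOG = """\
Backdoor.Sdbot, C:\\System Volume Information\\_restore{0B1C2D3E}\\RP12\\A0004521.exe
Backdoor.Sdbot, C:\\System Volume Information\\_restore{0B1C2D3E}\\RP12\\A0004522.dll
Backdoor.Sdbot, C:\\Windows\\System32\\example_dropper.exe
Trojan.Generic, HKEY_USERS\\S-1-5-21-1234\\Software\\Wget
Application.NirCmd, C:\\ComboFix\\nircmd.exe
"""

# threat name up to the first comma, then the file path or registry key
LINE_RE = re.compile(r"^\s*(?P<threat>[^,]+?)\s*,\s*(?P<location>.+?)\s*$")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (threat, location) pairs, silently skipping non-matching lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("threat"), m.group("location")))
    return entries


def classify_location(location: str) -> str:
    """Bucket a hit: registry key, cached restore-point copy, or live file."""
    loc = location.lower().replace("/", "\\")
    if loc.startswith(("hkey_", "hklm\\", "hkcu\\", "hku\\")):
        return "registry"
    if "\\system volume information\\" in loc:
        return "restore_point"  # old copy kept by System Restore, not a running file
    return "live_file"


def triage(text: str) -> Dict[str, Counter]:
    """Per threat name, count how many hits fall into each bucket."""
    result: Dict[str, Counter] = {}
    for threat, location in parse_log(text):
        result.setdefault(threat, Counter())[classify_location(location)] += 1
    return result


def restore_point_share(text: str) -> float:
    """Fraction of all hits that are restore-point copies (0.0 if log is empty)."""
    entries = parse_log(text)
    if not entries:
        return 0.0
    cached = sum(1 for _, loc in entries if classify_location(loc) == "restore_point")
    return cached / len(entries)
```

A high restore-point share means most hits are stale snapshots that purging restore points removes; any remaining live_file or registry hits are the ones still worth hunting.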
 
Did all you asked for, nothing changed (tho you saved me 30 GB of disk space, thank you very much). I am posting the Spyware Doctor log too (in English too! :) )

Looking forward to hearing from you,

Emre.
 
Sorry so long getting back. Still working then out to eat!

It will take a while to go through the logs. In the meantime do the below.

Update SAS!

D/L NOD32 stand alone cleaner: http://finalbuilds.edskes.net/nod32.htm

Boot to Safe Mode.

Run SAS, click Preferences-Repairs. Counting down from the top do
#7, 9, 10, 11, 13, 14, 15, 16, 19, 20, 21 and 22. Then run a SAS quick scan.

then still in Safe Mode run NOD32

Then rename combofix.exe to cbf.exe and run it again before booting back to normal. Then post the log.

Then rename Hijackthis.exe to 1hjt.exe, run it and post the log.

Mike
 
Hey Mike, did NOD32, the SAS stuff, ComboFix and HJT, all of it. When I had a Spyware Doctor scan afterwards I was absolutely shocked; it found the usual Backdoor.Sdbots with the addition of a Trojan.Generic which is in a registry key (hkey_users...\software\wget) and 276 PUA's... all being ComboFix. (Why is Spyware Doctor doing this every time I scan and choose not to erase ComboFix? Why is it considered an unwanted program anyway? Where does this generic trojan come from? Should I normally let Spyware Doctor clean everything it finds - which I had been postponing, not erasing the ComboFix files? I can't be sure; but this time I will clean, I guess it will erase the whole ComboFix file; I have the setup, I can install it again if I need to use it later.)

Here are the logs; log.txt is of ComboFix.

(Oh, by the way, the log says both McAfee and Spyware Doctor are outdated; that's a lie. I checked and rechecked both; they call themselves up to date.)
 