Help with Trojan Horse IRC/Backdoor.SdBot2.KLE

Status
Not open for further replies.

felinne

Hi All,

I just reformatted my computer and caught these almost the moment I connected to the web:

1. Trojan Horse IRC/Backdoor.SdBot2.KLE
2. Trojan Horse.28.A (in 3 different places)

I've found postings on 28.A but can't find any info on this Backdoor virus specifically.

I'm running Windows Update right now and installing a bunch of updates.

Please help!
 
Hello and Welcome to Techspot!! :)

I'd recommend first to download AVG Free Antivirus from HERE.
Also, follow the instructions on THIS page, and also check THIS.

And then post your HJT log :)

Regards :wave:
 
I've got AVG. Here's my HJT log:



Also, this is what's in my AVG virus vault.
Trojan horse IRC/BackDoor.Sdbot2.KLE
path: C:\WINDOWS\Isass.exe

Trojan horse Dialer.28.A
path: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OBQP6RC1\adult1[1].exe

Trojan horse Dialer.28.A
path: C:\wen6j4d5.exe

Trojan horse Dialer.28.A
path: C:\System Volume Information\_restore{4369A080-83C6-4143-8A2F-477188C0ED01}\RP17\A0003754.exe
 
Hello and welcome to Techspot.

Never ever connect to the net without firewall protection. That's why you've been hit so quickly.

Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:


This thread is for the use of felinne only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi:

I was actually in the process of updating Windows Service Pack 2 but cancelled (almost finished when I hit cancel)...it's been like 10 min and it's still cancelling, but my Task Manager says everything is running. Should I wait it out before doing what you say? Or, do a reboot?

Thanks.
 
It just gets better, doesn't it lol.

Since you have just reformatted, maybe it'd just be better to format again and start from scratch. Only this time, don't connect to the net until you've installed your firewall software.

Regards Howard :)
 
Actually, someone upstairs was merciful and the updating finally stopped. I ended up installing 1/8 components of the Windows SP2. Now, I am following the instructions on your post. At the online scan step right now!

How do I disable auto updates? It keeps updating and asking me to restart, so annoying. :p
 
Right click my computer and select properties. Click on the Automatic updates tab and check the Turn off Automatic updates button, click apply/ok.

Regards Howard :)
 
Got it. I'm running the online scans right now. Picked Kaspersky, should I scan every category? I'm doing My Computer right now or just the critical stuff? Cuz it's takin' a while.
 
You should scan everything. Just go and have a cup of coffee or something.

Following the instructions will take you a good couple of hours at least.

Regards Howard :)
 
Question: the online scan doesn't seem to have a removal function. I saved the report from the first one. A trojan was definitely found.
 
That's ok, try the Trend scanner next.

Ps: All logs should be posted as attachments. Thanks.

Regards Howard :)
 
Hi:

Thanks for being so responsive. I'm about to start on the Trend scanner. Here is the log for Kaspersky critical scan:

Edit: Pasted log removed.
 
Ok, no problem.

I must reiterate. All log files should be posted as attachments and not copy and pasted.

Regards Howard :)
 
Oops I am sorry. Would you like me to repost as attachments? Otherwise, I'll do that for the next ones. Going to do the Trend scan now.
 
No, it's ok, you don't need to repost them. After the Trend scan, go to the rest of the instructions. Post the results after you've completed the instructions.

Regards Howard :)
 
Uh, what happens if my Trend platform and browser test (which is supposed to take a few secs) is taking an eternity?
 
If you're having problems with the Trend scan, skip it and go to the rest of the instructions.

Regards Howard :)
 
It's still testing browser and platform...that's not the scan right? I'm tempted to hit stop.

Oo, I think I was missing some plug-ins. Installing them now. If it still doesn't work, then I'll skip the Trend scan.

Thank you again for helping me. I really appreciate it.
 
By all means stop it. Now follow the rest of the instructions, starting with installing a firewall if you haven't already installed one. Then continue with the rest of the instructions and post a fresh renamed HJT log and an AVG Antispyware log when you've completed the instructions.

Regards Howard :)
 
It's ok, you don't need to post every log as you get them. Wait till you've completely finished, then attach the lot lol.

Regards Howard :)
 
Okay. Trying to go through the rest of the process now.

Down to the last stretch.

My God, I'm finally done. Exhausted but went through the list. I'm attaching my HJT log and the AVG log.

I would like to note that I ran all the final "cleanup" steps in Safe Mode. Hope that's right. Also, I got the following errors when I ran AVG Anti-Virus (the scan in Safe Mode was otherwise clean):

Partition table (MBR) Reading Error
Boot sector of disk C: Reading Error

Please advise on the next steps.
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

LSA Shel (Note: only one L.)

Close the services window.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O17 - HKLM\System\CCS\Services\Tcpip\..\{AA8FB665-61FF-4A4F-8C36-EA9E19C41A9B}: NameServer = 216.254.95.2,216.231.41.2 (Only fix this if it doesn't belong to your ISP.)

O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\lsass.exe

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)
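The tell the helper is relying on above is that the real Local Security Authority process lives in C:\WINDOWS\system32, not directly under C:\WINDOWS, and that the service name is one letter short of "LSA Shell". As an added example (not the helper's tool and not anything posted in the thread), here is a small check a reader could run over their own HijackThis O23 entries to flag such look-alikes; the sample lines are constructed, with the first modelled on the entry quoted above and the second using a capital "I" as in the AVG vault path quoted earlier.

```python
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style O23 lines (not the poster's real log).
SAMPLE_O23_LINES = [
    r"O23 - Service: LSA Shel (Export Version) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)",
    r"O23 - Service: Windows Update Helper - Unknown owner - C:\WINDOWS\Isass.exe",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe",
]

# Where Windows XP keeps the real lsass.exe, and common look-alike spellings
# (the real name, a capital I, a digit 1, and a dropped letter).
LEGIT_LSASS_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
LSASS_LOOKALIKES = {"lsass.exe", "isass.exe", "1sass.exe", "lsas.exe"}


def parse_o23(line):
    """Split an O23 line into (service name, owner, image path), or None if not O23."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].split(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    # HJT appends "(file missing)" when the image is gone; strip it before path parsing.
    path = re.sub(r"\s*\(file missing\)\s*$", "", path).strip()
    return name, owner, path


def lsass_warnings(line):
    """Return the reasons an O23 entry looks like an lsass impersonation ([] if clean)."""
    parsed = parse_o23(line)
    if parsed is None:
        return []
    name, _owner, path = parsed
    image = PureWindowsPath(path)          # Windows paths compare case-insensitively
    base = image.name.lower()
    reasons = []
    if base in LSASS_LOOKALIKES and base != "lsass.exe":
        reasons.append("file name is a look-alike of lsass.exe")
    if base in LSASS_LOOKALIKES and image.parent != LEGIT_LSASS_DIR:
        reasons.append("lsass-style image outside C:\\WINDOWS\\system32")
    if "lsa shel" in name.lower() and "lsa shell" not in name.lower():
        reasons.append("service name mimics 'LSA Shell'")
    return reasons


def suspicious_services(lines):
    """Map each flagged service name to its warnings, for a whole HJT log."""
    return {parse_o23(l)[0]: w for l in lines if (w := lsass_warnings(l))}
```

A clean hit on the O17 NameServer line cannot be automated the same way, since only the ISP's own DNS addresses decide whether it belongs.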
 
Hi again,

I'm going to do what you posted right now.

Other things I've noticed - my F8 for safe mode reboot does not seem to work. I have to reboot into safe mode using msconfig.

Also, my Zonealarm Firewall keeps going off. I think some things are legit updates and others might be the virus.

Also got a warning from my Internet provider yesterday saying my computer has malware and was trying to attack others.
 