Virus 'Backdoor.Sdbot' identified in file dveldr.exe


johngross

I was cleaning up my WinXP laptop, preparing to upgrade to SP2.

Symantec AntiVirus identified something as 'Backdoor.Sdbot' in a file
named 'dveldr.exe' in \windows\system32. The file was deleted, an
Internet Browser Temporary File Cache was deleted, and two registry
keys were actioned, as follows (I have just copied these from the SAV
history log):

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Shell
[Action: Set]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RunServices :
Microsoft Time Manager [Action: Delete]

I thought nothing of this at the time; however, after upgrading to SP2,
I was checking in the registry for something and I noticed the same
file name in a key. I searched the registry for this name and found the
following keys mentioning the name:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Time Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dveldr"
"hkey"="HKLM"
"command"="dveldr.exe"
"inimapping"="0"

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_USERS\S-1-5-21-436374069-706699826-854245398-500\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

I am concerned by the fact that this file seems to be associated
with some Microsoft product "Microsoft Time Manager", and that it may
be important in some way.

Although the above registry keys exist now (I have no idea whether any
of them existed pre-SP2), the .exe file does not exist post-SP2.

Can anyone tell me how important it is, and whether I should re-install
it (presumably from my original XP install CD?)
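The .reg excerpt above is exactly the kind of export a responder works through by hand after an AV product reports a backdoor: which entries are live autostart locations, which are leftovers, and which account each hive belongs to. The script below is an added example written for this thread, not code from the original post or from Symantec. It parses the "Windows Registry Editor Version 5.00" format, flags every value that names the reported executable, classifies each hit (Winlogon Shell, msconfig's startupreg record of an unchecked startup item, a Run-type key, or none of those) and labels the HKEY_USERS SIDs (S-1-5-18 is LocalSystem; a SID ending in -500 is the built-in Administrator). The sample data is the excerpt from the post plus one constructed Winlogon section, marked as such, representing the pre-cleanup state that the SAV log line "Winlogon : Shell [Action: Set]" implies; the "explorer.exe" default it is compared against is the documented default shell value.

```python
"""Scan a Windows .reg export for values referencing a suspect executable and
classify each hit by the persistence mechanism it belongs to (added example)."""
import re
from collections import Counter

# The .reg excerpt from the post, plus one constructed Winlogon section.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Time Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dveldr"
"hkey"="HKLM"
"command"="dveldr.exe"
"inimapping"="0"

[HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_USERS\S-1-5-21-436374069-706699826-854245398-500\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

; constructed section (not from the post): pre-cleanup Winlogon state implied by the SAV log
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe dveldr.exe"
'''

# "name"=data or @=data; the name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def unescape(s):
    # .reg files double backslashes and escape quotes inside string data.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Yield (key_path, value_name, data) for every value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue                       # blank line, comment, or file header
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]               # start of a new key section
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue
        name = '(Default)' if m.group(1) is None else unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])    # REG_SZ; dword:/hex: data is left raw
        yield key, name, data


def classify(key, name):
    """Label a key/value by the autostart mechanism it belongs to."""
    k = key.lower()
    if k.endswith('\\currentversion\\winlogon') and name.lower() == 'shell':
        return 'winlogon-shell'            # Winlogon starts whatever is listed here as the shell
    if '\\msconfig\\startupreg\\' in k:
        return 'msconfig-disabled-startup'  # msconfig's record of an unchecked startup item
    if re.search(r'\\currentversion\\run(once|services|servicesonce)?$', k):
        return 'run-key'
    return 'other'                         # Windows does not launch programs from here


def describe_hive(key):
    """Say which account a key belongs to; HKEY_USERS subkeys are SIDs."""
    parts = key.split('\\')
    top = parts[0].upper()
    if top == 'HKEY_USERS' and len(parts) > 1:
        sid = parts[1]
        if sid == '.DEFAULT':
            return 'default profile hive (HKU\\.DEFAULT)'
        if sid == 'S-1-5-18':
            return 'LocalSystem account hive'
        if sid.endswith('-500'):
            return 'built-in Administrator account hive (RID 500)'
        return f'user hive {sid}'
    return {'HKEY_LOCAL_MACHINE': 'machine-wide hive (HKLM)',
            'HKEY_CURRENT_USER': 'current user hive (HKCU)'}.get(top, top)


def find_references(text, exe_name):
    """Return hits: values naming exe_name, plus any Winlogon Shell that is not explorer.exe."""
    hits = []
    needle = exe_name.lower()
    for key, name, data in parse_reg(text):
        kind = classify(key, name)
        if kind == 'winlogon-shell' and data.strip().lower() != 'explorer.exe':
            reason = 'Shell is not the default explorer.exe'
        elif needle in data.lower():
            reason = f'references {exe_name}'
        else:
            continue
        hits.append({'key': key, 'name': name, 'data': data, 'kind': kind,
                     'hive': describe_hive(key), 'reason': reason})
    return hits


def summarize(hits):
    """Count hits per persistence class."""
    return dict(Counter(h['kind'] for h in hits))


if __name__ == '__main__':
    found = find_references(SAMPLE_REG, 'dveldr.exe')
    for h in found:
        print(f"[{h['kind']}] {h['hive']}: {h['key']} :: {h['name']} = {h['data']!r} ({h['reason']})")
    print(summarize(found))
```

Run against the excerpt, the four OLE values come back as "other": Windows does not launch anything from Software\Microsoft\OLE, so they are residue to delete, not live persistence. The startupreg entry is different: its "key", "hkey" and "item" values record that an item named "dveldr" was registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and unchecked in msconfig, which is worth checking against that Run key itself. Only the Winlogon Shell and Run-type classes would relaunch the file if it were restored, which is why the answer to "should I reinstall it" is no.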
 

David H. Lipman

From: "johngross" <[email protected]>

| I was cleaning up my WinXP laptop, preparing to upgrade to SP2.
|
| Symantec AntiVirus identified something as 'Backdoor.Sdbot' in a file
| named 'dveldr.exe' in \windows\system32. The file was deleted, an
| Internet Browser Temporary File Cache was deleted, and two registry
| keys were actioned, as follows (I have just copied these from the SAV
| history log):
|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Shell
| [Action: Set]
|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RunServices :
| Microsoft Time Manager [Action: Delete]
|
| I thought nothing of this at the time; however, after upgrading to SP2,
| I was checking in the registry for something and I noticed the same
| file name in a key. I searched the registry for this name and found the
| following keys mentioning the name:
|
| Windows Registry Editor Version 5.00
|
| [HKEY_CURRENT_USER\Software\Microsoft\OLE]
| "Microsoft Time Manager"="dveldr.exe"
|
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Time Manager]
| "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
| "item"="dveldr"
| "hkey"="HKLM"
| "command"="dveldr.exe"
| "inimapping"="0"
|
| [HKEY_USERS\.DEFAULT\Software\Microsoft\OLE]
| "Microsoft Time Manager"="dveldr.exe"
|
| [HKEY_USERS\S-1-5-18\Software\Microsoft\OLE]
| "Microsoft Time Manager"="dveldr.exe"
|
| [HKEY_USERS\S-1-5-21-436374069-706699826-854245398-500\Software\Microsoft\OLE]
| "Microsoft Time Manager"="dveldr.exe"
|
| I am concerned by the fact that this file seems to be associated
| with some Microsoft product "Microsoft Time Manager", and that it may
| be important in some way.
|
| Although the above registry keys exist now (I have no idea whether any
| of them existed pre-SP2), the .exe file does not exist post-SP2.
|
| Can anyone tell me how important it is, and whether I should re-install
| it (presumably from my original XP install CD?)

There are anti virus News Groups specifically for this type of discussion.

In the Microsoft hierarchy there is;
Seems like a Righteous find by SAV/NAV. Sure looks like an SDBot variant by the Registry
entries.

Symantec software is NOT good at cleaning the Registry of alterations. The following
are...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 

johngross

David said:
There are anti virus News Groups specifically for this type of discussion.

In the Microsoft hierarchy there is;


Thanks, Dave.

Sorry I missed the right place to post this. Should I post it again in
the Group you suggest?

In the meantime, I will look at following your other suggestions.

Thanks again for your amazingly quick response!

John
 
 

David H. Lipman

From: "johngross" <[email protected]>


| Thanks, Dave.
|
| Sorry I missed the right place to post this. Should I post it again in
| the Group you suggest?
|
| In the meantime, I will look at following your other suggestions.
|
| Thanks again for your amazingly quick response!
|
| John

No there is no need to re-post. I will help you.

Just note the Security and Virus group for the future.
 

David H. Lipman

From: "johngross" <[email protected]>


| Thanks, Dave.
|
| Sorry I missed the right place to post this. Should I post it again in
| the Group you suggest?
|
| In the meantime, I will look at following your other suggestions.
|
| Thanks again for your amazingly quick response!
|
| John

However, I must add...

There was NO reason to re-post this query. You created TWO posts. When you post please
wait. There is always a time delay between posting and seeing your post in the News Group
in the Microsoft Hierarchy directly connected to the Microsoft News Server.
 

johngross

David said:
There was NO reason to re-post this query. You created TWO posts. When you post please
wait. There is always a time delay between posting and seeing your post in the News Group
in the Microsoft Hierarchy directly connected to the Microsoft News Server.

Sorry, I accidentally clicked the [Post message] button more than
once... three times?

I knew what I'd done the moment I'd done it, but couldn't take it back!

Thanks for your advice and help.

Regards,
John
 

johngross

Hi David,

I downloaded/installed Multi-AV on a desktop running Win98SE, and
decided to check it out on that system before going to the trouble of
connecting the laptop (which runs Win XP Pro) to the internet to do the
same.

After installing Multi-AV, I ran the 'Start Menu' program and
downloaded the required components from all four websites.

I did not intend to run any of them, but I accidentally ran the Trend
SysClean in Normal mode during this process. It seemed to find no
threats, if my reading of its report file(s) is correct.

I then booted from a Win98 FD, into a simple DOS command mode
environment, and began running the xxxCLEAN.BAT files:

SOFCLEAN.BAT (for Sophos) ran for a *very, very* long time... mainly
due to the frequent interaction necessary: namely, prompts of various
kinds, e.g.

[ file name ]: 1000,000 classification loops

or
[ file name ]->Content: 1000,000 classification loops

or various permutations of
[ file name ]->Content\Embednnnn->ReScan\Embednnnn: Elapsed Time mmm:ss

followed by
Continue with this file?

With little idea of what these might mean, and how I should respond, I
tried responding Y. However, after it took a number of responses and
well over two hours to "complete" *one* file, I decided to respond N
from then on. I hate to think how long it might have taken if I had
responded Y to every such prompt; as it was, it ran for about 30 hours
(with quite a number of delays while it waited for my response -
including the 8-9 hours while I was asleep!). Eventually I had to stop
it because we needed to access something important on the computer.

I certainly did not expect this consumption of time (while the system
is in DOS mode or Safe Mode and unusable for other work), and even
worse, the need to sit in front of the screen to respond to the
prompts. I find myself wondering whether the thoroughness of the scan
that is - presumably - being done is worth this investment of time.

By the way, the report file (avreport.txt) shows no evidence of the
scan having found any threats.

Please don't bother to respond to this post; when I get a chance, I
will try running the scans in normal mode and in safe mode, when (I
understand) I can limit the scans to particular folder(s)/drive(s).

I'll let you know how that goes.

Regards,
John Gross
 

Leythos

I then booted from a Win98 FD, into a simple DOS command mode
environment, and began running the xxxCLEAN.BAT files:

You should have run from the start item, not the individual bat files,
that is the root of all your problems.
 

johngross

Hi David,
You should have run from the start item, not the individual bat files,
that is the root of all your problems.

I tried to test Multi-AV in normal mode on a Win98SE system.

(I did think - from the webpage I printed from the IK-CS website - that
the proper way to do it on such a system is to execute the xxxx.bat
files directly at a DOS prompt after booting from a DOS boot disk!)

The results were as follows:

McAfee reported an error:
-----------
File C:\AV-CLS\MCAFEE\RWABS16.DLL has failed its integrity check

and no scan was performed.

Kaspersky reported an error:
---------------
Can't open avp.set. Do you want to insert diskette with this file?

with buttons reading [ OK ] and [ Cancel ]

Since I have no diskette with this file, I clicked on [Cancel], and no
scan was performed.

Trend reported some error, but so quickly I could not read it.
--------
There was no record of an error in the log(s), and no scan was
performed.

Sophos: I selected only the \windows folder to be scanned.
-----------
It completed in only approx. 30 mins, and found no threats.

Can you help me solve these problems?

Regards,
John Gross
 
