IRC/SdBot

Sam Salt

A RAV antivirus scan picked up two instances of IRC/SdBot in Windows/System32/shadow.exe
and Windows/System32/dllcache/shadow.exe.

Avast, Trend and Panda didn't find it. RAV couldn't delete or repair it.

Have run Spyhunter, which is supposed to be able to find this Trojan, but that
didn't come up with anything either.

Anyone any suggestions?

System is XP Pro.

Thanks,

Sam Salt
 
David H. Lipman

Although the web page mistakenly leaves out SDbot, McAfee's Stinger does target SDbot and
its variants.

Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode and shutdown as many applications as possible
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB)
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html





Andy

I have been getting this one the last couple of days and it seems a stubborn
bugger: "While opening file: C:\windows\system32\winregs32cdn.exe - Trojan
horse IRC/backdoor.SdBot.90.BR"

Full AVG7 virus scan gets rid of it but then when I go back on the net it
comes back again the B*stard.

My configuration is:

Windows XP Home with fully updated AVG7 free, webroot 30day spy sweeper and
XP Firewall turned on.

Andy.
 
David H. Lipman

Apply Stinger as suggested in Sam's reply and report back your results.

--
Dave





Andy

Right then, I ran the Stinger program and got this in the results (I was a
naughty boy and didn't do it in safe mode, just normal Windows, but I did
disable System Restore):

c:\windows\system32\o
found the w32/sdbot.worm!ftp virus!!!
c:\windows\system32\o has been deleted

c:\windowsold\system32\bling.exe
found the w32/sdbot.worm.gen virus
c:\windowsold\system32\bling.exe has been deleted

So, that must be my PC sorted then but what now about my own virus (my
Cold!) <sniff>

:)

Cheers,

Andy.
 
David H. Lipman

Glad to hear that Stinger cleared your SDbot. I hope Sam also has success.

I can't provide any assistance about your cold except the advice of Vitamin C.
500 mg to 1 gram daily for the next week or so. ;-)

--
Dave





Sam Salt

Hello David,

Stinger didn't find anything. I suppose it could be a false positive from
RAV.


Sam Salt
 
David H. Lipman

Please submit "shadow.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

Then we'll know if it is truly a False Positive declaration.

--
Dave






Andy

Thanks David, will try the vitamin C.

Turned on my PC this morning and ran AVG7 and it found Sdbot.55.u in
c:\windows\system32\winole.exe (which I have removed now).

I wonder why these sdbot ones are coming through thick and fast now?

Andy.
 
David H. Lipman

Good question....

--
Dave





Gabriele Neukam

On that special day, David H. Lipman, (e-mail address removed) said...
| I can't provide any assistance about your cold except the advice of Vitamin C.

Hot lemon juice in water, with sugar.
Hot milk with honey.
In bad cases of tight nose, hold your head over a bowl/tub of hot water;
to increase the effect, keep a towel over your head and the bowl. My
mother always put camomile into the water, but I hate this.


Gabriele Neukam

(e-mail address removed)
 
Gabriele Neukam

On that special day, Andy, (e-mail address removed) said...
| Turned on my PC this morning and ran AVG7 and it found Sdbot.55.u in
| c:\windows\system32\winole.exe (which I have removed now)
|
| I wonder why these sdbot ones are coming through thick and fast now?

Perhaps they are related to that:
http://www.microsoft.com/security/bulletins/automaticupdates.mspx

I'd rather use a browser different from the Internet Explorer (except
for Windows updates), to make sure my machine won't be hit by a popular
(by the exploiters) flaw.


Gabriele Neukam

(e-mail address removed)
 
--Mike

Andy said:
| Thanks David, will try the vitamin C.
|
| Turned on my PC this morning and ran AVG7 and it found Sdbot.55.u in
| c:\windows\system32\winole.exe (which I have removed now)
|
| I wonder why these sdbot ones are coming through thick and fast now?

Make sure to empty *all* of your temp folders. There may be a Sdbot
regenerating file lurking somewhere on your system.

Delete ALL sub-folders and files from the following (Do NOT delete the Temp
folders themselves):

C:\Windows\Temp
C:\Windows\Temporary Internet Files
and on WinXP
C:\Documents & Settings\[each user name]\Local Settings\Temp
C:\Documents & Settings\[each user name]\Local Settings\Temporary Internet Files

*Note: If the above WinXP folders cannot be seen, use the instructions
below to make them visible.

Open My Computer or Windows Explorer. Click on "Tools" in the toolbar along
the top. From the drop-down menu, select "Folder Options...".
The Folder Options window will open. Select the "View" tab.
In the Advanced Settings section, select "Show hidden files and folders" and
right below it, uncheck "Hide extensions for known file types", and right
below this, uncheck "Hide protected operating system files".
These are the 9th, 10th, and 11th options down, respectively. Summarizing:
ON - Show hidden files...
OFF - Hide extensions...
OFF - Hide protected...

--Mike
 
Sam Salt

This is the result from "Virus Total"

Antivirus     Version         Update      Result
AntiVir       6.29.0.11       02.09.2005  no virus found
AVG           718             02.07.2005  no virus found
BitDefender   7.0             02.09.2005  no virus found
ClamAV        devel-20050130  02.09.2005  no virus found
DrWeb         4.32b           02.09.2005  no virus found
eTrust-Iris   7.1.194.0       02.09.2005  no virus found
eTrust-Vet    11.7.0.0        02.09.2005  no virus found
Fortinet      2.51            02.09.2005  no virus found
F-Prot        3.16a           02.08.2005  no virus found
Kaspersky     4.0.2.24        02.09.2005  no virus found
NOD32v2       1.994           02.09.2005  no virus found
Norman        5.70.10         02.07.2005  no virus found
Panda         8.02.00         02.09.2005  no virus found
Sybari        7.5.1314        02.09.2005  no virus found
Symantec      8.0             02.09.2005  no virus found

Sam Salt
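VirusTotal results copied off its web page came through as one run-together string (engine, version, update date and result with no separators), which is hard to read at a glance and is why the exact per-engine result matters for a false-positive call. As an added Python example (not part of the thread), the parser below splits that string into rows using the engine names from Sam's report and the fixed-width update date as anchors, then tallies which engines flagged the file.

```python
import re

# Engine names as they appear in the report pasted above; the flattened text has
# no separators, so the engine name is the only anchor between records. Longest
# names first so "eTrust-Iris" is never cut short by a shorter engine name.
ENGINES = sorted(["AntiVir", "AVG", "BitDefender", "ClamAV", "DrWeb", "eTrust-Iris",
                  "eTrust-Vet", "Fortinet", "F-Prot", "Kaspersky", "NOD32v2",
                  "Norman", "Panda", "Sybari", "Symantec"], key=len, reverse=True)
HEADER = "AntivirusVersionUpdateResult"
DATE = re.compile(r"\d{2}\.\d{2}\.\d{4}")  # the fixed-width update date field

def parse_report(text):
    """Split a flattened VirusTotal paste into (engine, version, update, result) rows."""
    body = " ".join(text.split())  # undo the line wrapping of the paste
    if body.startswith(HEADER):
        body = body[len(HEADER):]
    rows, pos = [], 0
    while pos < len(body):
        engine = next((e for e in ENGINES if body.startswith(e, pos)), None)
        if engine is None:
            raise ValueError(f"unrecognised engine at {body[pos:pos + 20]!r}")
        date = DATE.search(body, pos + len(engine))
        if date is None:
            raise ValueError(f"no update date after {engine}")
        version = body[pos + len(engine):date.start()]
        # The result runs up to the next engine name (or to the end of the paste).
        end = min([i for i in (body.find(e, date.end()) for e in ENGINES) if i != -1],
                  default=len(body))
        rows.append((engine, version, date.group(0), body[date.end():end].strip()))
        pos = end
    return rows

def detections(rows):
    """Engines that reported anything other than a clean result."""
    return [(e, r) for e, _, _, r in rows if r.lower() != "no virus found"]

REPORT = """AntivirusVersionUpdateResultAntiVir6.29.0.1102.09.2005no virus
foundAVG71802.07.2005no virus foundBitDefender7.002.09.2005no virus
foundClamAVdevel-2005013002.09.2005no virus foundDrWeb4.32b02.09.2005no
virus foundeTrust-Iris7.1.194.002.09.2005no virus
foundeTrust-Vet11.7.0.002.09.2005no virus foundFortinet2.5102.09.2005no
virus foundF-Prot3.16a02.08.2005no virus foundKaspersky4.0.2.2402.09.2005no
virus foundNOD32v21.99402.09.2005no virus foundNorman5.70.1002.07.2005no
virus foundPanda8.02.0002.09.2005no virus foundSybari7.5.131402.09.2005no
virus foundSymantec8.002.09.2005no virus found"""  # Sam's report, as posted

if __name__ == "__main__":
    for engine, version, update, result in parse_report(REPORT):
        print(f"{engine:<12} {version:<16} {update}  {result}")
```

An empty `detections()` list across fifteen engines is the quickest way to show that only the original scanner objected to the file.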
 
David H. Lipman

What did you submit that was reported on ?

--
Dave





Andy

Thank you. Is it true, do you reckon, that an untreated cold lasts for 7 days
whereas a treated cold lasts for 6 days?

Will AVG7 get rid of my Cold or is AVAST better? :)
 
David H. Lipman

So it was most likely a False Positive declaration.

Could you ZIP the file and email me a copy? Just remove ~nospam~.

--
Dave




| David,
|
| "shadow.exe"
|
| Sam Salt
 
