Thread: win32:SdBot-545[Trj]

the web's a bust - at least in english
no manual to read

win32:SdBot-545[Trj] is a recurring problem
I use avast for my AV but it can't clean it, mainly cos I didn't have a recovery DB

I move the file to the chest everytime

but keeps appearing in

"C:\Documents and Settings\UserName\Local Settings\Temp";
"C:\WINDOWS\Temp"

everytime its moved with trz#.tmp where # is a numeral or counting in Hex
I've ran the avast worm cleaner
stinger
adaware
hijack this
window washer

here's the log of hijack this

Logfile of HijackThis v1.97.7
Scan saved at 1:33:08 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Washer\washer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
D:\HijackThis.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.altavista.yellowpages.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=168.10.79.7:2032;gopher=168.10.79.7:2032;http=208.38.40.72:8080 168.37.244.10:3128 209.91.207.161:8333;https=168.10.79.7:2032
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...sh/swflash.cab

most of that looks normal to me
msmsgs.exe could be the problem, I'll explain why in a minute

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=168.10.79.7:2032;gopher=168.10.79.7:2032;http=208.38.40.72:8080 168.37.244.10:3128 209.91.207.161:8333;https=168.10.79.7:2032

this may well be the problem too as I was attempting to chain proxies

the rest looks legit to me as all the NV things are referring to my graphics card

now messenger, I fell victim to rpc exploit when downloading updates for windows messenger and I'm suspicious this trojan may have been carried on the msn messenger 6.2 update

and most of the time I use firefox anyway not IE

oh and I originally found it masquerading as trivial ftp

c:\windows\system32\TFTP3580

and thought I was clean