Questions about "Backdoor.Sdbot"

Looking at the website link you posted, I can say that I never purchased that product for download and install.  I will check as best I can to see if my computer, or my version of Vista, or another program may have had it prepackaged.

Quads, a quick question for you or anyone else who may know.  Does NAV delete erroneous registry keys as part of removal?  (I assume yes.....?)  I went looking for the above keys in the registry and only found the last one.  So, we may assume the suspected virus added the others.......hmmm!  It still seems a lot different from the Backdoor.Sdbot page and how it is supposed to alter the registry.


(Sorry guys, I have to get in the habit of using "edit post" here.)

Message Edited by Acronym2 on 09-21-2008 05:02 PM

I wouldn't expect NAV to delete erroneous registry keys (that is the purview of SystemWorks), but it would go after malware entries.

Hi there.


I agree with Mij on the NAV (or NIS) deleting erroneous entries.


Now, not being able to find the other registry entries, I would presume that they have been added by the injection(s), masquerading the entries as the legitimate AsProtect product when it is not.  But until you know for sure, you don't have AsProtect installed on your PC...  Though, as NAV detected them, it does also make the entries suspicious.


As for finding hidden registry entries, try Sysinternals' "Rootkit Revealer" and/or also WinPatrol.  Panda and Sophos also have a rootkit scanner you can download.


Does anything show up on the list after running HJT??


Cheers


Quads 


Well, I have the result from VirusTotal: 41.67% positive.  http://www.virustotal.com/analisis/302c31ecf6cf150c8fdeeffaf7d0c570

Next I'll submit it to Symantec, as it is interesting that it seemed to resist the scan when compressed on a DVD.  Also, it still seems strange that it wasn't detected by NAV until a few days ago.  Perhaps it is sophisticated and it wasn't until the 17 SEP 08 DAT that it was recognized.


Oh, well.  Live and learn.  Is it even possible to clean the original infected file?  My heart tells me not likely, but I wonder if it could be decompiled and the virus removed.  When I scanned it with McAfee on my old computer, it gave a result of three files scanned.  Possibly it could be as simple as decompiling it and deleting the virus file.


So, any more advice on how to make sure my system is clean?  I guess that's my main mission now: to make sure there are no residual effects left on my system.  I'll run the HJT program and post to their web as advised.

Hi


An Update.


As to "AsProtect": there are a few variations of "Sdbot" that use AsProtect as a packer type (compression).


There will be, or would have been, a file in the "c:\windows\system32\" folder.  Depending on the variation the file name will be different: xxxx.exe


Quads 
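One way to take a first look at that folder, as an added example that is not code from this thread or from any of the vendors mentioned: list the executables in a directory, flag the ones modified recently, and print SHA-256 hashes that can be checked against your antivirus vendor or VirusTotal (as was done earlier in the thread). The folder path, the 30-day window and the file names in the constructed sample folder are assumptions made for the example; the real system32 folder is only used when a path is passed on the command line.

```python
"""Inventory executables in a folder, flag recently modified ones, and print
SHA-256 hashes that can be submitted to an AV vendor or VirusTotal.

Added example for this thread; the default folder, the 30-day window and the
sample file names are assumptions, not something the thread specifies."""
import hashlib
import os
import sys
import tempfile
import time
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_executables(folder, newer_than_days=30, now=None):
    """Return one record per executable in folder (non-recursive), sorted by name.

    A record is flagged 'recent' when its modification time falls inside the
    last newer_than_days days; 'now' can be pinned for reproducible runs."""
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    records = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        info = path.stat()
        records.append({
            "name": path.name,
            "size": info.st_size,
            "mtime": info.st_mtime,
            "sha256": sha256_of(path),
            "recent": info.st_mtime >= cutoff,
        })
    return records


def recent_executables(folder, newer_than_days=30, now=None):
    """Names of executables modified within the window, for a quick first look."""
    return [r["name"] for r in inventory_executables(folder, newer_than_days, now)
            if r["recent"]]


def make_sample_folder():
    """Build a constructed folder so the example runs offline on any OS.

    'legit.dll' is dated over a year back, 'xxxx.exe' (the placeholder name used
    in the thread) is dated yesterday, and 'notes.txt' is there to be ignored.
    Returns (folder, now) so callers evaluate the window against the same clock."""
    folder = Path(tempfile.mkdtemp(prefix="sys32-sample-"))
    now = time.time()
    samples = [
        ("legit.dll", b"MZ legit library bytes", now - 400 * 86400),
        ("xxxx.exe", b"MZ unknown executable bytes", now - 1 * 86400),
        ("notes.txt", b"not an executable", now - 1 * 86400),
    ]
    for name, content, mtime in samples:
        target = folder / name
        target.write_bytes(content)
        os.utime(target, (mtime, mtime))
    return str(folder), now


def report(folder, newer_than_days=30, now=None):
    """Print a line per executable; 'NEW' marks files inside the window."""
    for rec in inventory_executables(folder, newer_than_days, now):
        flag = "NEW" if rec["recent"] else "   "
        stamp = time.strftime("%Y-%m-%d", time.localtime(rec["mtime"]))
        print(f"{flag} {rec['sha256']}  {rec['size']:>9}  {stamp}  {rec['name']}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(sys.argv[1])          # e.g. C:\Windows\System32 (assumed target)
    else:
        sample_folder, clock = make_sample_folder()
        report(sample_folder, now=clock)
```

A recent modification time is only a prompt to look closer, not a verdict: Windows updates also drop new files into system32, and malware can back-date a file, so the hash is what gets checked against the vendor.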

Symantec's Analysis is complete.  A Backdoor.Sdbot non-repairable threat.  I am advised that the latest LiveUpdates do detect this threat and that I should delete the suspected file. (Already done!)


I guess that's it.  Is there anything more I need to do to clean my system of any residual effects from the infection?

Hi


If your PC is running smoothly etc., I guess there is nothing else.

There could always be the odd small remnant, like a reg entry, but one small thing like that with nothing else won't do anything.


You may always find in the future, as def. updates come in, that the antivirus etc. finds the odd small thing left behind to delete, but not the program (infection) as a whole.


Before you wonder, I have been infected with Virtumondo and had deleted the infection, PC back to normal; months later, after a def. update and a scan, 2 reg entries and a .dll had been found.  Just the remnants.


That could happen to you; there seem to be many variants of the Trojan.sdbot (IRCbot) showing up in lists.


bye


Quads


P.S. You could always do a registry clean. 

This should give you more details on the Trojan Horse if not already checked out: http://www.symantec.com/security_response/writeup.jsp?docid=2002-051312-3628-99&tabid=1.