SDBOT virus thru gff6.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by vaidyaas, Jul 23, 2010.

  1. vaidyaas

    vaidyaas Private E-2

    Hi,
I'm harassed with a virus which starts troubling me only if I connect to the internet. My AV company (Bitdefender) is also working to find the solution to it. If somebody can help me here..........
Few days back I formatted my C drive and installed new XP on it. I started installing the required software along with AV. After I installed AV and connected to the internet, my AV popped up a screen saying that it had blocked a virus named Generic.Sdbot.B9503259 and that the file used by the program ftp is gff6.exe in the sys32 folder. AV said it has deleted the file. But after that, till date, every time I connect to the internet my AV pops up the screen informing me about the gff6.exe and the virus.
The main problem is that after some time, say 10-15 mins, my internet stops responding. Then I can neither disconnect the internet nor reconnect it. Most of the time I'm even unable to switch off the laptop as well. I have to power it off to close Windows. The DDS data is attached here.

After some research I learned that the file gff6.exe gets downloaded into my sys32 folder every now and then, along with a file named i with no extension. After it gets downloaded, my AV identifies it as a virus and deletes it. This continues till my internet connection stops responding.

Someone please help me. I can provide you with the DDS log or any other details required by anyone.

    -Amit
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. vaidyaas

    vaidyaas Private E-2

    Dear Sir,
Unfortunately, the problem is not solved. Again after the whole process, when I connected to the internet, I got the pop-up from my AV informing me that it has blocked the file gff6.exe. After some time, the internet hangs.
The log files are attached with this message and the message next to this.

Awaiting your reply soon.

    Regards,

    Amit Vaidya
     

    Attached Files:

  4. vaidyaas

    vaidyaas Private E-2

    Dear sir,
    The remaining log files with this message.

    regards,

    Amit
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm not a sir, I'm female. :)

    MGTools.exe <--- delete this from your desktop now.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\rezumatenoi.dat
    c:\windows\system32\gff6.exe
    
    Folder::
    C:\WINDOWS\Temp\tmp00003318\tmp00000000
    C:\WINDOWS\Temp\tmp0000738d
    
    DirLook::
    C:\tmpnet
    C:\WINDOWS\system32\1025
    C:\WINDOWS\system32\1028
    C:\WINDOWS\system32\1031
    C:\WINDOWS\system32\1033
    C:\WINDOWS\system32\1037
    C:\WINDOWS\system32\1041
    C:\WINDOWS\system32\1042
    C:\WINDOWS\system32\1054
    C:\WINDOWS\system32\2052
    C:\WINDOWS\system32\3076
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are running now, please.
     
  6. vaidyaas

    vaidyaas Private E-2

    Hi Kestrel13,
Sorry for referring to you incorrectly. I find no way to know about it sitting here. ;)
Anyway, I completed the task as per your requirement. The log files are attached with this message.
But unfortunately the problem is not solved. The file gff6.exe still gets downloaded after I connect to the internet. My antivirus keeps on informing me that it has deleted the file. After some time, say 10-15 mins, the internet stopped responding. After clicking the Internet connection icon, the internet connection window only flashes. I'm unable to disconnect the internet.

    Please extend your help a bit more.

    regards,

    amit vaidya
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume your BitDefender Internet Security Suite has a firewall? Is it enabled?



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now download install and run this: Autorun Eater

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jul 26, 2010
  8. vaidyaas

    vaidyaas Private E-2

    Hi,
Please find the attachment with this message. All the steps were followed. But the problem persists. I don't understand from where the file gff6.exe is getting downloaded. To answer your question - Yes. The firewall of BitDefender Internet Security is enabled.

    Awaiting your reply.

    regards,

    Amit Vaidya
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Okay then I'm wondering whether
1. It is working properly to block this, or whether the files related to this infection have been approved thru the firewall.
2. Or whether you are still really infected or just seeing reports of leftovers that are quarantined ( like in C:\QooBox from combofix) or that are in System Restore.
The last fix I gave you removed the source of the infection, which was the NrConnmags service that was allowing remote connections to the PC using the non-valid c:\Windows\system\csrss.exe file. ( Only the csrss.exe file in the system32 folder is valid. ) Also the registry entries for two system services had to be repaired, which was also part of my fix. Based on your logs, all of these have been fixed..... that is, unless you became reinfected after the new logs were obtained. Run another scan with ComboFix and also run the C:\MGtools\GetLogs.bat file again.




    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Also run this GMER - running with a random name and attach the GMER log.


    Is the below startup process legit? I don't see this in Add/Remove Programs.

    O4 - HKCU\..\Run: [Alwact.exe] "C:\Program Files\Alwact\Bin\Alwact.exe"


    Another question: Why is it that your logs show there was no connection to the internet when GetLogs.bat was run last time? Did you have the cable to the internet unplugged? If so, please have it connected from now on.
     
    Last edited: Jul 27, 2010
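The post above names two file-system indicators: a csrss.exe living anywhere other than system32, and gff6.exe (plus the extensionless file "i") being dropped into system32. The following is an added example, not code from the thread or from the MajorGeeks tools, that walks a Windows directory tree and reports those indicators; it builds a small constructed sample tree so it runs offline, and the sample file names and layout are assumptions, not data from the poster's logs.

```python
import os
import tempfile
from pathlib import Path

# Names the thread reports being dropped into system32 (an attacker
# name, so a match is a hint, not proof of infection on a real machine).
SUSPECT_NAMES = {"gff6.exe", "i"}


def scan_windows_tree(windows_root):
    """Return sorted (reason, path) pairs for the indicators the thread describes."""
    root = Path(windows_root)
    system32 = (root / "system32").resolve()
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        parent = path.parent.resolve()
        # Only system32\csrss.exe is legitimate; a copy elsewhere
        # (e.g. the thread's C:\Windows\system\csrss.exe) is suspect.
        if name == "csrss.exe" and parent != system32:
            findings.append(("csrss.exe outside system32", str(path)))
        # gff6.exe or the extensionless "i" appearing in system32
        # matches the drop pattern the poster kept seeing.
        elif name in SUSPECT_NAMES and parent == system32:
            findings.append((f"{name} dropped in system32", str(path)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample layout (assumption, not the poster's real disk)."""
    base = Path(tempfile.mkdtemp()) / "WINDOWS"
    for rel in ["system32/csrss.exe", "system32/ftp.exe", "system/csrss.exe",
                "system32/gff6.exe", "system32/i", "system32/1033/readme.txt"]:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")
    return base


if __name__ == "__main__":
    for reason, path in scan_windows_tree(build_sample_tree()):
        print(f"{reason}: {path}")
```

On a real XP system the function would be pointed at C:\WINDOWS; the legitimate system32\csrss.exe and ftp.exe in the sample are deliberately not flagged.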
  10. vaidyaas

    vaidyaas Private E-2

    Hi,
Before I run the ComboFix and C:\MGtools\GetLogs.bat file, I would like to inform you of some facts which you have highlighted, and if you confirm, I'll generate the logs.

I have found one entry in the firewall rules which refers to an exe file in the sys32 folder. Is this a necessary file? Since I get a warning from AV for the same file. The file is ftp.exe.

Yes, this file is a legit file. But I could see this in Add/Remove Programs.

Actually I'm not using the infected laptop to view and download the required .exe files like combofix etc. I'm downloading them from another PC, transferring them to the infected laptop using a clean pen drive and then installing them. So most of the time I'm not connected to the internet. After all the logs are generated, I transfer the files to the PC using the pen drive and then send them to you. So during the log creation or scanning, my laptop is neither connected to the internet nor to the BB modem.

    I'll connect it next time I scan or generate the file.

    regards,

    Amit Vaidya
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is a valid Microsoft file. FTP = File Transfer Program


    Yes please do so this time while running the scans. You can disconnect it again immediately after if you wish.


    If this problem continues, we may need to uninstall BitDefender and disable System Restore before we continue any further.
     
  12. vaidyaas

    vaidyaas Private E-2

This file has a firewall rule in BitDefender. After I blocked its access to the internet, now I'm not getting any message for the file gff6.exe. But still there are some abrupt virus block messages from BitDefender.
But now I started to get an error for Generic Host Process for Win32 Services. And after this the internet stops responding.

As per your requirement, please find the log files of ComboFix and MGtools.

I think 90% of the problem is solved. Please help me to make it 100%.

    Thanks

    Amit Vaidya
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  14. vaidyaas

    vaidyaas Private E-2

    Sir,
The main issue that I'm facing now is the error "Generic Host Process for Win32............" This is not allowing me to continuously use the Internet. After this error, the internet stops responding. I searched about this error on the net and someone has given the solution to close port 4** and 135. I don't remember the number of the first port. I want to confirm with you before I proceed, since I'm working under your guidance.

The log files are attached here. One thing I want to inform you of is that while generating the MGLog file, I got the "Generic Host Process......" error. But the process continued.

    This is for your information.

    Regards,
    Amit Vaidya
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't see how that would be related. This is likely not a malware issue but rather a problem with Windows especially since you have not updated Windows and are missing many patches. I suggest you at least start by running the patch for Windows XP 32 bit versions given in the below link:

    http://support.microsoft.com/kb/894391
     
  16. vaidyaas

    vaidyaas Private E-2

After all the recommendations you have given, I couldn't solve the issue. Even though the "Generic Host Process for Win32............" is partially solved, the gff6.exe and hanging of the internet continued.
So finally I decided to format the laptop and re-install all the things.

But anyway, thanks for your support. In the future, in case I get into trouble, I'll definitely get back to you.

    Regards,

    Amit Vaidya
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

