SdBot fix (ctfmonn.exe) Removal tools

Written by Administrator | Friday, 18 September 2009 07:50

Alias

Backdoor.SdBot [PCTools]
Backdoor.Win32.SdBot.arn [Kaspersky Lab]
W32.Spybot.Worm [Symantec]
W32/Sdbot.worm.gen.ax [McAfee]

Information

This virus is transmitted through the network and wait for instructions from the developer of the virus from the infected computer using IRC. The virus can update all alone on the Internet, can also then change its parameters or its possibilities.

Fichier This virus puts only one file in your system
<Windows>\ctfmonn.exe

and two other files in each root directory of all your system's partition.

autorun.inf
ctfmonn.exe

Registre Creates registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
HKEY_LOCAL_MACHINE\SOFTWARE\ProductName
HKEY_LOCAL_MACHINE\SOFTWARE\ProductName\ProductID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control

Created values:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- DoNotAllowXPSP2 = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
- EnableFirewall = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
- EnableFirewall = 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
- *NewlyCreated* = 0x00000000
- ActiveService = "NETWORK SERVICE"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000
- Service = "NETWORK SERVICE"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "NETWORK SERVICE"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE
- NextInstance = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Enum
- 0 = "Root\LEGACY_NETWORK_SERVICE\0000"
- Count = 0x00000001
- NextInstance = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Security
- Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE
- Type = 0x00000110
- Start = 0x00000002
- ErrorControl = 0x00000000
- ImagePath = "<Windows>\ctfmonn.exe"
- DisplayName = "NETWORK SERVICE"
- ObjectName = "LocalSystem"
- FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
- Description = "NETWORK SERVICE"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
- *NewlyCreated* = 0x00000000
- ActiveService = "NETWORK SERVICE"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000
- Service = "NETWORK SERVICE"
- Legacy = 0x00000001
- ConfigFlags = 0x00000000
- Class = "LegacyDriver"
- ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
- DeviceDesc = "NETWORK SERVICE"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE
- NextInstance = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Enum
- 0 = "Root\LEGACY_NETWORK_SERVICE\0000"
- Count = 0x00000001
- NextInstance = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Security
- Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE
- Type = 0x00000110
- Start = 0x00000002
- ErrorControl = 0x00000000
- ImagePath = <Windows>\ctfmonn.exe"
- DisplayName = "NETWORK SERVICE"
- ObjectName = "LocalSystem"
- FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
- Description = "NETWORK SERVICE"

Changed values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- EnableDCOM = "N"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiVirusOverride = 0x00000001
- FirewallOverride = 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
- Directory = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
- CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
- CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
- CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
- CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control
- WaitToKillServiceTimeout = "7000"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
- restrictanonymous = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
- (Default) = 0x00000015
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
- WaitToKillServiceTimeout = "7000"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- restrictanonymous = 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent
- (Default) = 0x00000015
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- Cookies = "%user%\LocalService\Cookies"
- Cache = "%user%\LocalService\Local Settings\Temporary Internet Files"
- History = "%user%\LocalService\Local Settings\History"

ATTENTION This virus launches out automatically each time you open or explore a partition or a removable disk, it is thus preferable to download this patch and to decompress it on the desktop, to start your machine in safe mode and launch the patch, always in safe mode.

Add comment

AdobeR.exe Remover - A patch to remove the virus Worm.Win32.RJump.a - AdobeR.exe

Amvo.exe - Patch pour supprimer le virus Autorun AV (amvo.exe, xn1i9x.com)

Amvo.exe remover - Patch to remove the virus amvo.exe and all its variants

cftmonn.exe - Get rid of ksven (cftmonn.exe)

Kavo.exe Fix - A patch to remove the virus Autorun-XA (kavo.exe, XAdeIect.com)

KillGodzilla.vbs Fix - Get rid of the virus KillGodzilla from your system

KillVBS.vbs Fix - Get rid of the virus KillVBS

hello BO2k Fix - Removal tools for hello BO2k/ne0kS (ne0Ks.exe)

Noooh Fix (Sys.exe, ComSys.dll)

cradle of filth remover. Patch for the virus cradle_of_filth.vbe