FrEn

E-mail Print PDF

SdBot fix (ctfmonn.exe) Removal tools
Written by Administrator  |  Friday, 18 September 2009 07:50
AddThis Social Bookmark Button
Alias
  • Backdoor.SdBot [PCTools]
  • Backdoor.Win32.SdBot.arn [Kaspersky Lab]
  • W32.Spybot.Worm [Symantec]
  • W32/Sdbot.worm.gen.ax [McAfee]

Information
This virus is transmitted through the network and wait for instructions from the developer of the virus from the infected computer using IRC. The virus can update all alone on the Internet, can also then change its parameters or its possibilities.

Fichier This virus puts only one file in your system
<Windows>\ctfmonn.exe

and two other files in each root directory of all your system's partition.

  • autorun.inf
  • ctfmonn.exe

Registre Creates registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProductName
  • HKEY_LOCAL_MACHINE\SOFTWARE\ProductName\ProductID
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control

Created values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    • DoNotAllowXPSP2 = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    • EnableFirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    • EnableFirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
    • *NewlyCreated* = 0x00000000
    • ActiveService = "NETWORK SERVICE"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE\0000
    • Service = "NETWORK SERVICE"
    • Legacy = 0x00000001
    • ConfigFlags = 0x00000000
    • Class = "LegacyDriver"
    • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • DeviceDesc = "NETWORK SERVICE"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_SERVICE
    • NextInstance = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Enum
    • 0 = "Root\LEGACY_NETWORK_SERVICE\0000"
    • Count = 0x00000001
    • NextInstance = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE\Security
    • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NETWORK SERVICE
    • Type = 0x00000110
    • Start = 0x00000002
    • ErrorControl = 0x00000000
    • ImagePath = "<Windows>\ctfmonn.exe"
    • DisplayName = "NETWORK SERVICE"
    • ObjectName = "LocalSystem"
    • FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
    • Description = "NETWORK SERVICE"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000\Control
    • *NewlyCreated* = 0x00000000
    • ActiveService = "NETWORK SERVICE"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE\0000
    • Service = "NETWORK SERVICE"
    • Legacy = 0x00000001
    • ConfigFlags = 0x00000000
    • Class = "LegacyDriver"
    • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • DeviceDesc = "NETWORK SERVICE"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_SERVICE
    • NextInstance = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Enum
    • 0 = "Root\LEGACY_NETWORK_SERVICE\0000"
    • Count = 0x00000001
    • NextInstance = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE\Security
    • Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NETWORK SERVICE
    • Type = 0x00000110
    • Start = 0x00000002
    • ErrorControl = 0x00000000
    • ImagePath = <Windows>\ctfmonn.exe"
    • DisplayName = "NETWORK SERVICE"
    • ObjectName = "LocalSystem"
    • FailureActions = 0A 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 B8 0B 00 00
    • Description = "NETWORK SERVICE"

Changed values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    • EnableDCOM = "N"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    • AntiVirusOverride = 0x00000001
    • FirewallOverride = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    • Directory = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1
    • CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2
    • CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3
    • CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4
    • CachePath = "%user%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control
    • WaitToKillServiceTimeout = "7000"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
    • restrictanonymous = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
    • (Default) = 0x00000015
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
    • WaitToKillServiceTimeout = "7000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    • restrictanonymous = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent
    • (Default) = 0x00000015
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    • Cookies = "%user%\LocalService\Cookies"
    • Cache = "%user%\LocalService\Local Settings\Temporary Internet Files"
    • History = "%user%\LocalService\Local Settings\History"

ATTENTION This virus launches out automatically each time you open or explore a partition or a removable disk, it is thus preferable to download this patch and to decompress it on the desktop, to start your machine in safe mode and launch the patch, always in safe mode.

Download
 

Add comment


Security code
Refresh

Related articles
Latest posts
Free malware removal tool to remove Antivir Solution Pro
_WRITTEN_BY Administrator 15/07/2010

Antivir Solution Pro is another rogue Antispyware from the Antispyware Soft and Antivirus Suite, that tries to get money from users by prompting them to register and buy their Fake products. Some…Read more...

Free virus removal tool to remove RVHOST.exe
_WRITTEN_BY Administrator 17/06/2010
  • RVHOST.exe is a trojan that may reprensent security risk for your system, it runs in the background, this application allows remote access to the compromised system.
  • Downloads…
Read more...
Free virus removal tool to remove WinDefender.exe
_WRITTEN_BY Administrator 17/06/2010
WinDefender.exe is a trojan that may reprensent security risk for your system, it runs in the background, this application creates startup registry keys. Read more...
Free malware removal tool to get rid of Defense Center
_WRITTEN_BY Administrator 12/06/2010
Defense Center is another rogue Antispyware from the Digital Protection family, it's a malware that pretends to be an Antivirus. It is a wolf in sheep's clothing. It conducts a fake scan of your…Read more...
Free virus removal tool to remove Xss.exe
_WRITTEN_BY Administrator 10/06/2010

Xss.exe is a trojan that may reprensent security risk for your system, it runs in the background, this application allows remote access to the compromised system.

Xss.exe downloads files…Read more...

.
Information | Contact

© All Rights Reserved. net-studio.org 2009