Full Version: Please I Need Some Help
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
redkennedy81
Please help! AVG detects Trojan Horse IRC/Back Door.SdBot.182.AB and it says there are 5 of them. It also says that I have a Kelvir.L. Here is my log.
Logfile of HijackThis v1.99.1
Scan saved at 11:57:15 AM, on 4/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Free\avgvv.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: MSN Messenger 6.2.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_03\bin\npjpi141_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by22fd.bay22.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe

:furious:
LoPhatPhuud
You have another thread that is finished.

Is this another computer?
redkennedy81
Nope, this is the same computer, but I got new problems.
LoPhatPhuud
Where does AVG say they are?

I would hazard a guess they are in your System Restore Area. Go ahead and reset it (instructions follow), then run an Online AV scan and let it remove anything it finds. If AVG then detects anything, notify the company as it will be a false positive.

First:
One of the best features of Windows XP is the System Restore option; however, if a virus infects a computer with this operating system, the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Second:
Please go here and do an AV scan at one (preferably two) of the following:
Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx
redkennedy81
Okay this is what is in my AVG vault.
Trojan horse IRC/BackDoor.SdBot.182.AB C:\Documents and Settings\Jennifer\payload.dat 4/15/2005 10:42:29 AM payload.dat 56.5 KB
Trojan horse IRC/BackDoor.SdBot.182.AB C:\Program Files\999\advbot.exe 4/15/2005 10:42:29 AM advbot.exe 56.5 KB
Trojan horse IRC/BackDoor.SdBot.182.AB C:\WINDOWS\system32\msngms.exe 4/15/2005 10:42:29 AM msngms.exe 56.5 KB
Virus identified Worm/Kelvir.L C:\System Volume Information\_restore{D12DE0DD-5795-4AED-BC36-725F1401E845}\RP222\A0018576.exe 4/15/2005 11:52:15 AM A0018576.exe 8 KB
Trojan horse IRC/BackDoor.SdBot.182.AB C:\System Volume Information\_restore{D12DE0DD-5795-4AED-BC36-725F1401E845}\RP224\A0019108.exe 4/15/2005 11:52:20 AM A0019108.exe 56.5 KB
Trojan horse IRC/BackDoor.SdBot.182.AB C:\System Volume Information\_restore{D12DE0DD-5795-4AED-BC36-725F1401E845}\RP224\A0019109.exe 4/15/2005 11:52:26 AM A0019109.exe 56.5 KB
redkennedy81
I did what you said to do in regards to System Restore and I did a virus scan with Panda software, and this is what it gave me.
Incident Status Location

Adware:Adware/Gator No disinfected C:\Program Files\Common Files\CMEII
Adware:Adware/KeenValue No disinfected Windows Registry
Adware:Adware/Comet No disinfected C:\WINDOWS\inf\cc_??.pnf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Spyware:Spyware/Altnet No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Computer User\.jpi_cache\file\1.0\BlackBox.class-342059fe-3cc7e9c5.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Computer User\.jpi_cache\file\1.0\Dummy.class-2ab77bfe-1a943e35.class
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Computer User\Application Data\Mozilla\Profiles\default\c5wf792f.slt\Mail\mail.sasktel.net\Inbox[~000375.@x@]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\Computer User\Application Data\Mozilla\Profiles\default\c5wf792f.slt\Mail\mail.sasktel.net\Trash[~000344.@x@]
LoPhatPhuud
The ones in Restore will be eliminated when you reset your System Restore. For those in the AVG Vault, just delete them. See the AVG help for more info if you need it. There is no reason to keep them.
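The triage LoPhatPhuud describes here (copies inside a restore point disappear when System Restore is reset; copies on the live file system are simply deleted from the vault) can be done mechanically on the vault listing. The script below is an added example written for this thread; it is not code from the forum or from AVG. It parses lines in the same layout as the vault listing posted above (the sample is constructed from those lines), splits detections into live-path and restore-point hits, reports which RP numbers contained malware, and counts detections per family. The `Trojan horse` / `Virus identified` prefixes and the `_restore{GUID}\RPnnn\` path shape are taken from the posted listing; any other vault formatting is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the AVG 7 Virus Vault listing posted in
# the thread: verdict, detection name, quarantined path, date, time, file, size.
SAMPLE_VAULT = r"""
Trojan horse IRC/BackDoor.SdBot.182.AB C:\Documents and Settings\Jennifer\payload.dat 4/15/2005 10:42:29 AM payload.dat 56.5 KB
Trojan horse IRC/BackDoor.SdBot.182.AB C:\Program Files\999\advbot.exe 4/15/2005 10:42:29 AM advbot.exe 56.5 KB
Trojan horse IRC/BackDoor.SdBot.182.AB C:\WINDOWS\system32\msngms.exe 4/15/2005 10:42:29 AM msngms.exe 56.5 KB
Virus identified Worm/Kelvir.L C:\System Volume Information\_restore{D12DE0DD-5795-4AED-BC36-725F1401E845}\RP222\A0018576.exe 4/15/2005 11:52:15 AM A0018576.exe 8 KB
Trojan horse IRC/BackDoor.SdBot.182.AB C:\System Volume Information\_restore{D12DE0DD-5795-4AED-BC36-725F1401E845}\RP224\A0019108.exe 4/15/2005 11:52:20 AM A0019108.exe 56.5 KB
Trojan horse IRC/BackDoor.SdBot.182.AB C:\System Volume Information\_restore{D12DE0DD-5795-4AED-BC36-725F1401E845}\RP224\A0019109.exe 4/15/2005 11:52:26 AM A0019109.exe 56.5 KB
"""

# One vault line. The path may contain spaces, so it is matched lazily and
# terminated by the date/time columns that follow it.
VAULT_LINE = re.compile(
    r"^(?P<verdict>Trojan horse|Virus identified)\s+"
    r"(?P<name>\S+)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s[AP]M)\s+"
    r"(?P<file>\S+)\s+"
    r"(?P<size>[\d.]+)\s(?P<unit>[KM]B)$"
)

# Windows XP keeps restore-point copies under this folder; a hit here is
# cleared by disabling and re-enabling System Restore, not by deleting files.
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\"
)


@dataclass
class Detection:
    verdict: str
    name: str
    path: str
    size_kb: float


def parse_vault(text):
    """Parse vault listing text; lines that do not fit the layout are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = VAULT_LINE.match(line)
        if not m:
            continue
        size = float(m.group("size"))
        if m.group("unit") == "MB":
            size *= 1024.0
        found.append(Detection(m.group("verdict"), m.group("name"),
                               m.group("path"), size))
    return found


def is_restore_point(path):
    return RESTORE_POINT.search(path) is not None


def restore_point_id(path):
    """RP number holding the file, or None for a live-filesystem path."""
    m = RESTORE_POINT.search(path)
    return int(m.group("rp")) if m else None


def triage(detections):
    """Split hits into those on the live file system and those in restore points."""
    live = [d for d in detections if not is_restore_point(d.path)]
    restore = [d for d in detections if is_restore_point(d.path)]
    return {"live": live, "restore_point": restore}


def restore_points_to_clear(detections):
    """Set of RP numbers that contained malware (all go when SR is reset)."""
    return {restore_point_id(d.path) for d in detections if is_restore_point(d.path)}


def families(detections):
    """Count of detections per malware name, across live and restore-point hits."""
    return Counter(d.name for d in detections)


if __name__ == "__main__":
    dets = parse_vault(SAMPLE_VAULT)
    t = triage(dets)
    print("live-filesystem hits (delete from vault):")
    for d in t["live"]:
        print("  ", d.name, d.path)
    print("restore-point hits (cleared by resetting System Restore):")
    for d in t["restore_point"]:
        print("  ", d.name, "RP%d" % restore_point_id(d.path))
    print("families:", dict(families(dets)))
```

Run it as a script to see the two buckets; the live-path list is the one worth reviewing by hand, since each of those paths was an execution location rather than a backup copy.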
redkennedy81
Everything seems to be gone. Thank you for helping me! This forum is so helpful and wonderful. All of you are truly computer angels from above.
Thanks a million,
Jen
LoPhatPhuud
We are glad we were able to be of assistance.

NOTE: This thread is now closed. Should you need it reopened, please PM an administrator or moderator.

Everyone else having a similar issue, please launch a new topic for yourselves.