
removing w32/sdbot.worm.gen


s...@mailinator.com

Apr 2, 2005, 9:27:11 PM
I am running Windows 2000 with Service Pack 4. I was using McAfee ver
7.0 Enterprise Edition which I regularly updated and scanned my machine
using it. I am connecting to the Internet through a LAN and the LAN is
behind a firewall. I got the most recent Stinger tool from McAfee's
website but that could not find anything. I upgraded to McAfee Beta
version 8 which detects the worm and deletes its infected files but
still cannot remove it (i.e. it deletes an infected .exe file but another
.exe gets infected in an hour or so). I followed the thread at
http://groups-beta.google.com/group/microsoft.public.win2000.general/browse_frm/thread/368051af1bdb57b4/d93fc3a153116015?q=w32%2Fsdbot.worm.gen&rnum=28#d93fc3a153116015
Did everything they told me. Ran the Trend Sysclean package as instructed
on the Trend Micro website but that could not find anything (its Sysclean
log says no viruses found and after some time McAfee reports that it
deleted an infected file by the w32/sdbot.worm.gen).
Went to houecall.trendmicro.com and used their free scan but that also
could not find anything. Rebooted in safe mode, removed all suspicious
files which were in the startup list from the registry, removed infected exe
files masqueraded as legitimate Windows files by the worm from the
registry, cleaned my temp folder, Internet Temporary Files folder, cleared
my history, cookies, used CWShredder most recent version, ran
Ad-Aware, Spybot Search and Destroy, HijackThis with updated definitions,
but that could not help me. My machine was fully patched as I go to
Windows Update and regularly apply the critical updates but now after
the infection I cannot go to that Windows Update site. I had default
admin shares on my C drive (so I think an infected machine on my network
may have infected mine; I have now disabled them). I cannot open
Add/Remove Programs in Control Panel to see if any unwanted programs
are there (when I try to open it I get a window with no entries of any
programs). I have ZoneAlarm free edition installed but even then I am
unable to remove the worm.

After the infection I unplugged my machine from the network and
connected only to go to the Windows Update site, which was not successful.

I would appreciate any advice in removing the worm.

Thanks

Toolman Tim

Apr 2, 2005, 9:37:17 PM

<s...@mailinator.com> wrote in message
news:1112495230.9...@f14g2000cwb.googlegroups.com...

Format C: /s should do it. (Just kidding!)

Have you researched the worm at other AV software companies' web sites?
Often there are 'custom' removal tools available. Also, run the scans from
safe mode so you are disconnected from the network and Internet with most
other non-essential services running. Be sure the scans are set to check all
files, not just specific locations and/or extensions, and set to scan within
compressed files.

I don't use W2K anymore, so I don't remember for sure if msconfig.exe is
part of that OS. But check and see - it will list the programs that your
computer is starting up with. You can disable any/all of them and see if you
can then access the Control Panel Add/Remove programs.


s...@mailinator.com

Apr 2, 2005, 10:57:12 PM
Thanks Toolman,

I went to these sites and ran their scans

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.kaspersky.com/remoteviruschk.html
http://security.symantec.com/sscv6/default.asp
http://www.pandasoftware.com/activescan/activescan.asp
http://commandondemand.com/eval/index.cfm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
http://www.pcpitstop.com/antivirus/default.asp
http://scan.sygatetech.com/prestealthscan.html

but that could not help me. Now the worm has disabled even my going to
those sites. I cannot go to any such site and start the ActiveX
control to start a scan.

I ran the scans in normal and safe mode, connected and disconnected from
the network, but of no help.

The scans are set for all files, compressed, and also to decode MIME
files. Msconfig does not work for me. Sysedit does not show anything
suspicious. But going to the registry I removed the suspicious program
entries in safe mode. Also using the Advanced mode of Spybot Search and
Destroy I inspected the programs in startup but everything seems
normal. I still don't know where the worm may be hidden. I selected the
option of showing all files (even the operating system files) but still
cannot find the reason.

Thanks for your help.
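The two things the poster checked by hand, autostart entries in the registry and default administrative shares, can be reviewed in one pass. The script below is an added illustration, not code from the thread; it assumes a modern Windows host with PowerShell 5 or later (the original machine ran Windows 2000, which predates PowerShell) and uses only the standard Run/RunOnce keys and the Win32_Share WMI class.

```powershell
# Added triage script (not from the thread): list Run/RunOnce autostart
# entries and administrative shares so they can be reviewed before removal.
# Assumption: modern Windows with PowerShell 5+, run from an elevated prompt.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$System32 = Join-Path $env:SystemRoot 'System32'

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $cmd = [string]$p.Value
            # First token of the command line, with surrounding quotes removed
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not $exe) { continue }
            $name     = Split-Path -Leaf $exe
            $exists   = [bool](Test-Path -LiteralPath $exe)
            $inWinDir = $exe.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
            # A file carrying the name of a System32 binary but living outside the
            # Windows directory is the "masquerading" pattern the poster described.
            $shadows  = (-not $inWinDir) -and (Test-Path (Join-Path $System32 $name))
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                FileExists = $exists            # relative or missing paths are flagged too
                Suspicious = $shadows -or (-not $exists)
            }
        }
    }
}

function Get-AdminShares {
    # Default administrative shares (C$, ADMIN$, IPC$) are the path the poster
    # suspected another infected host used; list them for review or disabling.
    Get-CimInstance Win32_Share |
        Where-Object { $_.Name -match '^[A-Z]\$$|^ADMIN\$$|^IPC\$$' } |
        Select-Object Name, Path
}

Get-AutostartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-AdminShares | Format-Table -AutoSize
```

A flagged entry is a starting point for a look, not proof of infection; compare the file against a known-good copy before deleting anything, and do the review from safe mode with the network cable unplugged, as the replies in this thread advise.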

Toolman Tim

Apr 2, 2005, 11:10:16 PM

<s...@mailinator.com> wrote in message
news:1112500632....@z14g2000cwz.googlegroups.com...
That *is* scary! If it were a machine I was responsible for, I'd pull the
drive out, install it in a 'clean' machine with the AV fully updated, then
scan it there. When I've done that in the past, about 25% of the time, there
were many infected files in the OS, and it was un-bootable after the scan
removed the files...so be careful. Worst case, scan, backup, erase, put it
back in the original system, reinstall Windows. I know...hours and hours of
work...but at least you know it's clean.


s...@mailinator.com

Apr 3, 2005, 12:19:49 AM
Thanks again Toolman,

I will try one more method: restoring the registry to a week or month
back and seeing if that helps me (I know it is a very faint hope since the
problem is not caused by faulty registry entries but by a worm, so I doubt it
will work). If it does not, I think what you have told me is the only
option. But then I need to be careful that the infected drive does not
infect another clean machine with the worm and cause me more problems.


Thanks for your help.
