removing w32/sdbot.worm.gen

Operating system: Win2k with Service Pack 4
Computer brand name: Dell
Model number: Inspiron Optiplex G100
The last time the system/device was working normally: one week ago

Cannot post logs from Event Viewer as I cannot view them myself (maybe because of the worm or something, I don't know. I open the Event Viewer and see a number of errors for Disk, Bdsrv (don't remember this word exactly), but when I try to right-click and see the properties no screen opens).

What I did
/////////////////////////////

I was using McAfee ver 7.0 Enterprise Edition, which I regularly updated and used to scan my machine. I am connecting to the Internet through a LAN and the LAN is behind a firewall. I got the most recent Stinger tool from McAfee's website but that could not find anything. I upgraded to McAfee Beta version 8, which detects the worm and deletes its infected files but still cannot remove it (i.e. it deletes an infected .exe file but another .exe gets infected in an hour or so).

I followed the thread at
http://groups-beta.google.com/group/microsoft.public.win2000.general/browse_frm/thread/368051af1bdb57b4/d93fc3a153116015?q=w32%2Fsdbot.worm.gen&rnum=28#d93fc3a153116015
Did everything they told me to.

Ran the Trend Sysclean package as instructed on the Trendmicro website but that could not find anything (its Sysclean log says no viruses found, and after some time McAfee reports that it deleted a file infected by w32/sdbot.worm.gen). Went to houecall.trendmicro.com and used their free scan but that also could not find anything.

Rebooted in safe mode, removed all suspicious files which were in the startup list from the registry, removed infected exe files masqueraded as legitimate Windows files by the worm from the registry, cleaned my temp folder and Internet Temporary files folder, cleared my history and cookies, used the most recent version of CWSShredder, and ran Adaware, Spybot Search and Destroy and HijackThis with updated definitions, but that could not help me.

My machine was fully patched, as I go to Windows Update and regularly apply the critical updates, but now after the infection I cannot go to the Windows Update site. I had default admin shares on my C drive (so I think an infected machine on my network may have infected mine), which I have now disabled. I cannot open Add/Remove Programs in Control Panel to see if any unwanted programs are there (when I try to open it I get a window with no entries of any programs). I have ZoneAlarm free edition installed but even then I am unable to remove the worm. After the infection I unplugged my machine from the network and connected only to go to the Windows Update site, which was not successful.

I went to these sites and ran their scans
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.kaspersky.com/remoteviruschk.html
http://security.symantec.com/sscv6/default.asp
http://www.pandasoftware.com/activescan/activescan.asp
http://commandondemand.com/eval/index.cfm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
http://www.pcpitstop.com/antivirus/default.asp
http://scan.sygatetech.com/prestealthscan.html
but that could not help me. Now the worm has disabled even my going to those sites. I cannot go to any such site and start the ActiveX control to start a scan.

I ran the scans in normal and safe mode, connected and disconnected from the network, but to no avail. The scans are set for all files, compressed files, and also to decode MIME files. Msconfig does not work for me. Sysedit does not show anything suspicious. But going to the registry I removed the suspicious program entries in safe mode. Also, using the Advanced mode of Spybot Search and Destroy I inspected the programs in startup but everything seems normal. I still don't know where the worm may be hidden. I selected the option of showing all files (even the operating system files) but still cannot find the reason.

I have to try restoring the registry to a week or a month back and see if that helps me (I know the chance is very faint since the problem is caused not by faulty registry entries but by a worm, so I doubt it will work). If it does not, I think what I have been told in the 24hr support helpdesk at
http://groups-beta.google.com/group/24hoursupport.helpdesk/browse_frm/thread/01ce866fc8db40fd/c15b417c11c64c81#c15b417c11c64c81
is the only option.
////////////////////////////

My apologies for posting this in 24hr support helpdesk, dirverzone.com and then here. I don't mean to make anybody upset but I need help, and the options suggested in that group could not help me. I would appreciate any ideas in helping me or pointing me to the right newsgroup.

Thanks for your help.


Time to blow it away and start a new install. To do a clean install, either boot the Windows 2000 install CD-Rom or setup disks. The set of four install disks can be created from your Windows 2000 CD-Rom; change to the \bootdisk directory on the CD-Rom and execute makeboot.exe (from dos) or makebt32.exe (from 32 bit) and follow the prompts.

When you get to the point, delete the existing NTFS and/or other partitions found. After you delete the partition(s) abort the install, then again restart the pc booting the CD-Rom or setup disks to avoid unexpected drive letter assignments with your new install.

Be sure to apply these to your new install before connecting to any network.
http://download.microsoft.com/download/E/6/A/E6A04295-D2A8-40D0-A0C5-241BFECD095E/W2KSP4_EN.EXE
http://www.microsoft.com/technet/security/bulletin/MS03-043.mspx
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx

-- 
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


Thanks Dave,

The machine has two physical hard disks (Disk 1 and Disk 2). Disk 1 contains the infected Win2k. To be on the safe side, do I have to format both of them (Disk 1 and Disk 2) and do a clean install of Win2k on Disk 1, or if I do a format and then a clean install on just Disk 1 will I be fine? I am sorry if the question is unclear or silly, but the thing is now I cannot copy something from one location to another, i.e. from Desktop to C drive, even though I have permissions and space (even the DOS command does not do that). That machine does not have a CD writer. So the only way to get the files I need is through a network from Disk 2 (which is also highly risky considering the worm has deeply infected the OS) or to do a disk-to-disk transfer, which I don't want to do for fear of endangering another machine. So I am puzzled. I was told to back up, and I did move all the files I needed from Disk 1 to Disk 2 in case I need to format and reinstall on Disk 1.

But now the problem is, if I leave Disk 2 unformatted, can I catch the infection again once I do a clean install on Disk 1?

And what is the safest way for me to get the files, and not the worm again, from the backed-up files?

Thanks for your help.


In most cases you should be OK doing the clean install on the first disk, install your anti-virus, update the definitions and scan the other disk before doing anything with the files.

-- 
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
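
Added example, not part of the thread: a Python pre-restore check to run from the clean install alongside the anti-virus scan of the second disk. It sorts the backed-up files by content, so a Windows executable stored under a data-file name is held back instead of copied over. The extension list and the sample backup tree are assumptions constructed for the example.

```python
import os
import struct
import tempfile

# Assumed list for this example: extensions Windows runs or interprets on open.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".dll"}

def is_pe(path):
    """True if the file content is a Windows PE image, whatever its name says."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        (pe_off,) = struct.unpack_from("<I", head, 0x3C)  # e_lfanew field
        f.seek(pe_off)
        return f.read(4) == b"PE\0\0"

def triage(root):
    """Split files under root into (hold_back, data) lists of relative paths."""
    hold_back, data = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            try:
                risky = ext in RISKY_EXT or is_pe(full)
            except OSError:
                risky = True  # unreadable: treat as suspect, do not restore
            (hold_back if risky else data).append(rel)
    return sorted(hold_back), sorted(data)

def build_sample(root):
    """Constructed sample tree: a text file, a PE stub named .txt, and a .scr."""
    pe_stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    samples = {"notes.txt": b"meeting notes\n",
               "readme.txt": pe_stub,  # executable content under a data-file name
               "docs/photo.scr": b"not really a screensaver"}
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Files listed as plain data can still carry macro or script content, so the check narrows what gets copied back and does not replace the scan.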