Help - how do I get rid of this Trojan

A Virus Scan with AVG revealed a trojan/backdoor described as 'Trojan Horse IRC/Backdoor/SdBot.27.BK' in 'C:WINDOWS/SETTINGS22/LSRV.EXE'. Following the scan, I receive constant pop-ups telling me about the trojan and advising me to use AVG to deal with it. However, AVG refuses to deal with the file.

Does anyone know what all this means? What do I have to do to deal with it?

Please help!

 

Hi thebluerabbit

Welcome to Wilders.

Try and clean it with one of these free online scans,

http://housecall.trendmicro.com/housecall/start_corp.asp

http://www.wilders.org/free_services.htm

http://www.kaspersky.com/remoteviruschk.html

Post back and let us know if u were successful.



snowbound

 

Thanks for the suggestions - unfortunately they have not worked. They identify the trojan, but won't remove it because it is in a protected file.

It is described as a Trojan Horse IRC/Backdoor.SDbot.27.BK in the C/WINDOWS/SYSTEM32/LSRV.EXE file.

What can I do?

 

ok,

Follow the instructions here,

https://www.wilderssecurity.com/showthread.php?t=15913

then post your HijackThis log in the hijack cleaning forums with a full description of your problem and one of the experts will give u recommendations on how to clean out this Malware.


snowbound

 

if 'lsrv.exe' is running as a process in task manager you can try to stop it and then remove lsrv.exe file.

 

Before learning of more sophisticated methods, I found that changing the extension of a bad ".exe" file to ".txt" turns an executable file into a text file which will not execute. This is also true of ".dll" files that are protected, as well. This is a "quick fix" that works only until the same evil file is reloaded onto your computer at a later time, however.

 

I have exactly the same problem...

 

The second piece of advice didnt work either as HiJack is disabled by the Trojan

 

try this, rename your hijackthis program file or just reboot in safe mode of windows and then scan again with your av program

 

Is it this http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.WY. Try to get exact name of it by running a online scan. Here is some online scans
http://housecall.antivirus.com/housecall/start_corp.asp
http://www.mcafee.com/myapps/mfs/default.asp http://security1.norton.com/ssc/vc_scan.asp?langid=us&venid=sym&plfid=23&pkj=GRCBPWFYJOKMFIDPMSV http://www.bitdefender.com/scan/licence.php http://www.pcpitstop.com/antivirus/default.asp http://www.pandasoftware.com/activescan/com/
Or try stinger http://vil.nai.com/vil/stinger/

 

I have the same problem with this virus except mine seems very weird. I just finished formatting and I put on windows. The only things I installed were my Nvidia drivers and then Norton Anti-virus. I was only connected to the internet for about 50 sec. before I installed Norton. About 1 minute later Norton detected thins virus. How could I have got this virus so quickly on a pure windows format and install? When I search for the lsrv.exe file, I can't find it anywhere, even after selecting to view all folder hidden and system files. I looked where Norton told me to look but there is nothing there.

 

Hey Raiden,

An infection like the one you mention can happen JUST that fast. No, it wasn't your files or Windows install that were infected, as soon as you connect to the internet, if you have no firewall running (turn on the Internet Connection Firewall--ICF--for the easiest solution), and have not installed all current Windows Updates, you will likely get infected within minutes, as diferent crapware will enter through unpatched holes in XP. I know what you're thinking; ok, so HOW am I to update Windows if I can't get online? One way is to download all the patches (obviously on another computer that is updated) from Microsoft--that is a true pain. Another is to order their Security Update CD, which is free, but is only up to date through February of 2004. In theory, a firewall SHOULD protect you and allow you to download these updates straight from the Windows Update website, but I don't know how well this works in practice. There are also ways to "slipstream" a brand new XP install (have the updates installed as you install your brand new copy of XP), but I haven't tried it. You could search here or Google for more info. Any other differing opinions than mine are welcome...

 

Thank you very much Phillyphil, I will try those suggestions!