please help with a virus problem?

Discussion in 'malware problems & news' started by tsla1, Sep 14, 2003.

Thread Status:
Not open for further replies.
  1. tsla1

    tsla1 Registered Member

    Joined:
    Sep 14, 2003
    Posts:
    3
    Running AVG on my Windows ME (insert joke here), it finally found a virus it couldn't fix. The virus found is IRC/BackDoor.SdBot.
    I've tried the online scan with Trend Micro and it found it as well. The infected file is C:\WINDOWS\SYSTEM\SYS32AB.EXE

    Apparently the system file is always in use and the only other time I tried to tinker with a system file resulted in a hard drive reformatting.
    I was just wondering if this file is possible to fix or replace by a fairly novice operator. :doubt:
     
  2. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Well, first do a Ctrl+Alt+Delete and see if the file is running; if it is, shut it down, attempt to repair it, or maybe one of the antivirus sites has a removal tool? I'm not too sure. If you're running AVG, how did you get it in the first place? Mine stopped it from infecting me, with my 9/11/03 update :doubt: Also, if it's not in Ctrl+Alt+Delete, go to http://www.sysinternals.com/ntw2k/freeware/procexp.shtml and download Process Explorer, run that, see if it's running, if it is, kill the process as stated before, and try to repair.. Sorry, I'm a relative n00bie myself at this stuff, but getting better every day. I do however know a little bit more about viruses and stuff than firewalls :doubt:
     
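    The order Comp01 describes, and tsla1 confirms in the next reply, is the usual one for a file the scanner reports but cannot touch: find the process running from that file, terminate it, and only then let the scanner move the file into its vault, since Windows will not let a running executable be moved. The block below is an added example, not code from the thread, from AVG or from Process Explorer. It models that order on a constructed process table (the PIDs and the other entries are made up; only the file name comes from the thread), refuses to quarantine while any process still maps the flagged image, and writes a small record beside the vaulted copy. The `.vir` naming and the JSON record format are assumptions of this example.

```python
"""Model of the cleanup sequence from the thread: a flagged file cannot be
quarantined while a process still runs from it, so find and terminate the
process first, then move the file into a "virus vault" with a record.
The process table and the stand-in file are constructed for this example."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import PureWindowsPath

# Constructed process table in the shape Process Explorer shows: (pid, name,
# image path). SYS32AB.EXE is the file name from the thread; everything else
# here is made up.
SAMPLE_PROCESSES = [
    (4, "KERNEL32.DLL", r"C:\WINDOWS\SYSTEM\KERNEL32.DLL"),
    (112, "EXPLORER.EXE", r"C:\WINDOWS\EXPLORER.EXE"),
    (287, "sys32ab.exe", r"C:\WINDOWS\SYSTEM\SYS32AB.EXE"),
]


def normalize_win_path(path):
    """Windows paths are case-insensitive and accept either separator, so
    compare on a lowercased, forward-slash form."""
    return PureWindowsPath(path).as_posix().lower()


def find_processes_using(processes, image_path):
    """Return the PIDs of every process whose image is the flagged file."""
    target = normalize_win_path(image_path)
    return [pid for pid, _name, image in processes
            if normalize_win_path(image) == target]


def sha256_of(path):
    """Hash the file in chunks so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine(local_path, reported_path, processes, vault_dir):
    """Move the flagged file into vault_dir and write a record next to it.

    local_path is where the file really is on the machine running this code;
    reported_path is the Windows path the scanner reported, used for the
    in-use check and kept in the record. Refusing while a process still runs
    from the file is the failure AVG hit before the process was killed."""
    still_running = find_processes_using(processes, reported_path)
    if still_running:
        raise RuntimeError(
            f"{reported_path} is in use by PID(s) {still_running}; terminate first")
    os.makedirs(vault_dir, exist_ok=True)
    digest = sha256_of(local_path)
    # A .vir name (assumed convention) keeps the vaulted copy from being run.
    vaulted = os.path.join(vault_dir, f"{digest[:16]}.vir")
    shutil.move(local_path, vaulted)
    record = {"original_path": reported_path, "sha256": digest, "vaulted_as": vaulted}
    with open(vaulted + ".json", "w") as fh:
        json.dump(record, fh)
    return record


def cleanup(local_path, reported_path, list_processes, terminate, vault_dir):
    """The full sequence: terminate every process using the file via the
    supplied callback, re-read the process table, then quarantine."""
    for pid in find_processes_using(list_processes(), reported_path):
        terminate(pid)
    # Re-read rather than assume the terminate call succeeded.
    return quarantine(local_path, reported_path, list_processes(), vault_dir)


def run_demo():
    """Exercise the sequence on a constructed file in a temp directory and
    return what happened so it can be inspected or asserted on."""
    work = tempfile.mkdtemp(prefix="vault_demo_")
    vault = os.path.join(work, "vault")
    local = os.path.join(work, "SYS32AB.EXE")
    with open(local, "wb") as fh:
        fh.write(b"MZ constructed stand-in for the flagged file, not real code\n")
    table = list(SAMPLE_PROCESSES)
    reported = r"C:\WINDOWS\SYSTEM\SYS32AB.EXE"
    result = {"blocked_pids": find_processes_using(table, reported), "refused": False}
    try:
        quarantine(local, reported, table, vault)   # expected to refuse: still "running"
    except RuntimeError:
        result["refused"] = True

    def terminate(pid):                            # simulated kill: drop it from the table
        table[:] = [entry for entry in table if entry[0] != pid]

    record = cleanup(local, reported, lambda: table, terminate, vault)
    result["record"] = record
    result["original_gone"] = not os.path.exists(local)
    result["vault_hash_matches"] = sha256_of(record["vaulted_as"]) == record["sha256"]
    with open(record["vaulted_as"] + ".json") as fh:
        result["record_on_disk"] = json.load(fh)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

    The `terminate` callback is where a real tool would call TerminateProcess (or os.kill elsewhere); the example keeps it as a table edit so it runs anywhere. The Ctrl+Alt+Del dialog on Windows 9x/ME does not list processes that have registered themselves as services, which is why Comp01's fallback to Process Explorer matters: the in-use check here is only as good as the process table it is given.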
  3. tsla1

    tsla1 Registered Member

    Joined:
    Sep 14, 2003
    Posts:
    3
    :eek: Thanks Comp01... That Sysinternals proggie is pretty neat. I had tried several startup and shutdown programs, but none of them could find that particular system file.
    My last update with AVG was on the first of the month. On a dial-up connection, I check for updates manually, usually once a week. (maybe more often now...)

    Anyhow, after killing the process AVG could place the infected file in its "virus vault", so hopefully that will be the end of the problem.

    Thanks again :D
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Since you're on Win ME, make sure when you're clean to disable System Restore, reboot, check if you're still clean, enable System Restore, manually make a new restore point, and you might like to reboot and check that the new point works properly before continuing happily on your clean system.
    Spybots are more in the trojan area than in viruses, in my opinion :)
    If you look at the DiamondCS site you'll find in the free tools the AutostartViewer, which enables you to look at and kill processes and their registry keys. You might like to give that a try too.
     
  5. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Where do you want your joke in that line?
    This last major worm outbreak didn't touch your machine. The RPC-DCOM vulnerability only affects Windows NT+ systems (although there's a SecurityFocus report, undocumented, indicating otherwise)...
     
  6. tsla1

    tsla1 Registered Member

    Joined:
    Sep 14, 2003
    Posts:
    3
    Thanks for the reminder about the system restore. :)

    The infection seemed a lot more characteristic of a Trojan to me also, but my trojan remover didn't even pick up a problem... :doubt:

    I'm still not even sure if it was picked up via e-mail or scripting. I usually don't even open mail unless I know the sender, and haven't opened anything at all for a good while. Due to fantasy football season I've been doing a lot of surfing and downloading using med. security (ActiveX enabled), which is why I think it might have been a script.

    The Win ME OS works fine for my purposes (graphics, music, and games), but it seems that techies in general have nothing but scorn for it. Something about no access to DOS really seems to aggravate programmers. Thus the (insert joke here) line.

    Thanks again guys... :D
     