Bkdr.sbot.gen Help needed.


Dave Croft

I am running 98SE with EZ-AntiVirus and Zone Alarm firewall so
I thought I was safe.
Someone on this group suggested trying Trend Micro's Housecall.
When I tried it, it said that I was infected with Bkdr.sbot.gen in
C:\windows\system\winservices.exe. This wasn't cleanable.
I immediately did a scan with EZ-AV which came up as clear.
Does anyone know where I go next? (I am not an expert in any way)
TIA

--
Dave Croft
Warrington
England
http://www.oldengine.org/members/croft/homepage/
http://community.webshots.com/user/crftdv
 

Sure it wasn't Bkdr.sdbot.gen ??
You can read a description of sdbot and see if you have any of the
files and registry entries:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html

You can also upload suspect files for av scanning:

http://www.claymania.com/anti-virus.html

Especially try KAV.


Art
http://www.epix.net/~artnpeg
 

http://www.megasecurity.org/trojans/s/sbot/Sbot1.0.html
Presumably the version that uses winservices.exe is 1.2 or 2.0, or
the filename is programmable in those versions.

Dave, without knowing exactly how this file is starting, I'd advise
you to not just delete the file - instead get Trojan Remover from
http://www.simplysup.com/tremover/ It will also take care of any
registry, win.ini, system.ini, and autoexec.bat changes - you'll be
fine just accepting the defaults and letting it do its thing.

Carol
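Carol's point about the autostart locations a cleaner has to check (win.ini, system.ini, autoexec.bat, besides the registry) is worth making concrete. The checker below is an added example, not code from anyone in this thread or from Trojan Remover: it parses constructed copies of those files, flags Windows 9x autostart keys whose value differs from the stock default, and lists every line that names the suspect file. The sample file contents and the stock values (empty load=/run=, shell=Explorer.exe) are assumptions made for the example.

```python
# Constructed sample config files for this example (not taken from the thread):
# win.ini carries a suspect run= entry, system.ini and autoexec.bat are clean.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\winservices.exe
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe
"""
AUTOEXEC_BAT = """@ECHO OFF
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
"""

# Win9x autostart keys and their assumed stock values: win.ini [windows]
# load=/run= are normally empty, system.ini [boot] shell= is Explorer.exe.
AUTOSTART_KEYS = {
    "win.ini": {"windows": {"load": "", "run": ""}},
    "system.ini": {"boot": {"shell": "explorer.exe"}},
}

def parse_ini(text):
    """Parse INI text into {section: {key: value}}, lower-casing names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def unexpected_autostarts(name, text):
    """Return (section, key, value) for autostart keys that differ from stock."""
    sections, findings = parse_ini(text), []
    for section, keys in AUTOSTART_KEYS.get(name, {}).items():
        for key, expected in keys.items():
            value = sections.get(section, {}).get(key, "")
            if value.lower() != expected:
                findings.append((section, key, value))
    return findings

def references_to(suspect, files):
    """Return (file, line) pairs for lines in any file naming the suspect."""
    needle = suspect.lower()
    return [(name, line.strip()) for name, text in files.items()
            for line in text.splitlines() if needle in line.lower()]
```

A hit from either function tells you how the file is being started, which is the information Carol says you want before deleting it.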
 

Thanks everyone for the help.
It is Bkdr.sdbot.gen (I will have to clean my glasses) 8^)
I have loaded the Trojan Remover that Carol recommended
but that tells me I have no infection.
Housecall still tells me I have the infection.
Is there another program for a third opinion?
--
Dave Croft
Warrington
England
http://www.oldengine.org/members/croft/homepage/
http://community.webshots.com/user/crftdv
 

Did you upload the suspect file for av scanning as I suggested? Did
you send a copy of it to Trend for analysis? Have you tried scanning
with F-Prot DOS? Or one of the other on-line av scanners listed on the
claymania link I gave?


Art
http://www.epix.net/~artnpeg
 

Thanks Art, I uploaded the Winservices.exe to Kaspersky.
It confirmed the infection. I am now going to pass the problem
over to a friend & give him the info I have been given here.
He has more computer ability than me & if anyone needs to alter
the registry, I trust him more than I do myself.
Thanks again,
 

Good. Tell your friend that Trend's Sysclean has cleaning ability for
several different variants of sdbot. You can download a program from
my web site which will in turn d/l the required files and update
Sysclean.

You're welcome.


Art
http://www.epix.net/~artnpeg
 
You know I tried to locate that program on Trend's site and couldn't. Where
should I be looking?
 

Here:

http://www.trendmicro.com/download/dcs.asp

You need both sysclean.com and the latest pattern file. That's partly
why I created a little proggy (to make it convenient) which downloads
them both and acts as an updater of both. Trend updates sysclean.com
periodically as well so it's important to get the latest of both.


Art
http://www.epix.net/~artnpeg
 

Thanks. Found it. Installed. Works nicely on my NTFS machines.
 
Just a results posting. We followed Trend's instructions
about the registry OK but when we tried to delete
windows/system/winservices.exe it wouldn't go despite
trying several methods.
My friend noticed that I had McAfee Uninstaller on the machine
so we tried it & it worked first time. I must keep McAfee on the machine.
Thanks for the help everybody!

--
Dave Croft
Warrington
England
http://www.oldengine.org/members/croft/homepage/
http://community.webshots.com/user/crftdv
 