SdBot variant

Guest

Hi, several coworkers and myself seem to have picked up a tough version of
SdBot, which is detected by WD (and little else - thank you WD!!). Although
WD removes the primary SdBot file, winmon.exe from WINDOWS/system32, the file
is replaced upon the next boot. We're aware of the usual instructions for
removing associated registry keys that reinstall winmon.exe, but those don't
seem to exist in our registry - yet the file reappears without fail upon
rebooting. If it was just one or two of us, we'd reinstall Windows, but
several of us (and some servers too) have this monster. Any suggestions?
 
Bill Sanderson MVP

Have you tried cleaning in safe mode, with both Windows Defender (check in
Help, About to see if you are on 1347, the top version number; if not, do a
new download from the download center and run it--it will upgrade)?

After the upgrade, check that you are on the latest definitions--I'd go by
Windows Update.

Then update your antivirus application as well, restart Windows in safe
mode, and scan with both the antivirus app and Windows Defender.
 
