Win32ssr.exe virus

Put this reg file on an accessibel network share (preferably in your netlogon on your DC):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003

Also put instsrv.exe (which is a part of the Windows Resource Kit, which is freely available for download from Microsoft's website) in the same folder.
For the rest of these instructions we'll suppose you saved the files as: \\server\neetlogon\scripts\regchg1.reg and \\server\netlogon\scripts\instsrv.exe (change them in the following batch file to the real location). If your network has any Windows 2000 computers you will also need shutdown.exe from the reskit. Put it in the same folder.

Now create the following batch file and install it on yur domain as a script:

@echo off
REM W32.SdBot.AOS elimination scriptstartup
if not exist %systemroot%\win32ssr.exe goto end
REM Stop the worm service
net stop Win32Sr
REM Remove the worm service
\\server\netlogon\scripts\instsrv.exe Win32Sr REMOVE
REM Delete the worm
del %systemroot%\win32ssr.exe
REM Undo changes made to the registry
regedit /s \\server\netlogon\scripts\regchg1.reg
REM Restart the computer
\\server\netlogon\scripts\shutdown.exe /r
:end

Now create the following batch file and install it on your domain as a *startup* script