W32/Sdbot.worm!ftp Can't get rid of it... Win2003 SP1 INSTALLED

Can't get rid of W32/Sdbot.worm!ftp
I keep getting a message in Event Viewer from McAfee saying it caught an infected file 'c:\winnt\system32\tt' that's infected with W32/Sdbot.worm!ftp.

This is the only computer on the network to get this virus message. I already tried to install the patch, but I already have SP1 installed so it didn't let me re-install.
As I don't have any idea of what to do, I decided to remove Search and Destroy Bot (spyware remover) since its initials are SDbot, but I don't know the results of this change yet.

Running:
WINDOWS 2003 SERVER SP1
McAfee Virus Scan
Virus Def. 4728
Scan Engine. 4400
nagibAsked:

r-kCommented:
The worm may have installed an ftp server on your system. I would look for anything unusual that is installed or running as follows:

 Download and run Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html
 Use Options -> Hide Microsoft Entries to reduce the display.
 Look for anything unusual.
 If not sure, save the log to a text file and cut and paste it here.

Second, maybe a good idea to download RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html
and scan your system. If anything interesting post it here (but don't post the entire log if it is very big)

Third, review what patches your server might need by running MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
0
David-HowardCommented:
Information on what you have.
http://vil.mcafeesecurity.com/vil/content/v_128082.htm#top
Mcafee removal instructions. (Does not state to perform in Safe Mode but I suggest you try.)
http://vil.nai.com/vil/content/v_128685.htm#RemovalInstructions
Microsoft Security Bulletin concerning this issue (2004).
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
:-)
0
nagibAuthor Commented:
Forgot to say I am Running SQL2000 SP3
0
r-kCommented:
"..Running SQL2000 SP3"

You probably should upgrade to SP4. I believe there are a number of weaknesses in SP3.

Also want to make sure important passwords are long and hard to guess.

Review usernames on the server; sometimes hackers will create a bogus username for later break-ins.
0

nagibAuthor Commented:
Automatic Update is ON

All of your suggestions, r-k, end up with a huge txt list and I couldn't find anything strange on it
0
r-kCommented:
If you're saying that the RootkitRevealer scan results in a big list, save that to a text file, then examine carefully the first 50 lines or so in that. If you find anything that refers to a device driver, perhaps a *.sys or *.dll file, that may be a hint of trouble so please post that section here.

In Autoruns you can select the Options -> Hide Microsoft Entries and that should reduce the list to a manageable size.
0
nagibAuthor Commented:
Guys, I solved the problem by closing the port number 1433 (SQL port) and the virus did not bother me again.  
Thanks,
Nagib Melo
Belém - Para - Brasil
The place of girls, parties and stuff... :)
0
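
The thread turns on two network-facing questions: whether the worm left an extra service (such as an FTP server) listening, and who could reach SQL Server on port 1433. The following is an added example, not code from the thread or from any participant: it triages `netstat -ano` output for listeners outside an expected set and lists remote peers connected to a given port. The sample output, the expected-port set, and all function names are assumptions made for illustration.

```python
# Constructed sample of `netstat -ano` output (not from the poster's server).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1844
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       2200
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1433      203.0.113.7:4312       ESTABLISHED     1520
  UDP    0.0.0.0:1434           *:*                                    1520
"""

# Assumption: the ports this host is meant to offer to the network.
EXPECTED_PORTS = {135, 139, 445}
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_rows(text):
    """Yield (proto, local_addr, local_port, foreign, state, pid) per socket row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        addr, _, port = f[1].rpartition(":")  # rpartition copes with [::]:445
        state = f[3] if f[0] == "TCP" else ""  # UDP rows have no state column
        yield f[0], addr, int(port), f[2], state, int(f[-1])


def unexpected_listeners(text, expected=EXPECTED_PORTS):
    """Network-reachable listeners on ports outside the expected set."""
    return [(p, a, port, pid) for p, a, port, _, state, pid in parse_rows(text)
            if (p == "UDP" or state == "LISTENING")
            and a not in LOOPBACK and port not in expected]


def remote_peers(text, local_port):
    """Remote addresses with an established TCP session to local_port."""
    return sorted({fgn.rpartition(":")[0]
                   for p, _, port, fgn, state, _ in parse_rows(text)
                   if p == "TCP" and state == "ESTABLISHED" and port == local_port})


if __name__ == "__main__":
    for proto, addr, port, pid in unexpected_listeners(SAMPLE):
        print(f"{proto} {addr}:{port} owned by PID {pid}")
    print("peers on 1433:", remote_peers(SAMPLE, 1433))
```

Each reported PID can be matched to its process and services with `tasklist /svc` before deciding whether the listener is legitimate.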