W32/Sdbot.worm!ftp Can't get rid of it... Win2003 SP1 INSTALLED

Posted on 2006-03-30
Last Modified: 2010-08-05
Can't get rid of W32/Sdbot.worm!ftp
I keep getting a message in Event Viewer from McAfee saying it caught an infected file 'c:\winnt\system32\tt' that's infected with W32/Sdbot.worm!ftp.

This is the only computer on the network to get this virus message. I already tried to install the patch, but I already have SP1 installed so it didn't let me re-install.
As I don't have any idea of what to do, I decided to remove Search and Destroy Bot (spyware remover) since its initials are SDbot, but I don't know the results of this change yet.

McAfee Virus Scan
Virus Def. 4728
Scan Engine. 4400
Question by:nagib

    Expert Comment

    The worm may have installed an ftp server on your system. I would look for anything unusual that is installed or running as follows:

     Download and run Autoruns from:
     Use Options -> Hide Microsoft Entries to reduce the display.
     Look for anything unusual.
     If not sure, save the log to a text file and cut and paste it here.

    Second, maybe a good idea to download RootkitRevealer from:
    and scan your system. If anything interesting post it here (but don't post the entire log if it is very big)

    Third, review what patches your server might need by running MBSA from:

    Expert Comment

    Information on what you have.
    McAfee removal instructions. (Does not state to perform in Safe Mode but I suggest you try.)
    Microsoft Security Bulletin concerning this issue (2004).

    Author Comment

    Forgot to say I am Running SQL2000 SP3

    Accepted Solution

    "..Running SQL2000 SP3"

    You probably should upgrade to SP4. I believe there are a number of weaknesses in SP3.

    Also want to make sure important passwords are long and hard to guess.

    Review usernames on the server; sometimes hackers will create a bogus username for later break-ins.

    Author Comment

    Automatic Update is ON

    All of your r-k suggestions end up with a huge txt list and I couldn't find anything strange on it

    Expert Comment

    If you're saying that the RootkitRevealer scan results in a big list, save that to a text file, then examine carefully the first 50 lines or so in that. If you find anything that refers to a device driver, perhaps a *.sys or *.dll file, that may be a hint of trouble so please post that section here.

    In Autoruns you can select the Options -> Hide Microsoft Entries and that should reduce the list to a manageable size.

    Author Comment

    Guys, I solved the problem by closing the port number 1433 (SQL port) and the virus did not bother me again.  
    Nagib Melo
    Belém - Para - Brasil
    The place of girls, parties and stuff... :)
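
An added example, not part of the original thread: one way to check the two exposures discussed above (the SQL port 1433 the author closed, and the FTP server the first expert comment warns about) from saved `netstat -ano` output. The sample output, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re

# Ports from this thread: 1433 (SQL Server, closed by the author) and
# 21 (FTP, which the first expert comment suggests the worm may open).
WATCH_PORTS = {1433: "SQL Server", 21: "FTP"}

# Constructed sample of Windows `netstat -ano` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING       1520
  TCP    192.0.2.10:1433        198.51.100.7:4312      ESTABLISHED     1520
  UDP    0.0.0.0:1434           *:*                                    1520
"""

LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
CONN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):\d+\s+ESTABLISHED\s+\d+\s*$")

def parse_listeners(text):
    """Return (address, port, pid) for each TCP socket in LISTENING state."""
    rows = (LISTEN.match(line) for line in text.splitlines())
    return [(m.group(1), int(m.group(2)), int(m.group(3))) for m in rows if m]

def exposed(listeners, watch=WATCH_PORTS):
    """Keep watched ports bound to a non-loopback address."""
    hits = []
    for addr, port, pid in listeners:
        loopback = addr.startswith("127.") or addr == "[::1]"
        if port in watch and not loopback:
            hits.append((watch[port], addr, port, pid))
    return hits

def remote_peers(text, port=1433):
    """Remote addresses with an ESTABLISHED connection to a local port."""
    rows = (CONN.match(line) for line in text.splitlines())
    return sorted({m.group(2) for m in rows if m and int(m.group(1)) == port})

if __name__ == "__main__":
    for name, addr, port, pid in exposed(parse_listeners(SAMPLE)):
        # The PID can be matched to a process name with `tasklist`.
        print(f"{name} listener on {addr}:{port} (PID {pid})")
    print("Peers connected to 1433:", remote_peers(SAMPLE))
```

A listener on port 21 owned by a PID that is not a known FTP service is the kind of entry to cross-check against the Autoruns list.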
