nagib
asked on
W32/Sdbot.worm!ftp Can't get rid of it... Win2003 SP1 INSTALLED
Can't get rid of W32/Sdbot.worm!ftp
Keep getting a message in Event Viewer from McAfee saying it caught an infected file 'c:\winnt\system32\tt' that's infected with W32/Sdbot.worm!ftp.
This is the only computer on the network to get this virus message. I already tried to install the patch, but I already have SP1 installed, so it didn't let me re-install.
As I don't have any idea of what to do, I decided to remove Search and Destroy Bot (spyware remover) since its initials are SDbot, but I don't know the results of this change yet.
Running:
WINDOWS 2003 SERVER SP1
McAfee VirusScan
Virus definitions: 4728
Scan engine: 4400
Information on what you have.
http://vil.mcafeesecurity.com/vil/content/v_128082.htm#top
McAfee removal instructions. (Does not state to perform in Safe Mode, but I suggest you try.)
http://vil.nai.com/vil/content/v_128685.htm#RemovalInstructions
Microsoft Security Bulletin concerning this issue (2004).
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
:-)
ASKER
Forgot to say I am Running SQL2000 SP3
ASKER
Automatic Update is ON
All of your rootkit suggestions end up with a huge txt list and I couldn't find anything strange in it.
If you're saying that the RootkitRevealer scan results in a big list, save that to a text file, then examine carefully the first 50 lines or so in that. If you find anything that refers to a device driver, perhaps a *.sys or *.dll file, that may be a hint of trouble so please post that section here.
In Autoruns you can select the Options -> Hide Microsoft Entries and that should reduce the list to a manageable size.
ASKER
Guys, I solved the problem by closing the port number 1433 (SQL port) and the virus did not bother me again.
Thanks,
Nagib Melo
Belém - Para - Brasil
The place of girls, parties and stuff... :)
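The asker reports that closing TCP 1433 stopped the reinfection. Before and after making that change, a practitioner would want to confirm what SQL Server is actually listening on and whether the port is still reachable from the network. The script below is an added example, not code from this thread or from McAfee or Microsoft. It parses a Windows `netstat -an` dump (the sample here is constructed, not captured from the asker's server) and flags SQL Server's default ports, TCP 1433 and UDP 1434, when they are bound to every interface (0.0.0.0); the optional live probe assumes you run it from a second host to verify the block took effect.

```python
"""Flag SQL Server listeners exposed on all interfaces in a `netstat -an` dump.

Added example, not from the original thread. The netstat text below is
constructed to resemble Windows Server 2003 `netstat -an` output. The ports
(TCP 1433, UDP 1434) are SQL Server's defaults; a named instance may differ.
Usage on a real dump:  netstat -an > netstat.txt
                       python sql_exposure.py netstat.txt [server-ip]
"""
import socket
import sys

# Default SQL Server ports (assumption: default instance, not a custom port).
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}

# Constructed sample dump (not the asker's real output).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1433      10.0.0.7:4521          ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    192.168.1.10:137       *:*
"""


def parse_listeners(text):
    """Return [(proto, bind_addr, port)] for every listening socket.

    TCP sockets count only in state LISTENING; UDP lines carry no state,
    so every UDP line is a listener.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        addr, _, port = local.rpartition(":")  # also copes with [::]:1433
        if not port.isdigit():
            continue
        if proto == "TCP" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def exposed_sql_listeners(text):
    """SQL ports bound to 0.0.0.0, i.e. reachable on every interface."""
    return [l for l in parse_listeners(text)
            if (l[0], l[2]) in SQL_PORTS and l[1] == "0.0.0.0"]


def tcp_port_open(host, port, timeout=2.0):
    """Live check from another machine: does a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for proto, addr, port in exposed_sql_listeners(text):
        print("EXPOSED: %s %s:%d is bound on all interfaces" % (proto, addr, port))
    if len(sys.argv) > 2:
        print("TCP 1433 reachable from here:", tcp_port_open(sys.argv[2], 1433))
```

Run the probe from a machine on the other side of the firewall rule: a `False` after the change and a `True` before it is the evidence that the port is really closed to the network, rather than just absent from a local listing. Blocking the port stops inbound attempts; whatever is already on disk is a separate question, which the Autoruns and RootkitRevealer steps elsewhere in this thread address.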
Download and run Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html
Use Options -> Hide Microsoft Entries to reduce the display.
Look for anything unusual.
If not sure, save the log to a text file and cut and paste it here.
Second, it may be a good idea to download RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html
and scan your system. If anything looks interesting, post it here (but don't post the entire log if it is very big).
Third, review what patches your server might need by running MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
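The Autoruns advice above (hide Microsoft entries, then "look for anything unusual") can be turned into a repeatable triage step when the saved list is too long to read by eye. The script below is an added example, not code from this thread or from Sysinternals. It reads a comma-separated Autoruns export; the column names it looks for (Entry Location, Entry, Publisher, Image Path) are an assumption about that export format, and it only uses the columns it can find by name. The sample rows are constructed, including one shaped like the file McAfee flagged in the question: a file in system32 with no extension, registered under a Microsoft-looking Run key name.

```python
"""Triage an Autoruns export: hide Microsoft entries, then flag what looks odd.

Added example, not from the original thread or from Sysinternals. Column
names are an assumption about the Autoruns CSV export; the heuristics below
are the kind of 'unusual' a responder looks for, not a detection signature.
Usage:  python autoruns_triage.py autoruns.csv
"""
import csv
import io
import ntpath
import sys

# Extensions a legitimate autostart image normally carries (heuristic).
EXEC_EXTS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".com",
             ".bat", ".cmd", ".vbs", ".js"}
# Directories where a freshly dropped binary is likelier than a product install.
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\", "\\recycler\\")

# Constructed sample export (not the asker's real Autoruns output).
SAMPLE_CSV = """\
Entry Location,Entry,Enabled,Category,Description,Publisher,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ShStatEXE,enabled,Logon,McAfee VirusScan,Network Associates,c:\\program files\\network associates\\virusscan\\shstat.exe,c:\\program files\\network associates\\virusscan\\shstat.exe /STANDALONE
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Windows Update,enabled,Logon,,,c:\\winnt\\system32\\tt,c:\\winnt\\system32\\tt
HKLM\\SYSTEM\\CurrentControlSet\\Services,MSSQLSERVER,enabled,Services,SQL Server,Microsoft Corporation,c:\\program files\\microsoft sql server\\mssql\\binn\\sqlservr.exe,c:\\program files\\microsoft sql server\\mssql\\binn\\sqlservr.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,lsass,enabled,Services,LSA Shell,Microsoft Corporation,c:\\winnt\\system32\\lsass.exe,c:\\winnt\\system32\\lsass.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,netsvc,enabled,Services,,,File not found: c:\\winnt\\system32\\drivers\\netsvc.sys,c:\\winnt\\system32\\drivers\\netsvc.sys
"""


def field(row, name):
    """Column lookup that tolerates a missing column or an empty cell."""
    return (row.get(name) or "").strip()


def is_microsoft(row):
    """Same idea as Autoruns' Options -> Hide Microsoft Entries."""
    return "microsoft" in field(row, "Publisher").lower()


def suspicious_reasons(row):
    """Heuristics for 'anything unusual' in a non-Microsoft entry."""
    reasons = []
    image = field(row, "Image Path")
    entry = field(row, "Entry").lower()
    if image.lower().startswith("file not found"):
        reasons.append("image file missing")
    elif ntpath.splitext(image)[1].lower() not in EXEC_EXTS:
        reasons.append("image has no executable extension")
    if not field(row, "Publisher"):
        reasons.append("no publisher or version info")
    if any(d in image.lower() for d in SUSPECT_DIRS):
        reasons.append("runs from a temp or profile directory")
    if ("windows" in entry or "microsoft" in entry) and not is_microsoft(row):
        reasons.append("Microsoft-looking name but no Microsoft publisher")
    return reasons


def triage(csv_text, hide_microsoft=True):
    """One dict per entry kept after filtering, with the reasons it tripped."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if hide_microsoft and is_microsoft(row):
            continue
        results.append({
            "location": field(row, "Entry Location"),
            "entry": field(row, "Entry"),
            "image": field(row, "Image Path"),
            "reasons": suspicious_reasons(row),
        })
    return results


def flagged(csv_text):
    """Only the entries that tripped at least one heuristic."""
    return [r for r in triage(csv_text) if r["reasons"]]


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for r in flagged(text):
        print("%s :: %s -> %s" % (r["location"], r["entry"], r["image"]))
        print("    " + "; ".join(r["reasons"]))
```

The filter is deliberately loose: a publisher string is only as trustworthy as the version resource it was read from, so treat the output as a short list to verify by hand (hash the image, check its timestamp against the first McAfee event), not as a verdict. On the constructed sample it surfaces the extension-less system32 file under a Microsoft-looking name and a service whose image is gone, while the Microsoft and McAfee entries drop out.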