Re: Backdoor.sdbot

From: Doug Knox MS-MVP (dknox_at_mvps.org)
Date: 01/28/04


Date: Tue, 27 Jan 2004 21:08:44 -0500

System32.exe is not a valid Windows file. See www.dougknox.com, Win XP Fixes, Clean KWBot Worm Entries.

You can also clean this entry manually by going to Start, Run and entering MSCONFIG. Go to the Startup tab and uncheck any entry that references the System32.exe file.

Additionally, you can click Start, Run and enter REGEDIT. Go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look in the right pane for any entry that references the System32.exe file and delete it. Also look in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Locate the Shell value in the right pane. It should read "explorer.exe", without the quotes. If it reads anything else, double click this entry and change it to read explorer.exe

-- 
Doug Knox, MS-MVP Windows XP/ Windows Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.
 
"Ted" <anonymous@discussions.microsoft.com> wrote in message news:54fa01c3e531$bc21b630$a001280a@phx.gbl...
> Hi,
> 
> I've got a virus called backdoor.sdbot attached to my 
> system32.exe.  Every time I start up windows, it tells me 
> that the system32.exe is missing.  However, I know for a 
> fact that the system32.exe is being quarantined by Norton 
> Antivirus.  Norton cannot repair the file.  How do I get 
> a new system32.exe?
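
The manual checks described in the reply above, as an added read-only PowerShell example that is not part of the original post: it lists Run entries whose data references System32.exe and reports whether the Winlogon Shell value reads explorer.exe. The function and variable names are illustrative assumptions; nothing is deleted or modified.

```powershell
# Added example (not from the original post). Read-only audit of the
# registry locations named in the reply; function names are illustrative.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$suspectName = 'System32.exe'   # file name reported in this thread

function Get-RunKeyFinding {
    param([string[]]$Path, [string]$FileName)
    # Match the file name as a whole path component (case-insensitive),
    # so a differently named file such as "NotSystem32.exe" is not reported.
    $pattern = '(^|[\\/" ])' + [regex]::Escape($FileName) + '("|\s|$)'
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match $pattern) {
                [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
            }
        }
    }
}

function Test-WinlogonShell {
    param([string]$Path)
    $shell = [string](Get-ItemProperty -LiteralPath $Path -Name Shell -ErrorAction Stop).Shell
    [pscustomobject]@{
        Key        = $Path
        Value      = 'Shell'
        Data       = $shell
        # The reply states the value should read exactly explorer.exe.
        AsExpected = ($shell.Trim() -ieq 'explorer.exe')
    }
}

$runFindings = @(Get-RunKeyFinding -Path $runKeys -FileName $suspectName)
$shellCheck  = Test-WinlogonShell -Path $winlogonKey

$runFindings | Format-List
$shellCheck  | Format-List
if ($runFindings.Count -eq 0 -and $shellCheck.AsExpected) {
    'No Run entry references the file and Shell reads explorer.exe.'
}
```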

