Microsoft Knowledge Base Article 897079 (at the bottom of this tip) describes a problem that may occur if a computer is infected with a variant of the Sdbot virus.
The article has two (2) problems:
1. It directs you to delete an 'entry' from a \Services key, but it should have you delete the entire key.
2. The fix process is very labor intensive.
I have scripted KB897079_Sdbot.bat to automate the fix process, once you have booted to Safe Mode.
KB897079_Sdbot.bat contains:
@echo off
setlocal ENABLEDELAYEDEXPANSION
REM Run / RunServices keys: remove the individual values that start the malware
set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
call :find1
set key="HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
call :find1
set key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
call :find1
set key="HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
call :find1
REM Services keys: remove the entire service key, not just an entry (problem 1 above)
set key="HKLM\SYSTEM\ControlSet001\Services"
call :find2
set key="HKLM\SYSTEM\ControlSet002\Services"
call :find2
set key="HKLM\SYSTEM\CurrentControlSet\Services"
call :find2
REM Delete the malware files wherever they sit on the system drive
for /f "Tokens=*" %%a in ('dir /b /a /s /a-d %SystemDrive%^|findstr /I /L "haxdrv.sys msdirectx.sys msdrv.exe sdkcore.exe"') do (
 @echo DELETING "%%a"
 attrib -R -S -H "%%a"
 del /q "%%a"
)
endlocal
goto :EOF

:find1
REM Each matching line of 'reg query' output is: ValueName<separator>REG_type<separator>data
for /f "Tokens=*" %%a in ('reg query %key%^|FINDSTR /I /L "Msdrv.exe sdkcore.exe"') Do (
 set VN=%%a
 call :del1
)
goto :EOF

:del1
REM Grow a prefix of the line one character at a time until it contains "REG_"
set /a cnt=0
:delloop
set /a cnt=%cnt% + 1
call set wrk1=%%VN:~0,%cnt%%%
set wrk2=%wrk1:REG_=%
if "%wrk1%" EQU "%wrk2%" goto delloop
REM cnt - 5 is the length of the text before the separator, i.e. the value name.
REM Back up over any trailing spaces so the name passed to REG DELETE is exact.
set /a cnt=%cnt% - 5
:delloop1
set /a idx=%cnt% - 1
call set wrk2=%%wrk1:~%idx%^,1%%
if "%wrk2%" EQU " " (
 set /a cnt=%cnt% - 1
 goto delloop1
)
call set wrk2=%%wrk1:~0,%cnt%%%
@echo REG DELETE %key% /V "%wrk2%" /F because %VN%
REG DELETE %key% /V "%wrk2%" /F
goto :EOF

:find2
REM List the sub-keys of \Services, then look inside each one for the malware names
for /f "Tokens=*" %%a in ('reg query %key%^|FIND /I "HKEY_LOCAL_MACHINE\SYSTEM\C"') do (
 for /f "Tokens=*" %%b in ('reg query "%%a"^|FINDSTR /I /L "msdirectx Haxdrv"') Do (
  set key2="%%a"
  set VN=%%b
  call :del2
 )
)
goto :EOF

:del2
@echo Delete key: %key2% because %VN%
REG DELETE %key2% /F
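As an added check that is not part of the tip or its batch file, here is an audit-only PowerShell version of the same search: it lists the Run/RunServices values and the \Services keys the batch file would delete, without changing anything, so the hits can be reviewed before the fix is run in Safe Mode. It applies all four indicator names in every location (slightly broader than the batch file), and the function names Test-Indicator and Get-ValueText are my own.

```powershell
# Audit-only companion to KB897079_Sdbot.bat (added example, not part of the tip).
# Lists the Run/RunServices values and Services keys the batch file would delete;
# it changes nothing. Indicator strings are the four the tip searches for.
$indicators = @('haxdrv', 'msdirectx', 'msdrv.exe', 'sdkcore.exe')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
$serviceRoots = @(
    'HKLM:\SYSTEM\ControlSet001\Services',
    'HKLM:\SYSTEM\ControlSet002\Services',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)
# Properties PowerShell adds to Get-ItemProperty output; they are not registry values
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Test-Indicator([string] $text) {
    foreach ($needle in $indicators) {
        if ($text -like "*$needle*") { return $true }
    }
    return $false
}

# Returns "name=data" strings for every value stored under $path
function Get-ValueText([string] $path) {
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $item.PSObject.Properties |
        Where-Object { $psMeta -notcontains $_.Name } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }
}

# Run / RunServices: the batch deletes single values, so report each matching value
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($v in (Get-ValueText $key)) {
        if (Test-Indicator $v) { "VALUE  $key : $v" }
    }
}

# Services: the batch deletes the whole service key, so report the key
foreach ($root in $serviceRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($svc in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $blob = @($svc.PSChildName) + @(Get-ValueText $svc.PSPath)
        if (Test-Indicator ($blob -join ' ')) { "KEY    $($svc.Name)" }
    }
}
```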