Microsoft Knowledge Base Article 897079 (at the bottom of this tip) describes a problem that may occur if a computer is infected with a variant of the Sdbot virus.
The article has two (2) problems:
1. It directs you delete an 'entry' from a \Services key, but it should have you delete the entire key.
2. The fix process is very labor intensive.
I have scripted KB897079_Sdbot.bat to automate the fix process, one you have booted to Safe Mode.
KB897079_Sdbot.bat contains:
@echo off
setlocal ENABLEDELAYEDEXPANSION
set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
call :find1
set key="HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
call :find1
set key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
call :find1
set key="HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
call :find1
set key="HKLM\SYSTEM\ControlSet001\Services"
call :find2
set key="HKLM\SYSTEM\ControlSet002\Services"
call :find2
set key="HKLM\SYSTEM\CurrentControlSet\Services"
call :find2
for /f "Tokens=*" %%a in ('dir /b /a /s /a-d %SystemDrive%^|findstr /I /L "haxdrv.sys msdirectx.sys msdrv.exe sdkcore.exe"') do (
@echo DELETING "%%a"
attrib -R -S -H "%%a"
del /q "%%a"
)
endlocal
goto :EOF
:find1
for /f "Tokens=*" %%a in ('reg query %key%^|FINDSTR /I /L "Msdrv.exe sdkcore.exe"') Do (
set VN=%%a
call :del1
)
goto :EOF
:del1
set /a cnt=0
:delloop
set /a cnt=%cnt% + 1
call set wrk1=%%VN:~0,%cnt%%%
set wrk2=%wrk1:REG_=%
if "%wrk1%" EQU "%wrk2%" goto delloop
set /a cnt=%cnt% - 5
:delloop1
call set wrk2=%%wrk1:~%cnt%^,1%%
if "%wrk2%" EQU " " goto delloop1
call set wrk2=%%wrk1:~0,%cnt%%%
@echo REG DELETE %key% /V "%wrk2%" /F because %VN%
REG DELETE %key% /V "%wrk2%" /F
goto :EOF
:find2
for /f "Tokens=*" %%a in ('reg query %key%^|FIND /I "HKEY_LOCAL_MACHINE\SYSTEM\C"') do (
for /f "Tokens=*" %%b in ('reg query "%%a"^|FINDSTR /I /L "msdirectx Haxdrv"') Do (
set key2="%%a"
set VN=%%b
call :del2
)
)
goto :EOF
:del2
@echo Delete key: %key2% because %VN%
REG DELETE %key2% /F
0 comments
Hide comments
