I have nailed the Backdoor.sdbot virus on my computer. Norton tells me every few minutes and I have followed the instructions on how to delete it, but they are not working. First Norton told me to go to Task Manager and locate CNFGLDR.exe and stop it; I was not able to locate that file running there. Then run Norton AntiVirus and delete the file from there. Norton says it located it in windows\system32\service.exe, but when I look for that file under Windows Explorer it's not there. Norton was also unable to delete the file. So I am lost. Have I found a strain that cannot be deleted, or are the odds that I am just doing something wrong? Please help.

Click Start > Run > type regedit and click OK.
Click the + next to the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
Scroll down and click on the Run folder.
In the right-hand window look for any reference to any of these files: Cnfgldr.exe, Sysmon16.exe, Syscfg32.exe.
Right-click on the entry and click Delete.
Scroll down and click on the RunServices folder.
In the right-hand window look for any reference to any of these files: Cnfgldr.exe, Sysmon16.exe, Syscfg32.exe.
Right-click on the entry and click Delete.
Collapse the registry tree, close regedit and reboot.
Do a Find Files for Cnfgldr.exe, Sysmon16.exe, Syscfg32.exe and delete any found.
**Make sure you are able to view hidden files and folders and are searching in hidden files and folders.

Does any of this need to be done in safe mode or with the restore disabled? I have been reading quite a bit about that, Thanks for the help

Safe mode, if you want, won't make any difference for this one as far as I know.
Unless you find infected files in System Restore you won't have to disable it. Have a nice day.
lol

OK, I have followed the above instructions. Looked for Cnfgldr.exe, Sysmon.exe and Syscfg32.exe and found none of them. I have System Restore turned off but am not in safe mode. I am having a hard time getting into safe mode on my HP. I ran NAV again and it told me that the virus Backdoor.sdbot was still in windows\system32\service.exe and it was unable to delete it. One thought, and I don't think this makes a difference: I run NAV through Norton SystemWorks, not its own stand-alone program. Don't think that would make a difference. Any other ideas? Please help me kill this nasty thing.

Actually, all you have to do is go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove the two new registry entries in there, reboot the machine and then delete the file explorer32.exe from C:\WINDOWS\SYSTEM32\.
If you want to know who controls the bot, then open a DOS prompt and type "netstat -a" and look for the remote address of a machine that you are connected to on ports from 6667 to 7000. Then use an IRC client to log on to that server on the same port. Now get a packet sniffer like SpyNet and load it onto your machine, monitor traffic inbound and outbound on ports 6667-7000, and use it to read the packets and see what channel the cracker has the bot going to; if there is a password for that channel be sure to note it. Now change your nick to look something like "fhjhk", and your ident as well, and go into the channel. If you are using mIRC then enable auto-logging of the channel, and eventually the owner will come into the channel and try to log in to the bots and control them; when he does you will have the password, know who he is and be able to confront him. You can also log in to the bots yourself, and as soon as you see his password and have decided to confront him you should type:
".login [his passwd here]"
and then
".remove"
which will remove the bots from all infected machines, leaving him defenseless in many cases. Watch out: sometimes people that run botnets will have more than one network, so if you kill one they still have more to work with.
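The post above describes spotting the bot's IRC connection in `netstat -a` output and then reading the channel, channel key and the owner's `.login` password out of sniffed traffic. The following is an added example (not code from the thread) that automates those two reading steps over captured text. The netstat rows and IRC lines are constructed for the example; the remote host 198.51.100.23, the channel #bots, its key and the password are assumptions, and the `.login` / `.remove` command shape is taken from the post.

```python
"""Added example, not from the original thread: flag `netstat -a` rows whose
foreign port is in 6667-7000 (the range the post names) and summarise a
captured IRC session (JOIN channel/key, .login password, bot commands).
All sample data below is constructed; hosts, channel and secrets are made up.
"""
import re

IRC_PORT_RANGE = range(6667, 7001)  # 6667-7000 inclusive, as in the post

# Constructed `netstat -a` output in the Windows layout
# (Proto  Local Address  Foreign Address  State).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       198.51.100.23:6667     ESTABLISHED
  TCP    192.168.1.5:1041       203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed lines as a sniffer would show them for the bot's IRC session.
SAMPLE_IRC = [
    "NICK ksdhj",
    "USER ksdhj 0 * :ksdhj",
    ":irc.example.net 001 ksdhj :Welcome",
    "JOIN #bots s3cretkey",                       # channel with a key (password)
    ":owner!~o@host PRIVMSG #bots :.login b0tpass",  # owner logging in to the bots
    ":owner!~o@host PRIVMSG #bots :.remove",
]

NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$")
JOIN_RE = re.compile(r"^(?::\S+\s+)?JOIN\s+(#\S+)(?:\s+(\S+))?")
LOGIN_RE = re.compile(r"PRIVMSG\s+(#\S+)\s+:\s*\.login\s+(\S+)")
CMD_RE = re.compile(r"PRIVMSG\s+#\S+\s+:(\.\w+)")


def split_host_port(addr):
    """'198.51.100.23:6667' -> ('198.51.100.23', 6667); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def irc_candidates(netstat_text):
    """Return (remote_host, remote_port, state) for every TCP row whose
    foreign port falls in the IRC range. Header and UDP rows are skipped."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m or m.group(1) != "TCP":
            continue
        host, port = split_host_port(m.group(3))
        if port in IRC_PORT_RANGE:
            hits.append((host, port, m.group(4)))
    return hits


def irc_summary(lines):
    """Pull the channel, its key, the .login password and the dot-commands
    seen in the channel out of captured IRC lines."""
    summary = {"channel": None, "channel_key": None,
               "login_password": None, "commands": []}
    for line in lines:
        m = JOIN_RE.match(line)
        if m:
            summary["channel"], summary["channel_key"] = m.group(1), m.group(2)
            continue
        m = LOGIN_RE.search(line)
        if m:
            summary["login_password"] = m.group(2)
        m = CMD_RE.search(line)
        if m:
            summary["commands"].append(m.group(1))
    return summary


if __name__ == "__main__":
    for host, port, state in irc_candidates(SAMPLE_NETSTAT):
        print(f"IRC-range connection: {host}:{port} ({state})")
    print(irc_summary(SAMPLE_IRC))
```

On a live machine, paste the real `netstat -a` output into `irc_candidates` and the sniffer's decoded text lines into `irc_summary`; a `LISTENING` row on a local port in the range is not a bot connection, which is why the state is returned alongside the address.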

Hi firedawgy.
Follow the above instructions for editing the registry and look for any reference to service.exe in the right-hand window and delete it. Then reboot and delete the file.
If there is no registry entry for service.exe at either
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, then look here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Whatever you do, make sure you don't delete the services.exe file in C:\Windows\System32.
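The registry walk given earlier in the thread (HKLM Run and RunServices) and the post above (add HKCU Run, and do not confuse the bot's service.exe with the real C:\Windows\System32\services.exe) amount to one check. Below is an added example, not code from the thread, that performs it: it reads the three autorun keys on Windows via the standard-library `winreg` module, extracts the executable from each value, and reports entries naming the files the thread mentions while marking services.exe as do-not-delete. The constructed entries at the bottom let it run anywhere; the value names and paths in them are assumptions.

```python
"""Added example, not from the original thread: list autorun entries under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, ...\RunServices and
HKCU\...\Run that point at the file names named in the thread, and flag the
legitimate services.exe so it is not deleted by mistake.
Live registry access only works on Windows; SAMPLE_ENTRIES is constructed.
"""
import os
import sys

# File names the thread associates with the bot (lower-case for comparison).
SUSPECT_NAMES = {"cnfgldr.exe", "sysmon16.exe", "syscfg32.exe",
                 "service.exe", "explorer32.exe", "upload.exe"}

AUTORUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]


def command_image(value):
    """Return the executable from a Run value: the quoted path, or the first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def classify(value):
    """'suspect' for the thread's bot file names, 'do_not_delete' for
    services.exe (the real one lives in System32), 'other' for the rest."""
    name = os.path.basename(command_image(value).replace("\\", "/")).lower()
    if name == "services.exe":
        return "do_not_delete"
    if name in SUSPECT_NAMES:
        return "suspect"
    return "other"


def find_suspects(entries):
    """entries: {(hive, key): {value_name: command}}.
    Returns (hive, key, value_name, image, verdict) for every non-'other' entry."""
    findings = []
    for (hive, key), values in entries.items():
        for value_name, cmd in values.items():
            verdict = classify(cmd)
            if verdict != "other":
                findings.append((hive, key, value_name, command_image(cmd), verdict))
    return findings


def read_autoruns():
    """Read the three autorun keys from the live registry (Windows only)."""
    import winreg  # standard library on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = {}
    for hive, path in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue  # RunServices does not exist on every Windows version
        values, index = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = str(data)
            index += 1
        entries[(hive, path)] = values
    return entries


# Constructed sample (assumed value names and paths) for running off Windows.
SAMPLE_ENTRIES = {
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"): {
        "Service": r"C:\WINDOWS\system32\service.exe",   # the bot's lookalike
        "SoundMan": r"SOUNDMAN.EXE",
    },
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunServices"): {
        "Configuration Loader": r"syscfg32.exe",
    },
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"): {
        "Services": r"C:\WINDOWS\System32\services.exe",  # must not be deleted
    },
}

if __name__ == "__main__":
    entries = read_autoruns() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hive, key, value_name, image, verdict in find_suspects(entries):
        print(f"{verdict:14} {hive}\\{key} [{value_name}] -> {image}")
```

The script only reports; removing a value is still done by hand in regedit as the thread describes, after checking the reported path exists (with hidden files shown) and is not C:\Windows\System32\services.exe.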

Hi, I'm having trouble with the same trojan, only it is in WINDOWS\system\syscfg32.exe.
I successfully quarantined the file and then I sent a copy to SARC to have them analyze it. The e-mail they returned to me:
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:
filename: C:\WINDOWS\SYSTEM\syscfg32.exe
result: This file is infected with Backdoor.Sdbot
Developer notes:
C:\WINDOWS\SYSTEM\syscfg32.exe is a non-repairable threat. Please delete this file and replace it if necessary.
If I delete syscfg32.exe will it screw anything up on the computer? If someone can e-mail me or post a message here that would be sweet. Thanks, hope you guys can help me.

I have removed the virus from our PC in the living room. Does this mean the other two PCs I've got on the same network will have this virus?

Hi
I have a big problem with Backdoor.sdbot.gen under Win2K Pro.
I use KAV and the scanner detects this virus in C:\WINDOWS\SYSTEM32\upload.exe.
I've read what everybody said about the files in the registry but can't find any of them. When I remove upload.exe it comes back a few minutes later.
Moreover, the file is infected with Elkern.c, but I've used antiKlez.exe, a specific freeware, to remove it.
Can anybody help me? Thank you.

I have had the same problem for a month. I've been fighting variations of this using the recommendations you have indicated that Norton recommended. It keeps coming back.
Sorry to inform you all of the bad news. I just talked with the Norton Symantec tech support line. They advised me (contrary to what their web pages say about these types of remote control viruses) that the only way to really get rid of the trojan horse is to copy off the data you want to a CD or other external media, format your hard drive, and reinstall Windows from the Microsoft source.
So I'll see you on the other side of a format and reinstallation of everything! Happy reformatting! Thanks to all for your help. Bye for now.
