Remove Sdbot-ADD (also known as Win32.Aimbot.aj)
lockx.exe, express.exe, www.eza1netsearch.com, www.clickhere4search.com

A new virus, named Sdbot-ADD and also known as Win32.Aimbot.aj, is spreading via links sent in messages to users of AOL Instant Messenger (AIM).

It is the latest in the Sdbot family of worms, but this one appears to be modified regularly, possibly by crackers, to further hamper its detection and removal. Once a user clicks on the link in an instant message, the virus loads a rootkit, identified by its process name lockx.exe or, in a more recent version, express.exe.
A rootkit allows a remote attacker to hide his login and any actions or files from the computer's legitimate users. He can also take full control of the infected machine.

The virus also downloads a wide variety of other malware, including 180Solutions, Zango (formerly known as nCase), the Freepod Toolbar, MaxSearch, Media Gateway, and SearchMiracle.

Visible symptoms of infection include:
CPU usage is at 100%.
The machine slows down to a crawl.
Search queries are redirected to http://www.eza1netsearch.com, although recent variants appear to redirect to http://www.clickhere4search.com instead.

A wide variety of pop-up advertisements can often be seen, but these are generated by the malware bundled with the virus and on their own cannot be used to positively identify this infection.

You will need

An application called AIMfix, created by www.jayloden.com specifically to remove viruses distributed via the AIM messenger.
AIMfix (direct download), saved to your desktop.
AIMfix for Windows 98 or ME (direct download), saved to your desktop.
Author's home page: http://www.jayloden.com/index.htm.

ETR (direct download), saved to your desktop. The Elite toolbar is sometimes installed alongside the worm; ETR is a removal tool from SimplyTech written specifically for it.

HijackThis, downloaded into its own folder. Download and illustrated installation instructions: How to install HijackThis.

Download and update the Ewido Security Suite to remove the additional malware installed. The free trial reverts to a free version after the evaluation period.

Ace Utilities, a disk and registry cleaner (free trial).

Removal Procedure

Set Windows to show hidden files and folders (see the How to guide).

1) Right click on the icon for AIMFix on your desktop. The application will run and display its progress box.

Once it has completed, close the box.

2) Open HijackThis and click Scan.

Put a check mark in the box for any of the following entries, if present.

Any R1 entry that gives a URL for an address you do not normally use. Typical examples:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.clickhere4search.com/sp2.php

Any of the following O4 entries:

O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [freestyle] lockx.exe
O4 - HKLM\..\RunServices: [freestyle] lockx.exe
O4 - HKCU\..\Run: [freestyle] lockx.exe

O4 - HKLM\..\Run: [stratas] express.exe
O4 - HKLM\..\RunServices: [stratas] express.exe
O4 - HKCU\..\Run: [stratas] express.exe
If you have any entries that include pokapoka, for example

O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe

you have a version of the Elite toolbar. Select these items for removal as well and follow the additional instructions for deleting it, shown below.
Important: take extra care not to delete other entries, as doing so could damage your computer's ability to function correctly.

Click the Fix button to remove the infection's remnants.

3) If your log file showed pokapoka, open ETR and click Kill Elite Toolbar.

4) Open and run the Ewido security scanner to remove any malware that was installed by this virus.

5) Open the Ace Utilities clean-up utility and perform the following.

Click Clean Up and select Remove Junk Files. Scan and delete everything found. Close the Remove Junk Files box.

Select Clean System Registry. Click Options and select Thorough. Scan and delete everything found. Close the Clean System Registry box.

Select Delete History, click the Windows tab and select the following:
Empty the Windows Prefetch folder.
Delete empty folders in the Windows Temp folder.
Erase folder streams in the Windows registry.

Click Execute Now.

Click the Internet Explorer/MSN tab and select the following:
Delete cookies.
Delete locked URL cache file.
Delete all auto-complete data.
Clear typed URLs of Address bar.
Clear browser history.
Delete cache (files in the Temporary Internet Files folder).

Click Execute Now.

If your log file showed pokapoka, restart the PC in Safe mode.
Open Windows Explorer (right click Start and select Explore).
In the left panel, navigate to
C:\Windows
Locate and delete the folder called etb in the right panel (the folder that held pokapoka).
Restart the PC normally.

Your computer should now be clear of the Sdbot-ADD worm and the malware it installed. If, however, you have any difficulties deleting the virus or any of the malware bundled with it, restart your computer in Safe mode and re-run the scanners (see the How to start in Safe mode guide).
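The HijackThis triage in step 2 comes down to three checks: an R1 SearchURL pointing at a host you do not normally use, an O4 autorun entry that starts lockx.exe or express.exe, and any O4 entry mentioning pokapoka. The following script is an added example, not part of this page's tools or of HijackThis itself; it applies those checks to HijackThis-format log lines. The log sample and the EXPECTED_HOSTS set are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, modelled on the entries the page
# lists in step 2, plus two benign lines for contrast (not a real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [freestyle] express.exe
O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
""".strip()

REDIRECT_HOSTS = {"www.eza1netsearch.com", "www.clickhere4search.com"}  # named on the page
EXPECTED_HOSTS = {"www.google.com", "search.msn.com"}  # assumed; the hosts you normally use
ROOTKIT_EXES = {"lockx.exe", "express.exe"}  # rootkit process names from the page
TOOLBAR_MARKER = "pokapoka"  # Elite toolbar marker from the page

R1_RE = re.compile(r"^R1 - .*?SearchURL = (\S+)", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.+)$")

def classify(line):
    """Return why a HijackThis line matches one of the page's indicators, or None."""
    line = line.strip()
    m = R1_RE.match(line)
    if m:
        host = (urlparse(m.group(1)).hostname or "").lower()
        if host in REDIRECT_HOSTS:
            return f"R1 SearchURL points at known redirect host {host}"
        if host not in EXPECTED_HOSTS:
            return f"R1 SearchURL points at unexpected host {host}"
        return None
    m = O4_RE.match(line)
    if m:
        key, name, command = m.groups()
        # Last path component of the command, whatever directory it runs from
        exe = command.replace("/", "\\").split("\\")[-1].strip().lower()
        if exe in ROOTKIT_EXES:
            return f"O4 [{name}] under {key} starts {exe}"
        if TOOLBAR_MARKER in command.lower():
            return f"O4 [{name}] under {key} references {TOOLBAR_MARKER} (Elite toolbar)"
    return None

def triage(log_text):
    """Return (line, reason) pairs for every line that matched an indicator."""
    hits = [(l, classify(l)) for l in log_text.splitlines()]
    return [(l, r) for l, r in hits if r is not None]
```

Running triage(SAMPLE_LOG) flags four of the six sample lines; the R0 start-page line and the SoundMan autorun are left alone, which mirrors the page's warning not to remove entries beyond those listed.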

This information is provided free of charge, subscription or registration, and without warranty. All the usual disclaimer jargon applies.
However, if this page has helped resolve your problems without the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance and further development of this site and the research to create more pages like this for future malware. Even £1, $1 or €1 can help make sure we are still here should you ever need us again.


© Internet Inspiration, 2003. All registered trademarks are observed and respected.