Privacy & Security
Remove stubborn malware
Remove Sdbot-ADD AKA Win32.Aimbot.aj,.
lockx.exe, express.exe, www.eza1netsearch.com, www.clickhere4search.comA new virus, named Sdbot-ADD, which has also been named Win32.Aimbot.aj, is spreading via links sent in a message to users of AOL Instant messenger (AIM).
It is the latest in Sdbot family of worms, but this one appears to be regularly modified, possibly by crackers to further hamper its detection and removal. Once a user clicks on the link in a Instant message the virus loads a rootkit, identified by its process name lockx.exe or a more recent version express.exe.
A rootkit allows a remote attacker to hide his login and any actions or files from the computers legitimate users. He can also take full control of the infected machine.
The virus also downloads a wide variety of other malware including including 180Solutions, Zango (formerly known as ncase), the Freepod Toolbar, MaxSearch, Media Gateway, and SearchMiracle.
Visible symptoms of infection include -
CPU usage is at 100% ,
The machine slows down to a crawl.
Search enquiries re-directed to http://www.eza1netsearch.com although recent variants appear to be redirecting to http://www.clickhere4search.com
A wide variety of pop up advertisements can often be seen, but these are generated by malware that is bundled with the virus and on their own cannot be used for a positive identification of this infection.
You will need
An application called AIMfix, created by www.jayloden.com to specifically remove viruses distributed via the AIM messenger.
AIMfix (direct download) to your desktop.
AIMfix for Windows 98 or ME (direct download) to your desktop.
Authors home page http://www.jayloden.com/index.htm.
ETR (Direct download) Save to desktop. Elite toolbar is sometimes installed, this is a specific removal tool from SimplyTech
Hijack this, downloaded into its own folder, download and illustrated instructions. How to install Hijack this
Download and update Ewidow Security suite to remove the additional malware installed. The free trial reverts to a free version after evaluation period.
Disk and registry cleaner Ace Utilities (free trial)
Removal Proceedure
Set Windows to show hidden files and folders How to
1) Right click on the icon for AIMFix on your desktop. The application will run and display the box shown below.
 Once complete, close the box.
2) Open Hijack this and click Scan.
Put a check mark in the box for any of the following entries, if present.
Any R1 entry that gives a URL for any address you do not normally use, typical examples
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = htp://ww.clickhere4search.com/sp2.php
Any of the following 04 entries -
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [freestyle] lockx.exe
O4 - HKLM\..\RunServices: [freestyle] lockx.exe
O4 - HKCU\..\Run: [freestyle] lockx.exe
O4 - HKLM\..\Run: [stratas] express.exe
O4 - HKLM\..\RunServices: [stratas] express.exe
O4 - HKCU\..\Run: [stratas] express.exe
If you have any entries that include-
pokapoka.
For example O4 - HKLM\..\Run: [System service75] C:\WINDOWS\etb\pokapoka75.exe
You have a version of Elite toolbar and will also need to select these items for removal and follow the additional instructions to delete this, shown below in yellow boxes.
|
Important. Please take extra care not to delete other entries as it could damage your computers ability to function correctly.
Click the Fix button to remove the infections remnants.
3) If your log file showed pokapoka, open ETR and click Kill Elite Toolbar. |
4) Run the Open and run the Ewido security scanner to remove any malware that was installed by this virus.
5) Open the Ace Utilities clean up utility and perform the following.
Click clean up , select remove Junk Files. Scan and delete everything found. Close the remove junk files box.
Select Clean system registry. Click options and select Thorough. Scan and delete everything found. Close the Clean system registry box.
Select Delete History, click the Windows tab and select the following-
Empty the Windows Prefetch Folder.
Delete empty folders on the Windows Temp folder.
Erase Folder streams in the Windows registry.
Click Execute Now
Click the internet Explorer/MSN tab and select the following-
Delete cookies
Delete locked URL cache file.
Delete all auto-complete Data.
Clear typed URL's of Address bar
Clear Browser History
Delete Cache (Files in temporary Internet folder)
Click Execute Now.
If your log file showed pokapoka, Restart PC in safe mode
Open Windows explorer (Right click Start and select Explore.
In the left panel, navigate to
C:\Windows
Locate and delete a file called etb in the right panel.
Restart PC normally. |
Your computer should now be clear of the Sdbot-ADD worm and the malware it installed. If however you have any difficulties deleting the virus or any of the malware bundles with it, restart your computer in Safe mode and re-run the scanners. How to start in safe mode.
This information is provided free of charge/subscription/registration and without warranty. All the usual disclaimer jargon applies.
However, if this page has helped resolve your problems without having the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance ,further development of this site and the research to create more pages like this for future malware, even £1, $1, €1 can help make sure we are still here should you ever need us again.
|
Privacy & Security
Information
E-mail
Viruses
hackers, crackers & firewalls
Trojans
Spyware
Keyloggers
Cookies
BHO's & Hijackers
Drive by downloads
diallers
Scams & Hoaxes
Hijack this-
automatic analysis
Free pest scan
Unwanted processes
How to-Tutorials
Clean up/repair after malware infection
Prevent malware installing
Install Hijackthis
Start in Safe mode
Show hidden files/folders
enable/disable Active X controls
Disable Messenger service pop-ups
Use the Host file
Kill BraveSentry
Kill PSGuard, spysheriff, spytrooper, AntivirusGold, RazeSpyware, smitfraud-c
Kill Winfixer2005
Kill SysProtect
Kill seeve.exe / mediamotors pop ups
Kill Sdbot-ADD / lockx.exe
Kill Spyaxe
Kill Spyfalcon
Kill SpywareStrike
Kill Spyware Quake
Kill Adware punisher
Kill Aurora pop ups
Kill E2Give
Kill MySearch
News/Articles
New Winfixer infection displays fake Blackworm warning
The real cost of Free security software
|