SDBot

ParetoLogic's XoftSpySE is our best recommendation for a safe and reliable method to remove SDBot. ParetoLogic is a member of the Better Business Bureau and the Software & Information Association, so you can be sure of their ethics and their ability to resolve your SDBot problem.


SDBot - A Visitor to Eliminate

SDBot is a 64,000 byte file that was first noticed in 2002, but new versions of it are still being discovered. It keeps mutating and changing its form to hide from users and security researchers. Protecting yourself can be tough but is essential. More than one thousand people have reported having SDBot on their systems; it is not one of the more widely distributed adware products, but that number seems to be growing by the day.

How Does SDBot Work?

SDBot uses random ports on your computer and exploits a weakness in Microsoft Windows to become a part of your machine. In addition to slowing your machine down, it can deliver other adware to your machine, stop the programs you are currently running, and leave your machine open to other adware programs each time you browse online. Moreover, it can wipe your firewall and completely change your current security settings. You may even notice blue screen errors on a regular basis with SDBot. Because SDBot creates a number of registry keys when it enters your machine, it will always be running in the background. This can clog up your machine and slow down every single program that you want to run. Essentially, SDBot opens a part of your system, via a trojan, and allows someone else to control your computer through IRC (Internet Relay Chat). In most cases, it attempts to communicate with one of the following IRC servers: bmu.h4x0rs.org, bmu.q8hell.org, or bmu.FL0W1NG.NE. It can continually update itself, and it will use your connection even when you're not online, causing a real hassle if you're a dial-up customer.
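Because the bot's control channel is plain IRC, the most useful thing a defender can do with the indicators above is to look for them in outbound firewall or proxy logs. The following script is an added example written for this page (it is not code from the page's author or from ParetoLogic): it scans constructed sample log lines for connections to the three IRC server names given above and for any outbound connection to TCP port 6667, the default IRC port named later in this article. The log line layout and the sample addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from this page: the IRC servers SDBot tries to reach,
# and the default IRC port it uses. Host names are compared case-insensitively.
SDBOT_IRC_HOSTS = {"bmu.h4x0rs.org", "bmu.q8hell.org", "bmu.fl0w1ng.ne"}
IRC_PORT = 6667

# Constructed sample firewall log (not real traffic). Format is an assumption:
# <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport> <resolved host>
SAMPLE_LOG = """\
2009-03-01T10:00:01 ALLOW TCP 192.168.1.20:1043 -> 203.0.113.7:80 www.example.com
2009-03-01T10:00:05 ALLOW TCP 192.168.1.20:1051 -> 198.51.100.9:6667 bmu.h4x0rs.org
2009-03-01T10:00:09 ALLOW TCP 192.168.1.31:1077 -> 198.51.100.44:6667 irc.example.net
2009-03-01T10:00:12 DENY TCP 192.168.1.20:1090 -> 192.0.2.15:443 bmu.q8hell.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<host>\S+)$"
)


@dataclass
class Alert:
    src: str           # internal host that should be checked for infection
    dst: str
    dport: int
    host: str
    action: str        # ALLOW/DENY: a blocked attempt is still an infection sign
    reasons: Tuple[str, ...]

    @property
    def severity(self) -> str:
        # A known C2 host name is a strong indicator; bare port 6667 is weaker,
        # since legitimate IRC use on that port exists.
        return "high" if "known SDBot IRC server" in self.reasons else "medium"


def analyze(log_text: str) -> List[Alert]:
    """Return one Alert per log line that matches an SDBot network indicator."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        host = m["host"].lower()
        dport = int(m["dport"])
        reasons = []
        if host in SDBOT_IRC_HOSTS:
            reasons.append("known SDBot IRC server")
        if dport == IRC_PORT:
            reasons.append("outbound IRC port 6667")
        if reasons:
            alerts.append(Alert(m["src"], m["dst"], dport, m["host"],
                                m["action"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.src} -> {a.host}:{a.dport} ({a.action}): "
              + ", ".join(a.reasons))
```

Note that the DENY line is still reported: a firewall block stops the session, but the attempt itself tells you which internal machine to examine.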

Are There Similar Programs?

Most experts suggest more than one thousand variants are loose online. It has several other aliases, including: IRC-Sdbot [McAfee], Backdoor.IRC.SdBot [Kaspersky], BKDR_SDBOT.B [Trend], Troj/Sdbot-B [Sophos], and Win32.SdBot.14176 [CA].

What Systems are Affected by SDBot?

Most adware experts suggest that it can become a part of Windows XP, Windows 2000, Windows 98, Windows 95, and Windows Server. The primary port affected is 6667, the default IRC port. Known file names for SDBot include:

Aim95.exe
CMagesta.exe
Cmd32.exe
Cnfgldr.exe
Explorer.exe
FB_PNU.EXE
IEXPL0RE.EXE
MSTasks.exe
MSsrvs32.exe
Mssql.exe
Regrun.exe
Svchosts.exe
Sys32.exe
Sys3f2.exe
Syscfg32.exe
Sysmon16.exe
YahooMsgr.exe
cthelp.exe
iexplore.exe
ipcl32.exe
quicktimeprom.exe
service.exe
sock32.exe
spooler.exe
svhost.exe
syswin32.exe
vcvw.exe
winupdate32.exe
xmconfig.exe

Once your computer has SDBot, it will try to send the trojan to other computers and cause the same problems on the machines it has communicated with. All of your system information, including the network information from your machine, can be sent to another party, putting you at serious security risk. Many files can be downloaded and run on your computer once SDBot becomes a part of your machine, and Denial of Service attacks can be launched against third parties, implicating your machine in the attack. Moreover, it can even uninstall itself, removing any trace of the fact that it ever existed.

How Did I Get SDBot?

Most users report that it installed through a trojan they picked up on one of many sites they were visiting. It might have used any of the following to become part of your system:

DCOM RPC vulnerability (MS03-026)
WEBDAV vulnerability (MS03-007)
LSASS vulnerability (MS04-011)
ASN.1 vulnerability (MS04-007)
Workstation Service vulnerability (MS03-049)
PNP vulnerability (MS05-039)
Imail IMAPD LOGIN username vulnerability
Cisco IOS HTTP Authorization Vulnerability

How Can I Remove SDBot?

It's a fairly difficult one to remove, but it certainly isn't so difficult that a Windows reinstall will be necessary to take care of the problem. There are several ways you can take care of it.

First, you can try to restore your machine to its last known good settings. This, however, only works for some Windows users. If you're interested in this option, it can be accessed just before Windows starts: press F8 and choose "Last Known Good Configuration." Keep in mind, though, that this could cause you to lose data, and it will only work on the first restart after SDBot has become part of your system.

Another option is to edit your registry. A list of registry keys affected by SDBot follows this article. Working with your registry is both difficult and dangerous, and if you're not sure how to do it, it's best to employ the help of a professional during the process. The registry is quite delicate, and while working with it may help to remove SDBot, making a mistake will most certainly further compromise your system.

Your final option is to run your current anti-spyware software. If you don't have anti-spyware software on your machine, it's time to get some. ParetoLogic is a good choice, but if you intend to look around, make sure you do so in reputable places. Lots of adware poses as anti-spyware products, and downloading it will only put you in more of a pickle than you were in to start with.

SDBot is not only annoying, it's dangerous in terms of your personal information. Remove SDBot at your first opportunity.

The following registry subkeys can be affected:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

These registry values may also be present under the keys above, and they should also be removed:

"Configuration Loader" = "%System%\iexplore.exe"
"Configuration Loader" = "MSTasks.exe"
"Configuration Loader" = "aim95.exe"
"Configuration Loader" = "cmd32.exe"
"Configuration Loader" = "IEXPL0RE.EXE"
"Configuration Manager" = "Cnfgldr.exe"
"Fixnice" = "vcvw.exe"
"Internet Config" = "svchosts.exe"
"Internet Protocol Configuration Loader" = "ipcl32.exe"
"MSSQL" = "Mssql.exe"
"MachineTest" = "CMagesta.exe"
"Microsoft Synchronization Manager" = "svhost.exe"
"Microsoft Synchronization Manager" = "winupdate32.exe"
"Microsoft Video Capture Controls" = "MSsrvs32.exe"
"Quick Time file manager" = "quicktimeprom.exe"
"Registry Checker" = "%System%\Regrun.exe"
"Sock32" = "sock32.exe"
"System Monitor" = "Sysmon16.exe"
"System33" = "%System%\FB_PNU.EXE"
"Windows Configuration" = "spooler.exe"
"Windows Explorer" = "Explorer.exe"
"Windows Services" = "service.exe"
"Yahoo Instant Messenger" = "Yahoo Instant Messenger"
"cthelp" = "cthelp.exe"
"stratas" = "xmconfig.exe"
"syswin32" = "syswin32.exe"
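Since manual registry editing is where mistakes happen, it helps to audit the three autorun keys listed above before deleting anything. The script below is an added example written for this page (not the page author's or ParetoLogic's tool): it parses a constructed `.reg`-style export of those keys and flags any value whose name or target file name appears in the SDBot lists on this page. The sample export, the legitimate-looking entries in it, and the reporting format are assumptions made for the example. Two of the listed names, Explorer.exe and iexplore.exe, collide with genuine Windows binaries, so a match on those is marked for path verification rather than treated as proof on its own.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Autorun keys named on this page (compared case-insensitively).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Value names and file names from this page's SDBot lists, lower-cased for matching.
SDBOT_VALUE_NAMES = {n.lower() for n in [
    "Configuration Loader", "Configuration Manager", "Fixnice", "Internet Config",
    "Internet Protocol Configuration Loader", "MSSQL", "MachineTest",
    "Microsoft Synchronization Manager", "Microsoft Video Capture Controls",
    "Quick Time file manager", "Registry Checker", "Sock32", "System Monitor",
    "System33", "Windows Configuration", "Windows Explorer", "Windows Services",
    "Yahoo Instant Messenger", "cthelp", "stratas", "syswin32",
]}
SDBOT_FILE_NAMES = {n.lower() for n in [
    "Aim95.exe", "CMagesta.exe", "Cmd32.exe", "Cnfgldr.exe", "Explorer.exe",
    "FB_PNU.EXE", "IEXPL0RE.EXE", "MSTasks.exe", "MSsrvs32.exe", "Mssql.exe",
    "Regrun.exe", "Svchosts.exe", "Sys32.exe", "Sys3f2.exe", "Syscfg32.exe",
    "Sysmon16.exe", "YahooMsgr.exe", "cthelp.exe", "iexplore.exe", "ipcl32.exe",
    "quicktimeprom.exe", "service.exe", "sock32.exe", "spooler.exe", "svhost.exe",
    "syswin32.exe", "vcvw.exe", "winupdate32.exe", "xmconfig.exe",
]}
# Names shared with legitimate Windows programs: confirm the full path first.
LOOKALIKES = {"explorer.exe", "iexplore.exe"}

# Constructed .reg-style export (not from a real machine). Backslashes in .reg
# string data are doubled, as Regedit writes them.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuration Loader"="%System%\\IEXPL0RE.EXE"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Registry Checker"="%System%\\Regrun.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="C:\\WINDOWS\\system32\\svhost.exe"
"Windows Explorer"="Explorer.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples from a .reg export (string values only)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m["name"], m["data"].replace("\\\\", "\\")))
    return entries


def target_file(data: str) -> str:
    """Lower-cased file name of the program an autorun value launches."""
    return ntpath.basename(data.strip().strip('"')).lower()


def find_sdbot_autoruns(text: str) -> List[Dict[str, Optional[object]]]:
    """Flag autorun values matching the SDBot value names or file names."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        fname = target_file(data)
        reasons = []
        if name.lower() in SDBOT_VALUE_NAMES:
            reasons.append("value name")
        if fname in SDBOT_FILE_NAMES:
            reasons.append("file name")
        if reasons:
            note = ("shares a name with a legitimate Windows binary; verify the full path"
                    if fname in LOOKALIKES else None)
            findings.append({"key": key, "name": name, "data": data,
                             "file": fname, "reasons": reasons, "note": note})
    return findings


if __name__ == "__main__":
    for f in find_sdbot_autoruns(SAMPLE_REG):
        print(f'{f["key"]}\n  "{f["name"]}" = "{f["data"]}"  <- {", ".join(f["reasons"])}'
              + (f'  [{f["note"]}]' if f["note"] else ""))
```

A value is reported when either the value name or the launched file name is on the page's lists, since the lists show SDBot reusing the same value name ("Configuration Loader") for several different files and the same file under different names.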

Occasionally new variants are released to thwart antispyware programs. If you require personal assistance removing SDBot please email your log file for analysis by using the Backup List button in XoftSpySE. Otherwise use the Help button in XoftSpySE to contact ParetoLogic support directly.

This webpage was setup to provide information on SDBot removal. We do not own or endorse SDBot.

All content copyright 2006-2009, Bonobo Pty Limited. All Rights Reserved.