backdoor virus, access denied windows xp..Help

By darjud
Jun 8, 2003
Topic Status:
Not open for further replies.
  1. First off, I am sorry if this is in the wrong place...I am new here and I have a serious problem with my pc.

    I have windows xp home edition...
    I got a virus called Backdoor.Sdbot that is residing in Windows\SYSTEM32\SYSTEM32.EXE

    I know what the virus is, I know where it is, but every program I have tried (Norton, McAfee, SwatIt, F-Prot, Cleaner, etc.) recognizes that it is there, but none of them can delete or repair it due to not being able to access this file.

    I get an "Unable to delete file due to access denied" or "the file cannot be scanned because it was not able to be accessed".

    My question is...

    How can I remove or allow these programs to access this area of my pc?

    How can I access anything on my computer...I do not see anywhere for me to change administrator access...and I am the only one who uses my pc.

    Does anyone know how to get rid of this backdoor.sdbot virus?

    I already tried the suggestions on Symantec's page, however it did not work.

    Any suggestions?

    Also, I am new to XP, not sure if I like it or if I hate it. It sure is buggy and sensitive.

    Thanks to anyone who can help.
  2. Rick

    Rick TechSpot Staff Posts: 6,304   +52 Staff Member

    Here's something you might have not thought about - There is no such thing as SYSTEM32.EXE... So the easiest thing is to just delete it in Safe Mode! :) It isn't a system file.. But a "dummy file" made by the virus. Viruses love to do little things like this to trick you.

    To delete the file, you can boot into Safe Mode by tapping F8 a split second before the XP boot logo appears. Once in Safe Mode, you should be able to delete the file. If you still can't, then you may have not removed the virus well enough from your system (it is probably running in the background still).

    If this is the case, let me know - I will give you instructions on how to delete it using XP's recovery console.
  3. Rick

    Rick TechSpot Staff Posts: 6,304   +52 Staff Member

    By default, your account should be administrative. If you do not see "Administrator" at logon, that means your account is an Administrator account.

    Even though it sounds like you are an Administrator, you may still want to TRY logging in as Administrator. This can be done either in Safe Mode (Administrator is ALWAYS an option when logging in under Safe Mode) or you can try pressing CTRL + ALT + DEL twice at the logon screen (Normal mode) and the option should appear.
  4. Kurgis

    Kurgis Newcomer, in training

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html

    If you ever get a virus, check Symantec's website for info. Note that while your version of the virus seems to have created a slightly differently named file, this virus automatically updates itself via the web, so you may have to run another search on Symantec's site under "sdbot" to get a list of all currently recorded versions.

    Hope that helps a bit.
  5. darjud

    darjud Newcomer, in training Topic Starter

    Thanks guys...

    I already visited Symantec and tried what they had; it did not work. I had other problems on the PC as well, so I ended up reformatting...

    Luckily I just got this computer and hardly had anything on it.

    I am going to visit various sites that are devoted to xp and learn as much as I can about it.

    Right now I hate it... but given time, I could learn to only despise it. lol.

    Thanks for the offers of help!
  6. Rick

    Rick TechSpot Staff Posts: 6,304   +52 Staff Member

    One way that is SURE to get rid of that file is to delete it from the Recovery Console. First, I would like you to take some precautionary procedures though. Since you cannot delete the file, it is obvious that the virus is still RUNNING on your computer. Being on your hard drive and running are two different things... So there is a possibility that this virus has manifested itself in such a way that if you delete the file, it could render your system unbootable or give you problems. I recommend copying the file to a safe location (like C:\SYSTEM32.exe) just in case.

    FIRST, run your virus scanner in safe mode to remove any registry keys or files that may be reinitializing the virus (sounds like this is what is happening to you). Once the scan is complete and the virus is "fixed", reboot. DO NOT START WINDOWS AGAIN. Go straight to the recovery console from the XP CD. If you have to start Windows again, then run the virus scan again to remove any references to the virus because it probably reinstalls itself every time you boot Windows.

    If you get out your trusty XP CD and pop it in the CD drive, then you can boot into the installation process of Windows XP. It is here that you will be able to use the Recovery Console and delete the file. Directions on how to access and use the Recovery Console can be found here:

    http://www.winsupersite.com/showcase/win2k_recoverycon.asp


    It is a command prompt program, DOS style, with the ability to move, copy and view files. You will want to make a copy of the file, and then you will want to delete it.

    To make a copy of the file, type:
    copy C:\Windows\SYSTEM32\SYSTEM32.EXE C:\SYSTEM32.EXE

    This makes a copy of the file on C:\ for safe keeping.

    You can delete SYSTEM32.EXE by typing in the following command...

    del C:\Windows\SYSTEM32\SYSTEM32.EXE

    Now reboot and see if that solves your problem. I recommend rebooting into Safe Mode immediately after you delete the file and scanning for viruses one last time to remove anything else that might be left behind.

    It's extremely unlikely, but if you encounter Windows problems (XP will not boot), then you will have to copy your backup (C:\SYSTEM32.EXE) back into the C:\Windows\System32 folder using the Recovery Console.
  7. grandmastapoop

    grandmastapoop Newcomer, in training

    hm

    I had the same problem a couple weeks ago, and I figured out a much easier way to take care of it.

    Press CTRL-ALT-DEL and in the Task Manager, click on the Processes tab. Double click "Image Name" to alphabetize the files, and then select "System32.exe". After clicking it, click the "End Task" button. Then run Norton or McAfee again, and it should delete the file no problem.
  8. ---agissi---

    ---agissi--- TechSpot Paladin Posts: 2,382   +15

    ^lol^

    Yeah, or just do that... It probably didn't work for him though, that's why he's come here... ;)

    Btw Rick, very nice instructions on how to get rid of the virus :)
  9. Elcarion

    Elcarion TechSpot Paladin Posts: 188

    The other potential is that once you have a backdoor virus, it is very possible for someone to load another backdoor that you don't know about. I should always reformat.
    I suggest you download the Microsoft Baseline Security Analyzer (MBSA) and run it on the system. It will tell you of any insecure settings that you have. You should do this prior to connecting the computer to the Internet, especially if you don't have a firewall.
  10. aoj145

    aoj145 Newcomer, in training Posts: 90

    I once had a backdoor virus, but the Doctor gave me some cream and antibiotics to clear it up.
  11. Phantasm66

    Phantasm66 Newcomer, in training Posts: 6,504

    Well done for spotting this quickly. This is indeed a common trick employed by the sad virus writers.
  12. Erasor17

    Erasor17 Newcomer, in training

    System32.exe

    hi

    How was your day, guys?

    When I start my computer, I get a popup window that said

    system32.exe can't load some file or path

    After that my virus scanner found a virus called system32.exe.

    I pressed Ctrl-Alt-Delete to stop system32.exe so I would be able to delete

    that virus, but I can't find any system32.exe running.

    (I made a mistake: I ran regedit and modified system32.exe to explorer.exe; now I can't find it and change it back to normal.)

    Any idea to help me? Thanks.
  13. acidosmosis

    acidosmosis TechSpot Chancellor Posts: 1,574

    If you found anything in your registry to do with system32.exe I would just delete it from registry.

    Also, booting to DOS or the Recovery Console is a good idea to delete the file, since you won't be in Windows, Windows can't be accessing the file, and therefore you should be able to delete it.

    If you have a large hard drive this is one place that partitions come in handy. I have a partition only for Windows and the rest of my partitions hold most of the actual programs and data such as games, applications, images, etc. If I need to remove and reinstall Windows later on all I have to do is format the Windows partition from the Windows CD (after booting to the CD) and then install Windows again.

    That's just a little tip that might help you in the future if you have problems in general.
     
  14. cubota

    cubota Newcomer, in training

    W32/Gibe.F.Worm

    I've checked out all of the remedies but can't actually use my .exe files to implement a cure. Is this virus the same type as a backdoor and can I use the remedies?
  15. filthy_mcnasty

    filthy_mcnasty Newcomer, in training Posts: 89

    As previous people have said, if you can find the virus and kill it yourself it shouldn't be hard. First off, try to kill it. Ctrl-Alt-Del should be the obvious first method of doing this. Then check the registry and other startups (services) to make sure it isn't being loaded from any of those. *Type "msconfig.exe" in the Run box.* It's important that you kill it before removing its startup entries, because many viruses refresh them every few seconds. If you are unsuccessful in finding it anywhere there, then you've got a smart virus writer after you and it's probably running in another process's space (yes, even EXEs can do that, like a DLL). If that's the case you've got a headache to fix and need to boot into a recovery console like others have said and delete the file manually. But if that's the case then there are still fragments of it infecting some program, so then do a complete virus scan with the newest Norton defs even after you have 'deleted' the virus.
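    The triage the thread describes (Rick's point that a real Windows binary is not named SYSTEM32.EXE, the Task Manager "end process" step, and the registry/msconfig startup check above) collected into one script. This is an added example, not code from the thread or from TechSpot; it assumes PowerShell 5.1 or later on a current Windows host (it will not run on the XP system discussed), and the function name and the sample path are illustrative.

```powershell
# Added example (not from the thread): triage a look-alike file such as
# C:\Windows\System32\system32.exe before deleting it. Assumes PowerShell 5.1+
# on a current Windows host; the XP Recovery Console steps above do not apply here.
function Test-SuspectSystemFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $name = [System.IO.Path]::GetFileName($Path)

    # 1. Is it really a Windows file? Genuine System32 binaries carry a valid
    #    Microsoft Authenticode signature; NotSigned or HashMismatch is a red flag.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # 2. Why "access denied"? A running process backed by this image keeps the
    #    file locked (the Task Manager step, matched by full path, not by name).
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $Path) } |
        Select-Object ProcessId, Name, CommandLine

    # 3. Persistence: Run/RunOnce keys and services that would restart it on
    #    boot (the registry / msconfig check recommended in the thread).
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $autostarts = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$name*" } |
                ForEach-Object { "$key\$($_.Name) = $($_.Value)" }
        }
    }
    $services = Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like "*$name*" } |
        ForEach-Object { "Service $($_.Name): $($_.PathName)" }

    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status.ToString()
        Signer           = $signer
        LockedByProcess  = @($procs)
        AutostartEntries = @($autostarts) + @($services)
        Verdict          = if ($trusted) { 'Microsoft-signed; do not delete blindly' }
                           else { 'Unsigned/untrusted; stop the process and remove its autostart entries, then delete' }
    }
}

Test-SuspectSystemFile -Path 'C:\Windows\System32\system32.exe' | Format-List
```

    Run it from an elevated prompt so Win32_Process reports the executable path of every process; a non-empty LockedByProcess list explains the "access denied" the original poster saw.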
  16. cubota

    cubota Newcomer, in training

    W32Gibe virus

    For information, I finally sorted this irksome pest. Get the fix from Symantec, then change the file extension from .exe to .cmd and execute it. Worked for me.
  17. mwcomp

    mwcomp Newcomer, in training Posts: 16

    Here is the best solution. At least I think it is.

    Download free AVG anti-virus from www.grisoft.com
    Uninstall your current virus software.
    Install AVG
    Make a floppy boot disk.
    Boot your PC up with the floppy.
    Type C: <enter>
    Type cd\progra~1\grisoft\AVG6 <enter>
    Type AVG <enter> (This is the DOS version of software)

    Because no files on the hard drive are being used (except a couple in the AVG6 folder), every single file will be able to be scanned, fixed and/or deleted. Although for safety reasons, allow AVG to put any files that it might need to delete in its "vault".

    Also, depending on the size of System32.exe, move it to the floppy; otherwise make an obscurely named folder on C:, i.e. "mnbvcxz", and put it in there. Depending on how "smart" the virus is, it may search in certain directories and it may reactivate itself or do something even nastier.

    Continue to use AVG. It's free and it works.

    Reply if you need a bit of help making the boot disk or using the DOS commands.
  18. Canadian

    Canadian Newcomer, in training Posts: 102

    There is an easier way (I find):

    the ever so nice Repair option in Windows. You put your Windows XP CD into the drive and go into the setup. Then go through till you find Repair. It will then re-install Windows. The best part is it will leave your account, with all your files, backgrounds etc. All it does is basically reset Windows.
  19. anastasia

    anastasia Newcomer, in training

    I've had a similar problem. The infected file was called something like c:\windows\system32\l20l2.dll. Norton and AVG would give me pop-ups every 15 seconds that the virus is detected but delete failed, because access was denied. I could not find any associated processes in the Task Manager, nor could I manually delete the file. When I logged in in Safe Mode I still could not delete the file. However, strangely enough, I was able to rename it (!!!). I tried all kinds of obscure names like stupidvirus.txt and alike. Even though it accepted the new name, I still could not delete it (I even tried to modify it in Notepad, but it wouldn't accept the changes) (access denied). Discouraged, I went back into the standard mode just to find out that now I could easily delete the file.

    Now that's what I call original methods of dealing with a problem. I don't know if it is going to help anyone but good luck..;) :wave: