Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published May 29, 2007 | Updated May 30, 2007

Backdoor:Win32/Sdbot!CC62

Detected by Microsoft Defender Antivirus

Aliases: Backdoor.Win32.VanBot.br (Kaspersky) Win32/Robt.GUO (CA) WORM_RBOT.GEZ (Trend Micro)

Summary

Backdoor:Win32/Sdbot!CC62 connects to a remote Internet Relay Chat (IRC) server and provides attackers with remote access to the impacted system. Commands that can be remotely executed include shutting down antivirus and other security-related software and using exploits to spread to other computers.
To recover manually from infection by Trojan:Win32/Bube.G, perform the following steps:
  • Disconnect from the Internet.
  • Restart the computer in safe mode.
  • End the Trojan process.
  • Delete the Trojan files from your computer.
  • Delete the Trojan registry entry.
  • Restart the computer. 
  • Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Restart the computer in safe mode

To start your computer in safe mode
  1. Remove all floppy disks and CDs from your computer, and then restart your computer.
  2. When prompted, press F8. If Windows starts without displaying the Please select the operating system to start menu, restart your computer. Press F8 after the firmware POST process completes, but before Windows displays graphical output.
  3. From the Windows Advanced Options Menu, select a safe mode option.

End the Trojan process

To end the Trojan process
  1. Press CTRL+ALT+DEL once and click Task Manager
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Select the Trojan process 'runapidll.exe' and click End Process.

Delete the Trojan files from your computer

To delete the Trojan files from your computer
  1. Click Start, and click Run.
  2. In the Open field, type the location of the Windows system folder, typically C:\Windows\System32
  3. Click OK.
  4. Click Name to sort files by name.
  5. Delete runapidll.exe from the <system folder>
  6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  7. Click Yes to confirm the deletion.
If deleting the file fails, use the following steps to verify that the file is not running:
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Confirm that the file 'runapidll.exe' is not in the list:

Delete the Trojan registry entry

To delete the Trojan registry entry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, right-click the following value, if it exists: WebRun
  5. Click Delete and click Yes to delete the value.
  6. In the left pane, navigate to the key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  7. In the right pane, right-click the following value, if it exists: Run
  8. Click Delete and click Yes to delete the value.
  9. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  10. In the right pane, right-click the following value, if it exists: Microsoft Dll
  11. Click Delete and click Yes to delete the value.
    12. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  12. In the right pane, right-click the following value, if it exists: Microsoft Dll
  13. Click Delete and click Yes to delete the value.
  14. In the left pane, navigate to the key: HKEY_CURRENT_USER\Software\Microsoft\OLE\
  15. Click Delete and click Yes to delete the value.
  16. Close the Registry Editor.

Restart the computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.
Follow us