Microsoft Knowledge Base Article 897079 (at the bottom of this tip) describes a problem that may occur if a computer is infected with a variant of the Sdbot virus.

The article has two problems:

1. It directs you to delete an 'entry' from a \Services key, but it should have you delete the entire key.

2. The fix process is very labor intensive.

I have scripted KB897079_Sdbot.bat to automate the fix process, once you have booted to Safe Mode.

KB897079_Sdbot.bat contains:

@echo off
REM KB897079_Sdbot.bat - remove the Run/RunServices values, Services keys and
REM files of the Sdbot variant described in KB 897079. Run from Safe Mode.
REM Plain setlocal: delayed expansion is not used, and leaving it on would
REM mangle any file name containing "!" in the del loop below.
setlocal
set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
call :find1
set key="HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
call :find1
set key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
call :find1
set key="HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
call :find1
set key="HKLM\SYSTEM\ControlSet001\Services"
call :find2
set key="HKLM\SYSTEM\ControlSet002\Services"
call :find2
set key="HKLM\SYSTEM\CurrentControlSet\Services"
call :find2
REM Delete the dropped files anywhere on the system drive. The trailing
REM backslash makes dir search from the root rather than the current directory.
for /f "Tokens=*" %%a in ('dir /b /s /a-d "%SystemDrive%\"^|findstr /I /L "haxdrv.sys msdirectx.sys msdrv.exe sdkcore.exe"') do (
 @echo DELETING "%%a"
 attrib -R -S -H "%%a"
 del /q "%%a"
)
endlocal
goto :EOF

:find1
REM Each matching "reg query" line has the form: ValueName<sep>REG_type<sep>data
for /f "Tokens=*" %%a in ('reg query %key%^|FINDSTR /I /L "Msdrv.exe sdkcore.exe"') do (
 set VN=%%a
 call :del1
)
goto :EOF

:del1
REM Isolate the value name: grow a prefix of the line one character at a time
REM until it contains "REG_", then back up over the separator (tab or spaces).
set /a cnt=0
:delloop
set /a cnt=%cnt% + 1
call set wrk1=%%VN:~0,%cnt%%%
set wrk2=%wrk1:REG_=%
if "%wrk1%" NEQ "%wrk2%" goto delsep
if "%wrk1%" EQU "%VN%" goto :EOF
goto delloop
:delsep
REM cnt now points just past "REG_"; step back over "REG_" and one separator
REM character, then keep stepping back while the preceding character is a space.
set /a cnt=%cnt% - 5
:delloop1
if %cnt% LEQ 0 goto :EOF
set /a prev=%cnt% - 1
call set wrk2=%%wrk1:~%prev%^,1%%
if "%wrk2%" NEQ " " goto delname
set /a cnt=%cnt% - 1
goto delloop1
:delname
call set wrk2=%%wrk1:~0,%cnt%%%
@echo REG DELETE %key% /V "%wrk2%" /F because %VN%
REG DELETE %key% /V "%wrk2%" /F
goto :EOF

:find2
REM Each Services subkey is listed as a full HKEY_LOCAL_MACHINE\SYSTEM\... path.
REM A subkey whose values reference the Sdbot drivers is deleted as a whole.
for /f "Tokens=*" %%a in ('reg query %key%^|FIND /I "HKEY_LOCAL_MACHINE\SYSTEM\C"') do (
 for /f "Tokens=*" %%b in ('reg query "%%a"^|FINDSTR /I /L "msdirectx Haxdrv"') do (
  set key2="%%a"
  set VN=%%b
  call :del2
 )
)
goto :EOF

:del2
@echo Delete key: %key2% because %VN%
REG DELETE %key2% /F
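Because KB897079_Sdbot.bat deletes keys and files as soon as it finds them, it helps to first see what it would touch. The following audit script is an added example, not part of the tip or of KB 897079: it walks the same Run/RunServices keys, Services keys and system drive, and only reports the values, subkeys and files that reference the file names the article lists (haxdrv.sys, msdirectx.sys, msdrv.exe, sdkcore.exe). The variable name NAMES and the "WOULD DELETE" wording are my own; the key paths and file names are those from the tip.

```batch
@echo off
REM KB897079_Audit.bat (added example) - report, without deleting, everything
REM that KB897079_Sdbot.bat would remove. Run it from Safe Mode before the fix.
setlocal
set "NAMES=haxdrv.sys msdirectx.sys msdrv.exe sdkcore.exe"

REM Run/RunServices values whose data names one of the dropped files.
for %%k in (
 "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
 "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
 "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
 "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
) do (
 echo == Values under %%k
 reg query %%k 2>nul | findstr /I /L "%NAMES%"
)

REM Services subkeys (all control sets) whose values reference the drivers.
REM The whole subkey is what the fix deletes, so the subkey path is reported.
for %%k in (
 "HKLM\SYSTEM\ControlSet001\Services"
 "HKLM\SYSTEM\ControlSet002\Services"
 "HKLM\SYSTEM\CurrentControlSet\Services"
) do (
 echo == Service subkeys under %%k
 for /f "Tokens=*" %%s in ('reg query %%k 2^>nul ^| find /I "HKEY_LOCAL_MACHINE\SYSTEM\C"') do (
  reg query "%%s" 2>nul | findstr /I /L "haxdrv msdirectx" >nul && echo WOULD DELETE KEY: %%s
 )
)

REM Files on the system drive, searched from the root.
echo == Files on %SystemDrive%\
dir /b /s /a-d "%SystemDrive%\" 2>nul | findstr /I /L "%NAMES%"
endlocal
```

If the audit lists nothing, the machine is not carrying the indicators KB 897079 describes and the fix script has nothing to do; if it lists a Services subkey you recognise as legitimate, inspect that key manually before running the fix, since the fix removes the entire key, not just the matching value.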