
Backdoor Sdbot BKV Trojan

kabb
16 years ago

Hello,

I'm running XP Home Edition, with ZoneAlarm and Norton 2006 Suite. I picked up this trojan last night. My spyware program (XoftspySE) found it. I actually have three entries:

Backdoor Sdbot BKV Trojan; system\currentcontrolset\services\navapsvc

Backdoor Sdbot BKV Trojan; system\controlset001\services\navapsvc

Backdoor Sdbot BKV Trojan; system\controlset002\services\navpsvc

These are the paths that the spyware software says that this thing is in.

Norton scan says that there are no files affected and hasn't quarantined anything. Norton Protection Center says that all programs are running good.

When I clear it from my spyware software, it returns when I reboot. I can't find anything that tells me what it is and how to remove it.

My wife also has it on her system. She is running the same OS and Norton SystemWorks Pro 2003. But with hers it disables Norton AntiVirus at start up. She has gone to Symantec and applied their suggestions but nothing changes. She still has Norton AntiVirus disabled at start up, and we both are showing the same paths when we scan with our spyware software.

Any suggestions?

Thanks

Kabb

Comments (18)

  • zep516
    16 years ago

    Follow the directions at the link; it is a spyware removal site. Don't fool around with backdoor trojans, they're there to try and steal information. Limit your internet, don't do banking until you know the threat is gone, have a professional malware person look at it; the guys on the site I gave you are very good. I am also a member there but not qualified to remove malware yet. I'm not here to alarm you, but you may consider getting to a clean computer and changing your online banking passwords; you never can be too careful with a backdoor trojan...

    Here is a link that might be useful: help2go

  • zep516
    16 years ago

    The path you gave is the control set in the Windows registry; every time you reboot, these trojans become active on the system again.

  • kabb
    Original Author
    16 years ago

    Zep516,
    Thank you for responding. I've saved the link that you posted and will get on it in the morning. I'll update the post when I'm finished.

    Thanks again

  • zep516
    16 years ago

    When you go to the link, at the top of the page written in BLACK you will see ANNOUNCEMENT: Browser hijacks, spyware problems, Read before posting. Click on that and follow the instructions. Give yourself time; you have scans to run, and Panda and HouseCall take forever. After that you will post a HijackThis log, and all of that is explained there. You will need to create an account and user name. It's a very friendly site; most other sites have a 3-4 day wait. steamwiz is head of security there and Microsoft certified, so you're in good hands there....

  • brainhiccups
    16 years ago

    This is kabb's wife.... I need to add some info to our problem.

    Our computers are not networked, but we use a 2 wire modem jointly to connect through our DSL provider, AT&T.

    The day we got this trojan, the only common site we both went to was to sign in at the web based mail for AT&T.

    Kabb was having problems with his one email account, so he had to contact tech support at AT&T.

    When the tech asked him for the password to our main user account which controls all 8 email accounts, kabb refused due to what he felt was a security risk.

    It was after this that we both ran our normal nightly scans using XoftspySE and discovered the trojan.

    I have run an offline virus scan at Panda: clean
    Also a Bazooka virus scan: clean
    A deep Norton virus scan: clean
    A Spybot scan: clean
    An online Norton scan: clean

    Each time I start my computer, my Norton is disabled.
    I enable the auto protect and run my spyware scan, which always finds the trojan, then I delete it before doing anything else.

    We plan on going to the link that zep516 supplied and trying that, but I am really wondering if the tech at AT&T had something to do with this...... there has to be a connection with AT&T somehow, because that is the only common denominator between kabb and me that night.

    Our general habit is to always clear cache and run our scans before shutting down each night.

    I guess I am worried that if, and I stress IF, we can finally get rid of this nasty critter, how do we protect ourselves from it happening again?

    I just wanted to add this info.

    Thanks for any help!
    This is still a GREAT resource place for assistance!!!

    ....Kate

  • mikie_gw
    16 years ago

    If you're deleting those keys in the registry, that probably is the reason your Norton is not starting. Those keys are not necessarily a trojan. If you search those keys you should see many questions... "How do I manually uninstall Norton"... and those keys are part of the manual removal.

    Your hubby has that program that found the trojan; that program might just remove the main part if he were to run it in Safe Mode.

  • randy_ca
    16 years ago

    Scan the file here and see what these 23 virus scanners say about the file.

  • zep516
    16 years ago

    Good luck at the site. Even though you have run scans, please run the ones they recommend. The only information they need when you post is the HijackThis log, and what program is finding the trojan and its location (the name of the spyware program).

    Big thing here is your personal data could be at risk. The people at the site I sent you can confirm your machine is clean and safe when you're done with the process; also, there could be other infections on the machine that no one is aware of.

  • zep516
    16 years ago

    This looks like what you have. It is a network worm, so that is how it spreads through the network. The only difference is the letter: this one is (BVK) and yours is (BKV). I'm sure they do the same thing. You can see all the registry changes it makes, and it appears to disable some software and then tries to connect to a server.

    W32/Sdbot-BVK is a worm and IRC backdoor Trojan for the Windows platform.

    W32/Sdbot-BVK can spread via network shares protected by weak passwords, or by exploiting common vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039), and ASN.1 (MS04-007).

    W32/Sdbot-BVK runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

    W32/Sdbot-BVK includes functionality to access the internet and communicate with a remote server via HTTP.

    When first run W32/Sdbot-BVK copies itself to \netbtd.exe.

    The file netbtd.exe is registered as a new system driver service named "NetBTD", with a display name of "NetBTD(ntbtd)" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

    HKLM\SYSTEM\CurrentControlSet\Services\NetBTD\

    W32/Sdbot-BVK sets the following registry entries, disabling the automatic startup of other software:

    HKLM\SYSTEM\CurrentControlSet\Services\Messenger
    Start
    4

    HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    Start
    4

    HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
    Start
    4

    Registry entries are set as follows:

    HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2
    1

    HKLM\SOFTWARE\Microsoft\Ole
    EnableDCOM
    N

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous
    1

    Registry entries are created under:

    HKLM\SOFTWARE\Microsoft\Security Center\
    HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\
    HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\

  • kabb
    Original Author
    16 years ago

    Just a quick update here.
    We are currently following the article procedure from Help2 Go.

    My wife is running Windows defender as I type and I just downloaded Windows Critical updates.

    My wife has found nothing so far on her scans that relate to this Trojan, although she has found other spyware that have been deleted thru Housecall.

    I have a log file saved from Panda for when I post to Help2Go; found four HTTP cookies on the scan from HouseCall.

    That's where we are right now. Like my wife said in her post, we think it's from the Yahoo tech that I was talking to in conjunction with a faulty email that I had trouble with. He asked me for the main password to our account and I didn't give it to him. At that point, thinking back on it, I think that is where he went in with his tools.

    Right now we are mentally preparing to go through a total reformat because we are thinking that is how we are going to have to get rid of this.

    We will complete all steps that Help 2 Go suggests.

    That's it for now

  • zep516
    16 years ago

    Not an expert, but I looked at the log and don't see much. As I said, you're in good hands and I do not think a reformat is going to be needed. Steamwiz will enter the picture if necessary... he oversees the security there and is well known in the malware community. And it is great news if it can save you from the pain of reinstalling...

  • bmwman123
    16 years ago

    I have the same problem with this sdbot trojan, can anyone help please!!!!

  • kabb
    Original Author
    16 years ago

    I want to thank everyone that tried to help us with this nasty trojan. After working on this thing until 2 o'clock this morning and downloading and running at least a dozen virus scanners, we have come to the conclusion that the best thing that we can do is reformat both computers.

    This seems to be the most logical decision that we can make, being that this virus can run remotely from anywhere; given how we use our computers, it is the safest thing that we can do.

    Thanks again for all the help, this forum is just like it was 5 or 6 years ago when we were here on a constant basis. People willing to help people....what a neat concept. :-)

    Scott

  • randy_ca
    16 years ago

    Those keys are not necessarily a trojan
    I agree Mikie.
    I wouldn't believe what XoftspySE says.
    This could be a false positive since navapsvc is a part of Norton.

    You can click start > run >and type regedit
    Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navapsvc

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\navapsvc

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\navpsvc

    and delete the navapsvc folders; then it wouldn't show in XoftspySE, since they won't be on your system anymore, but you'll probably hose your Norton 2006 Suite, or Norton will reinstall these files on boot.

    Click start > run > and type MRT and do a scan, if you have win32/sdbot, it'll be removed.
    Go to Windows Live OneCare and at least do the protection scan.
    I wouldn't format because some program tells me norton is a backdoor trojan.
    I can't see how, with only 1000 people in the world having it from 10 websites, it would end up on your 2 computers.
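
An added example that ties together the Sophos write-up zep516 quoted and randy_ca's regedit check above. It is not code from any poster, from Sophos or from Symantec, and the .reg export embedded in it is constructed (the install paths in it are assumptions). It parses a regedit export offline, reports what a scanner-flagged service key such as navapsvc actually points at, and scores the registry changes the write-up attributes to W32/Sdbot-BVK, keeping the worm's own NetBTD service separate from settings (disabled Messenger/Telnet/RemoteRegistry, restrictanonymous, DCOM off) that a deliberately hardened XP machine has anyway.

```python
"""Offline triage of a regedit export (.reg) for the keys discussed in this
thread. Added example: not code from any poster, from Sophos or from Symantec.
The sample export is constructed; the install paths in it are assumptions."""
import re
from typing import Dict, List, Tuple, Union

RegHive = Dict[str, Dict[str, Union[str, int]]]  # lowercased key path -> {name -> value}

# Constructed sample: the real Norton Auto-Protect service key next to the
# changes Sophos attributes to Sdbot-BVK. Paths are assumed, not observed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navapsvc]
"DisplayName"="Norton AntiVirus Auto-Protect Service"
"ImagePath"="\"C:\\Program Files\\Norton AntiVirus\\navapsvc.exe\""
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBTD]
"DisplayName"="NetBTD(ntbtd)"
"ImagePath"="C:\\WINDOWS\\system32\\netbtd.exe"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=dword:00000001
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg string escaping: a doubled backslash is one backslash, \" is a quote.
    return re.sub(r'\\(.)', r'\1', s)


def _parse_value(raw: str) -> Union[str, int]:
    """Decode the REG_SZ and REG_DWORD syntaxes; anything else stays raw text."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    return raw


def parse_reg(text: str) -> RegHive:
    """Parse a regedit export into nested dicts. Key paths and value names are
    lowercased because the registry itself is case-insensitive."""
    hive: RegHive = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            hive.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            hive[current][_unescape(m.group(1)).lower()] = _parse_value(m.group(2))
    return hive


HKLM = 'hkey_local_machine\\'
SERVICES = HKLM + 'system\\currentcontrolset\\services\\'
START_TYPES = {0: 'boot', 1: 'system', 2: 'automatic', 3: 'manual', 4: 'disabled'}

# Settings the Sophos write-up attributes to Sdbot-BVK. Each one alone is also
# what a deliberately hardened XP box looks like, so they only count as weak.
WEAK_INDICATORS = [
    (SERVICES + 'messenger', 'start', 4),
    (SERVICES + 'remoteregistry', 'start', 4),
    (SERVICES + 'tlntsvr', 'start', 4),
    (HKLM + 'software\\policies\\microsoft\\windows\\windowsupdate', 'donotallowxpsp2', 1),
    (HKLM + 'software\\microsoft\\ole', 'enabledcom', 'N'),
    (HKLM + 'system\\currentcontrolset\\control\\lsa', 'restrictanonymous', 1),
]


def sdbot_bvk_indicators(hive: RegHive) -> Tuple[List[str], List[str]]:
    """Return (strong, weak) matches. The only strong indicator is the worm's
    own NetBTD service key; no legitimate product registers one."""
    strong = [SERVICES + 'netbtd'] if SERVICES + 'netbtd' in hive else []
    weak = [key + '\\' + name for key, name, expected in WEAK_INDICATORS
            if hive.get(key, {}).get(name) == expected]
    return strong, weak


def describe_service(hive: RegHive, name: str) -> Dict[str, str]:
    """What a scanner-flagged service key actually points at, which is the fact
    to establish before deleting it. Returns {} if the key is absent."""
    vals = hive.get(SERVICES + name.lower())
    if vals is None:
        return {}
    image = str(vals.get('imagepath', '')).strip('"')
    binary = image.rsplit('\\', 1)[-1].split(' ')[0].lower()  # drop any arguments
    return {'display_name': str(vals.get('displayname', '')), 'image_path': image,
            'binary': binary, 'start': START_TYPES.get(vals.get('start'), 'unknown')}


if __name__ == '__main__':
    hive = parse_reg(SAMPLE_REG)
    strong, weak = sdbot_bvk_indicators(hive)
    print('strong Sdbot-BVK indicators:', strong or 'none')
    print('weak Sdbot-BVK indicators  :', weak or 'none')
    for svc in ('navapsvc', 'NetBTD'):
        print(svc, '->', describe_service(hive, svc))
```

Against a real machine, feed it a regedit export (File > Export) of HKLM\SYSTEM and HKLM\SOFTWARE instead of the constructed sample. The image path tells you whether the flagged key is Norton's own Auto-Protect service or something else, but the path alone is not proof: check that the file on disk is the Symantec-signed navapsvc.exe before deleting any service key, since deleting it is exactly what mikie_gw suspects was leaving Norton disabled after each reboot.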

  • zep516
    16 years ago

    I have to agree here. I'd follow up with the other forum and let them know your intentions. Didn't mean to pull the alarm bells, but I'm in a learning process myself..

  • zep516
    16 years ago

    Now I see that XoftspySE used to be on the rogue/suspect anti-spyware list for false positives; this would explain why other scanners do not find anything..

  • randy_ca
    16 years ago

    Zep, you got it...

    Process name: Norton AntiVirus Auto-Protect Service

    Product: Norton Antivirus

    Company: Symantec

    File: navapsvc.exe

    "navapsvc.exe" belongs to Norton AntiVirus

    navapsvc.exe is a part of the Norton AntiVirus application. It is running in the background and provides auto-protection features to the system. This process should not be removed to ensure that your system is secure.

  • brainhiccups
    16 years ago

    ...just a final follow-up...

    We just got an email back from Xoftspy; our assumptions were correct: they are false positives (I always say negatives because nothing good ever comes from them)

    The techs at Xoftspy said there were 2 different false positives, gave the information, and apologized.

    Yea, well, I apologize too, for never recommending your program and removing it from more than one computer!

    kabb and I both appreciate all the help and advice!!!!

    However, we both still plan on doing a full reformat of both computers this weekend, if for nothing else, to rid our machines of useless garbage.

    MANY THANKS to everyone!
    Take care,
    Kate and Scott
