Is this a false positive?

Soldato, joined 12 Oct 2003, 4,027 posts
A while ago I started getting the blue screen crash which dumps the memory. I'm using Avast and it found "Win32:SdBot-gen28 [Trj]" in "C:\WINDOWS\MEMORY.DMP". The weird thing is, whenever I've scanned, either on boot or in Windows, it never finds it anywhere, yet after a blue screen it finds it in the memory.dmp, as it's happened a few times. I've since done a reinstall of XP just in case, and today had a crash and did a scan of just the memory.dmp, which found it again. Also I've tested the memory and it passed 3 times, so I'm not sure what's going on. Nothing seems suspicious on the PC as I've checked startups and only installed a few things, and everything seems to be fine otherwise. I try to keep decent security as well, so I don't get what's going on. Please help! :(

Oh yeah, I did also wipe the hard drive by writing zeros to disk with a WD boot disk before reinstalling Windows. Never had this sort of problem before a few weeks ago.
 
It could be a false positive but the fact it is finding the same virus after a format/reinstall is strange. Is there any way it could have been reinfected? USB drives? Are all your drivers from trusted sources?

Getting regular blue screen crashes is not normal. What have you got security wise? Avast Free?
 
I know it's weird, I'm just hoping the crash is a sign it's failed to do anything. I'm using Avast, Spybot, Kerio firewall and a host block list from mvps.org as well, Firefox, limited connections on the firewall, plus I have common sense using the net. I've only installed a handful of programs and drivers since reinstalling and they're all the latest versions. My PDA is the only USB thing I've connected since the reinstall, but there are other PCs on the network, however no sharing and limited connections like I said. This is why it seems so odd to me, I just don't get where this is coming from.

I'm doing a scan now using NOD32, anything else that's recommended?
 
Next time you get a memory.dmp, upload it to VirusTotal. VT is free and instantly checks user-submitted files against all the main AV providers' engines (over 30 of them, iirc).

If the only vendors flagging it are Avast and, say, Symantec, I wouldn't worry too much. ;)
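One way to do what the reply above suggests without handing a full memory dump to a third party first: hash the dump and ask VirusTotal whether it already has a verdict for that hash, then read the per-engine results to see whether only one or two vendors flag it. This is an added example, not code from the thread; it assumes the VirusTotal v3 REST API (`GET /api/v3/files/<sha256>` with an `x-apikey` header), an API key in the `VT_API_KEY` environment variable, and a dump path given on the command line. The sample report embedded below is constructed to show the shape of the response and is not a real VT result.

```python
"""Look up a crash dump on VirusTotal by SHA-256 and summarise which engines flag it.

Added example (not from the forum thread). Assumptions:
  - VirusTotal v3 API endpoint GET https://www.virustotal.com/api/v3/files/<sha256>
  - API key in the VT_API_KEY environment variable
  - the dump path is passed as the first command-line argument
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

CHUNK = 1024 * 1024  # read MEMORY.DMP in 1 MiB pieces; dumps can be hundreds of MB


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory buffer (used by the tests below)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Stream a large file through SHA-256 without loading it all into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_vt_report(report):
    """Reduce a VT v3 file object to (malicious_count, engines_total, [flagging engines]).

    'engines_total' counts every engine that returned a result, so a 2-of-40
    picture is visible at a glance, which is what the reply above is getting at.
    """
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(name for name, r in results.items()
                     if r.get("category") == "malicious")
    total = sum(stats.get(k, 0)
                for k in ("malicious", "suspicious", "undetected", "harmless"))
    return stats.get("malicious", 0), total, flagged


def fetch_vt_report(sha256, api_key):
    """Return the VT file object for this hash, or None if VT has never seen the file."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}",
        headers={"x-apikey": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None  # nobody has submitted this exact file; a hash lookup stays private
        raise


# Constructed sample of what a VT v3 file object looks like; NOT a real result.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 0,
                                    "undetected": 3, "harmless": 0},
            "last_analysis_results": {
                "Avast":      {"category": "malicious",  "result": "Win32:SdBot-gen28 [Trj]"},
                "Symantec":   {"category": "malicious",  "result": "Trojan.Gen"},
                "ESET-NOD32": {"category": "undetected", "result": None},
                "Microsoft":  {"category": "undetected", "result": None},
                "Kaspersky":  {"category": "undetected", "result": None},
            },
        }
    }
}


def main(argv):
    if len(argv) != 2:
        print("usage: vt_dump_check.py C:\\WINDOWS\\MEMORY.DMP", file=sys.stderr)
        return 2
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        print("set VT_API_KEY first", file=sys.stderr)
        return 2
    digest = sha256_of_file(argv[1])
    print(f"sha256 {digest}")
    report = fetch_vt_report(digest, api_key)
    if report is None:
        print("VT has no report for this hash; nothing has been uploaded.")
        return 0
    malicious, total, flagged = summarize_vt_report(report)
    print(f"{malicious}/{total} engines flag it: {', '.join(flagged) or 'none'}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The hash lookup is deliberately the first step: a memory dump is a snapshot of everything that was in RAM, including any passwords or session cookies that happened to be loaded, so it is worth knowing whether VT already has a verdict before deciding to upload the file itself. A detection name ending in "-gen", as in the thread, is a generic signature rather than an exact match, which is the kind of hit that benefits most from a second opinion across many engines.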
 