
Backdoor Trojan

  • 20-01-2010 1:03pm
    #1
    Registered Users, Registered Users 2 Posts: 247 ✭✭


    After running a virus scan last night, antivir located a backdoor trojan. I followed the instruction to quarantine. After rebooting the system was barely responsive and the internet no longer worked.

    Today I rebooted in safe mode and am currently running another virus scan.

    Any help greatly appreciated.

    Dell Dimension 3000 running Windows XP by the way.


Comments

  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    got the avira logs ?


  • Registered Users, Registered Users 2 Posts: 247 ✭✭Slimity


    Report file date: 19 January 2010 12:00

    Scanning for 1566500 virus strains and unwanted programs.

    Licensed to: Avira AntiVir Personal - FREE Antivirus
    Serial number: 0000149996-ADJIE-0000001
    Platform: Windows XP
    Windows version: (Service Pack 2) [5.1.2600]
    Boot mode: Normally booted
    Username: SYSTEM
    Computer name:
    Version information:
    BUILD.DAT : 8.2.0.354 17048 Bytes 10/23/2009 13:15:00
    AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/25/2008 09:50:33
    AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 08:56:40
    LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 13:44:19
    LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 08:58:52
    ANTIVIR0.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:45:48
    ANTIVIR1.VDF : 7.10.1.11 1395568 Bytes 11/19/2009 13:47:23
    ANTIVIR2.VDF : 7.10.2.224 2514336 Bytes 1/18/2010 11:23:56
    ANTIVIR3.VDF : 7.10.2.227 173056 Bytes 1/19/2010 11:23:58
    Engineversion : 8.2.1.142
    AEVDF.DLL : 8.1.1.2 106867 Bytes 9/16/2009 12:12:47
    AESCRIPT.DLL : 8.1.3.7 594296 Bytes 1/5/2010 11:23:43
    AESCN.DLL : 8.1.3.1 127348 Bytes 1/14/2010 11:25:29
    AESBX.DLL : 8.1.1.1 246132 Bytes 11/21/2009 13:48:05
    AERDL.DLL : 8.1.3.4 479605 Bytes 12/1/2009 13:15:33
    AEPACK.DLL : 8.2.0.5 422262 Bytes 1/14/2010 11:25:27
    AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/29/2009 22:54:18
    AEHEUR.DLL : 8.1.0.195 2232695 Bytes 1/14/2010 11:25:22
    AEHELP.DLL : 8.1.10.0 237942 Bytes 1/14/2010 11:25:06
    AEGEN.DLL : 8.1.1.83 369014 Bytes 1/5/2010 11:23:16
    AEEMU.DLL : 8.1.1.0 393587 Bytes 10/4/2009 12:16:01
    AECORE.DLL : 8.1.9.5 184693 Bytes 1/14/2010 11:25:04
    AEBB.DLL : 8.1.0.3 53618 Bytes 10/15/2008 18:06:43
    AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 09:40:05
    AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 10:28:01
    AVREP.DLL : 8.0.0.3 155688 Bytes 4/21/2009 13:52:38
    AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 12:26:40
    AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 09:29:23
    AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 13:27:49
    SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 18:28:02
    SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 13:49:40
    NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 13:05:10
    RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 14:48:07
    RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 14:34:37

    Configuration settings for the scan:
    Jobname..........................: Local Hard Disks
    Configuration file...............: C:\Program Files\Avira\AntiVir PersonalEdition Classic\alldiscs.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: on
    Scan boot sector.................: on
    Boot sectors.....................: C:,
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: off
    Scan all files...................: Intelligent file selection
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: 19 January 2010 12:00

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avnotify.exe' - '1' Module(s) have been scanned
    Scan process 'update.exe' - '1' Module(s) have been scanned
    Scan process 'guardgui.exe' - '1' Module(s) have been scanned
    Scan process 'CONTI_~1.SCR' - '1' Module(s) have been scanned
    Scan process 'jucheck.exe' - '1' Module(s) have been scanned
    Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
    Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'alg.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
    Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
    Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'realsched.exe' - '1' Module(s) have been scanned
    Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
    Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
    Scan process 'PicasaMediaDetector.exe' - '1' Module(s) have been scanned
    Scan process 'qttask.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'jusched.exe' - '1' Module(s) have been scanned
    Scan process 'E_S4I0S2.EXE' - '1' Module(s) have been scanned
    Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    41 processes with 41 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!

    Starting to scan the registry.
    The registry was scanned ( '60' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Owner\Local Settings\Temp\e.exe
    [DETECTION] Is the TR/Spy.ZBot.adub Trojan
    [NOTE] The file was moved to '4bbaf459.qua'!
    C:\WINDOWS\system32\sdra64.exe
    [WARNING] The file could not be opened!
    C:\WINDOWS\Temp\4D.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '4b842eb5.qua'!


    End of the scan: 19 January 2010 22:13
    Used time: 10:13:11 Hour(s)

    The scan has been done completely.

    5190 Scanning directories
    219033 Files were scanned
    2 viruses and/or unwanted programs were found
    0 Files were classified as suspicious:
    0 files were deleted
    0 files were repaired
    2 files were moved to quarantine
    0 files were renamed
    2 Files cannot be scanned
    219029 Files not concerned
    917 Archives were scanned
    2 Warnings
    2 Notes


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    Slimity wrote: »
    Report file date: 19 January 2010 12:00

    Starting to scan the registry.
    The registry was scanned ( '60' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Owner\Local Settings\Temp\e.exe
    [DETECTION] Is the TR/Spy.ZBot.adub Trojan
    [NOTE] The file was moved to '4bbaf459.qua'!
    C:\WINDOWS\system32\sdra64.exe
    [WARNING] The file could not be opened!
    C:\WINDOWS\Temp\4D.tmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE] The file was moved to '4b842eb5.qua'!


    I had this trojan on a machine last week. There is a bit of a trick to getting rid of it. Try following the steps at this blog:

    http://campolar.me/safety/how-to-delete-sdra64-exe.html


  • Registered Users, Registered Users 2 Posts: 247 ✭✭Slimity


    Itsdacraic wrote: »
    I had this trojan on a machine last week. There is a bit of a trick to getting rid of it. Try following the steps at this blog:

    http://campolar.me/safety/how-to-delete-sdra64-exe.html

    Can't get that link to open.


  • Registered Users, Registered Users 2 Posts: 247 ✭✭Slimity


    Would any of these trojans cause the internet not to work? I can't get online even in safe mode, so downloading something to kill the trojans is impossible at the moment.

    Thanks


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    Slimity wrote: »
    Can't get that link to open.

    Here is the main body of that post:
    When you go to delete the sdra64.exe file located in the system32 folder, you can’t delete it because it says it’s being used. And yes, it’s being used in the registry. To clear it from the registry, open your registry editor by typing regedit in Start > Run. Once there, follow:
    [HKEY_LOCAL_MACHINE]\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon
    Once there, look for the entry called “userinit”. In that you will see that the data includes “C:\WINDOWS\system32\sdra64.exe”. All you have to do is edit it, and replace it all with “C:\WINDOWS\system32\Userinit.exe,” (without quotations). Once you do that it disappears. But if you move out of that registry directory and come back in, you see that the sdra64.exe is added again. That keeps on happening.
    This is where we will get a bit tricky. Start by ending all your unnecessary processes, which includes chat messengers, download managers, and other programs you installed including your antivirus. Once that is done, start ending the svchost.exe processes. You will then get a countdown telling you the computer will shut down in 60 secs.
    After the counter starts, go back to the registry editor and replace everything in the userinit data with “C:\WINDOWS\system32\Userinit.exe” (without quotations) but DON’T PRESS ENTER OR CLICK OK YET! Wait for the countdown to end. Click OK when the counter almost ends (I pressed it between 1 and 0 seconds). As soon as you click and the counter ends, your computer will be restarted.
    What happened is that we edited the registry and gave the virus no time to come back (because the computer shut down). After your computer starts again, you should be able to delete the C:\WINDOWS\system32\sdra64.exe file.
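    A defender-side check for the Userinit persistence described above, added here as an example and not taken from the quoted blog or from any poster: it parses the Winlogon\Userinit value in the shapes this thread's logs show it taking (full path, relative path, and the stray double quote recorded in the MBAM log) and flags any loader other than system32\userinit.exe. It assumes the Windows directory is C:\WINDOWS; the sample values are constructed after the ones quoted in the thread.

```python
"""Audit a Winlogon\\Userinit value for an sdra64.exe-style hijack."""
import ntpath
from typing import List, Optional, Tuple

# Assumed Windows directory; the XP machine in the thread uses C:\WINDOWS.
DEFAULT_WINDIR = r"C:\WINDOWS"
LEGIT_BASENAME = "userinit.exe"


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit REG_SZ into its entries.

    Stray double quotes are stripped because the hijacked value recorded in
    the thread's MBAM log carries one right after userinit.exe.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def is_legit_entry(entry: str, windir: str = DEFAULT_WINDIR) -> bool:
    """True only for userinit.exe living in (or given relative to) system32."""
    directory, base = ntpath.split(entry)
    if base.lower() != LEGIT_BASENAME:
        return False
    allowed_dirs = ("", "system32", (windir + r"\system32").lower())
    return directory.lower() in allowed_dirs


def audit_userinit(value: str, windir: str = DEFAULT_WINDIR) -> Tuple[bool, List[str]]:
    """Return (healthy, suspicious_entries).

    Healthy means the legitimate loader is present and nothing else is; an
    empty value is also unhealthy, since Winlogon would then start no shell.
    """
    entries = parse_userinit(value)
    suspicious = [e for e in entries if not is_legit_entry(e, windir)]
    has_legit = any(is_legit_entry(e, windir) for e in entries)
    return (has_legit and not suspicious), suspicious


def clean_userinit_value(windir: str = DEFAULT_WINDIR) -> str:
    """The stock XP value the thread says to restore (trailing comma included)."""
    return windir + r"\system32\userinit.exe,"


def read_live_userinit() -> Optional[str]:
    """On Windows, read the live value; returns None elsewhere (no winreg)."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    finally:
        winreg.CloseKey(key)
    return value


# Constructed samples modelled on the values quoted in this thread.
SAMPLES = {
    "clean": r"C:\WINDOWS\system32\userinit.exe,",
    "hijacked_full_path": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    "hijacked_quoted": r'C:\WINDOWS\system32\userinit.exe",C:\WINDOWS\system32\sdra64.exe,',
    "hijacked_relative": r"C:\WINDOWS\system32\userinit.exe,system32\sdra64.exe,",
}

if __name__ == "__main__":
    live = read_live_userinit()
    targets = dict(SAMPLES, live=live) if live is not None else SAMPLES
    for name, value in targets.items():
        healthy, bad = audit_userinit(value)
        print(f"{name:20} {'OK' if healthy else 'SUSPICIOUS'} {bad}")
```

Run on Windows it also audits the live key; the thread's MBAM log shows why the check must tolerate both the full-path and the relative `system32\sdra64.exe` form.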


  • Registered Users, Registered Users 2 Posts: 247 ✭✭Slimity


    Itsdacraic wrote: »
    Here is the main body of that post:

    Thanks Itsdacraic,

    Followed those instructions, rebooted in safe mode, and now can't even get the start menu to appear. Just a black screen with Safe Mode on it. :confused:


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    you shouldn't have followed those instructions

    can you get the machine to log into normal or safe mode at all ?


    if not, have you tried last known good configuration ?


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    you shouldn't have followed those instructions

    can you get the machine to log into normal or safe mode at all ?


    if not, have you tried last known good configuration ?

    Eh? What was wrong with those instructions?
    They worked perfectly on a machine I had with the same issue last week.


  • Registered Users, Registered Users 2 Posts: 247 ✭✭Slimity


    Ok lads, after managing to get in using safe mode and running explorer.exe, I transferred Mbam from my laptop onto the infected PC. I'll post the log in the next post. It found and deleted several trojans. I then ran antivir again and it picked up one more which was deleted. Ran Mbam and antivir again today and both scans were clean.

    Problem is the trojans seem to have wreaked havoc, no internet, objects missing from the tray, and to top it all, when I tried to re-install windows the disk won't run. I'm at a bit of a loss now and considering writing it off. :o

    Thanks.


  • Registered Users, Registered Users 2 Posts: 247 ✭✭Slimity


    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 6.0.2900.2180

    21/01/2010 15:22:34
    mbam-log-2010-01-21 (15-22-34).txt

    Scan type: Full Scan (A:\|C:\|D:\|E:\|)
    Objects scanned: 219379
    Time elapsed: 1 hour(s), 7 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 21
    Registry Values Infected: 10
    Registry Data Items Infected: 9
    Folders Infected: 1
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{c48635ad-d6b5-3ee4-aaa2-540d5a173658} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpsecuritycenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xp_securitycenter (Rogue.XPSecurityCenter) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\glaide32 (Rootkit.Rustock) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft driver setup (Worm.Palevo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmdm pmsp service (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe",C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Owner\Local Settings\Temp\131.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Local Settings\Temp\ccdrive32.exe.trtmp (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{366167F6-AD74-4139-B5FA-D90AA5C1BA8A}\RP1574\A0062136.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{366167F6-AD74-4139-B5FA-D90AA5C1BA8A}\RP1574\A0062137.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{366167F6-AD74-4139-B5FA-D90AA5C1BA8A}\RP1574\A0062138.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
    C:\WINDOWS\ccdrive32.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\sonimir.reg (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Owner\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    hi

    Looking at your system now, one or more of the identified infections is a backdoor Trojan.

    If this computer is ever used for on-line banking, I suggest you do the following immediately:

    1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.



    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image: RcAuto1.gif]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: whatnext.png]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

