IObit Forum

Got that Backdoor.bot virus HELP


zookmaster


Malwarebytes' Anti-Malware 1.40

Database version: 2670

Windows 6.0.6000

 

25/08/2009 00:24:20

mbam-log-2009-08-25 (00-24-20).txt

 

Scan type: Quick Scan

Objects scanned: 80149

Time elapsed: 3 minute(s), 26 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Userinit (Trojan.Agent) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Users\Mr. Matty\AppData\Roaming\sdra64.exe (Trojan.Agent) -> Delete on reboot.


Mongoose and abbebb are right,

however it is not easy to get rid of this Trojan.

If MalwareBytes (updated, of course) should fail, please read sdra64.exe - Remove the Trojan menace.

 

If the above mentioned method should fail too, please download Avira Rescue System to your desktop

 

http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.exe (56 MB)

 

Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer and run a full scan

 

http://www.avira.com/en/support/kbdetails.php?id=230

 

You should also consider updating Vista Service Pack 2

Windows 6.0.6002 Service Pack 2


Updated and did the full scan. Will restart. I did not quarantine though.

 

Here is the log, and it seems to have two new things: Trojan.Dropper. Weird thing is the laptop is running fast. I only had some odd random shutdown yesterday. Latest log:

 

Malwarebytes' Anti-Malware 1.40

Database version: 2692

Windows 6.0.6000

 

25/08/2009 04:18:03

mbam-log-2009-08-25 (04-18-03).txt

 

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 182929

Time elapsed: 40 minute(s), 32 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Users\Mr. Matty\AppData\Local\Temp\A2A4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Users\Mr. Matty\AppData\Local\Temp\c.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


Whenever you get a bad infection repaired, you should clear System Restore, re-run the scan and reboot. Once satisfied it's gone, re-enable the System Restore tick.

 

Spyware/viruses often hide in System Restore so they can regenerate at next boot if they have been cleaned from the main system. Although you might see in logs that they have been cleaned from S/R, it's good practice to clear it.


Archived

This topic is now archived and is closed to further replies.
