Hello and welcome!! No problem as I just got back myself. First this advice about the Backdor Bots removed.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information
and download and execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.Next you should run these.
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
From your regular user account..
Download Attribune's ATF Cleaner
and then SUPERAntiSpyware
, Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update
Under Scanner Options
make sure the following are checked (leave all others unchecked):Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
Click the "Close
" button to leave the control center screen and exit the program. DO NOT run yet.
Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 MethodRestart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
to run the program.
Under Main "Select Files to Delete
" choose: Select All
Click the Empty Selected
button.If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive
Perform a Complete
scan. After scan,Verify they are all
on the summary screen to quarantine all
If asked if you want to reboot, click "Yes"
and reboot normally.
To retrieve the removal information after reboot, launch SUPERAntispyware again.
, then click the Statistics/Logs
Under Scanner Logs
, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current
dated log and press View
A text file will open in your default text editor.Please copy and paste the Scan Log results in your next reply
to exit the program.Follow with an ARK by Sophos.
Please download Sophos Anti-rootkit
& save it to your desktop.alternate download linkNote: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes
- Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
- Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
- A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
- Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
- If the scan did not start automatically, make sure the following are checked:
- Running processes
- Windows Registry
- Local Hard Drives
- Click Start scan.
- Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
- When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
- Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
- Files tagged as Removable: No are not marked for removal and cannot be removed.
- Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
- Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
- Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
- A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
- After reboot, a dialog box displays the files you selected for removal and the action taken.
- Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
- When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
- This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
Please post back the SAS and Sophos logs,thanks.
- Disconnect from the Internet or physically unplug you Internet cable connection.
- Clean out your temporary files.
- Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
- Temporarily disable your anti-virus and real-time anti-spyware protection.
- After starting the scan, do not use the computer until the scan has completed.
- When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.