MS Antispyware 2009 Infection (have backdoor.bots)


7 replies to this topic

#1 Rky

Posted 27 August 2009 - 11:09 PM

I think that I had MS Antispyware 2009. My son and a friend used Revo Uninstaller, IOBit360, and Anti-Malware to recover part way. (I did not observe this portion, so details are shaky.) I am told that many screens were popping up. Also IE would not follow links correctly, but went to other sites (Firefox too).

Many of the symptoms seemed similar to the problems in this post
http://www.bleepingcomputer.com/forums/lof...hp/t205514.html


My computer is still not working correctly:
* Every IObit360 scan finds essentially the same items in the registry (even after 'removing them'). Will post below.
* I cannot boot in safe mode (or any mode but normal)
* McAfee will perform a manual scan (their online chat help had me try IERegfix, but it did not help - could not get in safe mode, so that might have been part of it)
* neither DDS nor RootRepeal will result in text files with the desired information.
For DDS, it starts to run (get black window), but I never get any text windows.
For RootRepeal, I make all the selections, but after initiating the scan, the window disappears.
Trying to restart it just gives me a window that says that I do not have appropriate permissions.
(note that I did have McAfee virus protection disabled while running these tools)
So I unfortunately cannot post the desired information. I am happy to post it, but seem stuck.

Here is the IObit360 report
IObit Security 360

OS:Windows XP
Version:0.4.0.20
Define Version:1123
Time Elapsed:8/26/2009 9:23:41 PM
Objects Scanned:55757
Threats Found:2

|Name|Type|Description|ID|
Malware.Trace - Removed, Registry Value, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer Value=idstrf, 4-22480
Malware.Trace - Removed, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID, 4-27110

(there have been scans with other items found, but this is what repeats when I keep repeating the scan)


Windows is a Compaq
Here is Winver result:
Version 5.1 (Build 2600.xpsp_sp3_gdr.090206-1234: Service Pack 3)
Running IE Version 6 (removed 7 when trying to fix the problems of redirecting links)

I appreciate any help
Roger

#2 garmanma

Posted 28 August 2009 - 09:57 AM

This infection takes special custom scripts to get rid of
If you cannot get DDS to work, please try this instead.

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Rky

Posted 28 August 2009 - 08:05 PM

I tried RSIT. It fared no better than the others. It appears to run, but the window closes and I never get a text window.
If I try to start it again I get an error, the same as with RootRepeal. If I try to run RootRepeal again, even after rebooting, I get the same error.

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

(I did see the DDS window come up on two occasions and eventually close, but still no text window.)

I am going to leave the PC on and sitting idle for a while to see if it is just a matter of things taking a very long time.

I worry that it will be hard for the experts to help me if I cannot give them the data they need. I was able to run IObit360. This time there were 30-some errors (they seem to grow with time). (Note: I shut it and McAfee off before running RSIT.)

Here is the IObit report in case this helps:
IObit Security 360

OS:Windows XP
Version:0.4.0.20
Define Version:1143
Time Elapsed:8/28/2009 7:46:53 PM
Objects Scanned:56547
Threats Found:36

|Name|Type|Description|ID|
Trojan.Backdoor - Removed, Folder, C:\WINDOWS\temp\RarSFX0, 3-2951
Trojan.Backdoor - Removed, Folder, C:\WINDOWS\temp\RarSFX0\Created00, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\dds.cmd, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\DDS.txt, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\EDS.exe, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\ETPATHS.exe, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\ffdefstr.dll, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\FI.exe, 3-2951
Trojan.Backdoor - Removed, Folder, C:\WINDOWS\temp\RarSFX0\FILES00, 3-2951
Trojan.Backdoor - Removed, Folder, C:\WINDOWS\temp\RarSFX0\InstallDate, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\MSClsid.exe, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\MSGB.pif, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\notifykeysB.com, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\osidDDS.pif, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\OSProp.pif, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\Policies.exe, 3-2951
Trojan.Backdoor - Removed, Folder, C:\WINDOWS\temp\RarSFX0\Screentxt, 3-2951
Trojan.Backdoor - Removed, Folder, C:\WINDOWS\temp\RarSFX0\StartUp, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\svclist.dat, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\SvcWhtDDS.dll, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\SvcWhtDDSVista.dll, 3-2951
Trojan.Backdoor - Removed, Folder, C:\WINDOWS\temp\RarSFX0\WhiteDir, 3-2951
Trojan.Backdoor - Removed, Folder, C:\WINDOWS\temp\RarSFX0\whitedirB, 3-2951
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\WREGS.exe, 3-2951
Backdoor.Bot - Removed, Folder, C:\WINDOWS\system32\terrapof32, 3-3285
Backdoor.Bot - Quarantined, File, C:\WINDOWS\system32\terrapof32\efwef23.gds, 3-3285
Backdoor.Bot - Quarantined, File, C:\WINDOWS\system32\terrapof32\g45hged.gdp, 3-3285
Backdoor.Bot - Removed, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}, 5-1479
Backdoor.Bot - Removed, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}, 5-1479
Backdoor.Bot - Removed, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-1504
Backdoor.Bot - Removed, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6}, 5-1504
Backdoor.Bot - Removed, Registry Key, HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7}, 5-12114
Backdoor.Bot - Removed, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7}, 5-12114
Malware.Trace - Removed, Registry Value, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer Value=idstrf, 4-22480
Malware.Trace - Removed, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID, 4-27110
Trojan.Ertfor - Quarantined, File, C:\WINDOWS\system32\tajf83ikdmf.dll, 4-34393
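As an added example (not part of the thread), a small Python parser for the IObit Security 360 report format shown above. It compares the two scans Roger posted: the two Malware.Trace registry values reported "Removed" on 8/26 are reported again on 8/28, and hits under the self-extractor temp folder (names such as dds.cmd) are flagged for a second look, on the assumption that they may be a diagnostic tool's own unpacked files rather than the infection. The sample lines are copied from the two reports, abbreviated.

```python
import re
from collections import Counter

# Entries copied from the two IObit Security 360 reports in this thread
# (scan of 8/26/2009 and scan of 8/28/2009), abbreviated to a few lines each.
SCAN_1 = r"""
Malware.Trace - Removed, Registry Value, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer Value=idstrf, 4-22480
Malware.Trace - Removed, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID, 4-27110
"""
SCAN_2 = r"""
|Name|Type|Description|ID|
Trojan.Backdoor - Quarantined, File, C:\WINDOWS\temp\RarSFX0\dds.cmd, 3-2951
Backdoor.Bot - Quarantined, File, C:\WINDOWS\system32\terrapof32\efwef23.gds, 3-3285
Backdoor.Bot - Removed, Registry Key, HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7}, 5-1479
Malware.Trace - Removed, Registry Value, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer Value=idstrf, 4-22480
Malware.Trace - Removed, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network Value=UID, 4-27110
Trojan.Ertfor - Quarantined, File, C:\WINDOWS\system32\tajf83ikdmf.dll, 4-34393
"""

# One report line: "<Name> - <Action>, <Type>, <Description>, <ID>"
LINE_RE = re.compile(r"^(?P<name>\S+) - (?P<action>[^,]+), (?P<type>[^,]+), (?P<rest>.+)$")

def parse_report(text):
    """Parse the entry lines of an IObit report into dicts; header lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # The description may itself contain commas, so split the ID off from the right.
        location, _, sig_id = m.group("rest").rpartition(", ")
        entries.append({"name": m.group("name"), "action": m.group("action"),
                        "type": m.group("type"), "location": location, "id": sig_id})
    return entries

def recurring(first, second):
    """Entries found in both scans: 'Removed' items that reappeared, which points
    to a still-active component recreating them rather than leftover debris."""
    key = lambda e: (e["name"], e["type"], e["location"])
    earlier = {key(e) for e in first}
    return [e for e in second if key(e) in earlier]

def by_family(entries):
    """Count hits per detection family, e.g. Backdoor.Bot vs Malware.Trace."""
    return Counter(e["name"] for e in entries)

def sfx_temp_entries(entries):
    """Hits under the WINDOWS temp RarSFX* folder, where a WinRAR self-extracting
    archive unpacks. Check these against the diagnostic tools that were just run
    before treating them as infection (assumption: names such as dds.cmd match
    the DDS tool's own unpacked files)."""
    return [e for e in entries if re.match(r"(?i)c:\\windows\\temp\\rarsfx", e["location"])]
```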

#4 garmanma

Posted 29 August 2009 - 05:24 PM

Try the first and if that doesn't work try the second


If you cannot get DDS to work, please try this instead.

Please download runscanner.zip and save to your desktop.
  • Create a new folder on your hard drive called Runscanner (C:\Runscanner) and extract (unzip) the file there.
    (click here if you're not sure how to do this.)
  • Double-click Runscanner.exe to launch.
  • Select Beginner mode and click Ok.
  • Select Do a full scan and save a log file (default is Full Scan) to start.
  • Please be patient and do not use your computer during the scan.
  • When the scan is complete, a window will open asking you to save runscanner.run. Click Cancel.
  • Another window will open asking you to save runscanner.log.
  • Save it to your desktop and "Save as type: Runscanner log file [*.log]".
  • The log file will automatically open in Notepad.
  • Go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Copy and paste the contents of the log file into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
  • Exit Runscanner when done.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run. If Runscanner did not work, then reply back here.


If that doesn't work:
OTListIt
http://oldtimer.geekstogo.com/OTL.exe
Mark

#5 Rky

Posted 30 August 2009 - 12:17 PM

In both cases (RunScanner and OTL) the programs start, run for a while, then abruptly stop. I can never get them to run again. When I try I get a window with this message:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

When I tried to move or delete RootRepeal and RSIT (which had previously died like this), I cannot do so. Get no Access Denied messages.

Maybe I need to go collect all the information manually. I would need some detailed instructions on how to do so as I do not have this level of computer knowledge.

To sum up: all these programs have died when I tried to run them to get the system information needed to enable others to help me solve my problem:
DDS, RootRepeal, RSIT, RunScanner, OTL.

Thanks for any advice! I am stuck! Am I going to have to wipe the hard drive clean (hopefully there are instructions on this step if it comes to that.)

Roger

#6 garmanma

Posted 30 August 2009 - 06:54 PM

Don't give up quite yet
Try OTListIt
http://oldtimer.geekstogo.com/OTL.exe
Mark

#7 Rky

Posted 30 August 2009 - 07:59 PM

Mark:

Thank you very much for sticking with me on this problem. I appreciate your taking the time to suggest new options.

Alas, I already tried OTListIt. It was the second thing that you recommended in the previous post. I basically left all the default settings and told it to scan. It started out fine for about 15-30 seconds, and then it abruptly ended. I cannot get it to run again (same error about lack of access). No text windows or logs appeared.

I did run DDS on my work portable. It ran fine and generated a long list of information.

Is there something that I should do to fix the problem where all these programs get interrupted? Then some of these might work (although I am not sure what to do about the ones that are stuck and will not move, delete, or run).

As a last resort, I can try to find all the information the hard way.

Roger

#8 garmanma

Posted 31 August 2009 - 06:42 PM

If you want, you can use the IObit log and post in the HJT forum
Be sure to say right up front that you have tried other scan tools and that's the only one you had luck with
You will have a bit of a wait, they're swamped right now

I would suggest you reformat and reinstall the OS
It's up to you
Mark