
How do I remove Backdoorbot.exe


VickG


Hi,

I ran a Malwarebytes scan and it told me I had backdoorbot.exe in my registry. I have had to completely reformat my computer so many times because of trojans etc, and would really appreciate it if someone could help me get rid of it so I don't have to go through all that again.

Log is below.

Thanks in advance,

Vick

x

Malwarebytes' Anti-Malware 1.44

Database version: 3808

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

28/02/2010 20:44:00

mbam-log-2010-02-28 (20-43-50).txt

Scan type: Full Scan (C:\|S:\|)

Objects scanned: 22526

Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Sorry, here is a full log. I think I did the last one wrong. Any help would be really really appreciated! Thanks

Malwarebytes' Anti-Malware 1.44

Database version: 3808

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

01/03/2010 08:33:33

mbam-log-2010-03-01 (08-33-00).txt

Scan type: Full Scan (C:\|S:\|)

Objects scanned: 261311

Time elapsed: 2 hour(s), 41 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 17

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> No action taken.

HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Vick\AppData\Local\stfx32.dll (Trojan.Hiloti) -> No action taken.

C:\Users\Vick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2OCUDE7A\hyxrmxs[1].htm (Trojan.Ertfor) -> No action taken.

C:\Users\Vick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2OCUDE7A\ycpxe[1].htm (Malware.Packer.Gen) -> No action taken.

C:\Users\Vick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2OCUDE7A\bfzhfdywe[1].htm (Malware.Packer.Gen) -> No action taken.

C:\Users\Vick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZFP6R2D\vzgomuf[1].htm (Trojan.Downloader) -> No action taken.

C:\Users\Vick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\76IE3YR3\ysautnmg[1].htm (Malware.Packer.Gen) -> No action taken.

C:\Users\Vick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\76IE3YR3\hyxrmxs[1].htm (Trojan.Ertfor) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\orcmaxwnes.exe (Trojan.Downloader) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\orwamxscne.exe (Trojan.Hiloti) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\38A9.tmp (Malware.Packer.Gen) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\4354.tmp (Trojan.Dropper) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\76b70c81.tmp (Malware.Packer.Gen) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\wxsncaeomr.exe (Trojan.FakeAlert) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\rigslhn.exe (Trojan.Downloader) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\ronsxceawm.exe (Trojan.Inject) -> No action taken.

C:\Users\Vick\AppData\Local\Temp\ktygxno.exe (Malware.Packer.Gen) -> No action taken.

C:\Windows\System32\drivers\xjfbjz.sys (Rootkit.Agent) -> No action taken.

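Before acting on a log like the one above, it helps to answer two questions mechanically: was anything actually removed (every line here ends in "No action taken", so nothing was), and which detections are persistence mechanisms rather than disposable cache. The following is an added example, not part of the thread or of Malwarebytes' own tooling; it parses the 1.x log format's detection lines into a small report. The sample is constructed from a subset of the detection lines above, with the last line's action changed to a removal so that mixed outcomes are exercised; the "impersonated name" list is an assumption of the example.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example (not from the thread or from Malwarebytes' tooling). It parses
the "<location> (<family>) -> <action>." detection lines, counts them per
section, and surfaces the two facts a responder checks first: whether any of
the detections were actually removed, and which of them are persistence
mechanisms (autostart values, kernel drivers) rather than disposable cache.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: detection lines copied from the second log in the thread
# (summary counters omitted; the parser computes its own). The last line's
# action is changed to a removal so mixed outcomes are exercised.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> No action taken.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\Users\Vick\AppData\Local\stfx32.dll (Trojan.Hiloti) -> No action taken.
C:\Users\Vick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2OCUDE7A\hyxrmxs[1].htm (Trojan.Ertfor) -> No action taken.
C:\Users\Vick\AppData\Local\Temp\orcmaxwnes.exe (Trojan.Downloader) -> No action taken.
C:\Windows\System32\drivers\xjfbjz.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
DETECTION_RE = re.compile(r"^(?P<location>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)
DRIVER_RE = re.compile(r"\\System32\\drivers\\[^\\]+\.sys$", re.I)
EXPLORER_GUID_RE = re.compile(r"\\CurrentVersion\\Explorer\\\{[0-9a-f-]{36}\}$", re.I)
PROFILE_DLL_RE = re.compile(r"\\AppData\\[^\\]+\\[^\\]+\.dll$", re.I)

# Assumed list: names that belong to Winlogon or System32 components. As a
# per-user Run value name they are a disguise (the log's "userinit" is one).
IMPERSONATED = {"userinit", "winlogon", "explorer", "svchost", "csrss", "lsass"}


@dataclass(frozen=True)
class Detection:
    section: str   # log section, e.g. "Registry Values" or "Files"
    location: str  # registry path or file path
    family: str    # detection name, e.g. Trojan.Hiloti
    action: str    # e.g. "No action taken"

    @property
    def removed(self) -> bool:
        return not self.action.startswith("No action taken")


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the log once, tracking the current section header."""
    detections: list[Detection] = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m["section"]
        elif (m := DETECTION_RE.match(line)):
            detections.append(Detection(section, m["location"], m["family"], m["action"]))
    return detections


def classify(det: Detection) -> Optional[str]:
    """Label detections that survive a reboot; None for cache/temp droppings."""
    loc = det.location
    if (m := RUN_VALUE_RE.search(loc)):
        label = "autostart: Run value"
        if m["name"].lower() in IMPERSONATED:
            label += " impersonating a system component"
        return label
    if DRIVER_RE.search(loc):
        return "kernel driver"
    if EXPLORER_GUID_RE.search(loc):
        return "Explorer GUID key"
    if PROFILE_DLL_RE.search(loc):
        return "DLL in user profile (find what loads it)"
    return None


def summarize(detections: list[Detection]) -> dict:
    """Counts per section and family, removal status, and persistence items."""
    return {
        "by_section": dict(Counter(d.section for d in detections)),
        "families": dict(Counter(d.family for d in detections)),
        "removed": sum(d.removed for d in detections),
        "pending": sum(not d.removed for d in detections),
        "persistence": [(d.location, classify(d)) for d in detections if classify(d)],
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['pending']} detections still pending, {report['removed']} removed")
    for location, label in report["persistence"]:
        print(f"  [{label}] {location}")
```

Run against the full log above, the report would show all 21 detections pending and single out the Run value, the kernel driver and the Hiloti DLL; the Content.IE5 and Temp entries are droppings that the temp-emptying step later in the thread clears anyway.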

Hello, and welcome to the Malwarebytes forum!

First of all we need to see some more information about what is running on your computer.

OTL

-----

Please download OTL from one of the following mirrors:

[*]Save it to your desktop.

[*]Double click on the OTL icon on your desktop.

[*]Click the "Scan All Users" checkbox.

[*]Push the Run Scan button.

[*]Two reports will open, copy and paste them in a reply here:

  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

GMER

-------

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

In your next reply, please include the following:

  • OTL report
  • GMER log

Link to post
Share on other sites

Hello, please follow the steps below.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hello, that looks a lot better :D

Please let me know how everything is running now, any problems left?

UPDATE JAVA

------------------

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 18.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.

-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.

-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on the ESET Smart Installer link to download it. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.

    3. Check the box to accept the terms of use.
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Check the "Scan archives" option.
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push the "List of found threats" button.
    10. Push the Export button, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the Back button.
    12. Push the Finish button.


      In your next reply, please include the following:
      • ESET online scan results


Hi,

Sorry, not sure what you mean when you ask if everything is running OK :D. The antimalware doctor keeps coming up still.

The ESET scan has been stuck on the file C:\combofix\cf17535.cfxxe for the past ten minutes and isn't moving.

x


> Sorry, not sure what you mean when you ask if everything is running OK. The antimalware doctor keeps coming up still.

Which means things are still not as they should be :D Let's see if we can change that!

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL from the icon on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :otl
    O4 - HKU\S-1-5-21-982137252-2902945743-3686302165-1000..\Run: [dbf70700.exe] C:\Users\Vick\AppData\Roaming\149B04F0CAA6C95B6AA7A0E34FDBC211\dbf70700.exe (MS)
    O4 - HKU\S-1-5-21-982137252-2902945743-3686302165-1000..\Run: [userinit] C:\Users\Vick\AppData\Roaming\mskqhe32.exe ()

    :commands
    [emptytemp]


  3. Push the Run Fix button.
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click OK.
  6. A report will open. Copy and Paste that report in your next reply.

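The fix above is the result of reading OTL's O4 (autostart) lines and picking out the two that do not belong: a binary in a hex-named folder under AppData\Roaming, and a Run value called "userinit" (a name that belongs to Winlogon, not to a per-user Run key) pointing at an executable with no version-info company string. The following is an added example, not from the thread and not OTL's own code, that applies those heuristics to O4 lines and emits the same :otl / :commands fix text. The two O4 lines are the ones posted above; the HKLM line is a constructed benign entry (assumed vendor and path) so the filter has something to let through, and the threshold of two heuristics is a choice of the example, meant to keep a single legitimate vendor tool living in AppData below the bar.

```python
"""Score OTL O4 autostart entries and emit the matching OTL fix script.

Added example (not from the thread, not OTL's own code). Two O4 lines are the
ones the helper posted; the HKLM line is a constructed benign entry. An entry
is flagged when at least two heuristics fire.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

O4_LINES = [
    r"O4 - HKU\S-1-5-21-982137252-2902945743-3686302165-1000..\Run: [dbf70700.exe] C:\Users\Vick\AppData\Roaming\149B04F0CAA6C95B6AA7A0E34FDBC211\dbf70700.exe (MS)",
    r"O4 - HKU\S-1-5-21-982137252-2902945743-3686302165-1000..\Run: [userinit] C:\Users\Vick\AppData\Roaming\mskqhe32.exe ()",
    # Constructed benign entry for contrast (assumed vendor and path, not from the thread).
    r"O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)",
]

# "O4 - <hive>..\<Run key>: [<value name>] <path> (<company from version info>)"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\.]+)?)\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<path>.+) \((?P<company>[^()]*)\)$"
)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
HEX_DIR_RE = re.compile(r"\\[0-9A-F]{16,}\\", re.I)
# Assumed list of Windows component names that malware borrows for Run values.
IMPERSONATED = {"userinit", "winlogon", "explorer", "svchost", "csrss", "lsass"}


@dataclass(frozen=True)
class AutostartEntry:
    raw: str      # the original O4 line, reused verbatim in the fix script
    hive: str     # e.g. "HKLM" or "HKU\S-1-5-21-..."
    key: str      # "Run" or "RunOnce"
    name: str     # registry value name
    path: str     # executable path
    company: str  # company string OTL read from version info ("" if none)


def parse_o4(line: str) -> AutostartEntry:
    m = O4_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an O4 line: {line!r}")
    return AutostartEntry(line.strip(), m["hive"], m["key"], m["name"], m["path"], m["company"])


def suspicion_reasons(e: AutostartEntry) -> list[str]:
    """Independent heuristics; each one alone is weak, two together are not."""
    reasons = []
    if USER_WRITABLE_RE.search(e.path):
        reasons.append("binary lives in a user-writable location")
    if HEX_DIR_RE.search(e.path):
        reasons.append("parent folder is a long hex string")
    if re.sub(r"\.exe$", "", e.name.lower()) in IMPERSONATED:
        reasons.append("value name borrows a Windows component's name")
    if not e.company:
        reasons.append("no company string in version info")
    return reasons


def flag_entries(lines: list[str], threshold: int = 2) -> list[AutostartEntry]:
    entries = [parse_o4(line) for line in lines]
    return [e for e in entries if len(suspicion_reasons(e)) >= threshold]


def build_otl_fix(entries: list[AutostartEntry]) -> str:
    """Reproduce the :otl / :commands fix format used in the thread."""
    body = [":otl", *(e.raw for e in entries), "", ":commands", "[emptytemp]"]
    return "\n".join(body)


if __name__ == "__main__":
    flagged = flag_entries(O4_LINES)
    for e in flagged:
        print(f"{e.name}: " + "; ".join(suspicion_reasons(e)))
    print(build_otl_fix(flagged))
```

The scoring deliberately does not trust the company string by itself: "(MS)" on the first entry is present but meaningless, which is why the location heuristics carry it over the threshold while the second entry trips three checks at once.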

All processes killed

========== OTL ==========

Registry value HKEY_USERS\S-1-5-21-982137252-2902945743-3686302165-1000\Software\Microsoft\Windows\CurrentVersion\Run\\dbf70700.exe deleted successfully.

C:\Users\Vick\AppData\Roaming\149B04F0CAA6C95B6AA7A0E34FDBC211\dbf70700.exe moved successfully.

Registry value HKEY_USERS\S-1-5-21-982137252-2902945743-3686302165-1000\Software\Microsoft\Windows\CurrentVersion\Run\\userinit not found.

C:\Users\Vick\AppData\Roaming\mskqhe32.exe moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: Default User

User: Public

->Temp folder emptied: 0 bytes

User: Vick

->Temp folder emptied: 1125554 bytes

->Temporary Internet Files folder emptied: 8480310 bytes

->Java cache emptied: 49259167 bytes

->FireFox cache emptied: 31234991 bytes

->Flash cache emptied: 2102 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 524288 bytes

RecycleBin emptied: 21273548 bytes

Total Files Cleaned = 107.00 mb

OTL by OldTimer - Version 3.1.32.0 log created on 03012010_161859

Files\Folders moved on Reboot...

File\Folder C:\Windows\temp\TMP00000015C1358CF159AB8556 not found!

Registry entries deleted on Reboot...


Malwarebytes' Anti-Malware 1.44

Database version: 3808

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

01/03/2010 18:30:48

mbam-log-2010-03-01 (18-30-38).txt

Scan type: Full Scan (C:\|S:\|)

Objects scanned: 254898

Time elapsed: 1 hour(s), 33 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> No action taken.

HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\Vick\AppData\Local\stfx32.dll (Trojan.Hiloti) -> No action taken.


Hi, lets run one other scan.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on the ESET Smart Installer link to download it. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.

    3. Check the box to accept the terms of use.
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Check the "Scan archives" option.
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push the "List of found threats" button.
    10. Push the Export button, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the Back button.
    12. Push the Finish button.


2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

