
Dead Computer After A MB scan & removal procedure


LeoM


I am a paying customer, but after contacting support I was left hanging there with no further responses beyond the initial contact. Thus, I am trying the forums to see if I have better luck.

Here is the problem described in my initial communication to support:

Yesterday morning Malwarebytes (MB from now on) ran a scan and flagged a zillion things as being infected with Backdoor.Bot. After removal of the virus the computer is essentially dead in the sense that I cannot load Windows anymore, not even in safe mode. Errors are: services.exe cannot find SCESRV.DLL and lsass.exe cannot start because of missing LSASRV.DLL. I was able to boot the computer using a Knoppix CD and retrieve the log for the scan, which I reproduce below (see end of this post). Looking at the log I can see why my computer is dead, as many system files seem to have been flagged and put into quarantine. So, what can I do now to get my computer up and running again? I have a Toshiba Satellite A105-S4074, 2GB of memory, running Windows XP with SP3.

Please help. I am really desperate to get my system back!!!

Thank you in advance.

=========================

I got an initial contact from support with the following content:

This could be due to incomplete removal of the infection, or due to system files that have been damaged or corrupted by the infection. Let's assume incomplete removal first, and try some bootable anti-virus CDs. Here are links to a couple:

Dr.Web LiveCD:

http://www.freedrweb.com/livecd/

Avira AntiVir Rescue System:

http://www.free-av.com/en/tools/12/avira_a...cue_system.html

==========================

Both scans ran without finding any infections. I contacted support with the following theory of my own:

Thanks for your help. Scanning is in progress and I will let you know how it turns out.

Meanwhile, I would like you to consider another theory. Please look at the following thread in your support forums:

http://forums.malwarebytes.org/index.php?showtopic=69246

Backdoor.Bot seems to have been reported repeatedly today as a false positive through scans with Malwarebytes versions lower than 1.50 and with database numbers similar to the one I was using.

I'm wondering (although I'm almost certain) whether this is the real reason behind what is happening to me. If so, how do I recover the files that I hope are quarantined? Notice that precisely the two missing files that Windows cannot find are indeed marked in the log I sent you earlier as "delete on boot". I assume that restoring them should make my system bootable again.

===========================

So, again, my question is, is there any way I can get my computer up and running?

Please help, I cannot have this computer down much longer as it is affecting my work. Thanks!

============================

The scan log is the following:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 5232

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/2/2010 8:14:12 AM
mbam-log-2010-12-02 (08-14-12).txt

Scan type: Quick scan
Objects scanned: 164497
Time elapsed: 39 minute(s), 49 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 22
Registry Keys Infected: 4
Registry Values Infected: 25
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 103

Memory Processes Infected:
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (=Backdoor.Bot) -> Unloaded process successfully.
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe (=Backdoor.Bot) -> Unloaded process successfully.
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe (=Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\srtsp32.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccipc.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsubeng.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20101123.003\BHEngine.dll (=Backdoor.Bot) -> Delete on reboot.
c:\program files\common files\AOL\1140083713\EE\services\aolsystrayservice\ver3_1_3_2\AOLSysTrayService.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Memeo\AutoBackup\Tanagra.DataClad.DataAccess.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Qualcomm\Eudora\plugins\Esp.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Common Files\Apple\Apple Application Support\CoreAudioToolbox.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\QuickTime\QTSystem\QuickTimeCapture.qtx (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\QuickTime\QTSystem\QuickTimeH264.qtx (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\QuickTime\QTSystem\QuickTimeMPEG4Authoring.qtx (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\dbghelp.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\lsasrv.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\msgina.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\msls31.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\msvcr71.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\scesrv.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\WMADMOD.dll (=Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\system32\WUDFPlatform.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\pngfilt.dll (=Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll (=Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll (=Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/lnod32umc.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vx3000 (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/cpcScan.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\intelzeroconfig (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acrobat assistant 7.0 (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\LCWizard.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\lnod32umc.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\msls31.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\msvcp70.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\msvcr71.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\tosBtShell.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\system32\setupsup.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\cpcScan.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.VisualBasic.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscorcfg.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\msvcp70.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\msvcr71.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\srtsp32.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccipc.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsubeng.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\BASHDefs\20101123.003\BHEngine.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\acrotray.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\common files\AOL\1140083713\EE\services\aolsystrayservice\ver3_1_3_2\AOLSysTrayService.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Memeo\AutoBackup\MemeoBackup.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Memeo\AutoBackup\Tanagra.DataClad.DataAccess.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Qualcomm\Eudora\plugins\Esp.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Common Files\Apple\Apple Application Support\CoreAudioToolbox.dll (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\QuickTime\QTSystem\QuickTimeCapture.qtx (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\QuickTime\QTSystem\QuickTimeH264.qtx (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\QuickTime\QTSystem\QuickTimeMPEG4Authoring.qtx (=Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Common Files\Microsoft Shared\MSInfo\OINFO11.OCX (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\System\ado\msadomd.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\nspr4.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\crashreporter.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adsnw.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ativvaxx.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cdosys.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmdial32.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\CNQL4802.DLL (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comuid.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cscript.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c_g18030.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dbghelp.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\dsuiext.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eapp3hst.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fontsub.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hpowiax2.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imjp81.ime (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LCWizard.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lnod32umc.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsasrv.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\mdmxsdk.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgina.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\msh261.drv (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msls31.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\msltus40.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mspaint.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvcp70.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvcr71.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\msxml.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntkrnlpa.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\RtlCPAPI.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\scesrv.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\slextspk.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\synceng.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tosBtShell.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\usrprbda.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WMADMOD.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\WMADMOE.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmphoto.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WMVDECOD.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WMVSENCD.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpdsp.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuaucpl.cpl (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igfxdo.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igfxrcht.lrc (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igfxress.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WudfPlatform.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\mssitlb.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\setupsup.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pngfilt.dll (=Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\drivers\hsfcxts2.sys (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\mrxsmb.sys (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\VX3000.sys (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Firehand Ember Screen Saver.scr (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\winhlp32.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\ehiProxy\6.0.3000.0__31bf3856ad364e35\ehiProxy.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\GemMaster3\3.0.0.0__1bf1415c4c44d353\GemMaster3.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\mscorcfg\1.0.3300.0__b03f5f7f11d50a3a\mscorcfg.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\cpcScan.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\jsmalle.fon (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Microsoft.VisualBasic.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscorcfg.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\msvcp70.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\msvcr71.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Management.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2940_msvcr71.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Tasks.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Deployment.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Messaging.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1046.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.2070.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1046.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.2070.dll (=Backdoor.Bot) -> Quarantined and deleted successfully.

========================================================
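The poster's reasoning above (the two DLLs Windows cannot find are exactly the ones marked "Delete on reboot") can be checked mechanically against a log of this format. The following Python is an added example, not code from this thread or from Malwarebytes: it parses MBAM 1.x result lines of the shape `<object> (<detection>) -> <action>.`, keeps the "Files Infected" section, and separates OS files that were quarantined (a copy exists to restore) from OS files marked "Delete on reboot" (in-use files, which the staff reply later in this thread says are not backed up). The sample log lines, the `WINDOWS_PREFIX` rule and the `BOOT_CRITICAL` name set are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One MBAM 1.x result line: "<object> (<detection>) -> <action>."
LINE_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[^)]+)\) -> (?P<act>.+?)\.?$")

# Assumption for this example: anything under the Windows directory is an OS file.
WINDOWS_PREFIX = "c:\\windows\\"

# Files whose loss the thread reports as breaking boot (services.exe needs
# scesrv.dll, lsass.exe needs lsasrv.dll). Constructed list, not exhaustive.
BOOT_CRITICAL = {"lsasrv.dll", "scesrv.dll"}

# Constructed sample in the same format as the log above (a few lines only).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 5232

Files Infected: 6

Memory Modules Infected:
C:\WINDOWS\system32\lsasrv.dll (Backdoor.Bot) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\cscript.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsasrv.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\scesrv.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\ntkrnlpa.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\mrxsmb.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\nspr4.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Finding:
    path: str       # object the scanner acted on (file, process or registry item)
    detection: str  # detection name, e.g. Backdoor.Bot
    action: str     # what the scanner did, e.g. "Delete on reboot"
    section: str    # log section the line belongs to, e.g. "Files Infected"


def parse_log(text):
    """Return the result lines of an MBAM 1.x log as Finding objects."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers are bare labels ending in ':' ("Files Infected:").
        # Summary lines ("Files Infected: 6") and banner lines match neither rule.
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = LINE_RE.match(line)
        if m and section:
            # lstrip("=") tolerates the "(=Backdoor.Bot)" form seen in pasted logs.
            findings.append(Finding(m["obj"], m["det"].lstrip("="), m["act"], section))
    return findings


def triage(findings):
    """Split 'Files Infected' entries by outcome and flag boot-critical losses."""
    files = [f for f in findings if f.section == "Files Infected"]
    report = {
        "by_action": Counter(f.action for f in files),
        "os_quarantined": [],      # quarantine copy exists: restorable from MBAM
        "os_deleted_in_use": [],   # "Delete on reboot": no quarantine copy
    }
    for f in files:
        path = f.path.lower()
        if not path.startswith(WINDOWS_PREFIX):
            continue
        name = path.rsplit("\\", 1)[-1]
        if f.action.startswith("Delete on reboot"):
            report["os_deleted_in_use"].append(name)
        else:
            report["os_quarantined"].append(name)
    report["boot_critical_lost"] = sorted(BOOT_CRITICAL & set(report["os_deleted_in_use"]))
    return report


if __name__ == "__main__":
    rep = triage(parse_log(SAMPLE_LOG))
    for action, n in rep["by_action"].items():
        print(f"{n:3d}  {action}")
    print("OS files restorable from quarantine:", rep["os_quarantined"])
    print("OS files deleted while in use (no copy):", rep["os_deleted_in_use"])
    print("Boot-critical files lost:", rep["boot_critical_lost"])
```

Run against the full log from the post, the same triage lists which system32 files can be put back from the MBAM quarantine and which ones (dbghelp.dll, lsasrv.dll, msgina.dll, scesrv.dll and the rest of the "Delete on reboot" set) have to come from the dllcache, the install media or a repair install, which is exactly the split the rest of this thread works through.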

Hi GatorPC: Thanks for your help!

The attached file is missing scesrv.dll and my dllcache directory doesn't have a copy of it.

Could you be so kind as to put it here for download?

So, the files in my system32 directory that were erased, are they completely gone?

Thanks again for your help.

GatorPC

Groups authorized to help with HJT logs

http://forums.malwarebytes.org/index.php?showtopic=12264


I am somewhat worried about the way MBAM is handling infections. Not sure whether this is the standard way to handle such problems or it is exclusive to MBAM. See, the issue is that lots of system files were flagged and many were marked for deletion. That essentially means that your computer's OS becomes dead after the spyware removal. To me this is a serious design flaw. I would have expected that copies of these files would have been placed in quarantine and the originals then deleted on reboot. In this way there is always a way to recover in case there was a false positive issue like in the present situation.


  • Staff

We have narrowed down the cause of this and corrected the database to prevent this detection from happening. This was basically due to an unforeseen bug in 1.45 and 1.46 with in-use files and the way it translated the 1.50 defs. I will mention to the developers about backing up files, but I believe they aren't backed up due to the in-use status. The quarantine files are stored protected, so it's just not that simple to manually copy them back.

The best way, unfortunately, is to repair install, then once back up restore anything backdoor bot related that is in quarantine.


My bad. Here's the updated .zip file.

GatorPC

Hi Gator:

Thank you so much. I was able to restart Windows with the last missing file. Now I have to assess the extent of the damage caused by MBAM on my system, as many things were actually deleted. I may even have to reinstall the whole computer software, but at least I can do that now in a more ordered fashion. Thanks again. If it had been up to MBAM's support I would still have a dead system, as I have barely heard anything from them so far.


We have narrowed down the cause of this and corrected the database to prevent this detection from happening. This was basically due to an unforeseen bug in 1.45 and 1.46 with in-use files and the way it translated the 1.50 defs. I will mention to the developers about backing up files, but I believe they aren't backed up due to the in-use status. The quarantine files are stored protected, so it's just not that simple to manually copy them back.

The best way, unfortunately, is to repair install, then once back up restore anything backdoor bot related that is in quarantine.

Look, I understand that you are dealing with difficult issues here. However, your software should have a huge warning pop up when deleting files from a system folder. Something along the lines of: SYSTEM FILES ARE ABOUT TO BE DELETED. YOUR SYSTEM MAY BECOME NON-BOOTABLE AFTER DISINFECTION. MAKE SURE THIS IS NOT A FALSE POSITIVE SITUATION AND CONFIRM THAT YOU WANT TO PROCEED.

At least in that way the user is warned beforehand that his/her system may become dead once the infection is removed.


  • Staff

We are looking at extra insurances to prevent this and will add something similar to what you suggested in the next version. The problem is it occurred with old versions of our software and there is nothing we can do to change the old software itself. This won't happen with 1.50 due to it not having the bug the previous versions had. We have added some precautions to help the previous versions through database updates.

I apologize for support, but due to this bug they do have their hands pretty full at the moment. If ever they are non-responsive in the future, feel free to send me a PM. If you are still having problems getting everything back, please feel free to escalate to me by PM and I will get someone to help you through it.
