I need help to remove backdoor.bot

I am using Vista 32-bit Home Premium. An hour ago I may have stumbled upon the wrong website; cutting a long story short, it opened up the process "e.exe" on my machine, so I was self-alerted that I had been infected with a virus (which should have been Avast's job to do, but Avast did not detect this).

(I have not run a virus scan of any kind for quite some time, so I do not know if backdoor.bot came from this incident; what I am saying is that it was this incident that alerted me to do a virus scan.)

After updating Malwarebytes and running a scan it uncovered 12 infected files, most of them being trojan.downloader, which were all removed.

The one that seems to stick around, and does not want to leave, is backdoor.bot. It is a nasty keylogger; I do things such as internet banking and play games of value such as World of Warcraft. I cannot afford to lose my personal information to this virus, and I need some help with removing it please!

Currently I am running a thorough scan with Avast "while awaiting your response"! I know Avast will not be much help in terminating the virus, and using smaller programs to manually and directly target backdoor.bot will be much more effective.

PLEASE HELP!

Also: I have uncovered the following path manually. I am not sure if it is a virus, but I know it has a bad reputation in the world of data stealing.

C:\Users\"username"\AppData\Roaming\sdra64.exe

Google is your friend

http://www.google.com/search?q=sdra64.exe&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

http://www.google.com/search?q=backdoor.bot&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

http://www.spywareremove.com/removeBackdoorBot.html

I have read every Google search available for my situation! I AM GOING CRAZY because it is not as simple as "read an article, remove it".

I need an "expert" to guide me through the process, or at least somebody knowledgeable to help me.

Take this small guide for example.

http://www.spywareremove.com/removeBackdoorBot.html

This is nonsense. Infect your machine with backdoor.bot and see if you are able to remove it following this guide; you will understand what I mean.

Try these

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en

Dr.Web CureIt! http://www.freedrweb.com/cureit/
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/

You have to start somewhere. I can see what the spywareremove people are getting at. I have no idea what steps you've taken other than what you have said in your OP.

I reformatted.

What I gather from this is that avast! doesn't have a product that can protect us from bots? Is this true?

How sad that someone has to re-format.

For those obnoxious mimics who help no one with their "Google is your friend": if you don't know what you're doing and/or don't give a crap about helping others, then GET OFF THE FORUM. Forums are about each member sharing their time and experience to help another person. If you want others to waste hours searching, then just get off the forum.

Jon

Did you try the tools pondus suggested?

You should not give up that easily.

I would recommend a scan with SUPERAntiSpyware, because sometimes it picks up things Malwarebytes doesn't, and vice versa.

http://www.superantispyware.com/

If that does not solve your problem, make a scan with HijackThis and post the result here so we can see if we can find the infection from there.

http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Good luck

Needshelppp wrote:

    I have read every Google search available for my situation! I AM GOING CRAZY because it is not as simple as "read an article, remove it".

    I need an "expert" to guide me through the process, or at least somebody knowledgeable to help me.

You give no indication in your OP that you had already thoroughly searched for information on BackdoorBot.
So sorry, I was only trying to contribute understanding of the issue in what little time was available. In which case Google is a most convenient vehicle, perhaps not always your friend, but that is just something we say anyway.

I did not say the spywareremove page would remove the infection for you. After you read the page, I ask you now what you do not understand about BackdoorBot.

Also worth bearing in mind that no antivirus will detect 100%.

This weekend, as always, I disinfected systems of malware - Sality in one bad case (see picture below), and Antivirus Action. I then returned these systems to smooth running. As you say, Needshelppp, not that simple a procedure. At times I was nearly locked out of the system. And when it comes to the forum, I just don't have the same amount of time to spare for the forum. All credit to people like Pondus, who I rely on to fill in the gaps that are left.

Edit - 13/12/2010 2.31AM - just booted into the PC infected with Sality and checking the system - will post a reply here

That was a version of Zeus, so it was keylogging. It can be removed, but not automatically; manual removal is needed for some elements.

sdra64.exe is one of the key files. Although I gather the Zeus author has now come up with a better version that will start relying on bootkits like Whistler.

Taking out Sality - the PS2 keyboard that was plugged into the computer was hopelessly lost to the variant, but slipping in a USB keyboard under the radar enabled me to log in and remove the user's passwords.

Otherwise gaining access may have become impossible - the Linux discs I use for circumventing passwords were being turned into confetti by the virus.

Edit - that is to say, the PS2 keyboard's reading of the disks was turned into confetti.

Here's an interesting one I've had in the past - when you open the command line, the / key on the keyboard starts reading #.
But that's okay, the / key still works okay; just forget about the fact that it's reading #, and your commands will take effect as per normal.

Here is probably recent information - it shows the relation between sdra64.exe and Sality.

http://www.threatexpert.com/files/palma.exe.html (edit - sorry very busy, forgot to insert link first time round)

I have yet to run an analysis of the Sality infection - removal, including manual steps, was completed satisfactorily (for now).
In this case, I plugged a friend's USB into the PC and detected Sality, but the steps I took to sort the threat were too superficial,
and nonetheless I let the person continue to use the system.
The following day, when I returned to that PC, I noted the change in functionality - so I stepped up my defenses before it was too late.

While disinfecting PCs is a good practice, it is not much fun for the user of the computer.
If sufficient steps are not taken to prevent infection, the disinfection can prove very time-consuming for all concerned.

Needshelppp, try the G Data boot CD: https://www.gdatasoftware.co.uk/support/main-subjects/upgrade-service/download.html

The thread was a year old when jolo stepped in.
Perhaps not a bad thing; we can carry the issues further if there is something to gain.

The G Data boot CD may have bypassed the keylogger, I don't know; some of the variants I would expect to be very elusive.

  • and oops, I have yet to send the files to avast

Well, I checked the infected PC each day and all seems good now.

The last thing I needed was an infection on a PC that was not in everyday use - it may not have been fully protected,
and so silly to let the person continue to use it after removing a threat and without first running a full check.

So very rushed keeping up.
I have inserted the link above that shows a relation between sdra64.exe and Sality (I forgot it at the time);
here it is again: http://www.threatexpert.com/files/palma.exe.html

Damn tough! - there were other nasties bundled in the malware package, so it seems -

http://www.threatexpert.com/report.aspx?md5=d751fbeae92ebb65b641bfdfba3e03ea

Though only bits and pieces were left, so I don't really know - I would say the infection did not have time to spread;
possibly bootkit behavior in the short time that I was watching it as an active entity.

Usually I have a bit more time to play with and the removal procedure is not so pressing - this time I nearly got bombed!

I have sent the files to avast

You meant rootkit, not bootkit.

The PC was no longer in front-line use, mainly for other people, lend-out, etc... so that, and being busy with other important things, meant unfortunately a rushed disinfection where I couldn't record and document as I was going.

  • but I am still doing brief check each day so can reply post here if anything else comes up

And btw, the nasty bugger also changed settings in Internet Options > Connections > LAN settings - from Automatic Configuration it changed the setting to Proxy Server.

  • This is common behavior for malware and something that should always be checked when internet settings are not functioning as they should.
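A defender-side check for the two settings raised in this thread, the WinINET proxy and the DNS servers. This is an added example, not something posted in the thread; it assumes a Windows host, reads the well-known registry values ProxyEnable, ProxyServer and AutoConfigURL from each user hive, and lists DNS servers through WMI so it also works on older systems such as Vista.

```powershell
# Added example: report per-user WinINET proxy settings and the DNS servers in use,
# so a sudden "Proxy Server" or odd DNS entry (as described above) can be spotted.
# Run from an elevated PowerShell to read other users' loaded hives under HKEY_USERS.
$inetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyFinding {
    param([string]$Hive, [string]$Label)
    $path = "Registry::$Hive\$inetKey"
    if (-not (Test-Path $path)) { return }
    $v = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        User          = $Label
        ProxyEnable   = [int]$v.ProxyEnable        # 1 = "Use a proxy server" ticked
        ProxyServer   = $v.ProxyServer             # host:port the browser is sent through
        AutoConfigURL = $v.AutoConfigURL           # PAC script URL; another common redirection
        # Flag for review: a proxy or PAC set on a home PC that never had one is suspicious.
        Review        = ([int]$v.ProxyEnable -eq 1) -or [bool]$v.AutoConfigURL
    }
}

# Current user first, then every loaded per-user hive (SID keys, excluding *_Classes).
$findings = @(Get-ProxyFinding -Hive 'HKEY_CURRENT_USER' -Label $env:USERNAME)
$findings += Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { Get-ProxyFinding -Hive $_.Name -Label $_.PSChildName }

$findings | Format-Table -AutoSize

# DNS servers per enabled adapter: compare with what the router/ISP is expected to hand out.
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled } |
    Select-Object Description, DHCPEnabled, DNSServerSearchOrder |
    Format-Table -AutoSize
```

A proxy entry a user set deliberately will also show as Review = True, so the table is a prompt to verify, not a verdict; the router's own DNS settings must still be checked on the router.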

Another area to check is the router, as they change the DNS settings in there as well - nice people.

Hahaha, yes, so nice that I'd like to get my hands on them.

I will make sure to ring my local ISP (slingshot.co.nz) and run through the router settings with them.

  • From what I can gather all seems okay on the sheets, but there are a few things there that I don't understand, so it will be a good exercise to get to know my gateway a bit better.

At the time I was using a Netgear switch and I had, I think, four computers running at once as stand-alone units (no software LAN setup as such).
Do you think it possible for the malware to infect the switch and so the other computers under these conditions? Myself, I think maybe yes.

Like, I think the switch has an individual ARP entry for each computer linking it to the router, I guess - and then on to the internet.
I suppose if the infection creeps outward from one computer to the router, then each computer on the other side of the switch will also come under threat.

  • even though there is no real intranet as such, directly linking them all together (so each has its own ARP list rather than sharing one)

I'm not using the switch at the moment because it's too noisy - and also I've put some of my LAN ideas to one side for the moment.
I think maybe look at some protection at the router location - I may have been lucky not to get a fully blown breakout on all four computers.

Bad enough as it was anyway - I had to reset the Services this morning as they were all reading 'disabled'.
In fact lots of little bits and pieces to tidy up amongst the tools and utilities - still, a nice learning curve in this little experience :)