Backdoor.SDBot.MYX is driving me spare

Please run ALL the steps in the READ ME.

No online scanners were run and neither was Microsoft Antispyware. Anything else??

 

At least two online scans should have been run and I cannot believe they would not find the below trojan.

C:\Program Files\MsMovies\MsMovies.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto

Does MsMovies appear in Add/Remove programs?


Online scanners also leave traces in your log. Did you remove those too? Why???

 

If the MSMovies program is not in Add/Remove programs, use the below procedure to remove it.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\Program Files\MsMovies\MsMovies.exe

After killing all the above processes, click "Back".
Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\MsMovies <--- the whole folder

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Well there is nothing in your HJT log that indicates any problems. Let's dig a little deeper:

Run this Running Ewido Security Suite and attach the log from Ewido


Download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

 

You may have a few items left around from an old Look2Me infection. Please run the steps in the below link:

Look2Me VX2 Removal

The below all showed in your WinPfind log and are not valid. There should be EXE files with the same base filename (base filename means regedit for example). So there should be a regedit.exe. Look to see if all the EXE files exist and what there file sizes are.

Afterwards post a new log from WinPfind.

 

Did your PC come preinstalled with WinXP SP2 or did you upgrade to it?
Do you have a WinXP SP2 CD?

Also check to see if the following folder is on your PC:
C:\WINDOWS\ServicePackFiles\i386

 

Check your WinXP SP2 CD for a i386 folder. We should be able to restore you missing files from this folder. They could be compressed. That is, instead of seeing the .exe extensions on the filenames, you will see .ex_

If that is the case, we will have to expand them. The command prompt is used to do that. Let's see what you find first. Also, since you have a C and a D drive that are harddisks, is your CD drive letter E?

 

Since regedit.exe is not compressed, just copy it from your CD to the C:\WINDOWS\System32 folder. That should hopefully resolve your problems with regedit not working.

Do you have WinXP Pro or Home? If it is the Home version, that is more than likely why there is no tasklist.exe or taskkill.exe.

 

But one of your problems was also the regedit would not work. Does it work now?

Open a command prompt and enter the below command:

sfc /scannow

Did it find anything to fix? You may be ask for your WinXP CD.

 

So did you supply the XP disc and let it fix the files. Did it tell you which ones?

 

Okay! So you did not get any error messages I assume while doing this and it was able to locate all files it needed. Is that correct?

Is the Windows XP disk you inserted a Windows XP SP2 disk? If not, you may need to check Windows Updates for updates to your OS now.

How are things working now?

 

When is it very slow? What programs are you running when you believe it is slow?

Are you the Administrator of this PC and are you currently logged in with an account that has administator priviledges? Do you get any error message when you try to disable system restore?


Please download WinPFind

Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.

When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

 

These may not be malware related. They could just be due to software/hardware conflicts on your PC or some other aspect of the software possibly requiring a reinstall.

Please boot into safe mode and locate and rename the files given below:

C:\WINDOWS\SYSTEM32\dprsx.dll rename to dprsx.ddd
C:\WINDOWS\SYSTEM32\msasf.exe rename to msasf.xxx
C:\WINDOWS\SYSTEM32\rdtapjv0.ini rename to rdtapjv0.iii
C:\WINDOWS\SYSTEM32\t3lujmpq.ini rename to t3lujmpq.iii
C:\WINDOWS\SYSTEM32\u6oiurji.ini rename to u6oiurji.iii
C:\WINDOWS\system32\A80103E9AD.sys rename to A80103E9AD.sss

Then reboot into normal mode and tell me if you get any error messages. Also let me know if there is any change to any of your problems.

Also download GetService.zip from here: Getservice.zip

Extract the file to a folder where you can find it, then go to the folder and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad file as an attachment too. Call it service.txt.

 

Download the attach GetRunKey-V114.zip to your PC someplace you can locate it. Then extract the getrunkeys.bat file from the ZIP. Locate the getrunkeys.bat file and double click on it to run it. It will create a file named runkeys.txt in the root of drive C: (C:\runkeys.txt) . This log will also popup in a notepad window which your can just close. Unload the runkeys.txt file here are an attachment.

 

Okay! It is possible that something is still hiding. We may need to dig deeper. However it does not make sense that only two programs would be affected by whatever malware could potentially be hiding. It would make more sense that everything would be slower.

 

Also take a look at the procedure below for trouble shooting System Restore and see if it helps:

How to troubleshoot the System Restore tool in Windows XP

 

Please download F-Secure Blacklight to its own folder (someplace you can find it).

After download is complete, double click on the blbeta.exe file run the program. Click "Accept" to continue and then click SCAN to begin scanning your system.

Once the scan is complete it will attempt to clean the found infections. There should be a log in the folder that you ran the program from, attach this log to your next post.

 

Well this is why we try to disable system restore but since you cannot, who knows what is in there.

The information you gave just indicates a typically system restore type file name. What virus or malware was found?

If you still have problems, I would just boot into safe mode, try again but while in safe mode to diable system restore and then try delete that whole RP162 folder. If System Restore does not get disabled this will be denied.

If that does not work! Boot into normal mode and download the below registry patch to your Desktop.

http://www.kellys-korner-xp.com/regs_edits/disablesystemrestore.reg

Once downloaded double click on it and answer yes to add it into your registry. Check to see if system restore is disabled now.