Old 2 Weeks Ago   #1
Bronze Member
 
Join Date: Aug 2008
Posts: 49
PC Experience: Some Experience
Possible Backdoor.bot, and rootkit

Okay, this is a bit convoluted...

Two days ago I updated my definitions and did my weekly Malwarebytes full scan, and the results showed three detections of Backdoor.bot: one in a program installer file that was in the My Downloads folder, one that was in the same place in the copy of the My Downloads folder that I keep on my external hard drive, and one was in a system restore point on the external hard drive. I removed all three using Malwarebytes, and a later Malwarebytes scan showed no detections. The program whose installer Malwarebytes said was infected was one that I've had on my machine for a couple of years but haven't used lately; I removed it just to be on the safe side, and turned off system restore on the external hard drive. I did another full scan the next day and although the deleted ones did not turn up again, I got another Backdoor.bot detection, this time in the registry, which I did not remove as it was given the value of msconfig and I was scared to try anything with it without help. However, postings on the Malwarebytes forums stated that this was a false positive and would be corrected in the next definitions update, so I did another full scan after updating. This time, there was no detection of Backdoor.bot. For all I know, the first detections were FPs too -- I had not experienced any odd behavior and still haven't. None of my other anti-scumware programs found anything. So I'm unsure if Backdoor.bot was ever really an issue or not.

After I got the detection in the registry but before I learned of the false positive, I came over here to look into what prework needed to be done before getting help, and downloaded the programs. I ran RootRepeal, and it says it detects an MBR rootkit in my external hard drive. I have not experienced any weird behavior with it either; I just use that drive as a big flash drive to back up my pictures, music, etc. So basically, I'm not entirely sure what I'm facing here, and any help is appreciated.

Here are my scans:

DDS (Ver_09-10-26.01) - NTFSx86
Run by ******* at 1:49:07.92 on Wed 11/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.110 [GMT -8:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Webroot Internet Security Essentials *disabled* {2DB6657C-B970-44d3-AB42-6325A913CCC2}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
SVCHOST.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\WebrootSecurity\SSU.EXE
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\logonmgr.exe
C:\Program Files\MSN\MSNIA\CC\MSNCC\msncc.exe
C:\Documents and Settings\*******\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: : {fffffef0-5b30-21d4-945d-000000000000} - c:\progra~1\stardo~1\SDIEInt.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] "c:\program files\intel\modem event monitor\IntelMEM.exe"
mRun: [UpdReg] "c:\windows\UpdReg.EXE"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe " /auto
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
IE: Download with Star Downloader - c:\program files\star downloader\sdie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233485633203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233487960484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {FB719C61-4F89-48EA-BBEA-42F0252EFB12} = 209.244.0.3 209.244.0.4
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\*******\applic~1\mozilla\firefox\profiles\2ba9eoyz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\opera\program\plugins\npjpi160_11.dll
FF - plugin: c:\program files\opera\program\plugins\npoji610.dll
FF - plugin: c:\program files\opera\program\plugins\npstar.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-2-29 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 74480]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-9-1 1086840]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]

=============== Created Last 30 ================

2009-10-14 10:27:46 0 d-----w- c:\docume~1\*******\applic~1\MSNInstaller

==================== Find3M ====================

2009-11-04 05:36:49 365528 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-11-04 05:36:48 30406688 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:33:52 133632 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-10 21:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2009-08-07 02:24:18 327896 ----a-w- c:\windows\system32\dllcache\wucltui.dll
2009-08-07 02:24:18 209632 ----a-w- c:\windows\system32\dllcache\wuweb.dll
2009-08-07 02:24:10 35552 ----a-w- c:\windows\system32\dllcache\wups.dll
2009-08-07 02:24:06 53472 ----a-w- c:\windows\system32\dllcache\wuauclt.exe
2009-08-07 02:24:04 96480 ----a-w- c:\windows\system32\dllcache\cdm.dll
2009-08-07 02:23:54 575704 ----a-w- c:\windows\system32\dllcache\wuapi.dll
2009-08-07 02:23:46 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 02:23:46 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 02:23:46 1929952 ----a-w- c:\windows\system32\dllcache\wuaueng.dll
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll

============= FINISH: 1:50:19.59 ===============



Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
ZoneAlarm
``````````````````````````````
Anti-malware/Other Utilities Check:

SpywareBlaster 4.2
Spy Sweeper Core
Spy Sweeper
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
CCleaner (remove only)
Java(TM) 6 Update 15
Adobe Flash Player 10
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Zone Labs ZoneAlarm zlclient.exe
``````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````
Attached Files
File Type: txt RootRepeal.txt (21.3 KB, 2 views)
File Type: txt Attach.txt (16.0 KB, 0 views)
Reeby is online now   Reply With Quote
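The "Pseudo HJT Report" section above is where a helper spends most of the review time: each uRun/mRun line names a program that starts with Windows, and the entries have to be checked one by one. The script below is an added example for this thread, not code from DDS, HijackThis or PCHF. It parses autorun lines in that format into hive (DDS writes uRun for HKCU and mRun for HKLM), name, executable and arguments, records hooks marked "No File", and attaches simple defender-side review flags: a program living outside the usual Windows and Program Files directories, or a quoted path with stray whitespace like the MSConfig entry above. The sample report inside it is constructed and modelled on the log above; the "Sample Updater" line is invented only to show a path that trips the directory rule, and the list of trusted root directories is an assumption of this example.

```python
"""Triage autorun entries from a DDS / HijackThis-style report.

Added example for this thread; it is not DDS, HijackThis or a PCHF tool.
The sample lines below are constructed, modelled on the "Pseudo HJT Report"
section above, and the "Sample Updater" line is invented purely to show how
a non-standard path is flagged.
"""
import re
from dataclasses import dataclass, field

# DDS convention: uRun = HKCU\...\Run (this user), mRun = HKLM\...\Run (all users)
SCOPE = {"u": "HKCU", "m": "HKLM"}

# Where autoruns normally live on an XP box (assumption used by the triage rules)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ORPHAN_RE = re.compile(r"^(?P<kind>[A-Z]+): (?P<ident>.+?) - No File\s*$")
UNQUOTED_RE = re.compile(
    r"^(?P<exe>.+?\.(?:exe|scr|com|bat|cmd|dll|pif))(?:\s+(?P<args>.*))?$", re.I)

# Constructed sample report (a subset of the entry shapes in the log above)
SAMPLE_REPORT = r"""
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe " /auto
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Sample Updater] c:\docume~1\user\locals~1\temp\updater.exe /silent
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
"""


@dataclass
class AutorunEntry:
    hive: str
    name: str
    exe: str                 # executable exactly as written (quotes removed)
    args: str
    flags: list = field(default_factory=list)


def split_command(cmd):
    """Separate the program from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:                      # unterminated quote: treat the rest as the path
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    m = UNQUOTED_RE.match(cmd)
    if m:
        return m.group("exe"), m.group("args") or ""
    return cmd, ""                         # no recognisable extension: leave as-is


def assess(entry):
    """Attach review flags: where the program lives and whether the line is well formed."""
    path = entry.exe.strip().lower()
    if not path.startswith(TRUSTED_ROOTS):
        entry.flags.append("outside standard program directories")
    if entry.exe != entry.exe.strip():
        # e.g. the MSConfig line above: a space before the closing quote is a
        # registry-value quirk worth noticing, not evidence of malware
        entry.flags.append("whitespace inside quoted path")
    return entry


def triage(report_text):
    """Return (autorun entries, orphaned entries) found in the report text."""
    entries, orphans = [], []
    for line in report_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            exe, args = split_command(m.group("cmd"))
            entries.append(assess(AutorunEntry(
                SCOPE[m.group("scope")], m.group("name"), exe, args)))
            continue
        o = ORPHAN_RE.match(line)
        if o:                              # hook whose file is gone: usually leftover, always worth a look
            orphans.append((o.group("kind"), o.group("ident")))
    return entries, orphans


if __name__ == "__main__":
    found, gone = triage(SAMPLE_REPORT)
    for e in found:
        status = "; ".join(e.flags) if e.flags else "ok"
        print(f"{e.hive:<4} {e.name:<16} {e.exe.strip()} {e.args}  [{status}]")
    for kind, ident in gone:
        print(f"orphan {kind}: {ident}")
```

A flag here only means "look closer": the next step for a flagged entry is checking the file's publisher, hash and creation date against the "Created Last 30" and "Find3M" sections of the same report, which is exactly the research step Crush describes later in the thread.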
Old 2 Weeks Ago   #2
Tech Support Team
 
 
Join Date: Nov 2006
Location: In the Slaughtered Lamb having a pint.
Posts: 4,484
PC Experience: Smarter than the average Bear
Re: Possible Backdoor.bot, and rootkit

A member of the Security Team will assist you as soon as possible Reeby.
__________________

If PCHF has helped you please consider a donation by clicking this link Donate




Wolfeymole is offline   Reply With Quote
Old 2 Weeks Ago   #3
Bronze Member
 
Join Date: Aug 2008
Posts: 49
PC Experience: Some Experience
Re: Possible Backdoor.bot, and rootkit

Thank you Wolfeymole. Will stay tuned.
Reeby is online now   Reply With Quote
Old 2 Weeks Ago   #4
Tech Support Team
 
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Re: Possible Backdoor.bot, and rootkit

Hi Reeby,

I'm Crush and I'll be helping you to remove your Malware. Before we begin there are some things that you should know:

1. We are all volunteer staff here at PCHF so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries.

3. This may turn into a long ordeal but, rest assured we will stay with you until you are completely disinfected.

4. Please do not run any tools or fixes unless asked to do so by myself or a member of the Security Team.

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous. PCHF does not assume any responsibility for users that decide to do so.

6. If you have any questions or issues please stop and ask! We are all here to help.

With that out of the way:

Could you post the MBAM logs please?
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

Crush is offline   Reply With Quote
Old 2 Weeks Ago   #5
Bronze Member
 
Join Date: Aug 2008
Posts: 49
PC Experience: Some Experience
Re: Possible Backdoor.bot, and rootkit

Hi Crush, thanks for your assistance. Here is the first Malwarebytes log, the one that reported the three Backdoor.bot infections:

Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 2

11/2/2009 1:17:36 AM
mbam-log-2009-11-02 (01-17-36).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 214448
Time elapsed: 1 hour(s), 43 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Rebecca\My Documents\My Downloads\RipIt4Me Installer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
F:\My Downloads\RipIt4Me Installer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
F:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0003495.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Weirdly enough, when I went to get the log for the scan that said there was a registry detection of Backdoor.bot, I can't find it. Maybe it got deleted somehow once I did the definitions update that corrected the supposed false positive? But it's not there. The clean scan I did with the new definitions is there, though.
Reeby is online now   Reply With Quote
Old 2 Weeks Ago   #6
Tech Support Team
 
 
Join Date: Sep 2008
Location: Caldwell, New Jersey
Posts: 10,112
PC Experience: Always Learning New Things
Re: Possible Backdoor.bot, and rootkit

Reeby,

It seems to me this is an instance of that one program being infected, and subsequently the restore point before installation.

Usually with a Bot that has backdoor functionality I would counsel you to reformat as they can be particularly nasty infections.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

Crush is offline   Reply With Quote
Old 2 Weeks Ago   #7
Bronze Member
 
Join Date: Aug 2008
Posts: 49
PC Experience: Some Experience
Re: Possible Backdoor.bot, and rootkit

Thanks for getting back to me, Crush. Some questions:

Regarding reformatting -- this computer is a Dell, and has the Dell PC Restore partition to take the computer back to its factory settings. Would that work in this instance in the same way as a reformat and reinstall of Windows XP would? If not, I think I would like to try cleaning the computer before going to reformat/reinstall.

Also, in regards to whatever it is that RootRepeal found on the external hard drive -- would a total wipe of that drive solve that issue?
Reeby is online now   Reply With Quote
