Error message and virus problems

Thread starter: Guest

Just tell me if I'm in the wrong place for this but I need some advice. I've
installed and run the Beta and experienced both the Updates problem mentioned
and the problem trying to remove components where you get the 0x80004003
error. The real problem is that Defender found a Backdoor.Prayer on my
system which has this week allowed somebody to steal my identity online.
I've got it back now but would quite like to remove this software.
Unfortunately, only Defender has managed to find it. I've tried McAfee, AVG,
Spybot, Sophos and whatever the Windows Spyware detector was before this but
none of them can find it. Does anyone have any suggestions where I might be
able to find some software capable of getting rid of this thing?

Thanks
 
Hi

Thanks for the suggestion but I tried ewido and it didn't find it either. I
also tried McAfee, Spyguard and Ad-Aware too with no success. I've used a
programme called Hijack This and am waiting for one of my friends to provide
a translation of the results!

Thanks anyway

Max
 
I'll post what I can find in the System Event log when I get home tonight. I
can't remember the error message exactly either so I'll get that too.
 
The possibilities include: Object found is in some location it can't be
removed from--System Restore storage, quarantine for an antivirus, etc, or,
Object found is part of an archive--zip, arj, cab, exe zip--etc--and
Microsoft doesn't want to blow away the whole archive for the one bad apple.
So--between the full path and filename in the system event log, and the error
message, it should be possible to both understand what is happening, and
decide what's a good way to go at it. Additionally--let's be sure the
detection is real, and not a false positive. I understand from your original
message that you feel this was a valid find--but it's good to double check.
 
Hi again

The error is this:
Threat Name: The Prayer
Threat Id: 12988
Threat Severity: 5
Threat Category: 6
Action: Remove
Error Code: 0x80508026
Error description: Windows Defender cannot remove a potentially harmful item from the contents of an archived file. To remove the item, you need to delete the archive or you can search for options for removing spyware in Help and Support.

It didn't say that much info when it appeared. It found the trojan in a Rar
file that I've never opened. Can the Trojan still operate from there?

Here's the details of the initial warning

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 24/03/2006
Time: 02:03:27
User: N/A
Computer: HOME
Scan ID: {38D80E63-C982-40C8-99CB-4C29F09E8257}
Scan Type: AntiSpyware
Scan Parameters: Quick Scan
User: NT AUTHORITY\NETWORK SERVICE
Threat Name: The Prayer
Threat Id: 12988
Threat Severity: 5
Threat Category: 6
Path Found:
file:c:\documents and settings\max c\Desktop\SAMSUNG PLATINUM CD\PLATINUM POLYTONES PACK 3.rar->21000 MID polyphonic ringtones for mobile phones\blackened.mid;
file:c:\documents and settings\max c\Desktop\SAMSUNG PLATINUM CD\PLATINUM POLYTONES PACK 3.rar->21000 MID polyphonic ringtones for mobile phones\blacken.mid;
file:c:\documents and settings\max c\Desktop\SAMSUNG PLATINUM CD\PLATINUM POLYTONES PACK 1.rar->4900 PLATINUM POLYTONES\metallica\blackened.mid;
file:c:\documents and settings\max c\Desktop\SAMSUNG PLATINUM CD\PLATINUM POLYTONES PACK 3.rar->21000 MID polyphonic ringtones for mobile phones\Pop_and_Top40\metallica\blacken.mid
Detection Type: Signatures

The software arrived on a CD that came with a Bluetooth device for my
computer. I never extracted any of the contents though.

To answer some of your other questions, I can only assume this is what's
allowed someone to hack into some of my online accounts but it's not
impossible that it's a false positive. The Prayer Backdoor doesn't seem to be
new so it seems a bit weird that nothing else can find it.

Thanks for all your help, I finally feel like I'm getting somewhere with
this : )
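The Path Found field above is the key to the 0x80508026 error: Defender writes the containing archive, then "->", then the member it flagged, and it will not clean a member in place. The following script is an added example, not code from this thread or from Microsoft; it parses a constructed event modelled on the one above (paths shortened, one non-archive entry added) and lists which archives hold flagged members versus which flagged files are loose on disk.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the WinDefend Event ID 1006 text in the thread.
# Paths are shortened and a loose (non-archive) entry is added to show both cases.
SAMPLE_EVENT = """Event ID: 1006
Threat Name: The Prayer
Threat Id: 12988
Path Found: file:c:\\docs\\max c\\Desktop\\PACK 3.rar->21000 MID\\blackened.mid;file:c:\\docs\\max c\\Desktop\\PACK 3.rar->21000 MID\\blacken.mid;file:c:\\docs\\max c\\Desktop\\PACK 1.rar->4900\\metallica\\blackened.mid;file:c:\\docs\\max c\\loose.mid
Detection Type: Signatures"""

# Defender separates the containing archive from the flagged member with "->".
ARCHIVE_SEP = "->"


def parse_paths_found(event_text):
    """Return the individual 'file:' entries from the Path Found field."""
    m = re.search(r"^Path Found:\s*(.+)$", event_text, re.MULTILINE)
    if not m:
        return []
    return [entry for entry in m.group(1).split(";") if entry]


def classify(entry):
    """Split one entry into (container, member); member is None for a plain file."""
    path = entry[len("file:"):] if entry.startswith("file:") else entry
    if ARCHIVE_SEP in path:
        container, member = path.split(ARCHIVE_SEP, 1)
        return container, member
    return path, None


def archives_to_delete(event_text):
    """Map each archive holding a flagged member to the members inside it.
    These are the files Defender cannot clean in place (error 0x80508026)."""
    by_archive = defaultdict(list)
    for entry in parse_paths_found(event_text):
        container, member = classify(entry)
        if member is not None:
            by_archive[container].append(member)
    return dict(by_archive)


def loose_files(event_text):
    """Flagged files that are not inside an archive and can be removed directly."""
    return [classify(e)[0] for e in parse_paths_found(event_text) if classify(e)[1] is None]


if __name__ == "__main__":
    for archive, members in archives_to_delete(SAMPLE_EVENT).items():
        print(f"archive {archive} holds {len(members)} flagged member(s): {members}")
    print("loose flagged files:", loose_files(SAMPLE_EVENT))
```

Deleting an archive named by the report removes every flagged member at once; a member that has never been extracted has no copy on disk to clean separately.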
 
Thanks so much for all your help on this. I was starting to think the same
about it being a false positive. From what I've been able to see the Prayer
is not a particularly new trojan and I would have thought that one of the
other dozen or so scans I have run would have picked it up as well. It
turned up on Defender on both a Quick and Full Scan.

I can't be 100% certain my credentials were lost here but the only other
machine I ever access the internet from is my work machine and, as I work for
the government, I would expect the chances of the problem lying there to be
minimal. I will investigate those rootkit links tomorrow morning and get
back to you with the results but right now I'm thinking I'd just be better
wiping the disk and starting again. It seems the only way to be sure.

Max
 
With a rootkit, or a trojan in place, wiping and reinstalling is the only
way to be certain. However, it is by no means a panacea. You need to be
careful to be protected by a firewall or NAT while applying the service
packs and security patches that will need to be re-applied after the
reinstall.

And you need to consider whether you really have a good handle on how you
were compromised in the first place--otherwise you may be doomed to repeat
the experience.

The files and settings transfer wizard can be helpful in transferring stuff
between the two installs, if you can create a safe place to park the data
across the transition.
 
Before I re-install I'm going to replace my USB modem with a router with
hardware firewall for a bit more protection and tighten up the firewall
security settings too. I'm still not 100% sure how this all happened
assuming that The Prayer was a false positive but I think the important thing
is that I'm now much more aware of the necessary precautions to take to limit
damage and what signs to look out for in future. And of course I will now be
completely paranoid about anything I download from the internet!

Thanks again for all your help

Max
 
It occurs to me that I should have mentioned that Microsoft does have free
help for any user with problems due to a virus infection or with security
patches. In the U.S. or Canada, a free call to 1-866-pcsafety will get you
connected to Microsoft PSS engineers.

If you are at all uncomfortable about the process of reinstalling, you
should be able to get help this way.
 