Emergency Help Needed!

Postby Yappinator on Fri Jan 10, 2003 2:54 pm

ok guys
Backdoor.OptixPro.11

is what our poor Rip has



http://securityresponse.symantec.com/avcenter/venc/data/backdoor.optixpro.11.html

he needs to get the computer back up to B4 I sent him to that site
To err is human, to really foul things up requires a computer.
Failure is not an option. It comes bundled with the software
Quoting one is plagiarism; Quoting many is research
Frogs have it easy; they can eat what bugs them..

Yappinator
Banned
 
Posts: 849
Joined: Thu Jul 04, 2002 10:12 pm
Location: On. Canada

Postby Yappinator on Fri Jan 10, 2003 4:07 pm

BUMP
help guys

Postby SCgone on Fri Jan 10, 2003 4:22 pm

Have you checked to see if it will do a repair install? I've done 4 or 5 of those without a hitch. If the repair install works, then you won't lose any settings. You'll need to boot to the CD though.
SCgone
PRO ELITE
 
Posts: 12847
Joined: Thu Mar 14, 2002 6:59 pm
Location: South Carolina, USA

Postby Yappinator on Fri Jan 10, 2003 4:25 pm

TX bell

Me mind was discombobulated

Postby RIP! on Fri Jan 10, 2003 7:28 pm

CD isn't bootable. :(
~One Liner!~
RIP!
PRO Level 15
 
Posts: 1009
Joined: Fri Jul 26, 2002 12:35 pm
Location: Va

Postby *Starz* on Fri Jan 10, 2003 8:10 pm

I'm asking everyone for help right now on behalf of RIP, I have him on MSN right now...he has finally managed to get into his registry...and is looking for the problem...is anyone able to be of assistance...if so please pm me and I will invite you into the conversation...He's in serious need of help with this one...he has his business files in there and can't afford to lose them...

Thanks in Advance
~ You Are Never Given A Wish Without Being Given The Power To Make It Come True ~
*Starz*
PRO PLATINUM
 
Posts: 6527
Joined: Fri Aug 16, 2002 8:05 pm
Location: Great Smoky Mountains

Postby Stan on Fri Jan 10, 2003 8:34 pm

Rip...I found this

Delete the Winstart.bat file

Most variants of Backdoor.Optix will create a batch file named Winstart.bat in the %Windows% folder. Winstart.bat is a standard Windows file that can be created and used by programs when you install software. If the Winstart.bat file exists, it will run when you start Windows, and any commands in it will be executed. by default this is C:\Windows or C:\Winnt) and copies itself to that location.

Backdoor.Optix keeps a second copy of itself on the hard drive. If you delete the Trojan from its original location, when Winstart.bat is run, it will recreate the Trojan file.

Therefore, if Backdoor.Optix is found on the computer, use Windows Explorer to locate and delete the \Windows\Winstart.bat file before you restart the computer.

To do this:
1. Start Windows Explorer.
2. Browse to the folder where Windows is installed. By default this is C:\Windows or C:\Winnt.
3. Locate and delete the Winstart.bat file.

Also check this out:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Troj/Optix will also copy the Trojan to the Startup group in the Start Menu.

Here's how it works:
When first run, the Trojan creates the sub-directory \OleFiles\, moves itself there and creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup = \OleFiles\

This ensures that the server process is run automatically each time the machine is restarted.

So delete the value in that key, e.g. \OLEFILES\ - delete the trojan value.

Hope this helps, all the best
Stan
PRO Level 2
 
Posts: 45
Joined: Tue Oct 15, 2002 7:25 pm
Location: Clearwater, Florida
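
An added example, not part of Stan's post or of the advisory he quotes: a Python check that reads a saved registry export (REGEDIT4 text, already decoded) plus a listing of the Windows folder, and reports the three startup locations the post names. The sample export, the folder listing and all function names are constructed for illustration.

```python
import re

# Persistence points named in the post above (keys compared lower-cased).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
USF_KEY = (r"hkey_local_machine\software\microsoft\windows"
           r"\currentversion\explorer\user shell folders")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export and folder listing (not taken from the thread).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\\WINDOWS\\OleFiles\\"
'''
SAMPLE_WINDOWS_DIR = ["WIN.INI", "SYSTEM.INI", "WINSTART.BAT"]

def parse_reg(text):
    """Parse REGEDIT4 text into {key_lower: {name: data}}, string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg exports escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def audit(reg_text, windows_dir_files):
    """Return (kind, detail) findings for the three persistence points."""
    keys, findings = parse_reg(reg_text), []
    # Winstart.bat can be legitimate, so its presence is a prompt to read it.
    if any(f.lower() == "winstart.bat" for f in windows_dir_files):
        findings.append(("winstart", "Winstart.bat present in Windows folder"))
    for name, data in keys.get(RUN_KEY, {}).items():
        findings.append(("run", f"{name} -> {data}"))  # list every entry for review
    startup = keys.get(USF_KEY, {}).get("Common Startup", "")
    if "olefiles" in startup.lower():  # folder name given in the post
        findings.append(("startup-redirect", startup))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_REG, SAMPLE_WINDOWS_DIR):
        print(f"{kind:17} {detail}")
```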

Postby *Starz* on Fri Jan 10, 2003 8:41 pm

Thanks Stan

He's at the site now reading your post...

Postby Xstream on Fri Jan 10, 2003 8:50 pm

This doesn't help Rip, but it is a good lesson. Either have a second hard drive, or a second partition on your drive that is only for non-installed files such as regular data, photos, music, etc. Then if you have to do a reinstall, you can still get to the other drive/partition after you get back up, without losing it.
Rip, I've PM'ed my meager attempt at help to stars. Good luck!
Xstream
PROfessional Member
 
Posts: 7563
Joined: Thu Mar 14, 2002 9:30 pm
Location: USA

Postby *Starz* on Fri Jan 10, 2003 8:59 pm

Update...

None of the files mentioned in Stan's post were showing up on his system. X...I sent him a copy of your PM...he's doing another scan right now...still looking for assistance...if anyone can help with more ideas...it would be most appreciated...
