What can I do about virus Backdoor.padmin?

Question

My Norton Anti-Virus has found a virus, "Backdoor.Padmin". It says the infected object name is: C:\winnt\system32\qossrv\csrss.exe.

What do you recommend? Symantec's Website is no help. Can I delete the "object"? If so, how?

Thanks very much for your help.

Answer

This question was answered on September 4, 2003. Much of the information contained herein may have changed since posting.

I have found the following information:

Description:

This backdoor program installs itself in memory and is capable of running as a hidden process. While in memory, it performs port scanning and network flooding.

It is written in Microsoft Visual Basic 6 and usually arrives UPX-compressed.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as BKDR_PADMIN.E. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

Open Windows Task Manager.

On Windows 95/98/ME systems, press

CTRL+ALT+DELETE.

On Windows NT/2000/XP systems, press

CTRL+SHIFT+ESC, then click the Processes tab.

In the list of running programs*, locate the malware file or files detected earlier.

Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.

Do the same for all detected malware files in the list of running processes.

To check if the malware process has been terminated, close Task Manager, and then open it again.

Close Task Manager

*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third-party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.

In the left panel, double-click the following:

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

In the right panel, locate and delete the entry or entries:

TaskMan=<file path of malware>

Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BKDR_PADMIN.E. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.


Author

Posted by Student of Katharine Gibbs School - New York on September 4, 2003
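As an added example (not part of the question or the answer above), a read-only PowerShell check a defender can run on a Windows host to surface the two indicators the answer's procedure depends on: the TaskMan value under the HKLM Run key, and any csrss.exe running from somewhere other than %SystemRoot%\System32 (the detected copy sat in a qossrv subfolder). It assumes an elevated PowerShell session; the value name and path are the ones the answer gives, and the script only reports, it deletes nothing.

```powershell
# Added example, not from the original answer. Assumes an elevated session.
# "TaskMan" and the qossrv\csrss.exe path come from the write-up above.
$runKey           = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$suspectValueName = 'TaskMan'
$legitCsrss       = Join-Path $env:SystemRoot 'System32\csrss.exe'

function Get-RunKeyEntries {
    # Return every value under the Run key, flagging the name the write-up names.
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own metadata
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Name
                Command = $_.Value
                Flagged = ($_.Name -eq $suspectValueName)
            }
        }
}

function Get-MisplacedCsrss {
    # The genuine csrss.exe lives directly in %SystemRoot%\System32. It is a
    # protected process, so WMI may report no ExecutablePath for it; such rows
    # are skipped. Any csrss.exe with a visible path elsewhere is reported.
    Get-CimInstance Win32_Process -Filter "Name = 'csrss.exe'" |
        Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ne $legitCsrss) } |
        Select-Object ProcessId, ExecutablePath, CommandLine
}

$entries = Get-RunKeyEntries
"Run-key autostart entries:"
$entries | Format-Table -AutoSize
$flagged = $entries | Where-Object Flagged
if ($flagged) {
    "Flagged: '$suspectValueName' autostart present -> $($flagged.Command)"
}

$misplaced = Get-MisplacedCsrss
if ($misplaced) {
    "csrss.exe running outside System32 (candidate for End Process and AV quarantine):"
    $misplaced | Format-Table -AutoSize
} else {
    "No csrss.exe running outside $env:SystemRoot\System32."
}
```

Pair the output with a current antivirus scan before acting: a flagged Run value or a misplaced csrss.exe is the cue to follow the termination and registry steps above, not a verdict on its own.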