1. /
  2. Security Response/
  3. Backdoor.Autoupder Removal Tool

Backdoor.Autoupder Removal Tool

Discovered:
May 13, 2002
Updated:
January 31, 2006 12:00:00 AM
Type:
Removal Information
What the tool does
The Backdoor.Autoupder Removal Tool does the following:
Terminates all the viral Backdoor.Autoupder processes
Deletes any Backdoor.Autoupder executable files
Removes registry entries that are used by Backdoor.Autoupder to start with Windows

Command-line switches available with this tool

Switch Description
/SILENT, /S Enables silent mode.
/LOG=[PATH NAME] Creates a log file where [PATH NAME] is the location in which to store the output of the tool.
/START Forces the tool to start scanning immediately.

To obtain and run the tool
After you run the tool, delete temporary files and temporary Internet files to prevent future virus scans from detecting files in those locations.

CAUTION: After a computer has been attacked by Backdoor.Autoupder, it is possible that the security of the system has been compromised. For this reason, you should change all of the passwords that are used on an infected computer. This includes remote access and dial-up networking passwords, remote shares passwords, and so on.

NOTE: You must have administrative rights to run this tool on Windows NT.

Download the FixAutoupder.exe file from http://securityresponse.symantec.com/avcenter/FixAutoupder.exe.
Save the file to a convenient location, such as your download folder or the Windows desktop (or removable media that is known to be uninfected, if possible).
To check the authenticity of the digital signature, read the section The digital signature.
Exit all programs before you run the tool.
If you are on a network or have a full-time connection to the Internet, disconnect the computer from the network and/or the Internet.
If you are running Windows Me or Windows XP, then disable System Restore. Read the section System Restore option in Windows Me/XP later in this document for details.

NOTE: If you are running Windows Me/XP, do not skip this step.

Double-click the FixAutoupder.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.

NOTE: If you see error messages when running the tool, or if the tool does not appear to run correctly, restart the computer in Safe mode, and run the tool again. All Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. Read the document that applies to your version of Windows.
How to start Windows XP in Safe Mode.
How to start Windows 2000 in Safe mode.
How to restart Windows 9x or Windows Me in Safe Mode.

After the tool has run, restart the computer.
Run the removal tool again to ensure that the system is clean.

NOTE: The removal procedure might be unsuccessful if Windows Me/XP System Restore is not disabled as previously directed. This is because Windows prevents System Restore from being modified by outside programs.

When the tool has finished running, you will see a message that indicates whether the computer was infected by Backdoor.Autoupder. In the case of a removal of the worm, the program displays the following results:
The total number of files that were scanned
The number of files that were deleted
The number of viral processes that were terminated
The number of registry entries that were modified

Run LiveUpdate to make sure that you are using the most current virus definitions.
Start your Symantec antivirus program, and make sure that it is configured to scan all files.
Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
Run a full system scan.
Delete all files that are detected as Backdoor.Autoupder.
If you are running Windows Me or XP, re-enable System Restore.

To delete temporary files and empty the Recycle Bin:
Double-click the My Computer icon on the Windows desktop, or if you are running Windows XP, from the Start menu.
Click once anywhere in the Address bar to select all the text.



Type %temp% and then press Enter:



The \Temp folder for the currently logged-on user appears.
Click Edit, and then click Select All. Press Delete, and click Yes if you are asked to confirm the deletion.
Close the My Computer window.
On the Windows desktop, right-click the Recycle Bin, and then click Empty Recycle Bin.

To delete temporary internet files:
How you do this depends on your Web browser. For example, in Internet Explorer, click the Tools menu and then click Internet Options. Then, in the Temporary Internet files section, click Delete Files.

The digital signature
FixAutoupder.exe is digitally signed. Symantec recommends that you only use copies of FixAutoupder.exe that have been downloaded directly from the Symantec Security Response download site. To check the authenticity of the digital signature, follow these steps:
Go to http://www.wmsoftware.com/free.htm
Download and save the Chktrust.exe file to the same folder in which you saved FixAutoupder.exe (for example, C:\Downloads).
Depending on your version of Windows, do one of the following:
Click Start, point to Programs, and click MS-DOS Prompt.
Click Start, point to Programs, click Accessories, and then click Command Prompt.
Change to the folder where FixAutoupder.exe and Chktrust.exe are stored, and then type

chktrust -i fixautoupder.exe

For example, if you saved the file to the C:\Downloads folder, type the following commands (press Enter after you type each command):

cdcd downloads
chktrust -i fixautoupder.exe

If the digital signature is valid, you will see the following prompt:

Do you want to install and run "Backdoor.Autoupder Fix Tool" signed on 5/14/2002 1:25 PM and distributed by Symantec Corporation?

NOTES:
The date and time that appear in this dialog box will be adjusted to your time zone if your computer is not set to the Pacific time zone.
If you are using Daylight Saving Time, the time that appears is exactly one hour earlier.
If this dialog box does not appear, there are two possible reasons:
The tool is not from Symantec. Unless you are sure that the tool is legitimate, and that you downloaded it from the legitimate Symantec Web site, you should not run it.
The tool is from Symantec, and is legitimate. However, your operating system was previously instructed to always trust content from Symantec. For information on this, and how to view the confirmation dialog again, read the document How to restore the Publisher Authenticity confirmation dialog box.
Click Yes to close the dialog box.
Type exit and then press Enter to close the MS-DOS session.

System Restore option in Windows Me/XP
Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that online scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
How to disable or enable Windows Me System Restore
How to disable or enable Windows XP System Restore
For additional information, and an alternative to disabling System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455.

How to run the tool from a floppy disk
Insert the floppy disk that contains the FixAutoupder.exe file into the floppy disk drive.
Click Start, and then click Run.
Type the following, and then click OK:

a:\fixautoupder.exe

NOTES:
There are no spaces in the command.
If you are running Windows Me and the System Restore remains enabled, you will see a warning message. You can choose to run the removal tool with the System Restore option enabled, or exit the removal tool.

Click Start to begin the process, and then allow the tool to run.
Run LiveUpdate to make sure that you are using the most current virus definitions.
Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
Run a full system scan.
Delete all files that are detected as Backdoor.Autoupder.
If you are running Windows Me or XP, re-enable System Restore.

Summary

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver