TechSpot

b4ckdoor worm--hijackthis log

By quincy451
Mar 14, 2007
  1. This box has this button in the system tray which indicates "b4ckdoor worm". So I assume the box is compromised in some way. Here is the HijackThis log if it gives any details. I have run a virus scan, Spybot Search & Destroy, Ad-Aware, etc. and nothing seems to catch it.

    Any advice, thanks
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system is riddled with nasties and the version of HijackThis you're using is probably a fake; get rid of it immediately.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. quincy451

    quincy451 TS Rookie Topic Starter

    OK, the HijackThis was from microtrends, the new owner of that software. But I uninstalled that and installed the version in the pages you pointed to. I have attached a log from HijackThis after switching the version of that software, a retro.csv file which did not find much of anything, and a HijackThis log after I ran the utilities as instructed.

    The b4ckdoor worm is still present.

    What next, Thanks,
    David
    OK, this is not taking the .csv file avgretro generated. This is what it contains:
    C:\WINNT\system32\wbem\winmgmt.exe,Hidden application
    Nothing more.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Thanks for the info on Trends HJT. It is indeed legit.

    Unfortunately, your system is still riddled with nasties.

    I asked you to post AVG Antispyware and Combofix logs. Please do so in your next reply, along with a fresh HJT log after running AVG Antispyware and Combofix. Also, please let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. quincy451

    quincy451 TS Rookie Topic Starter

    OK, AVG Anti-Rootkit just found the winmgmt.exe which I posted about in my last message. That one line was it for the .csv logfile.

    Combofix??? Where do I get that? I could not find that in any instructions. I googled for it and there are various pages telling you not to run it. I only want to run the genuine thing, if anything at all.

    Thanks,
    David
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All the instructions links etc are in this thread HERE.

    It is important that you follow the instructions exactly and in the order(steps) they are given.

    The problem that Combofix had has been fixed, See this thread HERE for details.

    Regards Howard :)

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. quincy451

    quincy451 TS Rookie Topic Starter

    OK, found Combofix on a 3rd read of the instructions. I am off to run stuff.

    Thanks,
    David
     
  8. quincy451

    quincy451 TS Rookie Topic Starter

    OK, I ran combofix.exe. In safe mode I ran Combofix, antivirus, SS&D, Ad-Aware, AVG Antispyware. They found nothing.

    Then I ran AVG Antirootkit in normal Windows and it found nothing.
    Then I reran HijackThis and the log is attached, as is the rapport.txt log and the log from one of the other utilities that was logging to C:\.

    What next.
    Thanks,
    David
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Microsoft sdk core (sdk) <Disable the service name and/or the name in brackets.

    Clic-U TCP Helper (Clic-U) <Disable the service name and/or the name in brackets.

    Windows System 32

    Network helper Service (MSDisk) <Disable the service name and/or the name in brackets.

    kq82

    h

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    sys32.exe
    irdvxc.exe
    kq82.exe
    h.exe
    cliconfig32.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    O4 - HKLM\..\Run: [h] C:\WINNT\system32\h.exe

    O4 - HKLM\..\RunServices: [h] C:\WINNT\system32\h.exe

    O4 - Startup: Call Detail Report.lnk = C:\Program Files\microspan\data\AccessDb_Extended.mdb

    O17 - HKLM\System\CCS\Services\Tcpip\..\{37FE1933-9CE0-4580-89C0-55274084E947}: NameServer = 209.152.99.146,209.152.99.147

    O17 - HKLM\System\CS1\Services\Tcpip\..\{37FE1933-9CE0-4580-89C0-55274084E947}: NameServer = 209.152.99.146,209.152.99.147

    O17 - HKLM\System\CS2\Services\Tcpip\..\{37FE1933-9CE0-4580-89C0-55274084E947}: NameServer = 209.152.99.146,209.152.99.147

    Only fix the above O17 entries if they don't belong to your ISP.

    O23 - Service: Clic-U TCP Helper (Clic-U) - Cli Ooff - C:\WINNT\security\logs\cliconfig32.exe

    O23 - Service: kq82 - Unknown owner - C:\WINNT\kq82.exe (file missing)

    O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\system32\irdvxc.exe" /service (file missing)

    O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)

    O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINNT\sys32.exe
    C:\WINNT\lsass.exe
    C:\WINNT\system32\irdvxc.exe
    C:\WINNT\kq82.exe
    C:\WINNT\security\logs\cliconfig32.exe
    C:\WINNT\system32\h.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
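The triage Howard does by eye in the post above (orphaned O23 services whose binary is "(file missing)", binaries launched from the Windows root or odd subdirectories such as security\logs, a core system name like lsass.exe living outside system32, one-letter autorun executables, and O17 nameservers that need checking against the ISP) can be written down as rules. The following Python is an added example for this page, not code from the thread, from TechSpot or from HijackThis. It parses the HJT lines quoted above (embedded as a constructed sample, plus one made-up legitimate service as a control) and reports which ones deserve a look; the heuristics and the approved-nameserver list are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the entries quoted in the post above, plus one
# made-up legitimate service (wuauserv) as a control that must not be flagged.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [h] C:\WINNT\system32\h.exe
O4 - HKLM\..\RunServices: [h] C:\WINNT\system32\h.exe
O4 - Startup: Call Detail Report.lnk = C:\Program Files\microspan\data\AccessDb_Extended.mdb
O17 - HKLM\System\CCS\Services\Tcpip\..\{37FE1933-9CE0-4580-89C0-55274084E947}: NameServer = 209.152.99.146,209.152.99.147
O23 - Service: Clic-U TCP Helper (Clic-U) - Cli Ooff - C:\WINNT\security\logs\cliconfig32.exe
O23 - Service: kq82 - Unknown owner - C:\WINNT\kq82.exe (file missing)
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINNT\system32\irdvxc.exe" /service (file missing)
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: Windows System 32 - Unknown owner - C:\WINNT\sys32.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\WINNT\system32\svchost.exe -k netsvcs
"""


@dataclass(frozen=True)
class Finding:
    entry: str   # the HijackThis line the finding refers to
    reason: str  # why a practitioner should look at it


# Core NT binaries that only belong in system32; a copy elsewhere is masquerading.
_SYSTEM_NAMES = {"lsass.exe", "services.exe", "svchost.exe", "winlogon.exe", "csrss.exe", "smss.exe"}

_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
_O4_REG = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>.+?)\] (?P<cmd>.+)$")
_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)")
_EXE = re.compile(r'(?P<exe>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
_WINDIR = re.compile(r"^[a-z]:\\(winnt|windows)(?=\\|$)")


def _check_binary(entry, cmd, kind):
    """Heuristics on the executable path inside a service or autorun command line."""
    findings = []
    m = _EXE.search(cmd)
    if not m:
        return findings                       # e.g. a Startup .lnk to an .mdb: nothing to judge here
    directory, _, base = m.group("exe").lower().rpartition("\\")
    win = _WINDIR.match(directory)
    if win:
        rest = directory[win.end():]          # '' for the Windows root, '\system32', '\security\logs', ...
        if rest == "":
            findings.append(Finding(entry, f"{kind} runs {base} from the Windows root directory rather than system32"))
        elif not rest.startswith("\\system32"):
            findings.append(Finding(entry, f"{kind} runs from unusual Windows subdirectory {rest}"))
        if base in _SYSTEM_NAMES and not rest.startswith("\\system32"):
            findings.append(Finding(entry, f"{base} is a core system binary name but is not in system32 (masquerading)"))
    if len(base) - len(".exe") <= 2:
        findings.append(Finding(entry, f"{kind} executable name {base!r} is suspiciously short"))
    return findings


def _check_service(entry):
    m = _O23.match(entry)
    if not m:
        return []
    findings = []
    cmd = m.group("cmd")
    if cmd.endswith("(file missing)"):
        findings.append(Finding(entry, "service is registered but its binary is gone (orphaned entry; disable and remove)"))
    findings.extend(_check_binary(entry, cmd, "service"))
    return findings


def _check_autorun(entry):
    m = _O4_REG.match(entry)
    return _check_binary(entry, m.group("cmd"), "autorun") if m else []


def _check_nameserver(entry, approved):
    m = _O17.match(entry)
    if not m:
        return []
    rogue = [s for s in m.group("servers").split(",") if s and s not in approved]
    if rogue:
        return [Finding(entry, f"DNS servers {rogue} are not on the approved list; confirm with the ISP before fixing")]
    return []


def triage_hjt(log_text, approved_nameservers=frozenset()):
    """Return Findings for every O4/O17/O23 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O23 - "):
            findings.extend(_check_service(line))
        elif line.startswith("O4 - "):
            findings.extend(_check_autorun(line))
        elif line.startswith("O17 - "):
            findings.extend(_check_nameserver(line, approved_nameservers))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.reason}\n    {f.entry}")
```

On the sample the Call Detail Report shortcut and the control service produce nothing, the two `[h]` autoruns and every rogue O23 line are flagged, and the O17 line is flagged only until its two addresses are passed in as the ISP's approved resolvers, which mirrors Howard's "only fix the O17 entries if they don't belong to your ISP".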
     
  10. quincy451

    quincy451 TS Rookie Topic Starter

    OK, I did as instructed. I did not remove:
    O4 - Startup: Call Detail Report.lnk

    That brings up Microsoft Access and a call count database. It is legit for this machine as it is a telephony Dialogic server box.

    I also removed yahoo toolbar and yahoo install manager. The toolbar is unneeded by this machine. No one should use this machine for web surfing but the box does need things like basic windows updates. The yahoo install manager just seemed like fluff.

    b4ckdoor worm is still with us. Machine is otherwise running fine, but it has been all along.

    I did look at the log file for cliconfig32.exe. That 'Clic-U TCP Helper' is actually a covert FTP server.

    I found all the services you mentioned but h. I did not find any h.exe either. Something else might have gotten that.

    What next, thanks,
    David hijack log attached.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log looks clean now.

    I can find no useful info on the b4ckdoor worm.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here. I would also like to see a Combofix log, regardless of whether you think it's clean or not.

    Regards Howard :)

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. quincy451

    quincy451 TS Rookie Topic Starter

    OK, here is the Combofix log. Sorry I missed it the last time I was sending logs. And the Autoruns log. I looked in the Autoruns log for anything I could say was b4ckdoor worm and found nothing. I can find zero information on it myself either.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I'm a little concerned at this entry from your Combofix log.

    scanning hidden processes ...

    CMD.EXE [448]

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    scan completed successfully
    hidden processes: 1
    hidden services: 0
    hidden files: 0

    I'm thinking you may have a rootkit infection of some kind.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Download Rootkit Revealer and run the programme.

    Let me know the results.

    Regards Howard :)

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. quincy451

    quincy451 TS Rookie Topic Starter

    OK, the Blacklight program did not find anything.
    RootkitRevealer found several items. Only one seems to be of concern because it has size != 0. It is listed in the Windows API but not in the MFT or directory index.

    I would be tempted to try and delete that with a C++ DeleteFile() function.
    I have attached the log from RootkitRevealer.

    Thanks,
    David
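Both tools in the last two posts work the same way: ComboFix compares the process list the Windows API returns with one taken from lower down the stack and reports the difference ("hidden processes: 1", `CMD.EXE [448]`); RootkitRevealer does the same for files, comparing the Windows API view with the raw MFT and directory index, and David then discards the zero-length discrepancies. The Python below is an added example for this page, not code from ComboFix, RootkitRevealer or the thread: it parses the ComboFix excerpt quoted above (embedded as a constructed sample), checks that the tool's own summary counts agree with the entries it listed, and implements the generic cross-view diff plus David's size filter over two constructed file listings. The file paths and sizes in `API_VIEW` and `MFT_VIEW` are made up for illustration.

```python
import re

# Constructed sample: the ComboFix excerpt quoted in the post above.
SAMPLE_COMBOFIX = """\
scanning hidden processes ...

CMD.EXE [448]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0
"""

# Constructed file listings in RootkitRevealer's two views: what the Windows API
# reports versus what a raw read of the MFT/directory index shows (path -> size).
API_VIEW = {
    r"C:\WINNT\system32\config\software.LOG": 0,      # seen in both views: no discrepancy
    r"C:\WINNT\Temp\tmp0001.tmp": 0,                   # API only, zero length: transient noise
    r"C:\WINNT\system32\drivers\xyz.sys": 18432,       # API only, non-zero: the case David kept
}
MFT_VIEW = {
    r"C:\WINNT\system32\config\software.LOG": 0,
    r"C:\WINNT\hidden.dll": 6144,                      # on disk but hidden from the API: classic rootkit
}

_SECTION = re.compile(r"^scanning hidden (.+?) \.\.\.$")
_SUMMARY = re.compile(r"^hidden (.+?): (\d+)$")
_PROCESS = re.compile(r"^(.+?) \[(\d+)\]$")


def parse_combofix_hidden(text):
    """Split the 'scanning hidden ...' block into {category: [entries]} and the summary counts."""
    sections, summary, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if line.startswith("scan completed"):
            current = None
            continue
        m = _SUMMARY.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        if current is not None:
            sections[current].append(line)
    return sections, summary


def summary_mismatches(sections, summary):
    """Categories where the tool's own count disagrees with the entries it listed (sanity check on the log)."""
    return [cat for cat, n in summary.items() if n != len(sections.get(cat, []))]


def hidden_processes(sections):
    """(image, pid) pairs from the 'processes' section, e.g. ('CMD.EXE', 448)."""
    out = []
    for entry in sections.get("processes", []):
        m = _PROCESS.match(entry)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def cross_view(api_view, raw_view):
    """Generic cross-view diff over two name -> attribute mappings.
    Returns (hidden_from_api, api_only): a rootkit hooking the API shows up in the
    first list; entries only the API reports land in the second."""
    hidden_from_api = sorted(set(raw_view) - set(api_view))
    api_only = sorted(set(api_view) - set(raw_view))
    return hidden_from_api, api_only


def worth_a_look(api_view, api_only):
    """David's triage rule from the thread: ignore zero-length discrepancies."""
    return [p for p in api_only if api_view[p] != 0]


if __name__ == "__main__":
    sections, summary = parse_combofix_hidden(SAMPLE_COMBOFIX)
    print("hidden processes:", hidden_processes(sections), "mismatches:", summary_mismatches(sections, summary))
    hidden, api_only = cross_view(API_VIEW, MFT_VIEW)
    print("hidden from API:", hidden)
    print("API-only worth a look:", worth_a_look(API_VIEW, api_only))
```

A hidden process with only a cmd.exe image is exactly the kind of discrepancy that warrants the follow-up Howard asks for: the hiding itself, not the image name, is the signal.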
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Mmm, doesn't look good. There's obviously something not right. If you decide to start deleting Reg keys, you should back up your registry first.

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply. Also, attach a fresh Rootkit revealer log.

    Regards Howard :)

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. quincy451

    quincy451 TS Rookie Topic Starter

    OK, I think we were successful in getting rid of that file in spite of some of the Avenger log results. New logs attached.
    b4ckdoor worm still with us.
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Give this Gromozon rootkit tool a try.

    I'm running out of ideas fast here. You may need to think about a reformat, in order to get rid of this infection.

    Regards Howard :)

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  18. quincy451

    quincy451 TS Rookie Topic Starter

    OK, I tried that. I did a scan and it did not find that rootkit. It offered to proceed with removal anyway, but that did not make any sense to me so I did not do it.

    Now this is where it gets interesting. An ad of sorts for PREVX1 pops up.
    I run that. A problem with explorer.exe is found in several locations. It is jailed, as this software calls it, and b4ckdoor worm is GONE.

    I am doing a rescan on this machine now. I now want to put PREVX1 on every machine I have.

    Thanks,
    David
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's great news.

    Looks like problem solved.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of quincy451 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
