TechSpot

Backdoor.Nuclear.by, need logs read

By NorGitram
Feb 23, 2008
  1. I went through the 15 steps and there were no rootkits found with Panda. I can't seem to get rid of this. Any help would be greatly appreciated. My AVG log file is over 100kb so I couldn't attach it.
     
  2. NorGitram

    NorGitram TS Enthusiast Topic Starter Posts: 112

    OK, I managed to get the AVG A-S log under 100kb by deleting some old Firefox backups that AVG was listing in the log.
     
  3. tomrca

    tomrca TS Rookie Posts: 1,000

    It seems that you have a backdoor trojan. You have already possibly been hacked.

    C:\WINDOWS\system32\cab\winmgnt.exe

    O4 - HKLM\..\Run: [Service] C:\WINDOWS\system32\cab\winmgnt.exe

    Stop this service:
    O23 - Service: spoolsv.exe - Unknown owner - c:\windows\system32\drivers\etc\Services.exe (in bold). These should only run from the System32 folder.
    Run AVG Anti-Rootkit here.
    There is no sign of a firewall in your log. You can get a free one from ZoneAlarm or Comodo.
    Post another HJT log after stopping the service and running AVG Anti-Rootkit.
     
  4. NorGitram

    NorGitram TS Enthusiast Topic Starter Posts: 112

    Thanks for your help. AVG Anti-Rootkit found this: C:\WINDOWS\System32\Drivers\a6lry0rl.SYS, hidden driver file. Should I remove it? I have a router and didn't think I still needed a software firewall?
     
  5. tomrca

    tomrca TS Rookie Posts: 1,000

    As there is no information on it I would say yes. First try changing its name to interrupt it; then, if all is working OK, delete it.
    Run HijackThis and place a tick next to:
    O4 - HKLM\..\Run: [Service] C:\WINDOWS\system32\cab\winmgnt.exe
    C:\WINDOWS\system32\cab\winmgnt.exe
    Go to their respective folders and delete the files marked in bold, only if there

    Then do a regedit if you feel confident:
    1. Click Start, and then click Run. (The Run dialog box appears.)
    2. Type regedit
    Then click OK. (The Registry Editor opens.)

    3. Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, delete any value which refers to the backdoor files, for instance:

    "NTDLM"="c:\winnt\system32\qossrv\csrss.exe"

    5. Navigate to the key:

    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\pAdmin\Settings

    6. In the right pane, delete the value:

    "port"="6351"

    7. Exit the Registry Editor.

    Go here and run the scanner.

    Free firewall HERE.
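Added example, not code from this thread or its participants: a PowerShell script that lists Run-key autostarts and installed services and flags image paths matching the pattern tomrca describes above (a system binary name such as Services.exe running from outside System32, or any executable under system32\cab or drivers\etc), so the entries can be reviewed before anything is stopped or deleted. The list of system binary names and the flagged subfolders are assumptions chosen for this illustration.

```powershell
# Added example (not from the thread): review autostarts and services for
# executables that mimic Windows system binaries from the wrong folder.
# Run from an elevated PowerShell prompt; it only reports, never deletes.

$SystemDirs  = @((Join-Path $env:WINDIR 'System32'), (Join-Path $env:WINDIR 'SysWOW64'))
# Assumed list: binaries that legitimately live only in the system directories.
$SystemNames = @('csrss.exe','services.exe','spoolsv.exe','svchost.exe',
                 'lsass.exe','winlogon.exe','smss.exe')

function Get-ImagePath([string]$CommandLine) {
    # Pull the executable out of a service or Run command line, quoted or bare.
    if ($CommandLine -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+?\.exe)\b') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Test-SuspiciousPath([string]$Path) {
    $lower = $Path.ToLower()
    $leaf  = [IO.Path]::GetFileName($lower)
    $inSystemDir = $false
    foreach ($d in $SystemDirs) { if ($lower.StartsWith($d.ToLower() + '\')) { $inSystemDir = $true } }
    # Flag a system binary name outside System32/SysWOW64, or any executable in
    # subfolders that should hold no executables at all (as in the posted log).
    return (($SystemNames -contains $leaf) -and -not $inSystemDir) -or
           ($lower -match '\\system32\\cab\\|\\drivers\\etc\\')
}

$findings = @()
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata
        $path = Get-ImagePath ([string]$p.Value)
        $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Path = $path
                                        Suspicious = Test-SuspiciousPath $path }
    }
}
foreach ($svc in Get-CimInstance Win32_Service) {
    $path = Get-ImagePath ([string]$svc.PathName)
    $findings += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Path = $path
                                    Suspicious = Test-SuspiciousPath $path }
}
# Suspicious entries are listed first; verify each one before acting on it.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```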
     
  6. NorGitram

    NorGitram TS Enthusiast Topic Starter Posts: 112

    I was able to complete everything but #6. There was no pAdmin under HKEY_CURRENT_USER\Software\VB and VBA Program Settings\.

    I ran ESET online scanner and it found 3 threats and deleted them.

    Attached is a new hijackthis.log
     
  7. tomrca

    tomrca TS Rookie Posts: 1,000

    With the exception of the following, your log is clean. These are not necessarily intrusive entries; nevertheless, if you do not know what they are you should consider removal. Example: one is for an HP printer, so if you no longer have that printer, remove it.

    C:\Program Files\Common Files\efax\HotTray.exe

    C:\Program Files\Common Files\efax\Dllcmd32.exe (hp printer)

    O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe -s /PATCH,/SRCUPDATEC:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRPSO~1\MOTORO~1\LIVEUP~1\LISTOF~1.DAT (Motorola phones)

    O4 - Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe

    Hope things go well, happy computing.
     