TechSpot

Backdoor virus?

By Luckymasu
Dec 31, 2009
  1. Uh, okay, so I had an alert from Avira AntiVir with a BackDoor Virus on it.

    I read up on it and found out that it can update itself, and so on. Should I deal with them like normal viruses (put them in quarantine)?

    Thanks in advance.
    -Josh

    EDIT: Am currently doing the 8 steps. Will post logs when ready.
    EDIT2: I use Facebook so don't know if I got the backdoor trojan from that.

    EDIT3: Logs uploaded.
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Yes, the picture uploading/downloading application service was infected in Facebook for a while... You may be lucky, and your system may be clean. Just for safety purposes, delete your temporary files using this free utility:
    Temp File Remover

    Then run the 3 Scans
     
  3. Luckymasu

    Luckymasu TS Rookie Topic Starter

    Logs have been uploaded, thanks if anyone can offer further advice.
     
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    First, you have to take action by deleting anything noted in the malwarebytes scan... Did you clean your temp files?
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Luckymasu. I checked the Mbam log which found a great deal of malware. However, you didn't check the line instructing the program to remove what it finds. So all the entries show No action taken.

    Please update Malwarebytes and rescan, taking care to check this:
    Make sure that everything is checked, and click Remove Selected.

    There is a similar line in Superantispyware, so if you didn't check it either, please update, check and rescan:
    Make sure everything found has a checkmark next to it, then press 'Next'.

    Your antivirus program is giving Warnings about the following files which are locked:
    Dreamlords-dreamlords.com_1.4.4.exe
    d3dcompiler_33.dll


    Neither of these should be in a locked status. A complete scan of them cannot be done. So they may, or may not, be infected.

    It looks like you're a heavy game downloader and are running many processes related to this. They can also cause vulnerabilities. Your system is heavily infected. Once you rerun Malwarebytes and Superantispyware, we can see what remains. Please rescan with HJT after running the 2 programs above.

    Leave all 3 new logs and I'll determine what the next step is.

    Edit: P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Add this to 'things to do':
    Flash player is known for leaving behind old insecure files. It is better to clean out the entire entry, uninstall, then reinstall:
    • Download the Flash Player Uninstaller and save it to your desktop.
      Choose the Flash Player Uninstaller for your browser: http://www.adobe.com/shockwave/download/alternates/ Don't run yet.
    • Please reopen HijackThis to 'do system scan only'. Check the following processes if found:

      O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-GB;_rv:1.9.1.6)_Gecko/20091201_Firefox/3.5.6_(.NET_CLR_3.5.30729)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=349&nc_referer=&age=1&hiscore=&sp=0&questionSet=&r=8035173&width=600&height=440&quality=high"

    • Close all Windows except HijackThis and click "Fix Checked."

    • Boot into Safe Mode
      [o] Restart your computer and start pressing the F8 key on your keyboard.
      [o] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Double-click the Flash Player Uninstaller setup on the desktop and run the uninstaller program.
    • Reboot your computer to complete the uninstall.

    • Download latest version of Flash Player HERE and save to the desktop.
    • Double click the setup and run to install. Reboot when through.
    • Once the new version is installed, follow the directions to disable the auto-updater.
      [1] Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
      Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
      [2] Windows: Right click the Shockwave movie.
      [3] From the drop down menu choose "Properties".
      [4] Uncheck the box next to "Automatic Update Service" to disable the auto update feature.
     
  7. Luckymasu

    Luckymasu TS Rookie Topic Starter

    What's the offending BitTorrent program/process?

    As far as I know, I've already uninstalled uTorrent quite a while back. O.o" Unless you meant Free Download Manager (which has the capability to be a medium for downloading BitTorrent files but can download normal files as well), I'm not really sure.

    EDIT: Logs added. Aaarrgghh! Windows Advanced Options won't load up when I press F8 after pressing Restart. :mad: Help?
    EDIT2: By the way, I do remember deleting the malware during the first scan of MBAM and SUPERAntiSpyware (maybe not). I'm not sure if the logs are supposed to say whether I did this, but... o.o
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If we are to continue, it's important that you follow my instructions.

    As for BitTorrent: It is still installed. It is loading on startup:
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

    It is not showing as a 'download manager' of which you have several. To uninstall please go to Add/remove Programs in the Control Panel and uninstall. Once done, use Windows Explorer to access the Programs and delete the BitTorrent folder.

    As long as that is running in the background, it is useless to try and clean the malware.

    The Shockwave Updater is still running. It looks like you did remove the entry but you didn't disable the updater. It's important that you do that until we can get rid of the continuing MyWebSearch infection. Entry will be removed in HJT. Follow the uninstall directions as given.

    When the removal option is not checked in Malwarebytes, all the entries show as No Action Taken, as your original log did. Since Superantispyware has a similar option, I always ask the user to make sure that option gets checked also.

    The AVG Security Toolbar is still on the system. Please download and run the removal tool HERE. Note: You may have to reinstall AVG to uninstall it fully.

    MyWebSearch is still on the system. You may notice the following:

    Please do the following:

    Reopen HJT to 'do system scan only'. Check the following entries if present:

    C:\Program Files\Window Hide Tool\Window Hide Tool.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.mywebsearch.com/myweb...ptnrS=ZRxdm690YYGB&ptb=UXzg2_lPuVscMo6onw9KfA
    O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)>> AVG Security Toolbar
    O4 - HKCU\..\Run: [Window Hide Tool] C:\Program Files\Window Hide Tool\Window Hide Tool.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-GB;_rv:1.9.1.6)_Gecko/20091201_Firefox/3.5.6_(.NET_CLR_3.5.30729)" -"http://www.neopets.com/games/dgs/play_shockwave.phtml?va=&game_id=349&nc_referer=&age=1&hiscore=&sp=0&questionSet=&r=8035173&width=600&height=440&quality=high


    Close all Windows except Hijackthis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Uninstall the My Web Search option from Add/Remove Programs

      1) Click on Start, Settings, Control Panel
      2) Double click on Add/Remove Programs
      3) Find "My Web Search" in the list of installed programs and click on Change/Remove to uninstall it.
      4) You may also want to uninstall any of the following items associated with FunWebProducts.

      [*] My Web Search (Smiley Central or FWP product as applicable)
      [*] My Way Speedbar (Smiley Central or other FWP as applicable)
      [*] My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
      [*] My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
      [*] Search Assistant - My Way

      Include the following in the uninstalls:
      [*] ZoneAlarm Spy Blocker
      [*] Window Hide Tool


      5) Use Windows explorer to open My Computer> Drive C> and double-click on the Program Files folder:
      6) Right-click and delete the folders for:
      [*] FunWebProducts
      [*] MyWebSearch
      [*] ZoneAlarm SpyBlocker
      [*] Window Hide Tool

    Reboot into Normal Mode.
    Empty the Recycle Bin

    Rescan with HijackThis and paste new log in your next reply.

    Summary:
    Uninstall or disable BitTorrent.
    Remove Shockwave Updater entry and Uninstall the program- for now.
    Complete uninstall for AVG.
    Complete the uninstalls
    Complete the deleting of program folders.
    Rescan with HJT- paste new log.
     
  9. Luckymasu

    Luckymasu TS Rookie Topic Starter

    Okay, so I've looked at my Program Files and I couldn't find some of the programs you said to delete (although I did delete some of the other programs prior to rolling in Safe Mode). Should I re-install these programs and uninstall in Safe Mode, like you said with AVG? From what I see, I think this is probably the only way to get it to uninstall properly.

    Anyhow, on with the log.

    ----
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:05:27, on 02/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.eaxe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Google Update Service (gupdate1ca58b5b22b7dc0) (gupdate1ca58b5b22b7dc0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 2690 bytes
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- I forgot a step after you boot into Safe Mode: You will need to show the hidden files:

    Click on Tools (in Windows Explorer)> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide system and protected files'-Recommended> Apply> OK

    Now you should see them. And yes, you will need to remove AVG in Safe Mode.

    When you have finished deleting the files and folders go back and hide them.
    Empty the Recycle Bin

    The HijackThis log you left is not the complete log- almost the entire middle section is missing. If you have trouble pasting it in, please attach it. There are numerous entry categories missing.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:18:16, on 02/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    End of file - 15749 bytes>>> Original log>> 15.38KB


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:05:27, on 02/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    End of file - 2690 bytes>>> Second log>>> 2.62KB
     
  11. Luckymasu

    Luckymasu TS Rookie Topic Starter

    Sorry it's been a little while, I've been too lazy. Damn.

    I've fixed all entries and have re-installed Shockwave and Flash.

    Take a look.

    EDIT: Also, should I keep Advanced System Care (IOBit) installed?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry, 'lazy' doesn't get you a pass here! This thread was started over a month ago. Your HijackThis log is not complete.

    Original log:
    Logfile of Trend Micro HijackThis v2.0.2>> End of file - 16754 bytes>>> 16.4KB
    Scan saved at 23:12:18, on 31/12/2009

    Second log:
    Logfile of Trend Micro HijackThis v2.0.2>> End of file - 15749 bytes>>> Original log>> 15.38KB
    Scan saved at 10:18:16, on 02/01/2010

    My comment in Post #10:
    Third log:
    Logfile of Trend Micro HijackThis v2.0.2>> End of file - 2690 bytes>>>Second log>>> 2.62KB
    Scan saved at 19:05:27, on 02/01/2010

    Current log:
    Logfile of Trend Micro HijackThis v2.0.2>> End of file - 2708 bytes>>> 2.6KB
    Scan saved at 20:51:37, on 07/02/2010

    Even if you cleaned up the system and stopped unnecessary startups, the log wouldn't shrink like this!
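    As an added illustration (not code from this thread, from HijackThis or from its author), a small Python parser for the HJT log format quoted above: it pulls out the categorised entries, flags the per-user autostart and "(file missing)" service lines of the kind the helper asked about in post #8, and reports which expected categories are absent, which is the sign of an incomplete log that post #12 describes. The sample log and the set of expected categories are constructed assumptions, not the poster's data.

```python
import re

# Constructed, abbreviated HijackThis-style log for this demo; modelled on the
# entries quoted in the thread but NOT the poster's actual log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:05:27, on 02/01/2010

Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

End of file - 2690 bytes
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Assumption: categories a complete HJT log from a working XP/IE8 box normally has.
EXPECTED = {"R0", "R1", "O2", "O4", "O9", "O16", "O23"}

def parse_log(text):
    """Return (header dict with scan time and byte count, list of (category, body))."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif line.startswith("End of file - "):
            header["bytes"] = int(line.split()[4])
        elif line.startswith("Scan saved at "):
            header["scan"] = line[len("Scan saved at "):]
    return header, entries

def missing_categories(entries):
    """Expected categories absent from the log: the sign of an incomplete paste."""
    return sorted(EXPECTED - {cat for cat, _ in entries})

def flag_entries(entries):
    """Entries to review first: per-user autostarts and services whose binary is gone."""
    flagged = []
    for cat, body in entries:
        if cat == "O4" and body.startswith("HKCU"):
            flagged.append((cat, "user autostart", body))
        elif cat == "O23" and body.endswith("(file missing)"):
            flagged.append((cat, "orphaned service", body))
    return flagged
```

Run it over a full pasted log: a long list from missing_categories on a machine that clearly has a browser and services installed means the paste, not the system, is what is short.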
     
  13. Luckymasu

    Luckymasu TS Rookie Topic Starter

    Unless I've missed something important and the 'Fix Checked' is also logged into the file, I'm not sure if I've missed a step. I'll just do my normal business on the computer and check after a few hours.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Something is depressing the HijackThis log entries. Even if you removed some of the programs, entire categories that you would need to run the system aren't listed. You're giving me another HJT log for a problem that you began posting about 6 weeks ago.

    Something is wrong. Since I did not give you all of the 'help', I don't know what else you might have done. However, if you do not want further help, the thread can be ended.
     