TechSpot

I'm infected

By mootz
Jul 31, 2008
  1. I'm pretty sure my computer is backdoored and I'm here to ask for help from some computer genius :p
    The b-door was brought to my attention by a Spyware Doctor scan, but even when removed it comes back after rebooting :(
    My NOD32 alerts me when I open the Control Panel btw.

    Here's my HijackThis log...
    Could someone please specify what is safe to 'fix' out of all of these, and some further instructions as I do not have a clue :|
     


  2. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Well, first, you posted this in the wrong section; you should have posted this in the security section.

    Hi, my name is xxdanielxx. I will be helping you clean your computer. I am looking at your log right now and will post back with what to do.
     
  3. mootz

    mootz TS Rookie Topic Starter Posts: 31

    Very sorry, feel free to move this thread ;)
    and thanks for your help :)
     
  4. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Well, the first thing is you have two firewall software, NOD32 and ZoneAlarm; if I am wrong please say. You need to remove one of them; if you paid for NOD32 then remove ZoneAlarm.

    Or do you have NOD32 as your antivirus and ZoneAlarm as your firewall?
     
  5. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Do you know any of the IPs below?

    194.74.65.68
    194.72.0.114
     
  6. mootz

    mootz TS Rookie Topic Starter Posts: 31

    NOD is my AV and ZA is my FW.

    Those IPs don't ring any bells.
     
  7. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    OK, let's get to work.

    We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

    Code:
    @echo off
    rem Service names containing spaces must be quoted for sc to find them
    sc stop "System Spooler Host"
    sc delete "System Spooler Host"
    rem TskHlp is the service (key) name shown in brackets on the O23 line
    sc stop TskHlp
    sc delete TskHlp
    rem Remove this script and close the command window
    del service.cmd
    exit
    
    Save it to your desktop as File name: service.cmd
    Save as type: All Files

    Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

    -------------------------------------------

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Dit] Dit.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B84E9584-09E9-4C89-AB21-557D7F13872C}: NameServer = 194.74.65.68,194.72.0.114
    O23 - Service: System Spooler Host - Unknown owner - C:\WINDOWS\cursors\mstask\services.exe (file missing)
    O23 - Service: Task Manager Help (TskHlp) - Unknown owner - C:\windows\cursors\mstask\taskmgr.exe (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

    ---------------------------------------------

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Windows\System32\Dit.exe
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    ------------------------------------------------

    Please run an on-line virus scan at Kaspersky OnLine Scan (http://www.kaspersky.com/virusscanner) or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)
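    An added example, not code from the thread or from either poster, that applies the same checks xxdanielxx made by eye to HijackThis-style log lines: orphaned O23 services, a Run entry that launches a bare file name, an O17 NameServer override, and a BHO with no file. The log lines are constructed from the entries quoted above plus two benign ones; TRUSTED_DIRS and the known_dns allowlist are assumptions.

```python
import re

# Constructed sample of HijackThis log lines: the entries quoted in the thread
# plus two ordinary ones (spooler service, NOD32 Run entry) that should pass.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Dit] Dit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B84E9584-09E9-4C89-AB21-557D7F13872C}: NameServer = 194.74.65.68,194.72.0.114
O23 - Service: System Spooler Host - Unknown owner - C:\WINDOWS\cursors\mstask\services.exe (file missing)
O23 - Service: Task Manager Help (TskHlp) - Unknown owner - C:\windows\cursors\mstask\taskmgr.exe (file missing)
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
"""

# Assumed: directories where a legitimate service binary normally lives.
TRUSTED_DIRS = ("\\windows\\system32\\", "\\program files\\")


def triage_hjt(log_text, known_dns=()):
    """Return (section, reason, line) for entries worth a closer look; known_dns is an assumed allowlist."""
    findings = []
    for line in (l.strip() for l in log_text.strip().splitlines()):
        section = line.split(" - ", 1)[0]
        if section == "O23":
            path = line.rsplit(" - ", 1)[1]
            if path.endswith("(file missing)"):
                findings.append((section, "service registered for a binary that no longer exists", line))
            elif not any(d in path.lower() for d in TRUSTED_DIRS):
                findings.append((section, "service binary outside the usual system directories", line))
        elif section == "O17":
            servers = re.split(r"\s*,\s*", line.split("NameServer = ", 1)[1])
            unknown = [s for s in servers if s not in known_dns]
            if unknown:
                findings.append((section, "DNS resolvers not on the known list: " + ", ".join(unknown), line))
        elif section == "O4":
            # A bare file name (no drive or directory) is located by path search
            # at logon, so its real location must be confirmed before trusting it.
            target = line.split("] ", 1)[1]
            if "\\" not in target and ":" not in target:
                findings.append((section, "Run entry launches a bare file name: " + target, line))
        elif section == "O2" and line.endswith("(no file)"):
            findings.append((section, "BHO CLSID registered but its DLL is gone", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```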
     
  8. mootz

    mootz TS Rookie Topic Starter Posts: 31

    Thank you, I'm glad this didn't go unnoticed :)
    I'll bookmark this page and I'll return tomorrow to finish off, I'm tired atm and I'm sure I'll probably miss something. >_<
     
  9. mootz

    mootz TS Rookie Topic Starter Posts: 31

    OK... I have run the bat file, deleted those mentioned above from my HijackThis and I've used OT on dit.exe.

    here's what's inside the OT log:

    File/Folder C:\Windows\System32\Dit.exe not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08012008_085917


    and I still get NOD32 popping up when I use Control Panel :(
    (variant of Bifrose) I guess someone is using Bifrost RAT on me :(
     
  10. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Can you post a fresh HijackThis log?
     
  11. mootz

    mootz TS Rookie Topic Starter Posts: 31

    Here's a new one, seems some of the old things have returned :|
    TrendMicro online scanner is scanning the PC right now, I'll leave that on overnight.
     
  12. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Full Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    =======================================

    ComboFix

    • Download ComboFix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
     
  13. mootz

    mootz TS Rookie Topic Starter Posts: 31

    malwarebytes report:

    Code:
    Malwarebytes' Anti-Malware 1.24
    Database version: 1018
    Windows 5.1.2600 Service Pack 2
    
    16:03:57 03/08/2008
    mbam-log-8-3-2008 (16-03-57).txt
    
    Scan type: Full Scan (C:\|)
    Objects scanned: 214321
    Time elapsed: 2 hour(s), 57 minute(s), 7 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    (No malicious items detected)
    
    Registry Values Infected:
    (No malicious items detected)
    
    Registry Data Items Infected:
    (No malicious items detected)
    
    Folders Infected:
    (No malicious items detected)
    
    Files Infected:
    (No malicious items detected)
    
    Doing ComboFix right now, then I'll post that and a fresh HijackThis.
     
  14. mootz

    mootz TS Rookie Topic Starter Posts: 31

    :mad: backdoor still comes when I open Control Panel
     
  15. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    For now run the tool below. I will check your logs and post back later today.


    Download & Install SDFix
    • Download SDFix & save it to your Desktop.
    • Double click SDFix.exe & it will extract the file to %systemdrive%
      (Drive that contains the Windows Directory, Typically C:\SDFix)

    Boot into Safe Mode
    • Restart your computer & start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, & then press Enter.

    Run SDFix
    • Open the extracted SDFix folder & double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on the screen & also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
     
  16. mootz

    mootz TS Rookie Topic Starter Posts: 31

    Code:
    SDFix: Version 1.212
    Run by Matty on 03/08/2008 at 17:29
    
    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix
    
    Checking Services:
    
    
    Restoring Default Security Values
    Restoring Default Hosts File
    
    This is all I get :dead:
     
  17. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Hmm, you ran it in safe mode, right? Then after the reboot you let it go to normal mode?
     
  18. mootz

    mootz TS Rookie Topic Starter Posts: 31

    Yeah, I ran it in safe mode but after the reboot it didn't run again.
    Should I reboot after in safe mode again, or should it have done it itself anyway?
     
  19. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    OK, run it in safe mode, then when it reboots let the computer start as normal; it should pop up and run. Also, can you post a fresh HijackThis log?
     
  20. mootz

    mootz TS Rookie Topic Starter Posts: 31

    I feel so stupid...
    I ran a scan with my NOD32 just 5 minutes ago, guess what it found:
    Time: 05/08/2008 Object name: C:\\WINDOWS\system32\gplunt.cpl Size: 87040 Reason: probably a variant of Win32/Bifrose trojan
    Strange that nothing else detected it, I wonder why my AV did not find it before it got to where it was.
     
  21. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\system32\gplunt.cpl
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  22. mootz

    mootz TS Rookie Topic Starter Posts: 31

    OT didn't find it and it doesn't show up when I open Control Panel any more :)
    I think I've killed it...
    Thanks for all your help.
     
  23. xxdanielxx

    xxdanielxx TS Rookie Posts: 1,069

    There's still one more thing to do.

    Now we need to create a new System Restore point.

    Click Start Menu > Run > type (or copy and paste)

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

    Next goto Start Menu > Run > type

    cleanmgr

    Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

    To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

    ===================

    Uninstall ComboFix

    • Click Start then Run
    • Now Type Combofix /u in the runbox
    • Make sure there's a space between Combofix & /u
    • Then hit Enter

    The above procedure will Delete the following:
    • ComboFix & its associated files & folders.
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide system/hidden files, if required.
    • Set a new, clean Restore Point.

    ------------------------------------------------------------------

    OTCleanit! by Oldtimer

    • Download OTCleanIt
    • Click the CleanUp! button.
      (It will go through the list & remove all of the tools it finds and then delete itself, requiring a reboot.)

    ============================

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    6. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    xxdanielxx
     
Topic Status:
Not open for further replies.
