TechSpot

Norton & AVG detecting php/backdoor.c99shell, cannot quarantine

By jdriver
Sep 18, 2008
  1. Early yesterday Norton started giving me a lot of popup notifications about this "trojan php/backdoor.c99shell" on random files in my temporary internet history. As I managed to catch them I got some into quarantine, and others would disappear before I could manage to catch them. It didn't seem like Norton was getting it, so I installed AVG, which did basically the same thing. It pops up a lot of warnings, and heals as many files as it can, but misses some, and others continue to pop up. Neither Norton nor AVG seems to catch the problem, and I can't find much in the way of removal instructions online. Some programs appear to run very slowly, especially my browser. Video is hurting, and the speed of my box in general is down quite a bit.

    I'm on Windows Vista. Have run AVG and Norton against it with no luck. The affected files that keep popping up are in the IE5 folder in my temporary internet files directory.

    Does anyone know how I can clear this so I can connect my new desktop back to the internet without worrying?
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  3. jdriver

    jdriver TS Rookie Topic Starter

    Alright, I got going on the prelims, but I have a problem here: I can't check for updates with Malwarebytes or SuperAntiSpyware. Both of them tell me my firewall doesn't allow them, or that my connection isn't live. My connection is live, and I've allowed both of the programs in Windows Firewall; I even disabled Windows Firewall. Neither works. So I'm running the scans as is for now in hopes that it cleans things up a bit, but I'll run them again once I know what needs to be taken care of to get them accepting my connection again. I have no other firewall running. As a side note, MSN Messenger refuses to connect to the net right now too. ICQ quit working a few days ago...
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Try this:

    How to use Reset Internet Explorer Settings (RIES)

    To use RIES in Internet Explorer 7, follow these steps:

    1. Click the Tools menu, and then click Internet Options.
    2. On the Advanced tab, click Reset.
    3. In the Reset Internet Explorer Settings dialog box, click Reset.
    4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
    5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

    Note: users who cannot start Internet Explorer 7 for some reason can use RIES from Internet Options in Control Panel.
    ---------------------------------------------------------

    And this one:

    http://www.techspot.com/vb/post662504-2.html

    --------------------------------------------------------

    Then restart, and then see if you can update (which is of utmost importance).
     
  5. jdriver

    jdriver TS Rookie Topic Starter

    Thanks kimsland, I'll check those out now. One more thing to add: I have an out-of-date Java install, so I went to update it and received this error popup, which closes the installer. It mentions the c99shell and a couple of other things. I looked at the site and it's all in Russian, so I dunno what the deal is. Any ideas on this?

    hXXp://img111.imagevenue.com/img.php?image=22941_errors_122_819lo.jpg
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  7. jdriver

    jdriver TS Rookie Topic Starter

    Tell me about it. When I open IE the homepage loads as a big jumbled mess of code, starting with the same biz about some Russian site, and some broken forms and other commands. I run Firefox as my main browser, but something is definitely amiss with IE right now...
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  9. jdriver

    jdriver TS Rookie Topic Starter

    I've removed everything mentioned; still nothing is updating. When I open IE I get a very worrisome page: a huge MySQL dump followed by a broken page with a lot of forms that appears to be a PHP application for mass defacing websites on a server. The footer is signed the captain crunch security team ccteam.ru. Obviously some Russian hacker group. I snapped some screenshots but can't get them uploaded to any free spots anywhere as they're quite large. And there's no way I'm opening a connection to my dedicated server from my desktop right now.

    I am running an instance of Microsoft SQL Server 2005 on my desktop and wonder if this is having any additional effect on the situation what with the SQL dump and the server backdoor problem I am having here. I'm going to uninstall it and see where things go from there.

    How can I go about terminating processes by their ID number? Is that a possibility?
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  11. jdriver

    jdriver TS Rookie Topic Starter

    I am thinking of just doing a reformat. I'm desperately hoping this hasn't made the jump to my dedicated server from my local desktop. Have my host looking into it now...
     
  12. Kazi

    Kazi TS Enthusiast Posts: 121

Topic Status:
Not open for further replies.
