Trojan horse BackDoor under Vista

By LA_RuffRainer
Jun 11, 2007
Topic Status:
Not open for further replies.
  1. Hi, today my AVG showed a virus warning called:

    Trojan horse BackDoor.Generic2.SLC
    c:\windows\system32\ntswrl32.dll

    Oh, I noticed that I also got Small.52.al (ntcvx32.dll).

    AVG could remove the virus, but with every system reboot the virus is back.

    So I searched the internet for a solution and found this forum... I tried this help topic: http://www.techspot.com/vb/topic58138.html
    but some of the programs to use are not for Windows Vista. So could anybody help me remove this trojan under Vista? I already did some steps (up to step 10).


    Is there any easier method to remove this trojan?
    And another question... could this virus really damage my whole system? What problems can I get with this trojan?

    Thx, Rainer
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly. Please note: Some of the programmes/tools may not be compatible with Vista. Don't worry about this and skip to the next step and so on.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of LA_RuffRainer only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    Thanks for your fast answer, but my problem is that some of the programs used for deleting/finding the virus are not for Vista.

    So what should I do... and I'm also not really sure if I could really perform all these steps under Vista. And I'm not sure if it is a problem to skip some important steps... for example Ad-Aware crashed when performing a deep scan.
  4. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    If you find a particular programme is not compatible with Vista, skip it and move on to the next instruction and so on. Then post whatever logfiles you can from those that are requested.

    Regards Howard :)

  5. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    OK, I will do what I can... I think I will post my log files tomorrow. Today I have no more time to fight this trojan. Thanks for your help, and it would be great if you could help after I give you the log files.

    Rainer
  6. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    I'll try my best and look forward to seeing your logfiles tomorrow.

    Regards Howard :)

  7. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    Hello Howard, sorry that I didn't have time to post my log files... it is quite busy these days at work. I hope you will get my log files at the weekend. I hope this is OK for you and you will still try to help me.
    Sorry for these circumstances.

    Thanks, Rainer
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    No problem at all mate, I'll still be here.

    Regards Howard :)

  9. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    OK, I did step 11 and searched with the help of the "depth search"... but AVG found no rootkits or anything like that. So how should I go on?

    I did the next step (step 12), but ComboFix didn't work under Vista, so I can only post the HJT log file. I will wait for further instructions.

    Thx, Rainer
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is clean.

    Are you still getting the virus alerts for:

    Trojan horse BackDoor.Generic2.SLC
    c:\windows\system32\ntswrl32.dll

    And

    Small.52.al (ntcvx32.dll)

    Regards Howard :)

  11. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    I still get virus alerts for both viruses... so how should we go on?
    When I start my PC, AVG detects both viruses and then I can move them to the virus vault, but after a restart the virus is back.
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

    Let me know if you're still having problems.

    Regards Howard :)


  13. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    Hello Howard, unfortunately this Avenger program doesn't support Vista. And I also couldn't find any "Vista Avenger"... so what should we do now? Is there any other program which is similar to Avenger?
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Ok, try Killbox instead. Man I hate Vista, not much is compatible with it at the moment.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    c:\windows\system32\ntswrl32.dll
    c:\windows\system32\ntcvx32.dll

    Let me know the results.

    Regards Howard :)
  15. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    So, the next problem. I did the whole stuff you wrote, and when I start in safe mode and want to run killbox.exe, Windows says: "invalid picture"... actually this means that I can't start the program. I tested some other programs in safe mode... some of them worked, others also had the same "warning": "invalid picture".... Do you think it is a problem that I started safe mode with my normal admin account? I don't have any other accounts on my PC than my admin account.
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Ok, in that case, run Killbox from normal mode.

    Regards Howard :)
  17. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    OK, I did it in normal mode... but when I finished putting in the stuff in Killbox and Killbox wants to restart, it says: "pendingfilenameoperations registry data has been removed by external process". Could it be that this is a problem because my AVG runs in normal mode when I start up??? Or what should I do?
  18. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    That is absolutely nothing to worry about and does happen sometimes with Killbox.

    Now, update your AVG virus definitions and run a scan, see if AVG still picks up the baddies.

    Regards Howard :)

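Added here as an example, not code from the thread or from Killbox: a PowerShell check (run from an elevated prompt) that reads the PendingFileRenameOperations value which "delete on reboot" tools queue their work in, and reports whether the two DLL paths named in this thread are actually scheduled for deletion and whether they are still on disk. Running it before and after the reboot separates "the queue was cleared before it ran" from "the file was recreated".

```powershell
# Added example (not from the thread or from Killbox): inspects the
# PendingFileRenameOperations value that "delete on reboot" tools queue their
# work in, so you can see whether the two DLLs named in this thread are really
# scheduled for deletion before rebooting. Run from an elevated PowerShell prompt.
$Suspects = @(
    'C:\Windows\System32\ntswrl32.dll',
    'C:\Windows\System32\ntcvx32.dll'
)

function Get-PendingFileOperation {
    # Each queued operation is a pair of strings: source path, then target path.
    # An empty target means "delete"; paths carry the NT '\??\' prefix.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $raw = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $raw) { return @() }
    $raw = @($raw)
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $target = if ($i + 1 -lt $raw.Count) { $raw[$i + 1] } else { '' }
        [pscustomobject]@{
            Source = $raw[$i] -replace '^\\\?\?\\', ''
            Target = $target -replace '^!?\\\?\?\\', ''   # '!' = overwrite flag
            Action = if ($target -eq '') { 'delete' } else { 'rename' }
        }
    }
}

function Test-SuspectStatus {
    # Reports, per suspect path, whether it is still on disk and whether a
    # delete is queued for it. Compare the output before and after the reboot:
    # queued before and gone afterwards means the delete ran; queued before and
    # still present afterwards means the queue was cleared before it ran or
    # something recreated the file (the symptom this thread describes).
    param([string[]]$Paths)
    $pending = Get-PendingFileOperation
    foreach ($p in $Paths) {
        $queued = @($pending | Where-Object { $_.Action -eq 'delete' -and $_.Source -ieq $p })
        [pscustomobject]@{
            Path            = $p
            StillOnDisk     = Test-Path -LiteralPath $p
            QueuedForDelete = $queued.Count -gt 0
        }
    }
}

Test-SuspectStatus -Paths $Suspects | Format-Table -AutoSize
```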
  19. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    I did the whole stuff in Killbox and restarted manually after "pendingfilenameoperations registry data has been removed by external process"... but after the restart AVG detects the two virus files once again.
  20. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Turn off system restore (XP/ME only). See how HERE.

    Run Killbox for those files again, then run AVG and delete what it finds and empty the virus vault.

    Reboot your system and turn system restore back on. Scan with AVG again and let me know if it still finds the baddies.

    Regards Howard :)
  21. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    OK, I will do that, but what do you actually mean with "turn system restore back on"?

    To which point should I restore?
  22. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Turning off system restore will delete your restore points and anything nasty that's in them.

    Turning it back on again will create a new clean restore point. I don't actually want you to try and restore the computer.

    Regards Howard :)
  23. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    I just don't get it... so you mean I have to do the stuff with Killbox and AVG (empty vault)... then restart the system, restore an old restore point (the internal Windows restore program) and then scan once again?
  24. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    No, turn system restore off, then run Killbox, then AVG and delete what it finds including anything in the virus vault, then turn system restore back on again.

    Taken from HERE.

    Regards Howard :)
  25. LA_RuffRainer

    LA_RuffRainer Newcomer, in training Topic Starter

    I did the stuff with system restore, Killbox and AVG (empty virus vault).... but when I restart the PC the virus is still there. So what? Any other suggestions?