TechSpot

win32.backdoor.ciadoor trojan is messing up my life

By Mike B
Aug 27, 2006
  1. Howdy,

    I recently contracted a trojan called win32.backdoor.ciadoor. Changes I've noticed to my computer are:

    1. Locked out of Task Manager
    2. My Windows Firewall is disabled and I cannot turn it on
    3. My connection to the wireless internet is extremely inconsistent
    4. The McAfee icon in the running tasks tray is black instead of red and disappears when I pass my mouse over it.
    5. Recycle bin automatically loads at startup.

    I installed Ad-Aware SE and ran it, and it found the win32.backdoor.ciadoor. I removed it and then had access to task manager but the windows firewall still will not start. When I try to start it, I get the following message:

    "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) Device."

    After scanning with Ad-Aware, I reset my computer and the trojan came back. In fact, it comes back every time I restart my computer. I was reading posts on another forum while trying to fix the problems with my internet connection, and one direction was to enable "show hidden files and folders" in folder options. When I did that and opened up "My Network Places" I noticed two additional network places that I've never seen before. In addition to my connection, there was one called "Back to Bedlam on Jergens" and "Michael Buble on Jergens." When I clicked in the folder it froze and a message box appeared that said "Access to these network places is restricted." It also said some other stuff but I failed to write it down. The new icons then disappeared and they no longer show up.

    I need assistance in getting rid of that trojan and I'm wondering if those other network places may be someone that has gained access to my computer. Any help or knowledge would be greatly appreciated.

    Thanks!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Let's see if we can get your system clean and running smoothly again.

    Go HERE and follow the instructions exactly.

    Post a fresh HJT log as an attachment into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of Mike B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. werty316

    werty316 TS Rookie Posts: 185

    As a last resort do a HD format. That always solves a virus problem.
     
  4. Mike B

    Mike B TS Rookie Topic Starter

    Having Difficulties

    Okay, I'm having a few problems.

    First of all, I cannot disable system restore. There is no system restore tab in the System file. It only displays the following tabs:

    General, Automatic Updates, Remote, Computer Name, Hardware, Advanced

    I am running Service Pack 2.


    Second, I cannot run all of the required scans. My computer will not stay connected to the internet long enough to first run the online scans. I am also not able to run SmitFraudFix because when it attempts to start a message comes up that states "Command prompt disabled by the Administrator."

    I ran all other scans and deleted a bunch of stuff that showed up. I then restarted in safe mode and scanned with HJT. When I attempted to bring up the Task Manager by pressing Control + Alt + Delete nothing happened. I pressed the combination several times and it appeared to be disabled. At this point it was 12:30 PM and I had to get up for an 8 o'clock class the next morning so I gave up for the night. I will attempt to re-do the process again tonight, if you have any ideas that might help please share.

    The main problem is the Win32.Backdoor.CiaDoor that continually shows up each time I run a new scan. Other Spyware and problem files no longer appear during the scans.
     
  5. Mike B

    Mike B TS Rookie Topic Starter

    Okay, I tried everything again tonight. This time I got everything to work. I rebooted my comp and my internet connection appears to be consistent now. I removed several items from the HJT. I ran Ad-Aware when I booted up and it did not locate Win32.backdoor.ciadoor for the first time in several days. My task manager now also appears to be working. The only problem I'm encountering are two messages that pop up when Windows starts.

    The first reads:

    Windows cannot find C:\Windows\system32\svchost.exe. Make sure you typed the name correctly then try again. To search for a file, click the Start button, then click Search.

    The second reads:

    Could not load or run C:\windows\system32\svchost.exe specified in the registry. Make sure the file exists on your computer or remove the reference to it in your registry.

    Did I make a mistake on HJT? I've attached my log, thanks for your help!
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're not running any antivirus or firewall software.

    Download and install the free AVG antivirus programme and either the free Zonealarm or Kerio firewall programmes. You can get them HERE, HERE and HERE.

    Install whichever firewall you chose, followed by AVG and reboot your system the required number of times. Run the AVG updates.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run a full system scan with AVG and delete whatever it finds.

    Reboot into normal mode and turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log, only after doing the above.

    Let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Mike B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Mike B

    Mike B TS Rookie Topic Starter

    Okay, I ran AVG and found the Java/byteverify virus. I deleted the java cache and ran a program called CCleaner which apparently is supposed to take care of that. Here is the latest HJT log.

    I am still having the following two messages appear at startup:

    The first reads:

    Windows cannot find C:\Windows\system32\svchost.exe. Make sure you typed the name correctly then try again. To search for a file, click the Start button, then click Search.

    The second reads:

    Could not load or run C:\windows\system32\svchost.exe specified in the registry. Make sure the file exists on your computer or remove the reference to it in your registry.

    I am connected to a WAN with 4 other computers. My connection is very unstable. It was never excellent because I'm the farthest away from the router. However, it has gotten worse since all this began. I am thinking about purchasing a Range Expander. My concern however, is that the poor connection has something to do with settings on my comp or one of these viruses is interfering with my connection. Any ideas?

    Thanks again
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add/remove programmes in your control panel and uninstall anything to do with the following (if there).

    AWS\weatherbug


    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess)

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    scvhost.exe (not to be confused with svchost.exe, which is legit)
    Weather.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to it (if there).

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe

    F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe

    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html

    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll

    O9 - Extra button: Support - {09D8B46D-D9D8-4C7F-A57A-D4EA9BA672E5} - http://www.comcastsupport.com (file missing) (HKCU)

    O9 - Extra button: ComcastHSI - {3F8E8250-5D91-4127-938A-F97CB65BF060} - http://www.comcast.net (file missing) (HKCU)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

    O9 - Extra button: Help - {FB625942-82BA-411D-8518-D090866F6A2B} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

    O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\PROGRA~1\AWS
    C:\WINDOWS\system32\scvhost.exe (not to be confused with svchost.exe, which is legit)


    Reboot into normal mode, turn system restore back on and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of Mike B only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
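    The checks in Howard's last post come down to three things a defender can automate when triaging a HijackThis log: a process or file name that imitates a Windows system binary (scvhost.exe for svchost.exe), a legacy win.ini load=/run= autostart, and a service entry whose image path is malformed or missing on disk. The following Python script is an added example and not code from the thread or from HijackThis; it runs over a constructed sample made of the log lines quoted above plus one invented, legitimate-looking O23 line for contrast, and the lookalike test uses a small edit-distance threshold (an assumption, chosen so that a two-letter swap is caught).

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re

# Well-known Windows system binary names that malware commonly imitates.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
    "winlogon.exe", "services.exe", "explorer.exe",
}

# Constructed sample: the F3 and O23 lines quoted in the thread, plus one
# invented, healthy-looking O23 line so the scanner has a negative case.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\WINDOWS\System32\svchost.exe -k netsvcs
"""

F3_RE = re.compile(r"^F3 - REG:win\.ini: (load|run)=(.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
EXE_RE = re.compile(r"([\w~.-]+\.exe)\b", re.IGNORECASE)
# A path that contains a second drive letter ("C:\WINDOWS\C:\WINDOWS\...") is
# not something Windows itself writes; it signals a tampered registry value.
TWO_DRIVES_RE = re.compile(r"[A-Za-z]:\\.*[A-Za-z]:\\")

# Edit-distance threshold for "looks like a system binary" (assumption).
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a, b):
    """Plain Levenshtein edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name):
    """Return the system binary that `name` imitates, or None.

    An exact (case-insensitive) match is a real system name, not a lookalike.
    """
    n = name.lower()
    if n in SYSTEM_BINARIES:
        return None
    for legit in sorted(SYSTEM_BINARIES):
        if levenshtein(n, legit) <= LOOKALIKE_MAX_DISTANCE:
            return legit
    return None


def scan_hjt(text):
    """Return (line_number, reason) findings for suspicious HJT log lines."""
    findings = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for n, line in enumerate(lines, 1):
        m = F3_RE.match(line)
        if m:
            # win.ini load=/run= is a legacy autostart that modern software does not use.
            findings.append((n, f"legacy win.ini {m.group(1)}= autostart: {m.group(2)}"))
        m = O23_RE.match(line)
        if m:
            service, path = m.group(1), m.group(3)
            if TWO_DRIVES_RE.search(path):
                findings.append((n, f"malformed service image path: {path}"))
            if "(file missing)" in path:
                findings.append((n, f"service image missing on disk: {service}"))
        # Check every executable name on the line against the system-binary list.
        for exe in EXE_RE.findall(line):
            legit = is_lookalike(exe)
            if legit:
                findings.append((n, f"lookalike of {legit}: {exe}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_hjt(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

    On the sample, the two F3 lines are each flagged twice (legacy autostart and a lookalike of svchost.exe), the SharedAccess service line is flagged for its doubled drive specification and its missing image file, and the constructed healthy line produces nothing. The edit-distance test is deliberately loose: it also catches one-letter drops and additions, so a result from it is a prompt to verify the file's path and signature, not a verdict on its own.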
     
Topic Status:
Not open for further replies.
