I'm infected

[mootz]

Im pretty sure my computer is backdoored and I'm here to ask for help from some computer genius
the b-door was brought to my attention from a spyware doctor scan but even when removed it comes back after rebooting
my nod32 alerts me when I open the control panel btw

here's my hijackthis log...
could someone please specify what is safe to 'fix' out of all of these, and some further instructions as I do not have a clue :|

 

[xxdanielxx]

Well first you posted this in the wrong section you should of posted this in the security section.

Hi my name is xxdanielxx I will be helping you clean your computer I am looking at your log right now. Will post back with what to do

 

[mootz]

Well first you posted this in the wrong section you should of posted this in the security section.

Hi my name is xxdanielxx I will be helping you clean your computer I am looking at your log right now. Will post back with what to do

very sorry feel free to move this thread
and thx for your help

 

[xxdanielxx]

Well first thing is you have to firewall software NOD32 and zone alarm if I am wrong please say. You need to remove one of them if you paid for NOD32 then remove zone alarm.

Or do you have NOD32 as your antivirus and zone alarm as your firewall

 

[xxdanielxx]

do you know any of the IP's below

194.74.65.68
194.72.0.114

 

[mootz]

nod is my AV and ZA is my FW

those IPs don't ring any bells :suspiciou

 

[xxdanielxx]

Ok lets get to work

We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

@echo off
sc stop System Spooler Host
sc delete System Spooler Host
sc stop System TskHlp
sc delete System TskHlp
del service.cmd and exit

Save it to your desktop as File name: service.cmd
Save as type: All Files

Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

-------------------------------------------

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan.**Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Dit] Dit.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B84E9584-09E9-4C89-AB21-557D7F13872C}: NameServer = 194.74.65.68,194.72.0.114
O23 - Service: System Spooler Host - Unknown owner - C:\WINDOWS\cursors\mstask\services.exe (file missing)
O23 - Service: Task Manager Help (TskHlp) - Unknown owner - C:\windows\cursors\mstask\taskmgr.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.**Close HiJackThis.

---------------------------------------------

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\Windows\System32\Dit.exe

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

------------------------------------------------

Please run an on-line virus scan at http://www.kaspersky.com/virusscannerKaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

 

[mootz]

thankyou, i'm glad this didn't go un-noticed
i'll bookmark this page and i'll return tomorrow to finish off, i'm tired atm and i'm sure i'll probably miss something. >_<

 

[mootz]

ok... i have ran the bat file, dleted those mentioned above from my hijackthis and i've used OT on dit.exe

here's what's inside the OT log:

File/Folder C:\Windows\System32\Dit.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08012008_085917


and i still get nod32 popping up when i use contral panel
(varient of bifrose) i guess someone is using bifrost rat on me

 

[xxdanielxx]

can you post a fresh hijackthis log

 

[mootz]

heres a new one, seems some of the old things have returned :|
trendmicro online scanner is scanning PC right now i'll leave that on overnight

 

[xxdanielxx]

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

=======================================

ComboFix

• Download ComboFix to your desktop.
• Double click combofix.exe & follow the prompts.
• A window will open with a warning.
• When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

 

[mootz]

malwarebytes report:

Malwarebytes' Anti-Malware 1.24
Database version: 1018
Windows 5.1.2600 Service Pack 2

16:03:57 03/08/2008
mbam-log-8-3-2008 (16-03-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 214321
Time elapsed: 2 hour(s), 57 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

doing combofix right now then ill post that and a fresh hijackthis

 

[mootz]

backdoor still comes when i open control panel

 

[xxdanielxx]

For now run the tool below I will check your logs and post back later today


Download & Install SDFix

• Download SDFix & save it to your Desktop.
• Double click SDFix.exe & it will extract the file to %systemdrive%
  (Drive that contains the Windows Directory, Typically C:\SDFix)

Boot into Safe Mode

• Restart your computer & start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, & then press Enter.

Run SDFix

• Open the extracted SDFix folder & double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on the screen & also save into the SDFix folder as Report.txt
• Attach Report.txt back here

 

[mootz]

[b]SDFix: Version 1.212 [/b]
Run by Matty on 03/08/2008 at 17:29

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

this is all i get :dead:

 

[xxdanielxx]

hmm you ran it in safe mode right then after the reboot you let it go to normal mode

 

[mootz]

yeah i ran in safe mode but after reboot it didnt run again
should i reboot after in safe mode again or should it have done it itself anyway?

 

[xxdanielxx]

Ok run it in safe mode then when it reboots let the computer start as normal it should popup and run also can you post a fresh hijackthis log

 

[mootz]

i feel so stupid...
i ran a scan with my nod32 just 5 minutes ago, guess what it found:
Time: 05/08/2008 Object name: C:\\WINDOWS\system32\gplunt.cpl Size: 87040 Reason: probably a variant of Win32/Bifrose trojan
strange that nothing else detected it, i wonder why my AV did not find it before it got to where it was.

 

[xxdanielxx]

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\WINDOWS\system32\gplunt.cpl

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

[mootz]

OT didn't find it and it doesn't show up when i open control panel any more
i think i've killed it...
thanks for all your help

 

[xxdanielxx]

there still one more thing to do

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

===================

Uninstall ComboFix

• Click Start then Run
• Now Type Combofix /u in the runbox
• Make sure there's a space between Combofix & /u
• Then hit Enter

The above procedure will Delete the following:

• ComboFix & it's associated files & folders.
• Reset the clock settings.
• Hide file extensions, if required.
• Hide system/hidden files, if required.
• Set a new, clean Restore Point.

------------------------------------------------------------------

OTCleanit! by Oldtimer

• Download OTCleanIt
• Click the CleanUp! button.
  (It will go thorugh the list & remove all of the tools it finds and then delete itself) Requiring a reboot

============================

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
   
2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
   
3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
   
4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
   
5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
   
6. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
   
7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
   
8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
   
9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

xxdanielxx