Norton & AVG detecting php/backdoor.c99shell, cannot quarantine

[jdriver]

Early yesterday Norton started giving me a lot of popup notifications about this "trojan php/backdoor.c99shell" on random files in my temporary internet history. As I manage to catch them I got some into quarantine and others would disappear before I could manage to catch them. It didn't seem like Norton was getting it, so I installed AVG, which did basically the same thing. It pops up a lot of warnings, and heals as many files as it can, but misses some, and others continue to pop up. Neither Norton or AVG seem to catch the problem, and i can't find much in the way of removal instructions online. Some programs appear to run very slowly, especially my browser. Video is hurting, and the speed of my box in general is down quite a bit.

I'm on windows Vista. Have ran AVG an dnoton against it with no luck. The affected files that keep popping up are in the IE5 folder in my temporary internet files directory.

Does anyone know how I can clear this so I can connect my new desktop back to the internet without worrying?

 

[kimsland]

Yes make sure that you remove Norton fully first!

New Preliminary Removal Instructions

 

[jdriver]

Alrght, I got going on the prelims, but I have a problem here, I can't check for updates with Malwarebytes or SuperAntiSpyware. Both of them tell me my firewall doesn't allow them, or that my connection isn't live. My connection is live, and I've allowed both of the programs in Windows Firewall, I even disabled windows firewall. Neither works. So I'm running the scans as is for now in hopes that it cleans thing sup a bit, but I'll run them again once I know what needs to be taken care of to get them accepting my connection again. i have no other firewall running. As a sidenote, MSN messenger refuses to connect to the net right now too. ICQ quit working a few days ago...

 

[kimsland]

Try this:

How to use Reset Internet Explorer Settings (RIES

To use RIES in Internet Explorer 7, follow these steps:

1. Click the Tools menu, and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Note for users who cannot start Internet Explorer 7 for some reason, use RIES from Internet Options in Control Panel.
---------------------------------------------------------

And this one:

https://www.techspot.com/vb/post662504-2.html

--------------------------------------------------------

Then Restart, and then see if you can update (which is of utmost importance)

 

[jdriver]

thnx kimsland i'll check those out now. one more thing to add, i have an out of date java install, so i went to update it and received this error popup which closes the installer. it mentions the c99shell and a couple other things, i looked at the site and it's all in russian so i dunno what the deal is. any ideas on this?

hXXp://img111.imagevenue.com/img.php?image=22941_errors_122_819lo.jpg

 

[kimsland]

That don't look good !

Your Java can be fully un-installed from Add/Remove Programs
And once all is resolved you can go here and update it (through the long slow process)
http://java.com/en/download/installed.jsp?detect=jre&try=1

Just continue above, with removing all this stuff

 

[jdriver]

That don't look good !

Your Java can be fully un-installed from Add/Remove Programs
And once all is resolved you can go here and update it (through the long slow process)

Just continue above, with removing all this stuff

tell me abut it. when i open IE the homepage loads as a big jumbled mess of code, starting with the same biz about some russian site, and somebroken forms and other commands. i run firefox as my main browser. but something is definitely amiss with IE right now...

 

[kimsland]

Is your system infected? Read this before Cleaning or Formatting

I wonder if this would be best for a backup and re-install of Windows issue
That Pic was disturbing !

 

[jdriver]

i've removed everything mentioned still nothing is updating, when i open IE i get a very worrisome page. a huge mysql dump followed by a broken page with a lot of forms that appears to be a php application for mass defacing websites on a server. the footer is signed the captain crunch security team ccteam.ru. obviously some russian hacker group. i snapped some screenshots but can't get them uploaded to any free spots anywhere as they're quite large. and there's no way i'm opening a connection to my dedicated server from my desktop right now.

I am running an instance of Microsoft SQL Server 2005 on my desktop and wonder if this is having any additional effect on the situation what with the SQL dump and the server backdoor problem I am having here. I'm going to uninstall it and see where things go from there.

How can i can about terminating processes by their ID number? is that a possibility?

 

[kimsland]

Yes
Have a look at Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

And I agree to remove SQL for the moment

 

[jdriver]

I am thinking of just doing a reformat. I'm desperately hoping this hasn't made the jump to my dedicated server from my local desktop. Have my host looking into it now...

 

[Kazi]

Please try atf-cleaner by atribune or ccleaner
ccleaner: http://www.ccleaner.com/download/downloading
atf-cleaner: http://www.atribune.org/ccount/click.php?id=1
With atf cleaner on ie do select all and empty
Ccleaner just click every setting and click analyze and delete

also post a hjt log

if you reformat good luck