Trojan horse BackDoor under Vista


LA_RuffRainer

Hi, today my AVG showed a virus warning called:

Trojan horse BackDoor.Generic2.SLC
c:\windows\system32\ntswrl32.dll

Oh, I noticed that I also got Small.52.al (ntcvx32.dll).

AVG could remove the virus, but with every system reboot the virus is back.

So I searched the internet for a solution and found this forum... I tried this help topic: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
but some of the programs it uses are not for Windows Vista. So could anybody help me remove this trojan under Vista? I already did some steps (up to step 10).


Is there any easier method to remove this trojan?
And another question... could this virus really damage my whole system? What are the problems I can get with this trojan?

Thanks, Rainer
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly. Please note: Some of the programmes/tools may not be compatible with Vista. Don't worry about this and skip to the next step and so on.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

This thread is for the use of LA_RuffRainer only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for your fast answer, but my problem is that some of the programs used for deleting / finding the virus are not for Vista.

So what should I do... and I'm also not really sure if I could really perform all these steps under Vista. And I'm not sure if it is a problem to skip some important steps... for example Ad-Aware crashed when performing a deep scan.
 
If you find a particular programme is not compatible with Vista, skip it and move on to the next instruction and so on. Then post whatever logfiles you can from those that are requested.

Regards Howard :)

 
OK, I will do what I can... I think I will post my log files tomorrow. Today I have no more time to fight this trojan. Thanks for your help, and it would be great if you could help after I give you the log files.

Rainer
 
I'll try my best and look forward to seeing your logfiles tomorrow.

Regards Howard :)

 
Hello Howard, sorry that I didn't have time to post my log files... it is quite busy these days at work. I hope you will get my log files at the weekend. I hope this is OK for you and you will still try to help me.
Sorry for these circumstances.

Thanks, Rainer
 
OK, I did step 11 and searched with the help of the "depth search"... but AVG found no rootkits or anything like that. So how should I go on?

I did the next step (step 12) but ComboFix didn't work under Vista, so I can only post the HJT log file. I will wait for further instructions.

Thanks, Rainer
 
Your HJT log is clean.

Are you still getting the virus alerts for:

Trojan horse BackDoor.Generic2.SLC
c:\windows\system32\ntswrl32.dll

And

Small.52.al (ntcvx32.dll)

Regards Howard :)

 
I still get virus alerts for both viruses... so how should we go on?
When I start my PC, AVG detects both viruses and then I can move them to the virus vault, but after a restart the virus is back.
 
1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon, which will open a new window titled "Open Script File".
Navigate to the file you have just downloaded, click on it and press Open.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Let me know if you're still having problems.

Regards Howard :)

 
Hello Howard, unfortunately this Avenger program doesn't support Vista, and I also couldn't find any "Vista Avenger"... so what should we do now? Is there any other program which is similar to Avenger?
 
Ok, try Killbox instead. Man I hate Vista, not much is compatible with it at the moment.

Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

c:\windows\system32\ntswrl32.dll
c:\windows\system32\ntcvx32.dll

Let me know the results.

Regards Howard :)
 
So, the next problem. I did the whole stuff you wrote, and when I start in safe mode and want to run killbox.exe, Windows says: "invalid picture"... actually this means that I can't start the program. I tested some other programs in safe mode... some of them worked, others also had the same "warning": "invalid picture". Do you think that it is a problem that I started safe mode with my normal admin account? I don't have any other accounts on my PC than my admin account.
 
OK, I did it in normal mode... but when I finished putting in the stuff in Killbox and Killbox wants to restart, it says: "pendingfilenameoperations registry data has been removed by external process". Could it be that this is a problem because my AVG runs in normal mode when I start up??? Or what should I do?
 
That is absolutely nothing to worry about and does happen sometimes with Killbox.

Now, update your AVG virus definitions and run a scan, see if AVG still picks up the baddies.

Regards Howard :)

 
I did the whole stuff in Killbox and restarted manually after "pendingfilenameoperations registry data has been removed by external process"... but after the restart AVG detects the two virus files once again.
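One way to see why a "delete on reboot" keeps failing is to look at what is actually queued and at what is still on disk. The following PowerShell is an added example for the Killbox steps and the "removed by external process" message above; it is not a tool used in this thread. It assumes an elevated prompt and that Killbox's delete-on-reboot works through the PendingFileRenameOperations registry value that the message names.

```powershell
# Added example (not from the thread): list what is queued in PendingFileRenameOperations
# and whether the two flagged DLLs are still present, with a hash to compare across reboots.
$targets = @(
    'C:\Windows\System32\ntswrl32.dll',   # paths named in the thread
    'C:\Windows\System32\ntcvx32.dll'
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = @((Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
              -ErrorAction SilentlyContinue).PendingFileRenameOperations)

# REG_MULTI_SZ laid out as (source, destination) pairs; an empty destination means delete.
# Sources carry the NT prefix \??\ which is stripped before comparing.
$scheduled = @{}
if ($pending.Count -gt 0) {
    for ($i = 0; $i + 1 -lt $pending.Count; $i += 2) {
        $src = ($pending[$i] -replace '^\\\?\?\\', '').ToLowerInvariant()
        $dst =  $pending[$i + 1] -replace '^\\\?\?\\', ''
        $scheduled[$src] = if ($dst -eq '') { 'delete' } else { "rename to $dst" }
    }
} else {
    Write-Host 'No PendingFileRenameOperations value: nothing is queued for the next reboot.'
}

function Get-Sha256 ([string]$path) {
    # Hash via .NET so this also runs on the PowerShell 2 available for Vista (assumption).
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.IO.File]::ReadAllBytes($path))
    ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($t in $targets) {
    $op = $scheduled[$t.ToLowerInvariant()]
    if (-not (Test-Path -LiteralPath $t)) {
        Write-Host "${t} : not present"
        continue
    }
    $f = Get-Item -LiteralPath $t -Force
    # Same hash after a reboot means the same file is being put back; a new hash means a fresh drop.
    Write-Host "${t} : present, created $($f.CreationTime), $($f.Length) bytes, sha256 $(Get-Sha256 $t)"
    if ($op) { Write-Host "    queued operation: $op" }
    else     { Write-Host '    NOT queued for removal: the pending entry was cleared or never written' }
}
```

Run it once after Killbox reports the files queued and again after the reboot; a file that is present but not queued confirms that the pending entry was cleared before the restart.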
 
Turn off system restore.(XP/ME only) See how HERE.

Run Killbox for those files again, then run AVG and delete what it finds and empty the virus vault.

Reboot your system and turn system restore back on. Scan with AVG again and let me know if it still finds the baddies.

Regards Howard :)
 
Turning off system restore will delete your restore points and anything nasty that's in them.

Turning it back on again will create a new clean restore point. I don't actually want you to try and restore the computer.

Regards Howard :)
 
I just don't get it... so you mean I have to do the stuff with Killbox and AVG (empty vault), then restart the system, restore an old restore point (the internal Windows restore program) and then scan once again?
 
No, turn system restore off, then run killbox, then AVG and delete what it finds including anything in the virus vault, then turn system restore back on again.

Taken from HERE.

To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK

Regards Howard :)
 
I did the stuff with system restore, Killbox and AVG (empty virus vault)... but when I restart the PC the virus is still there. So what? Any other suggestions?
 