
Bkdr_ciadoor.ea


15 replies to this topic

#1 paige3663


Posted 21 November 2007 - 07:52 PM

Shoot, sorry, this should have been called BKDR_CIADOOR.EA
But I can't edit that

I'm 100% sure I have a virus
In the summer of 2006, my daughter downloaded a game and right away I knew something was wrong
My LimeWire kept restarting on its own
Ran a scan and sure enough I had WORM_GAOBOT.DF (back in July 2006)
A tech site similar to this assisted me. It took a few days but we got rid of it. SO thankful

Last night I was downloading something and sure enough the same thing happened: LimeWire kept restarting on its own
I uninstalled LimeWire and ran scans

Also, something kept popping up saying:

LimeWire version 4.14.10
Java version 1.5.0_07 from Sun Microsystems Inc.
Windows XP v. 5.1 on x86
Free/total memory: 31431720/33357824

com.limegroup.gnutella.gui.GUILoader$StartupFailedException: invalid xml.war
at com.limegroup.gnutella.gui.GUILoader.sanityCheck(GUILoader.java:292)
at com.limegroup.gnutella.gui.GUILoader.load(GUILoader.java:57)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.limegroup.gnutella.gui.Main.main(Main.java:45)

STARTUP ERROR!

FILES IN CURRENT DIRECTORY:
C:\Program Files\limewire\lib
LAST MODIFIED: 1195610518706
SIZE: 0

C:\Program Files\limewire\LimeWire.exe
LAST MODIFIED: 1190038754281
SIZE: 147456

I went looking for that >> C:\Program Files\limewire\LimeWire.exe
and despite uninstalling LimeWire, I found it and tried to delete it but I couldn't
In it there was a file called lib that was 20.4 MB and I couldn't delete it either

My Ad-Aware finished and it only had tracking cookies
Last night my Trend said I have:
BKDR_CIADOOR.EA
20490 Infections
GULP

I used the clean option and got it down to 2304 infections
I think this is a key logger?
I ran it again last night when I couldn't sleep and got it down to fewer infected ones but don't remember how many
I ran it again today before I left for work; when I got home it said just 1 infected file
I tried cleaning it but it was sitting like that too long I guess
I'm running another Trend scan right now and a Panda scan as well
I was able to delete that >> C:\Program Files\limewire\LimeWire.exe
and that thing isn't popping up anymore

I also ran HJT and have a log (if I did it correctly)
I can post that from last night before I started doing any cleaning, if you want to see it

So far Panda is saying:
Virus Detected 1 Disinfected 1
Spyware Detected 3 Disinfected 0
Hacking tools and rootkits Detected 2 Disinfected 0
Dialers Detected 1 Disinfected 0

Obviously I need to wait for it to finish to get a report, but I'm rather frantic and need some advice

Thank you in advance

(I hope I did this all right, per rules etc.)

{Mod Edit: made needed Topic Title change~boopme}

Edited by boopme, 21 November 2007 - 09:11 PM.

"The true measure of a man is not how he behaves in time of comfort and convenience but how he stands at time of controversy and challenge" Martin Luther King

#2 buddy215


Posted 21 November 2007 - 09:23 PM

Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

--------------------------------------------------------------------------------

Post a Hijack This Log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post a log in this forum. http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

When malware is labeled "backdoor" it means you have to consider your computer completely compromised.
Any financial info, passwords, etc. can be obtained by the malware: credit cards, PayPal, banking, etc.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 boopme


Posted 21 November 2007 - 09:23 PM

Hello paige3663. First, welcome to the Forum.
You have so many pieces of malware I feel it would be best for you to follow the instructions here...
Preparation Guide for use before posting a HijackThis Log. Let the experts there guide you through a proper clean up. Please be patient with them as they are a very busy bunch right now, but they are great.

Also, that LIB file is where all the songs are stored

You will need to run some scans again in the instructions above, so don't worry about it. Let it finish, then follow the Prep guide.

Backdoor trojans will compromise your PC security. Simply put, they will look for passwords, financial and credit card info and send it off. All that type of info that is on your PC is better considered compromised and should be changed.

Edited by boopme, 21 November 2007 - 09:27 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 paige3663


Posted 21 November 2007 - 09:50 PM

Thanks guys
First I'm going to post the report from my Panda scan
then follow the instructions above


Incident Status Location

Virus:W32/P2PSimple.C.worm Disinfected Operating system
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Lynn\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Adware:adware/abox Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/ieplugin Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Adware:adware/ist.istbar Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Lynn\Application Data\Mozilla\Firefox\Profiles\j13o3xm3.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@888[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@azjmp[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@bluestreak[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@casalemedia[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@cassava[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@cgi-bin[5].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@com[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@ct.360i[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@i.screensavers[2].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@kmpads[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@revenue[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@server.iad.liveperson[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@statse.webtrendslive[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@target[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@web.tickle[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@winantivirus[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@www.burstbeacon[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@www.winantivirus[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Lynn\Cookies\lynn@xiti[1].txt
Virus:Trj/Banker.FTI Disinfected C:\Documents and Settings\Lynn\Desktop\Amy's stuff\games\super_gerball.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Hijack\backups\backup-20060714-205206-802-PowerReg Scheduler V3.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
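The Panda report above is a flat list where each line is "Category:Name Status Location". As an added example (not from the thread, Panda, or BleepingComputer), the script below parses that layout and separates the items that are still not disinfected and are not mere tracking cookies, which is the short list a helper would actually act on; the sample lines are constructed in the same format, with a placeholder user name, profile id and CLSID.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the "Category:Name Status Location" layout of the
# Panda report pasted in the thread; user name, profile id and the CLSID are
# placeholders, not values from the page.
SAMPLE_REPORT = r"""
Incident Status Location

Virus:W32/P2PSimple.C.worm Disinfected Operating system
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\User\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Adware:adware/abox Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000000}
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[1].txt
Virus:Trj/Banker.FTI Disinfected C:\Documents and Settings\User\Desktop\games\super_gerball.exe
Virus:Trj/Downloader.MDW Disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
"""

# The status word is the only fixed token, so it anchors the split between
# the detection name (which may contain spaces) and the location.
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)

@dataclass(frozen=True)
class Incident:
    category: str
    name: str
    status: str
    location: str

    @property
    def is_tracking_cookie(self) -> bool:
        return self.name.startswith("Cookie/")

def parse_report(text: str) -> list[Incident]:
    """Parse report lines; the header and unparsable lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            incidents.append(Incident(**m.groupdict()))
    return incidents

def summarize(incidents: list[Incident]) -> Counter:
    """Count incidents per (category, status), like Panda's on-screen totals."""
    return Counter((i.category, i.status) for i in incidents)

def needs_follow_up(incidents: list[Incident]) -> list[Incident]:
    """Items still not disinfected that are not tracking cookies: the
    startup entries, registry keys and files that still need attention."""
    return [i for i in incidents
            if i.status == "Not disinfected" and not i.is_tracking_cookie]

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for (cat, status), n in sorted(summarize(found).items()):
        print(f"{cat:28s} {status:16s} {n}")
    for i in needs_follow_up(found):
        print(f"{i.category}: {i.name} -> {i.location}")
```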

#5 buddy215


Posted 21 November 2007 - 10:17 PM

After running the Super Antispyware in Safe Mode...
You can look for Fun Web and other Fun Web listings in your Add/Remove Programs. See info in link below.
http://www.pchell.com/support/popularscreensavers.shtml

You can block the cookies that advertisers install. They are called third-party cookies. Follow the simple directions for
blocking in IE.
http://www.howtogeek.com/howto/windows-vis...cookies-in-ie7/

Edited by buddy215, 21 November 2007 - 10:28 PM.


#6 quietman7


Posted 21 November 2007 - 11:11 PM

Java version 1.5.0_07 from Sun Microsystems Inc.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older Java components and update:
  • Download the Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 3...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running, especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 paige3663


Posted 22 November 2007 - 08:07 AM

Again, thanks to everyone for the help you are giving me. I love my computer and need to fix it

I am at work now
I am in the Atlantic time zone so often when I get replies from anyone, it is bed time lol
I'm at work changing all my passwords

I have a question though before I start doing those things since some require restarting the computer
My Windows is password protected (I have a 12 yr old that I limit her computer usage)
At home I'm not entering any passwords so not checking mail at home or going on MSN
If I disconnect my internet while I sign into Windows, is my password safe?

I'm planning on doing as much of the stuff suggested as soon as I get home from work which will be about 5:30

#8 buddy215


Posted 22 November 2007 - 09:05 AM

Probably not. The malware would report whatever it captured next time you went online.

#9 paige3663


Posted 22 November 2007 - 09:15 AM

Hmmm
What about removing my Windows password then
Sounds like my only option
Mind you I would have to enter it to remove it
But that should work?

Edit to add: I have changed all my passwords (that I can recall) while at work
I also notified my bank (since I do online banking) that I have a virus, changed my password and will not be using my online banking at home until I am sure I'm safe to again
Also notified my contacts that I have a virus and won't be going on MSN or sending emails until I am virus free and asked them to let me know if they get anything from me

Soooo now I just have to wait to be done work so that I can go home and get started on all the stuff I've been advised to do
(in about 3 1/2 hrs)

Edited by paige3663, 22 November 2007 - 01:05 PM.


#10 paige3663


Posted 22 November 2007 - 06:13 PM

I'm still running scans
Should have a HJT log soon
I'm sitting here thinking: MEAN PEOPLE SUCK
Why do people do this? Make viruses that hurt people they don't even know :-(

#11 buddy215


Posted 22 November 2007 - 06:23 PM

Have you run the Super Antispyware scan in safe mode?
Did you check your Add/Remove Programs for Fun Web and associated programs?

#12 paige3663


Posted 22 November 2007 - 06:30 PM

I'm still running all the requested prerequisites for posting a HJT log
(only been home from work for 2 hrs)
My Trend scan is saying there is an hour and a quarter left. Edit: now saying 44 mins

I did look for Fun Web and it wasn't there

Edited by paige3663, 22 November 2007 - 06:32 PM.


#13 buddy215


Posted 22 November 2007 - 07:17 PM

There was more than one listing mentioned in the link I gave.
* My Web Search (Smiley Central or FWP product as applicable)
* My Way Speedbar (Smiley Central or other FWP as applicable)
* My Way Speedbar (AOL and Yahoo Messengers) (beta users only)
* My Way Speedbar (Outlook, Outlook Express, and IncrediMail)
* Search Assistant - My Way
My Web Search Removal
Smiley Central Removal
Cursor Mania Removal
FunBuddyIcons Removal
My Mail Stationery Removal
My Mail Signature Removal
My Mail Stamps

#14 paige3663


Posted 22 November 2007 - 07:40 PM

Yeah, none of those are there
Thanks for all the assistance though buddy


I finished my Trend scan and only had cookies
I'm sure that would change at reboot

so a couple more steps and I can get my HJT log


Edit: For McAfee AVERT Stinger.

RE: Be sure and put a check in the box by "Auto Clean" before you do the scan.

There was no "Auto Clean" option but since it had repair checked I assumed that was the same thing

Edited by paige3663, 22 November 2007 - 07:56 PM.


#15 paige3663


Posted 22 November 2007 - 10:12 PM

I have posted my HJT log
I did all the prep work and updated Java

I'm having trouble figuring out SpyBot though
Keeps popping up and I don't know whether to say deny or allow (something like that) and I don't wanna mess anything up worse

Now it is past my bedtime and I get up at 6:30 for work

Thanks again all

and I'll be able to read this tomorrow

Edited by paige3663, 22 November 2007 - 10:13 PM.
