Backdoor And Spybot


  • This topic is locked
2 replies to this topic

#1 jjgirl

jjgirl

  • Members
  • 5 posts
  • OFFLINE
  • Local time:07:20 AM

Posted 22 May 2008 - 11:40 AM

Please read the content in this link for information regarding the nature of the infection and what has been found: http://www.bleepingcomputer.com/forums/t/148138/lcxazwdsexe-is-one-of-the-malwares-in-my-pc/ ~ OB
Hello again,

I am currently using an Apple Mac since I unplugged my Windows machine from the internet and use it now only for backing up my data before I clean it, reformat and reinstall. I have to do it all on my own and already read much useful info here, thank you for your work.

Here is my HijackThis log; if anyone can help me and give me directions as to how to get rid of the malware, I'd be very grateful.

And I have a question: if I have a bunch of malware applications, how do I do the cleanup in Safe Mode, all at once or step by step? I never had anything like that before, sorry for such dumb questions :thumbsup: But I read in one forum they recommend one program for that application, and for removing another application there's another program...

---------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:58, on 21.05.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\inetsrv\inetinfo.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
G:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
G:\WINDOWS\System32\tcpsvcs.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\Tablet.exe
G:\WINDOWS\System32\wdfmgr.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\drivers\spools.exe
G:\Documents and Settings\All Users\Application Data\hupaxujy\lcxazwds.exe
G:\WINDOWS\htpatch.exe
G:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
G:\WINDOWS\System32\ctfmon.exe
G:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\AvpM.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\WINDOWS\system32\drivers\spools.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,G:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {D032570A-5F63-4812-A094-87D007C23012} - G:\WINDOWS\System32\IEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: dpevflbg - {5F428D7E-04FA-4864-845B-727460F79490} - G:\WINDOWS\dpevflbg.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] G:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] G:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] G:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ntuser] G:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] G:\Documents and Settings\Julia\cftmon.exe
O4 - HKLM\..\Run: [MSConfig] G:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ntuser] G:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [autoload] G:\Documents and Settings\Julia\cftmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [rnf9C2kEIq] G:\Documents and Settings\All Users\Application Data\hupaxujy\lcxazwds.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1060284298-1123561945-682003330-1003\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O16 - DPF: {35B9DBE4-5284-46B3-9E0F-919364B22F02} (Test Class) - http://adult.www.ifriendsgroups.com/atlweb1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133699995109
O16 - DPF: {6540685D-ABC2-4DFB-BC97-D71C5951B226} (RMXFVIEWCtlFmt Class) - http://195.19.144.8/rmxfvw4.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133699977640
O17 - HKLM\System\CCS\Services\Tcpip\..\{5556C38E-34D0-4CAA-9D9E-1110F1A3F57D}: NameServer = 194.25.2.129
O23 - Service: ICF - Unknown owner - G:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: KAV Monitor Service (KAVMonitorService) - Kaspersky Labs. - G:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - G:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: TabletService - Wacom Technology, Corp. - G:\WINDOWS\System32\Tablet.exe

--
End of file - 4710 bytes

-------

I know that there should have been updates and all, and now it will be a good lesson :( for me, and as soon as I clean and reinstall it all, I will take better care of my computer and security.

Thank you guys for the forum and help.

Edited by Orange Blossom, 22 May 2008 - 09:40 PM.
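The log above contains several entries that an analyst would flag by hand: a second program appended to the UserInit value, autostart entries pointing into user-profile and Application Data folders, executable names one typo away from real system binaries, and a service whose binary path uses an alternate data stream and is reported missing. As an added example (not part of this thread and not a HijackThis feature), the following Python script applies those defender-side heuristics to the O4, F2 and O23 lines. The sample lines are copied from the log above; the list of well-known system binary names and the heuristics themselves are assumptions of this example, intended for triage rather than as a verdict.

```python
import re

# Well-known Windows binary names that malware commonly imitates.
# This list is an assumption of the example and is not exhaustive.
KNOWN_SYSTEM_NAMES = sorted({
    "ctfmon.exe", "spoolsv.exe", "svchost.exe", "userinit.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "csrss.exe", "smss.exe",
})

# Sample lines copied from the HijackThis log in this thread (the benign
# QuickTime, ctfmon and Tablet entries are included for contrast).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,G:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ntuser] G:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] G:\Documents and Settings\Julia\cftmon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [rnf9C2kEIq] G:\Documents and Settings\All Users\Application Data\hupaxujy\lcxazwds.exe
O23 - Service: ICF - Unknown owner - G:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - G:\WINDOWS\System32\Tablet.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First .exe path in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)\b', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot names like cftmon.exe vs ctfmon.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the known system binary this file name imitates, or None."""
    name = name.lower()
    for known in KNOWN_SYSTEM_NAMES:
        if name != known and levenshtein(name, known) <= 2:
            return known
    return None


def extract_exe(cmd: str):
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else None


def check_path(path):
    """Heuristics on where an autostart binary lives and what it is called."""
    if not path:
        return []
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    twin = lookalike(name)
    if twin:
        reasons.append(f"{name} resembles system binary {twin}")
    if "\\documents and settings\\" in low:
        reasons.append("autostart from a user-profile or Application Data directory")
    if "\\drivers\\" in low:
        reasons.append("executable started from the drivers directory")
    return reasons


def analyze(log_text: str):
    """Return a list of {'line', 'reasons'} for every log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if (m := O4_RE.match(line)):
            reasons += check_path(extract_exe(m["cmd"]))
            if "policies\\explorer\\run" in m["key"].lower():
                reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
        elif (m := F2_RE.match(line)):
            extras = [p.strip() for p in m["value"].split(",")
                      if p.strip() and not p.strip().lower().endswith("\\userinit.exe")]
            if extras:
                reasons.append("UserInit launches extra program(s): " + ", ".join(extras))
        elif (m := O23_RE.match(line)):
            path = m["path"]
            if "(file missing)" in path:
                reasons.append("service binary reported missing")
            path = path.replace("(file missing)", "").strip()
            if ":" in path[2:]:  # a colon after the drive letter means an NTFS alternate data stream
                reasons.append("service path points into an alternate data stream")
            reasons += check_path(extract_exe(path))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

Run on the sample, the script flags the UserInit line, the two lookalike binaries, the Policies\Explorer\Run entry and the ICF service, while the QuickTime, ctfmon and Wacom entries pass. A hit means "look closer", not "malicious": the heuristics only encode what a human reviewer checks first, and a real triage would still verify hashes and vendor signatures.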



#2 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:01:20 AM

Posted 31 May 2008 - 04:06 PM

Welcome to Bleeping Computer, please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log, Instructions for receiving help in cleaning your computer http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait, if your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

You are very badly infected and you need this information:
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Let us know what you have decided to do in your next post.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:01:20 AM

Posted 08 June 2008 - 07:41 AM

There has been no response to this topic in a week.
This topic is closed.
Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
