
Backdoor/trojan Infection (unknown Type)


This topic is locked. 2 replies to this topic.

#1 chuckfinf

chuckfinf

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:32 PM

Posted 31 August 2008 - 06:14 PM

Dear sir or madam,

First, thanks in advance to whomever takes the time to help me out. This is my first time posting, and I hope I am following the accepted protocols. I have been working on the "family" computer, a Gateway GT 5058 with 4 gig RAM and AMD Athlon 64 x2 3800+ cpu running XP Media Center Edition with SP2. The computer has the current McAfee Security suite (VirusScan, Personal Firewall, Security Center, Site Advisor, Anti Spam, etc.) running. I think that my son or wife fell victim to some "human engineering" attack and clicked on or opened something they shouldn't. Anyway, a short while ago, McAfee started alarming on suspicious activity (I did not actually read the messages; my family simply acknowledged them and kept doing what they were doing). :thumbsup: I finally started to try to eliminate the problem as follows: Scanned with McAfee VirusScan and found nothing. Tried to download the current version of AdAware, and was stopped by a warning message in a box that looked like the XP theme. At top, it says "Security Alert", and in the box it says "Your current security settings do not allow this file to be downloaded". The only control in the box is an "ok" button to acknowledge and close the box. Turns out that this message pops up almost every time I try to download any of a number of AV / spyware / malware tools. I am suspicious that this message is being created by the infection as a means to prevent removal. (I can download other files without any problem.) I then went to a computer that I was sure was clean, and downloaded a basketful of tools such as HijackThis, AdAware, SuperAntiSpyware, Malwarebytes, Spybot Search and Destroy, CWShredder, CCleaner, and other tools. I put them on a flash drive and copied them to the infected machine.
Anyway, I have been running the group of them for the past two days, and did indeed get rid of suspicious stuff that was running in the background: afisicx.exe, macidwe.exe, noxtcyr.exe, nvsvc32.exe, sobicyt.exe, sotpcea.exe, tdxdowke.exe, and a few others. I researched the filenames on this and other sites, and several of them were associated with some backdoor trojans, and some were unknown. (I suspect that they could be changing their names?) I could not run Spybot Search and Destroy. Every time I tried, the machine locked up. (I had run older versions of this program in the past.) Also tried to run SDFix in safe mode, and another disturbing thing happened. I can not boot into safe mode!! F8 gets me to the right screen, and when safe mode is selected, the process goes as far as displaying the Windows splash screen and locks up. Tried many times. So to sum up, I got rid of some suspicious stuff, am blocked by something from downloading AV / malware / adware tools, can not boot into safe mode, and am starting to get suspicious this thing is really good at hiding. I have attached the two HijackThis files for your viewing pleasure. One is from very early in my work to clean this up, and one is from just a little while ago.

Attached Files





#2 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:32 PM

Posted 16 September 2008 - 12:34 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

Please see here for instructions on how to install HijackThis and make a logfile. Save it to a convenient location and include it in your next reply, please.

Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with HijackThis log and Kaspersky report.

Regards
Microsoft MVP Consumer Security

#3 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:32 PM

Posted 23 September 2008 - 12:25 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security