Help Removing Trojan Horse Backdoor.Generic6.EEU


17 replies to this topic

#1 Chrissytina
  • Members
  • 15 posts

Posted 06 January 2009 - 03:34 PM

I made a vital mistake of opening an email that directed me to a message board on a classmates site for information on our next class reunion. It wanted me to click on a PDF file to view the information on video about the reunion. This installed the Trojan horse to my system and was picked up by AVG. AVG says it healed it however I kept receiving a message that a threat was detected. I tried putting it in the virus vault and nothing changed. So, I started googling how to get rid of it. I found a forum that someone had posted this very problem in. The replier told her to use Combofix, so I downloaded combofix and ran it. I have a log file and am wondering what to do next.

(I originally posted this in another forum on this site and the person who replied told me ComboFix was to be used only under supervision of an expert. I understand that now, but didn't realize that when I ran it.)

I use a desktop replacement with OS Windows XP. Basically, what's happening is the Trojan is slowing my computer down, especially when I have AVG enabled (I have it disabled now so I could run ComboFix). It doesn't really appear to be causing any other problems at the moment, but as soon as I realized I had a Trojan on my computer, I basically stopped using it. I can use internet explorer fine, but programs such as iTunes and Word are having trouble starting up. It's more of an annoyance than anything else at this point, but I'd rather not wait until it turns into a big problem. Thanks for your help in advance!

#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 January 2009 - 03:37 PM

Hello Chrissytina.

Let's see what we can find.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup file to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

With Regards,
The Panda

#3 Chrissytina
  • Topic Starter
  • Members
  • 15 posts

Posted 06 January 2009 - 04:00 PM

Okay, this sounds silly, but how do I include the logfile? I can't copy and paste it and I can't attach it to this post.

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 January 2009 - 04:06 PM

Hello.

Click on the Logs tab. Double-click the log and it should open in Notepad.

With Regards,
The Panda

#5 Chrissytina
  • Topic Starter
  • Members
  • 15 posts

Posted 06 January 2009 - 04:11 PM

Okay, sorry. Here you go.

Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3

2009-01-06 15:56:12
mbam-log-2009-01-06 (15-56-01).txt

Scan type: Quick Scan
Objects scanned: 54800
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 January 2009 - 04:29 PM

Hello Chrissytina.

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

With Regards,
The Panda

#7 Chrissytina
  • Topic Starter
  • Members
  • 15 posts

Posted 06 January 2009 - 04:44 PM

Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3

2009-01-06 16:38:28
mbam-log-2009-01-06 (16-38-28).txt

Scan type: Quick Scan
Objects scanned: 54824
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
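
The "No action taken" check the Panda describes in post #6, as an added example that is not part of the thread: a small Python parser for the MBAM log format shown in posts #5 and #7. It pulls the summary counts and every itemised detection, flags the ones MBAM left in place, and compares an earlier log against a later one to list paths that were never reported as quarantined. The embedded sample is a constructed excerpt of the two logs above (four of the eighteen items, with the second log derived from the first exactly as the thread's second log differs from its first); the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the MBAM log in post #5. Only four of the listed
# detections are reproduced, so the header counts exceed the itemised lines;
# that is a property of this excerpt, not of MBAM.
LOG_BEFORE = r"""
Malwarebytes' Anti-Malware 1.32
Database version: 1625
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 54800
Time elapsed: 4 minute(s), 31 second(s)

Registry Keys Infected: 16
Registry Values Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.
"""

# The log in post #7 differs from post #5 only in the action text and the
# object count, so the second sample is derived rather than re-typed.
LOG_AFTER = LOG_BEFORE.replace("No action taken.", "Quarantined and deleted successfully.") \
                      .replace("54800", "54824")

# "<path> (<family>) -> <action>."  e.g. a registry key or file line
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# "Registry Keys Infected:" (section header) vs "Registry Keys Infected: 16" (summary)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str


@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    def unremoved(self):
        """Detections MBAM listed but did not touch (the post #6 failure mode)."""
        return [d for d in self.detections if d.action.lower().startswith("no action")]

    def families(self):
        return sorted({d.family for d in self.detections})

    def is_remediated(self):
        return not self.unremoved()


def parse_mbam_log(text):
    report = MbamReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.split()[-1]
        elif line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
        elif COUNT_RE.match(line):
            m = COUNT_RE.match(line)
            report.counts[m.group("name")] = int(m.group("n"))
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group("name")
        elif section and ITEM_RE.match(line):
            m = ITEM_RE.match(line)
            report.detections.append(
                Detection(section, m.group("path"), m.group("family"), m.group("action")))
    return report


def still_present(before, after):
    """Paths flagged in an earlier log that the later log never reports as quarantined."""
    removed = {d.path for d in after.detections if not d.action.lower().startswith("no action")}
    return [d.path for d in before.detections if d.path not in removed]


def summarize(report):
    """One-line verdict of the kind a helper reads before replying."""
    pending = report.unremoved()
    if not report.detections:
        return "no detections"
    if pending:
        return (f"{len(pending)} of {len(report.detections)} detections still present "
                "(No action taken); rescan, click Remove Selected and reboot")
    return f"all {len(report.detections)} detections quarantined ({', '.join(report.families())})"


if __name__ == "__main__":
    before, after = parse_mbam_log(LOG_BEFORE), parse_mbam_log(LOG_AFTER)
    print(summarize(before))
    print(summarize(after))
    print("never removed:", still_present(before, after))
```

Matching on the action text rather than on the counts is deliberate: the summary counts are identical in both of the thread's logs, so they cannot tell a logged-but-ignored scan from a remediated one; only the per-item "No action taken" suffix does.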

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 January 2009 - 05:23 PM

Hello Chrissytina.

Doesn't look like anything serious.

Could you please tell us what AVG flagged as the backdoor trojan?

With Regards,
The Panda

#9 Chrissytina
  • Topic Starter
  • Members
  • 15 posts

Posted 06 January 2009 - 05:55 PM

It found BackDoor.Generic6.EEU in C:\WINDOWS\new_drv.sys

Edited by Chrissytina, 06 January 2009 - 05:55 PM.


#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 January 2009 - 08:24 PM

Hello Chrissytina.

Not great news.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding the prevention of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.
-----------
If you would like to try to disinfect, we'll take it over to the Malware Removal Forum.

With Regards,
The Panda

#11 Chrissytina
  • Topic Starter
  • Members
  • 15 posts

Posted 06 January 2009 - 09:52 PM

Luckily, I haven't used the infected computer for much of anything since I found out about it, and I never store online passwords using internet explorer. I changed passwords of the few things I used after it was infected on a clean PC. I was reading the reformat/re-install link you provided. I typically use my computer for school papers, research, email, web surfing, and playing games. Once every few days I also check my bank account online. My computer is connected to the internet wirelessly, but like I said, I haven't really done anything on it. Is that just what's considered opening a port and listening? I also have had AVG enabled except at the very start of this when I ran Combofix. After using the Malwarebytes program, I rescanned with AVG and it found nothing, nor did the "threat detected" message pop up at all. I also noticed that the file C:\WINDOWS\new_drv.sys is no longer there like it was before. I can also open and use the programs I couldn't before.

By trying to disinfect, do you mean completely wiping my hard drive clean and reinstalling a clean version of my OS?

#12 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 January 2009 - 08:16 AM

Hello.

By disinfect, we mean remove the infection.

From the current description, it looks like the infection was removed to me.

With Regards,
The Panda

#13 Chrissytina
  • Topic Starter
  • Members
  • 15 posts

Posted 07 January 2009 - 11:01 AM

Sure, let's do that, but I agree with you.

#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 January 2009 - 11:44 AM

Hello.

ComboFix should have taken out the infection.

Let's just check for anything remaining.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
With Regards,
The Panda

#15 Chrissytina
  • Topic Starter
  • Members
  • 15 posts

Posted 07 January 2009 - 05:28 PM

Wow, that scan did take a while. Here's the report:

Scanning Report
Wednesday, January 07, 2009 12:06:00 - 17:23:00

Computer name: ACER-7A825642D0
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\
Result: 1 malware found
TrackingCookie.2o7 (spyware)

* System

Statistics
Scanned:

* Files: 35087
* System: 3533
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\HIBERFIL.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM

Options
Scanning engines:

* F-Secure USS: 2.40.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 2.8.8110, 2009-01-07
* F-Secure Pegasus: 1.20.0, 2008-11-17
* F-Secure AVP: 7.0.171, 2009-01-07

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics



