
Infected with Win32.Backdoor.DNM Pop-Ups, Can't Use Web Browser


  • This topic is locked
2 replies to this topic

#1 J_PAY

  • Members
  • 8 posts

Posted 01 March 2009 - 11:20 AM

Here's what's happening:
1. A Windows Security pop-up keeps showing up, it refers to win32.backdoor.dnm
2. When I open FF or IE, the first page says I need to download Windows Defender 2009 (I haven't)
3. My browser session crashes within 30 seconds, sometimes immediately.

I ran the malware app and it removed some malicious files, but the three issues listed above did not go away.

DDS text file copied here, and DDS Attach is attached. Thanks for the help, I have used bleepingcomputer before for this type of issue, and really appreciated the service.

------------------------------------------------------------------------
DDS (Ver_09-02-01.01) - NTFSx86
Run by Jason at 7:55:42.93 on Sun 03/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.166 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Corel\Corel GuideMenu\GuideMenu.exe
C:\Documents and Settings\Jason\Application Data\Google\wcwdu16814728.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
uDefault_Page_URL = hxxp://www.dell.ca/myway
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell.ca/myway
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: AutorunsDisabled - No File
BHO: {98663E21-9CCE-4CF6-863C-911A9523A66F} - No File
BHO: {ca5ca04d-a757-407a-9c7d-a55a7001c0e7} - No File
BHO: {F5467C4D-1CC4-4A8D-ABA4-457EB98CD735} - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: {2555DD4A-9592-4912-B3F4-D98D45A305BA} - No File
BHO: {29328502-10B3-4F38-A2C8-0FAEDEC772F5} - No File
BHO: {30E9981B-C6DB-4EB2-9812-5DD4ED088645} - No File
BHO: {313ABE6D-0559-422A-B9B7-EDDBB4A0C53E} - No File
BHO: {48619C55-E8B9-4021-9894-86A5ACCD72A3} - No File
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - No File
BHO: {652CA2FC-BB06-4B81-A767-173278182438} - No File
BHO: {6A402D60-0E0A-44C7-834B-852EB704E1E0} - No File
BHO: {6e9b5918-6f5c-4fa8-b872-b3f3c3b1bb2b} - No File
BHO: {74B21D9E-A119-4523-93D3-7F4FC2192B46} - No File
BHO: {752743CD-1DBF-4C12-8959-F150E0410D84} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {84298C20-2BD1-4BAC-8B10-0A33145698C5} - No File
BHO: {8CFDFB12-837A-41BB-993C-0FA5707C773D} - No File
BHO: {926F9303-8FF2-4844-B165-A299EE8F29D7} - No File
BHO: {93702802-578C-4DE2-8A7E-51A86223B880} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: {B1C468DB-99CE-4191-A8FF-89D9715C0715} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E0DD9011-6410-4C6B-8CD3-B903D6C8E799} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
mRun: [D-Link AirPlus XtremeG] "c:\program files\d-link\airplus xtremeg\AirPlusCFG.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GuideMenu] "c:\program files\corel\corel guidemenu\GuideMenu.exe" -hide
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [AppleSyncNotifier] "c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe"
mRun: [MSKDetectorExe] "c:\program files\mcafee\spamkiller\MSKDetct.exe" /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [realtecks] "c:\documents and settings\jason\application data\google\wcwdu16814728.exe" 2
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://www.epost.ca/printing/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152311626188
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://pix.futureshop.ca/en/ImageUploader4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} - hxxp://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jason\applic~1\mozilla\firefox\profiles\vsua4e4f.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-7-28 29808]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-7-28 3577192]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2004-10-6 283904]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2004-10-4 43392]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-2-2 40488]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-02-28 21:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-28 21:48 <DIR> --d----- c:\docume~1\jason\applic~1\Malwarebytes
2009-02-10 22:39 <DIR> --d----- c:\program files\iPod

==================== Find3M ====================

2009-02-14 21:13 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2009-01-13 18:37 61,224 a------- c:\documents and settings\jason\GoToAssistDownloadHelper.exe
2008-12-19 01:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 01:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-18 21:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-18 21:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2007-04-25 00:49 328 -------- c:\program files\GuideMenuSetup.iss
2007-04-05 19:28 1,237 -------- c:\program files\WinDVDSetup.iss
2008-08-17 21:04 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081720080818\index.dat

============= FINISH: 8:03:12.73 ===============


#2 J_PAY
  • Topic Starter

  • Members
  • 8 posts

Posted 07 March 2009 - 07:27 PM

You can close this topic, I was able to remove this virus on my own, I found some easy to follow directions:

- boot to safe mode

- run msconfig and look for anything in the startup tab that looks like “wcwdu16814728.exe” and disable it from startup (write this down so you remember it - the name may be slightly different depending on the version you’re infected by)

- now go to C:\Documents and Settings\username\Application Data\Google and delete that wcwdu16814728.exe (or whatever similar name you found in the previous step) (you will need to be able to access "hidden files" for this step)

- open regedit (click start, then run, and type “regedit”)

- remember to back up your registry before changing ANYTHING. Click on “File” on the upper left, click on “Export Registry File”, save it under something you recognize, Save (for a location I just put it on my desktop)

- start at the top of the tree (make sure you highlight at the very top on “My Computer”). Go to Edit/Find and do a search through the entire registry for whatever the name of your wcwdu….exe file was. I searched for “wcwdu16814728”. It will come up usually at least 2 times in the registry. When it finds something with the exact name, delete it and then go to Search -> Find Next, and repeat for all occurrences
(I myself deleted win32.backdoor-DNM and wcwdu16814728.exe which seemed to work)

- close registry

- now do a Windows search for that file wcwdu16814728 (click Start -> Search). It will show up in the C:\WINDOWS\Prefetch folder or something close to that. Delete the file from there

- empty your trash

- reboot machine

- enjoy your computer
Source(s): Yahoo Answers and Google search
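The DDS log in the first post and the hand-removal steps in the post above describe the same thing from two sides: an autorun entry (`mRun: [realtecks]`) whose target lives in the user's Application Data folder, and the registry value, file and Prefetch entry that have to go to remove it. The script below is an added example for this thread, not a BleepingComputer or DDS tool: it reads the Running Processes and Pseudo HJT sections of a DDS log, flags targets that execute from user-writable profile paths or carry generated-looking names, and prints for each hit the Run key and value name, the file, and the XP Prefetch entry. The sample input is copied from the log above; the two heuristics, the `Finding` field names and the `NAME.EXE-*.pf` Prefetch glob are the example's own assumptions.

```python
"""DDS autorun triage: flag Run-key targets and running processes that execute
from user-writable profile paths, and show what to remove for each hit.
Added example for this thread; not a BleepingComputer or DDS tool."""
import re
from dataclasses import dataclass

# Sample input copied from the DDS log in the first post (the 'realtecks'
# entry is the one the poster later removed by hand).
DDS_SAMPLE = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Jason\Application Data\Google\wcwdu16814728.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe

============== Pseudo HJT Report ===============

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
mRun: [realtecks] "c:\documents and settings\jason\application data\google\wcwdu16814728.exe" 2
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
"""

# DDS convention: uRun = current user's Run key, mRun = machine-wide Run key.
RUN_KEYS = {
    "u": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "m": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}
RUN_LINE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
# Profile locations a non-admin user can write to; vendor installers put
# their autorun binaries under Program Files or system32 instead.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Assumed heuristic: a letter run followed by 5+ digits (wcwdu16814728.exe)
# is a generated name, not something a vendor ships.
RANDOM_NAME = re.compile(r"^[a-z]{3,}\d{5,}\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: list
    registry: str = ""   # "KEY -> value name" when an autorun entry points here
    prefetch: str = ""   # XP Prefetch entry (NAME.EXE-<hash>.pf) to remove last


def classify(path: str) -> list:
    """Return the reasons a path looks suspicious; empty list means clean."""
    low = path.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    if RANDOM_NAME.match(low.rsplit("\\", 1)[-1]):
        reasons.append("generated-looking file name")
    return reasons


def triage(dds_text: str) -> list:
    """Parse Running Processes and Run-key lines; merge hits by target path."""
    findings = {}
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            pm = EXE_PATH.match(m["cmd"])
            if not pm:
                continue
            path, registry = pm["path"], f'{RUN_KEYS[m["hive"]]} -> {m["name"]}'
        elif line.lower().endswith(".exe") and line[1:3] == ":\\":
            path, registry = line, ""          # a running-process line
        else:
            continue
        reasons = classify(path)
        if not reasons:
            continue
        f = findings.setdefault(path.lower(), Finding(path, reasons))
        if registry:
            f.registry = registry
        exe = path.rsplit("\\", 1)[-1].upper()
        f.prefetch = f"C:\\WINDOWS\\Prefetch\\{exe}-*.pf"
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(DDS_SAMPLE):
        print(f.path)
        for r in f.reasons:
            print("   reason:  ", r)
        if f.registry:
            print("   registry:", f.registry)
        print("   prefetch:", f.prefetch)
```

On the sample it reports wcwdu16814728.exe with both reasons, its HKLM Run value `realtecks` and the Prefetch glob, and it also reports Dell's TransferAgent.exe, which legitimately lives under All Users\Application Data. That second hit is why the output is a candidate list and not a delete list: confirm each entry (vendor, signature, a scan of the file) before touching it, and export the registry first as the post above says. Deleting the dropper's file and Run value clears the visible symptom; it does not by itself show that nothing else was installed alongside it, which is what posting the full DDS log for review is meant to answer.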

#3 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA

Posted 07 March 2009 - 07:31 PM

Thanks for informing us. Good Luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)
