Backdoor Trojan (I think) [Moved]

4 replies to this topic

#1 krit86lr

Posted 07 June 2009 - 01:40 PM

Hello,

I apologize, but the dds.scr program did not run on the infected PC so I cannot provide that as of yet. I hope that I am posting in the appropriate thread, please move if necessary. Sometimes pictures speak louder than words so here is a screen shot of the desktop.

[Screenshot of the infected desktop, not preserved]

I started getting the 'Access Denied' box which leads me to believe that the administrative rights have been corrupted. I have no access to User Accounts, System Restore, or the C Drive. Oh! And I cannot open task manager. I do have access to cmd.

I logged in as Administrator in Safe Mode, and the only task that I was able to complete was to disable some services.

I ran Dial-A-Fix from my thumb drive, and it could not repair the permissions.

Dial-a-fix also displayed 2 Restrictive policies which it could not delete:
1. HKEY_CURRENT_USER\Software\MS\Windows\Currentversion\Policies\System\NoDispBackgroundPage (value=1; Type=REG_DWORD)
2. HKEY_LOCAL_MACHINE\Software\MS\Windows\Currentversion\Policies\System\NoDispBackgroundPage (value=1; Type=REG_DWORD)

Comedian encounters an error then closes. TFC, and ATF Cleaner seemed to run okay but none of the others run at all.

Can I slave the hard drive of the infected PC to my laptop and run the malware removal programs that way, or will it just infect my laptop by doing that?

Hope that helps! Thanks again.


#2 Orange Blossom

Posted 07 June 2009 - 01:48 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Question: Are you running 64 bit windows?

#3 krit86lr

Posted 07 June 2009 - 04:24 PM

Thank you. The infected PC is running XP Home SP3. I can't run any Malware Cleaners, Scripts, or Programs that produce log files. However, I was able to look at the startup menu in msconfig (go figure), and found the following programs that seem suspicious.

lich.exe
AlfaCleaner.exe
WinBlueSoft
winstall.exe
spyware doctor

I hope this helps you help me. Thanks again.
K~

#4 krit86lr

Posted 07 June 2009 - 05:03 PM

I just had a breakthrough! I changed the HijackThis.exe file to HijackThis.scr and it ran and produced a logfile. I am working on the other program now.

The 'O20 - AppInit_DLLs: blocker.dll' seems to be a chunk of the problem.

"It is another part of the malware recipe that WinBlueSoft uses called blocker.dll that makes this infection more devastating. Blocker.dll is a malware file that is loaded through the Windows AppInit_DLLs Registry value. When loaded, blocker.dll will make it so that you cannot launch any programs unless the program's filename is among the 53 filenames that it allows such as iexplore.exe, explorer.exe, sidebar.exe, and of course WinBlueSoft.exe. Essentially, the blocker.dll is acting as Ransomware requiring you to install and purchase WinBlueSoft, so that WinBlueSoft can then remove blocker.dll and allow you to launch your normal programs." (http://www.bleepingcomputer.com/virus-removal/remove-winbluesoft)
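
An added audit script, not part of this thread or of BleepingComputer's removal guide, that reads the AppInit_DLLs load point the quoted article describes and the Policies\System values Dial-a-fix reported. It assumes an elevated PowerShell 4 or later session on the examined machine; DisableTaskMgr is included as the standard policy value behind a blocked Task Manager.

```powershell
# Added example: audit the AppInit_DLLs injection point abused by blocker.dll and the
# Policies\System restrictions mentioned in the thread. Assumes PowerShell 4+ (Get-FileHash).
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit    = Get-ItemProperty -Path $appInitKey -ErrorAction SilentlyContinue

$dlls     = [string]$appInit.AppInit_DLLs
$loadFlag = $appInit.LoadAppInit_DLLs   # Vista and later only; absent on XP, where the list is always honoured

Write-Host "AppInit_DLLs     : '$dlls'"
if ($null -eq $loadFlag) { Write-Host 'LoadAppInit_DLLs : (not present; XP behaviour, DLLs load unconditionally)' }
else                     { Write-Host "LoadAppInit_DLLs : $loadFlag" }

if ($dlls.Trim()) {
    # The value is a space- or comma-separated list; resolve each entry and hash whatever exists on disk
    foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        $path = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $env:SystemRoot "System32\$entry" }
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
            Write-Host "  $entry -> $path  SHA256=$hash  signature=$sig"
        } else {
            Write-Host "  $entry -> not found on disk (orphaned entry or non-default search path)"
        }
    }
} else {
    Write-Host '  (empty: nothing is injected into user-mode processes via AppInit_DLLs)'
}

# Policy values from the thread. Dial-a-fix printed the vendor key as 'MS'; the real key is 'Microsoft'.
$policyPaths = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System')
foreach ($p in $policyPaths) {
    foreach ($name in 'NoDispBackgroundPage', 'DisableTaskMgr') {
        $v = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v) { Write-Host "$p\$name = $v" }
    }
}
```

A non-empty AppInit_DLLs entry that is unsigned or lives outside System32 is the indicator to compare against the removal guide; clearing the value is only safe after the file itself has been identified.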

#5 garmanma

Posted 08 June 2009 - 03:27 PM

Welcome to BC

I changed the HijackThis.exe file to HijackThis.scr and it ran and produced a logfile.


Since you now produced a HJT log, please start a new post in our HJT forum
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

They have a bit of a backlog so it will be a while until they get to you.
Please be patient and good luck.
Mark