
Backdoor Trojans


4 replies to this topic

#1 Iceland

Iceland

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:21 AM

Posted 03 October 2009 - 06:57 PM

Hi.
I performed a scan with Kaspersky Virus Removal Tool and it located 4 backdoor Trojans.
I have removed them but still my computer (Windows XP) is behaving strangely. I can't connect to antivirus update servers. If I can, the downloaded files are incomplete and impossible to open. Scrolling up or down in a page stops. The computer freezes more than normal. Booting up is slow. I have done full antivirus scans with PC Tools antivirus and also adware/malware scans but that ended up with nothing. Clean computer, it says :ranting. So now I'm getting a bit frustrated :flowers:
I need some help on this one. Is there somebody out there that knows something about this??? :thumbsup:

Thanks:clapping:

Kjell



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:21 AM

Posted 03 October 2009 - 08:42 PM

I am moving this from XP to the Am I Infected forum as you are.

Let's see if these will run.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
I need you to do this so we can tell exactly what you have here.
Please search your drive for ctfmon.exe
Next upload the file(s) to Virus Total
Post their reply here, thanks.

Edited by boopme, 03 October 2009 - 08:43 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Iceland

Iceland
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:21 AM

Posted 04 October 2009 - 02:42 PM

Hi again.
Here is the report from Virus total.
1:
File CTFMON.EXE-0E17969B.pf received on 2009.10.04 19:31:24 (UTC)
Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.10.04 -
AhnLab-V3 5.0.0.2 2009.10.03 -
AntiVir 7.9.1.27 2009.10.02 -
Antiy-AVL 2.0.3.7 2009.10.04 -
Authentium 5.1.2.4 2009.10.04 -
Avast 4.8.1351.0 2009.10.04 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.04 -
CAT-QuickHeal 10.00 2009.10.03 -
ClamAV 0.94.1 2009.10.03 -
Comodo 2513 2009.10.04 -
DrWeb 5.0.0.12182 2009.10.04 -
eSafe 7.0.17.0 2009.10.04 -
eTrust-Vet 31.6.6774 2009.10.02 -
F-Prot 4.5.1.85 2009.10.04 -
F-Secure 8.0.14470.0 2009.10.03 -
Fortinet 3.120.0.0 2009.10.04 -
GData 19 2009.10.04 -
Ikarus T3.1.1.72.0 2009.10.04 -
Jiangmin 11.0.800 2009.10.04 -
K7AntiVirus 7.10.861 2009.10.03 -
Kaspersky 7.0.0.125 2009.10.04 -
McAfee 5761 2009.10.04 -
McAfee+Artemis 5761 2009.10.04 -
McAfee-GW-Edition 6.8.5 2009.10.04 -
Microsoft 1.5101 2009.10.04 -
NOD32 4479 2009.10.04 -
Norman 6.01.09 2009.10.04 -
nProtect 2009.1.8.0 2009.10.04 -
Panda 10.0.2.2 2009.10.04 -
PCTools 4.4.2.0 2009.10.04 -
Prevx 3.0 2009.10.04 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.04 -
Sunbelt 3.2.1858.2 2009.10.04 -
Symantec 1.4.4.12 2009.10.04 -
TheHacker 6.5.0.2.028 2009.10.03 -
TrendMicro 8.950.0.1094 2009.10.04 -
VBA32 3.12.10.11 2009.10.03 -
ViRobot 2009.10.2.1968 2009.10.02 -
VirusBuster 4.6.5.0 2009.10.04 -
Additional information
File size: 48334 bytes
MD5...: c16d2fdea63423338e03626af03724a0
SHA1..: 67c6ff6cdf79e39b0f415786045e5c521695503b
SHA256: 47fd4dcfe8eb377908304d2d721ad5f406d161783088ad68815f33c34c593f67
ssdeep: 768:6Tv6ok6T296p4RsC64VfPmUztybhplo1hr:6Tv6oT+6pk5V2UJCoT
PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
trid..: Microsoft Windows XP Prefetch file (98.9%)
LTAC compressed audio (v1.71) (1.0%)
pdfid.: -

2:
File RootRepeal.txt received on 2009.10.04 19:22:52 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.10.04 -
AhnLab-V3 5.0.0.2 2009.10.03 -
AntiVir 7.9.1.27 2009.10.02 -
Antiy-AVL 2.0.3.7 2009.10.04 -
Authentium 5.1.2.4 2009.10.04 -
Avast 4.8.1351.0 2009.10.04 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.04 -
CAT-QuickHeal 10.00 2009.10.03 -
ClamAV 0.94.1 2009.10.03 -
Comodo 2513 2009.10.04 -
DrWeb 5.0.0.12182 2009.10.04 -
eSafe 7.0.17.0 2009.10.04 -
eTrust-Vet 31.6.6774 2009.10.02 -
F-Prot 4.5.1.85 2009.10.04 -
F-Secure 8.0.14470.0 2009.10.03 -
Fortinet 3.120.0.0 2009.10.04 -
GData 19 2009.10.04 -
Ikarus T3.1.1.72.0 2009.10.04 -
Jiangmin 11.0.800 2009.10.04 -
K7AntiVirus 7.10.861 2009.10.03 -
Kaspersky 7.0.0.125 2009.10.04 -
McAfee 5761 2009.10.04 -
McAfee+Artemis 5761 2009.10.04 -
McAfee-GW-Edition 6.8.5 2009.10.04 -
Microsoft 1.5101 2009.10.04 -
NOD32 4479 2009.10.04 -
Norman 6.01.09 2009.10.04 -
nProtect 2009.1.8.0 2009.10.04 -
Panda 10.0.2.2 2009.10.04 -
PCTools 4.4.2.0 2009.10.04 -
Prevx 3.0 2009.10.04 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.04 -
Sunbelt 3.2.1858.2 2009.10.04 -
Symantec 1.4.4.12 2009.10.04 -
TheHacker 6.5.0.2.028 2009.10.03 -
TrendMicro 8.950.0.1094 2009.10.04 -
VBA32 3.12.10.11 2009.10.03 -
ViRobot 2009.10.2.1968 2009.10.02 -
VirusBuster 4.6.5.0 2009.10.04 -
Additional information
File size: 20980 bytes
MD5 : 67bf1b4965ba46e4461d0fb6e6bf29e9
SHA1 : 04409f626e600814d3ece7f0ee93044e4a7c624a
SHA256: ac75915d56c4011fbf13288ad6a27ce627453d58fec8e00f9253aa80bffdb65b
TrID : File type identification
Text - UTF-16 (LE) encoded (64.4%)
MP3 audio (32.2%)
Lumena CEL bitmap (2.0%)
Corel Photo Paint (1.3%)
ssdeep: 384:zpAdapZal0a/8Fs/99G07rrRreyRO5SQLs3fnWwPUqPYUKW51VGPJUn5INFObn5z:4abxK2Jn+R
PEiD : -
packers (F-Prot): Unicode
RDS : NSRL Reference Data Set.

This is it. I guess I need some more help on this one because I do not know what to do now :flowers:. So the question now is what to do from here :thumbsup:
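A note on the first VirusTotal report above: VirusTotal's own type line identifies CTFMON.EXE-0E17969B.pf as a Windows XP Prefetch file. A Prefetch record is metadata Windows writes about a program that ran; it is not ctfmon.exe itself, so a 0/41 result on it says nothing about the executable in C:\WINDOWS\system32. The Python script below is an added example (not code from the thread or from VirusTotal): it fingerprints a file the way the report does (size, MD5, SHA1, SHA256), classifies it from its magic bytes as a PE executable or a Prefetch record, and compares it with the hashes quoted in the thread. The sample inputs are constructed in the script, so they will not match the thread's hashes; the function names and the `THREAD_REPORTED` table are this example's own.

```python
"""
Added example: fingerprint a file the way VirusTotal reports it and check,
from its magic bytes, whether it is the executable itself or only a Prefetch
(.pf) record about that executable.
"""
import hashlib
import struct

# Values copied from the thread's first VirusTotal report (the .pf submission).
THREAD_REPORTED = {
    "CTFMON.EXE-0E17969B.pf": {
        "size": 48334,
        "md5": "c16d2fdea63423338e03626af03724a0",
        "sha1": "67c6ff6cdf79e39b0f415786045e5c521695503b",
        "sha256": "47fd4dcfe8eb377908304d2d721ad5f406d161783088ad68815f33c34c593f67",
    },
}


def classify(data: bytes) -> str:
    """Coarse file type from magic bytes: 'pe', 'prefetch' or 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"
    # Windows Prefetch files begin with a 32-bit format version (0x11 on XP)
    # followed by the ASCII signature "SCCA" at offset 4.
    if data[4:8] == b"SCCA":
        return "prefetch"
    return "unknown"


def fingerprint(data: bytes) -> dict:
    """Size and hashes in the form VirusTotal prints them, plus the coarse type."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": classify(data),
    }


def matches_report(fp: dict, report: dict) -> bool:
    """True when size and all three hashes agree with a report entry."""
    return all(fp[k] == report[k] for k in ("size", "md5", "sha1", "sha256"))


def review_submission(name: str, data: bytes, reports: dict = THREAD_REPORTED) -> dict:
    """Say whether `data` is the file a report describes and whether it is a PE."""
    fp = fingerprint(data)
    report = reports.get(name)
    return {
        "name": name,
        "type": fp["type"],
        "is_executable": fp["type"] == "pe",
        "same_as_report": report is not None and matches_report(fp, report),
        "fingerprint": fp,
    }


# Constructed sample inputs (not real files): a minimal XP-style Prefetch header,
# a minimal MZ-headed executable stub, and a plain text log, each a few bytes.
SAMPLE_PREFETCH = struct.pack("<I", 0x11) + b"SCCA" + b"\x00" * 56
SAMPLE_PE = b"MZ" + b"\x90" * 62
SAMPLE_TEXT = b"RootRepeal log, constructed sample\r\n"

if __name__ == "__main__":
    for name, blob in (("CTFMON.EXE-0E17969B.pf", SAMPLE_PREFETCH),
                       ("ctfmon.exe", SAMPLE_PE),
                       ("RootRepeal.txt", SAMPLE_TEXT)):
        r = review_submission(name, blob)
        print(f"{r['name']}: type={r['type']} executable={r['is_executable']} "
              f"matches thread report={r['same_as_report']} "
              f"sha256={r['fingerprint']['sha256']}")
```

Run against a real file by reading it in binary mode and passing the bytes to `review_submission`; `is_executable` being False for a name ending in `.pf` is the signal that the wrong artefact was submitted, and `same_as_report` lets you confirm a local copy is byte-for-byte the one an earlier report describes before re-submitting it.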

#4 Iceland

Iceland
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:21 AM

Posted 04 October 2009 - 05:41 PM

Hi again.
I just want to mention that I am running a virus scan and it comes up with some errors.
C:\WINDOWS\system32\ctfmon.exe - error opening
C:\hiberfil.sys - error opening
C:\pagefile.sys - error opening
C:\34548e7fca3a7fcd5f5d299118\mrt.exe - error opening
C:\34548e7fca3a7fcd5f5d299118\mrtstub.exe - error opening

Can that have something to do with my problem maybe???

Regards

Kjell

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,565 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:21 AM

Posted 05 October 2009 - 07:59 PM

Please rerun RootRepeal. Post the log from step 10 here.



Next run MBAM (MalwareBytes):


NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.