
Infected with BDS/Backdoor.Gen


  • This topic is locked
48 replies to this topic

#1 yozo67

  • Members
  • 34 posts
  • Gender:Male
  • Location:Louisville, KY

Posted 08 October 2013 - 12:05 AM

Today my friend was trying to speed up my computer, and we noticed that a lot of CPU was being eaten up that shouldn't be, but no programs in my Task Manager showed why. So we ran a virus scan in MalwareBytes and Avira Anti-Virus, and got a few hits, but we're mostly concerned about the things Avira found in its scan.

 

The results found two BDS/Backdoor.Gen files, and we quickly quarantined them, and the friend I mentioned earlier recommended I check with you all to make sure my PC was no longer infected.

 

Thanks.

 

EDIT: I uninstalled GIMP 2, and I installed Paint.NET.



Edited by yozo67, 08 October 2013 - 12:14 AM.
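The symptom in this first post, CPU being eaten with nothing obvious in Task Manager, is commonly a service running inside an svchost.exe host, or a process in another user's session, since Task Manager on Windows 7 hides other users' processes until "Show processes from all users" is clicked and never shows which services an svchost instance hosts. The script below is an added example for this thread, not one of the tools jeffce asks for and not part of any post: it ranks processes by their current CPU share and maps every svchost instance back to the services inside it, with the executable path so an unexpected binary location stands out. It uses only PowerShell 2.0 cmdlets so it runs on a stock Windows 7 box like the one in the logs; run it from an elevated console so all users' processes are visible.

```powershell
# Added example (not from the thread): rank processes by current CPU use and, for
# each svchost.exe instance, list the services it hosts. Run elevated. Only
# PowerShell 2.0 syntax is used so it works on an unmodified Windows 7 install.

function Get-TopCpuConsumers {
    param([int]$Top = 10)

    # PerfFormattedData reports an instantaneous percentage (summed over cores, so it
    # can exceed 100 on a multi-core machine), unlike Get-Process's cumulative seconds.
    $busy = Get-WmiObject Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -ne '_Total' -and $_.Name -ne 'Idle' } |
        Sort-Object PercentProcessorTime -Descending |
        Select-Object -First $Top

    foreach ($entry in $busy) {
        # ExecutablePath is empty for kernel/system pseudo-processes or without elevation.
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId=$($entry.IDProcess)"
        $path = '<unknown>'
        if ($proc -and $proc.ExecutablePath) { $path = $proc.ExecutablePath }

        # Perf instance names look like "svchost", "svchost#1", ...; map the PID back
        # to the services running inside that host process.
        $services = ''
        if ($entry.Name -like 'svchost*') {
            $names = Get-WmiObject Win32_Service -Filter "ProcessId=$($entry.IDProcess)" |
                ForEach-Object { $_.Name }
            $services = $names -join ', '
        }

        New-Object PSObject -Property @{
            Name       = $entry.Name
            ProcessId  = $entry.IDProcess
            CpuPercent = $entry.PercentProcessorTime
            Services   = $services
            Path       = $path
        }
    }
}

Get-TopCpuConsumers | Format-Table Name, ProcessId, CpuPercent, Services, Path -AutoSize
```

Read the Services column for any svchost that sits at the top, and the Path column for anything running from a user-writable location such as AppData or Temp; those are the rows worth naming in a thread like this one before any cleanup tool is run.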



#2 jeffce

    Bleepin' Super Saiyan

  • Malware Response Team
  • 3,442 posts
  • Gender:Male
  • Location:USA

Posted 08 October 2013 - 09:24 PM

Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

 
Having said that....   Let's get going!!  
----------
 

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------

 
AdwCleaner
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.

----------




#3 jeffce (Malware Response Team)

Posted 11 October 2013 - 06:26 AM

Still need help?




#4 yozo67 (Topic Starter)

Posted 11 October 2013 - 03:25 PM

Still need help?

Sorry, I usually don't pay attention to the PC except on weekends :P

 

Anyway, I'm going to run through this now.



#5 yozo67 (Topic Starter)

Posted 11 October 2013 - 03:36 PM


After running the first program, no malicious programs were found.

 

Now, the next one found something. I hope you all have BB Code enabled, or else this will look stupid.

# AdwCleaner v3.007 - Report created 11/10/2013 at 16:31:52
# Updated 09/10/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Gage - GAGE-PC
# Running from : C:\Users\Gage\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : Application Updater

***** [ Files / Folders ] *****

Folder Found C:\Program Files (x86)\Application Updater
Folder Found C:\Program Files (x86)\Common Files\spigot
Folder Found C:\Program Files (x86)\YTD Toolbar
Folder Found C:\Users\Gage\AppData\LocalLow\Search Settings
Folder Found C:\Users\Gage\AppData\Roaming\OpenCandy

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\Search Settings
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKCU\Software\Search Settings
Key Found : [x64] HKCU\Software\Search Settings
Key Found : HKLM\Software\Application Updater
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Found : HKLM\Software\Search Settings
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Gage\AppData\Roaming\Mozilla\Firefox\Profiles\wqv996cv.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2112 octets] - [11/10/2013 16:31:52]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2172 octets] ##########

It found an Application Updater. I don't know if it's important, but I don't want to mess with it until you tell me what to do.

 

EDIT: I smarted up and realized there were tabs. More detections than I thought.

 

Screenshots:


Edited by yozo67, 11 October 2013 - 03:40 PM.
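The registry section of the scan log above is the interesting part for anyone checking a machine by hand: a Browser Helper Object registered under Explorer\Browser Helper Objects\{F3FEE66E-...}, the same CLSID as a value under Internet Explorer\Toolbar and under the per-user URLSearchHooks key (a hook that sees every address-bar entry), plus a service called "Application Updater". The script below is an added example for this thread, not AdwCleaner's logic and not from any post: it walks those three IE load points, resolves each CLSID to the DLL that would be loaded, and reports the flagged service with its binary path. It checks both the native and the Wow6432Node registry views because 32-bit IE on a 64-bit Windows 7 reads the latter; the service name is taken from the log, and only PowerShell 2.0 syntax is used. Running it again after the Clean step later in the thread is the cheap way to confirm the S0 log's deletions actually took.

```powershell
# Added example (not from the thread): enumerate Internet Explorer load points
# (BHOs, toolbars, URLSearchHooks), resolve each CLSID to its DLL, and show the
# "Application Updater" service named in the AdwCleaner log. Run elevated on the
# 64-bit Windows 7 host from the log; both registry views are checked.

function Resolve-Clsid {
    param([string]$Clsid)
    $roots = 'HKLM:\SOFTWARE\Classes\CLSID',
             'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
             'HKCU:\Software\Classes\CLSID'
    foreach ($root in $roots) {
        $key = Join-Path $root $Clsid
        if (Test-Path $key) {
            $name = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            return New-Object PSObject -Property @{ Clsid = $Clsid; Name = $name; Dll = $dll; RegisteredIn = $root }
        }
    }
    # A load point whose CLSID no longer resolves is dangling: nothing loads, but it is a leftover.
    New-Object PSObject -Property @{ Clsid = $Clsid; Name = '<unregistered>'; Dll = $null; RegisteredIn = $null }
}

function Get-IeLoadPoints {
    $guid = '^\{[0-9A-F-]{36}\}$'   # -match is case-insensitive by default

    # 1. Browser Helper Objects: one subkey per CLSID, loaded into every IE (and Explorer) process.
    $bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $bhoRoots) {
        if (Test-Path $root) {
            Get-ChildItem $root | ForEach-Object {
                Resolve-Clsid $_.PSChildName | Add-Member NoteProperty Type 'BHO' -PassThru
            }
        }
    }

    # 2. Toolbars: values named by CLSID under ...\Internet Explorer\Toolbar.
    $tbRoots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
    foreach ($root in $tbRoots) {
        if (Test-Path $root) {
            (Get-Item $root).GetValueNames() | Where-Object { $_ -match $guid } | ForEach-Object {
                Resolve-Clsid $_ | Add-Member NoteProperty Type 'Toolbar' -PassThru
            }
        }
    }

    # 3. URLSearchHooks (per user): values named by CLSID; called for every address-bar entry.
    $ush = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    if (Test-Path $ush) {
        (Get-Item $ush).GetValueNames() | Where-Object { $_ -match $guid } | ForEach-Object {
            Resolve-Clsid $_ | Add-Member NoteProperty Type 'URLSearchHook' -PassThru
        }
    }
}

Get-IeLoadPoints | Format-Table Type, Clsid, Name, Dll -AutoSize

# The service AdwCleaner flagged, with the binary it runs; no output means it is gone.
Get-WmiObject Win32_Service -Filter "Name='Application Updater'" |
    Select-Object Name, State, StartMode, PathName
```

Compare the Dll column with the folders listed in the log: a load point whose DLL lives under one of those paths is the live component, while an entry with no InprocServer32 is only a dangling registration. On a clean machine the BHO and hook list should contain only components you can account for, and the service query should return nothing.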


#6 jeffce (Malware Response Team)

Posted 11 October 2013 - 03:54 PM

AdwCleaner

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

------------


Edited by jeffce, 11 October 2013 - 03:54 PM.



#7 yozo67 (Topic Starter)

Posted 11 October 2013 - 04:12 PM


# AdwCleaner v3.007 - Report created 11/10/2013 at 17:07:45
# Updated 09/10/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Gage - GAGE-PC
# Running from : C:\Users\Gage\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : Application Updater

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Application Updater
Folder Deleted : C:\Program Files (x86)\YTD Toolbar
Folder Deleted : C:\Program Files (x86)\Common Files\spigot
Folder Deleted : C:\Users\Gage\AppData\LocalLow\Search Settings
Folder Deleted : C:\Users\Gage\AppData\Roaming\OpenCandy

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F3FEE66E-E034-436A-86E4-9690573BEE8A}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{F3FEE66E-E034-436A-86E4-9690573BEE8A}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Key Deleted : HKCU\Software\Search Settings
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKLM\Software\Application Updater
Key Deleted : HKLM\Software\Search Settings

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\Gage\AppData\Roaming\Mozilla\Firefox\Profiles\wqv996cv.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2260 octets] - [11/10/2013 16:31:52]
AdwCleaner[R1].txt - [2320 octets] - [11/10/2013 17:06:42]
AdwCleaner[S0].txt - [2240 octets] - [11/10/2013 17:07:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2300 octets] ##########

 

It seems my CPU is getting a well deserved break now. http://gyazo.com/a8c2a470add9769552a0c3a64f7d17f5



#8 jeffce (Malware Response Team)

Posted 11 October 2013 - 04:24 PM

Good to hear!   :)
 
ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note:  It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.



#9 yozo67 (Topic Starter)

Posted 11 October 2013 - 05:38 PM

 


 

I didn't get the file to attach, sorry :/

 

Anyway, I will however do this:


 

EDIT: Never mind, check below :I

 

EDIT 2: It seems Paint.NET won't uninstall or install, or launch correctly now. Not sure if it has anything to do with your programs, but I just thought I'd mention it.

Attached File: log.txt (26.81KB)

Edited by yozo67, 12 October 2013 - 01:17 AM.


#10 jeffce (Malware Response Team)

Posted 12 October 2013 - 09:10 AM

 It seems Paint.NET won't uninstall or install, or launch correctly now. Not sure if it has anything to do with your programs, but I just thought I'd mention it.

 

Is it still showing up in Programs and Features though?  




#11 yozo67 (Topic Starter)

Posted 12 October 2013 - 10:54 AM

 

Is it still showing up in Programs and Features though?  

 

I went through the creator's recommended actions for uninstallation (every time I launched it, it gave me an error) and I got it uninstalled. It won't install now, and just gives me an error 1603 (Failed to install). I can't win for losing.



#12 jeffce (Malware Response Team)

Posted 12 October 2013 - 03:41 PM

Malwarebytes Anti-Rootkit
 
Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Scan your system for malware
  • If malware is found, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.

If there is no malware found, please let me know as well.
----------




#13 yozo67 (Topic Starter)

Posted 12 October 2013 - 04:07 PM

I guess none was found.

 

It says

 

"Congratulations, no Cleanup is required!".

 

I still can't use Paint.NET, I'm having to use it on a borrowed PC for now.



#14 jeffce (Malware Response Team)

Posted 12 October 2013 - 05:12 PM

So is Paint.net still in Programs and Features?  How is your system behaving otherwise?




#15 yozo67 (Topic Starter)

Posted 12 October 2013 - 05:14 PM

So is Paint.net still in Programs and Features?  How is your system behaving otherwise?

My system is working fine.

 

I tried re-installing my Graphics Drivers (for my ATI Radeon 3450 HD) and it didn't fix it.

 

I managed to uninstall it, but it still won't install.





