need help getting rid of a backdoor

[roland deschain]

i did a scan with NAV about 2 hours ago and i didnt detect anything
i left my pc on and went and watched some tv. my sister just got done giving me a new keyboard and a new headphone/mic i hooked them up and was about to put in the install disk for the keyboard and NAV came up and said virus detection the virus it detected is Backdoor.Lifefournow . It also listed the object name and that was C:\Documents and settings \c_2_0[1].txt it couldent be healed . another message came up and it said
Microsoft Visual C++ Runtime libary at the top and said Runtime error
Program:C:\Program Files\Internet Explorer\iexplore.exe
this application has requested the Runtime to terminateit in an unusual way. please contact the applications support team for more information i said
ok and it closed down internet explorer . i did a nav scan and a avg scan and they both didnt find anything and the message keeps coming up. if u have any ideas on what i can do please reply to this message i will be on for the rest of the nightso i will reply back if i get any feedback thankyou

[illukka]

hi

see this for info:
http://securityresponse.symantec.com...fefournow.html

reboot your computer into safe mode


do a full scan with norton
before scanning see how to configure NAV to scan all files
let it remove waht it finds
reboot

[ceemunster]

Backdoor.Lifefournow will exit immediately if it detects that it is running on a computer that only has a privately allocated IP address:


192.168.*
172.16.*
10.*


When Backdoor.Lifefournow is executed, it performs the following actions:

Creates a copy of itself as %System%\[Random file name].exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"[Random file name]" = "%System%\[Random file name].exe "

to the registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.


Connects to one of the following domains and sends information about the configuration of the local network:

todayoct25.biz
life4now.biz
lifetoday0.biz


Listens for a connection on TCP port 36183. When a connection is made, a host and port number are given in the appropriate format.


Connects to that host and port and acts as an echo client.

TO FIX:



Disable System Restore (Windows Me/XP).

Update the virus definitions.

Run a full system scan and delete all the files detected as Backdoor.Lifefournow.

Delete the value that was added to the registry by using the following:

Click Start > Run.
Type regedit

Then click OK.


Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value that refers to the file name NAV gave you (Backdoor.Lifefournow)


Exit the Registry Editor, reboot and restart your System Restore.

[roland deschain]

ok i did what illuka and ceemunster both said to do and i didnt find the
trojan what i was looking for but while i was in safe mode i used spysubtract
and found a little bit over 400 spyware and adware files in my registry. so i deleted them . i did this while avg and nav was runing .when avg was finished i didnt find the trojan i was looking for but i did find and quarintined
11 other malware.they are
Trojan horse Proxy.12.BM [the path] C:\windows\system32\evqkvvsn.exe
Trojan horse Proxy.12.BM C:\windows\system32\flvmghoi.exe
Trojan horse Proxy.12.BM C:\windows\system32\grhhbxxp.exe
Trojan horse Proxy.12.BM C:\windows\system32\jhcfjzwq.exe
Trojan horse Proxy.12.BM C:\windows\system32\jkmmodzq.exe
Trojan horse Proxy.12.BM C:\windows\system32\lgcwrjbs.exe
Trojan horse Proxy.12.BM C:\windows\system32\ndmohwbf.exe

Trojan horse Downloader.Braidupdate.D [the path] C:\windows\system32\e6f1873b.dll
Trojan horse Downloader.Braidupdate.E C:\windows\system32\stlb2.dll
Trojan horse Downloader.Braidupdate.D C:\system volume information \_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP100\A0022150.dll
Trojan horse Downloader.Braidupdate.E C:\system volume information \_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP100\A0022151.dll

Also my NAV detected about 10 ADWARE files and i couldnt delete them in safe mode.I know this is alot of info to handle at once but if u could help me i would really appreciate it . i really need some help and if u can help me please reply . i havent got any sleep yet been trying to fix this problem all night so i dont know if i will be up by the time anyone replys but if u do reply i will check it out as soon as i can please heeellllllllppppp!!!!!!!!!!!!!

[Sweetie(*)(*)]

Hi if you download HiJackthis HERE
you can get an online automated log file scan HERE .

[TopperID]

Roland, please do not use HijackThis to fix things on the basis of the automated result scan given above - it is useful for guidance only and is wildly innaccurate at times!

You would need to take your HJT log to a Forum that deals with such matters, but in the meantime have a look at these tutorials:
http://www.bleepingcomputer.com/foru...howtutorial=42
http://www.tomcoyote.com/hjt/
http://www.spywareinfo.com/~merijn/htlogtutorial.html

By the way I do hope you are not running NAV and AVG simultaneously realtime!

[roland deschain]

Quote:

Originally Posted by Sweetie(*)(*)

Hi if you download HiJackthis HERE
you can get an online automated log file scan HERE .

ok i downloaded the hijackthis and i went t the other site but i dont really know what to do when i get there i would also like to say i forgot to say in my post before this one that the problem i was having in my first post is not happening any more so i geuss i fixed it when i used spysubtract. So
Swetie(*)(*) if i am not to much of a bother could u maybe explain to me a little bit on how to do this, thankyou roland deschain

[Sweetie(*)(*)]

hi, sure no problem, when u start HJT do the scan and save log file, when u are at the auto scan site browse for your file, tick the box for improved and press scan, then scroll down, it has the scan results and offers advice on actions.

The entries that come up in red usually need 2 be delt with.
If you find anything that needs to be removed, go back to HJT and match the entries up from the scan, then remove.

[roland deschain]

ok i went through and deleted or fixed all of the unessesaryand nasty files that it told me of. What do i do now?? and what happens if i did use nav and avg at the same time?? what do i need to do with the viruses in the virus vault?? if u can answer please reply thankyou

[TopperID]

I sincerely hope you kept back-ups of those things you fixed or you could be in trouble. HJT should have been located in its own folder, where it keeps back-ups.
Generally it is extremely bad advice indeed to get an inexperienced person to use HJT to fix things they do not understand. The automated scan you were directed to is notoriously inaccurate in the results it gives. You cannot possibly do these things for youself. You should go to HJT Forum, though they may refuse to assist you if you have been interfering with things without expert advice.

You should never use more than one AV active at the same time 'cos they can fight each other and leave you open to infection, quite apart from damage it could do to your system.

[Sweetie(*)(*)]

Quote:

Originally Posted by TopperID

Generally it is extremely bad advice indeed to get an inexperienced person to use HJT to fix things they do not understand. The automated scan you were directed to is notoriously inaccurate in the results it gives. You cannot possibly do these things for youself..

How is it notoriously inaccurate?

Have you ever been to this site and looked for yourself?

The automated scan offers detailed advice on each entry, promts you to make a back up of anything you delete, you CANNOT delete anything using the web page, you must return to HJT in windows.

As far as beinging inaccurate i suggest you talk to the authors of HJT, as its their site, maintained by them and their support forums.

The site was introduced to create a benchmark in HJT log analisys, as far too many people have been given bad advice by forum cowboys.
The definitions are as up to date as possible.

I suggest you do a bit of reaserch before making bold posts,if Wilders had a page like this you would not like it if similar remarks were made.

[puff-m-d]

Hi Sweetie,

Quote:

Originally Posted by Sweetie(*)(*)

How is it notoriously inaccurate?

Have you ever been to this site and looked for yourself?

Yes, I have been to the site. I just had someone today that had that site say their start pages had been infected. The site called it a "Nasty" and said it needed to be removed. But guess what? That site was Wilders and that automated HJT log scanning site calls us here a "Nasty".

Quote:

The automated scan offers detailed advice on each entry, promts you to make a back up of anything you delete, you CANNOT delete anything using the web page, you must return to HJT in windows.

See above. This person could have deleted something wrong. The problem is that most people that use these sites do not have the knowledge or experience to analyze the results properly. Just because you can use the site with no problems, does not mean that the average home user can without serious problems.

Quote:

As far as beinging inaccurate i suggest you talk to the authors of HJT, as its their site, maintained by them and their support forums.

I have been involved with the author of HJT personally, and I can assure you that he has nothing to do with this site nor does he endorse it. Quite the contrary ...

Quote:

The site was introduced to create a benchmark in HJT log analisys, as far too many people have been given bad advice by forum cowboys.
The definitions are as up to date as possible.

Maybe so, but having an expert from an ASAP afilliated site (see my signatire) by no means can be considered help from a forum cowboy.

Quote:

I suggest you do a bit of reaserch before making bold posts,if Wilders had a page like this you would not like it if similar remarks were made.

You may want to do a bit of research also, especially before you start throwing out names of who is involved or endorses a particular site without knowing the facts.

[Sweetie(*)(*)]

Ive just sent an email to the author of HJT asking him to post here, so we'll see.

[dvk01]

Sweetie
I can confirm that Merijn the author of HJT is NOT connected with the automatic analysis site and does not approve of it.

As an example I have just posted a log from my computer which I know is 100% clean

It is telling me to fix a proxy server entry as that is bad

My ISP uses proxy servers and it is the only way to connect. IF I remove that entry I cannot connect to the net

It also tells me that the BHO for M$ Money Viewer is bad and should be fixed. OK money isn't important but it's not malicious and I do use it

I don't even mention the amount of things it misses, but I would rather it missed than removed wanted and needed things


And with the greatest of respect to the people giving advice on their support forum. So far I've only looked at 4 pages of "advice" & logs and have only seen 1 piece of advice I would agree with. All the rest won't fix the problems and is about as much use as a chocolate fireguard in my view and in some cases is downright dangerous

[dvk01]

Getting back to the original problem, the file names posted have some of the characteristics of the new VX2 hijack and that is very very difficult to remove and needs specialised handling

I strongly advise posting on one of the specialised forums That deal with HJT logs
a list can be found here http://a-sap.org/

[TopperID]

Quote:

Have you ever been to this site and looked for yourself?

Sweetie, I do have personal experience of this site; it finds many things as problematic or bad that are harmless or irrelevant, and it misses unknown bad things simply because they are unknown. The trained human eye can spot the incongrenuity of wrong file names and file path that the auto scanner simply cannot find.

HijackThis cannot find and fix every aspect of new spyware and trojan infections - they hide from it as best they can. HJT is used by the knowlegeable in conjunction with other tools.

Respectable sites such as SpywareInfo DO NOT recommend inexperienced people to go off and fix things themselves using this automated scan. Indeed some sites can refuse to help anyone who has messed around with specialist tools without specific advice.

[Merijn]

The automated log parser at hijackthis.de was created without my knowledge or consent, and though I don't think it's a bad idea in the first place, you shouldn't rely solely on the automatic parser since it's pretty flawed. I've only used it a couple of times on infected logs and it shows both false positives as false negatives. You can use it for guidance, but the results should be taken with a grain of salt. Generally I feel that the only parser bound to be perfect is your own mind, together with the lists of Startups from Pacman, and the list of CLSIDs from TonyKlein.

[Sweetie(*)(*)]

Thank you for replying Merjin, im glad this matter has been resolved.
It seems that i was misinformed as to the ownership and running of the site, as this is the case i withdraw my comments/posts on the issue, and apoligise accordingly.

hi, roland deschain
i have the very same problem but i tried using spysubtract but that doesn't work do you anybody else know of any program which isn't overly large but can 100% get the job done. thanx for any help supplied

[Blackspear]

Quote:

Originally Posted by Senor Afro

hi, roland deschain
i have the very same problem but i tried using spysubtract but that doesn't work do you anybody else know of any program which isn't overly large but can 100% get the job done. thanx for any help supplied

You will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

Once your system is clean, you may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

This is what works really well for me, very simple to use and maintain.

Hope this helps...

Let us know how you go.

Cheers