Backdoor.Trojan & Trojan.Bookmarker.Gen

Discussion in 'Trojan Defence Suite' started by Panagiota, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    My computer got infected with the following viruses:

    Backdoor.Trojan
    Trojan.Bookmarker.Gen

    I have Norton Antivirus, which is always alert and running in the background. I did a full scan; the antivirus software located the viruses but it is unable to quarantine or delete the files (it seems that these are system files: C:/windows/system32/winc.dll).

    What can I do? How can I clean the computer? How can I protect it from future problems?

    The prompt screen of Norton Antivirus is always on my desktop and even when I press the 'ok' button the window does not close. What should I do?
    Thank you
    Panagiota
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and welcome to the forum.

    Since you posted in the TDS forum I can only give you a TDS answer.
    Make sure you have TDS running on your system:
    Get TDS from www.diamondcs.com.au, close all scanners and their resident protection like your Norton, install TDS, get back to the TDS site for the latest radius.td3 update, which you drop in the TDS directory as it is, and reboot if you hadn't done so after the install.
    Now with all scanners still closed start TDS and let it do its initial scans. When it is ready, go to TDS > System testing > Scan Control, check all scan options on both tabs,
    and save the scan configuration.
    Make sure the other scanners are still closed, unnecessary applications too, and that the system folder options are set to show all hidden files and extensions;
    also close unnecessary browsers, press Full System Scan and let TDS do its scan while you go for a coffee.

    When the TDS scan is ready, you'll see some alerts in the bottom console. Right-click on one of them and save to text (scandump.txt in the TDS directory); you can paste that text in your next posting, so we can advise you what exactly to do next.

    Oh, and before or after your scan, once there at the DiamondCS site, also get the AutoStartViewer from the free products page, unzip and run it with all scan options up, and post that log too for review here.
     
    Last edited: Jul 19, 2004
  3. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    I am posting first the scandump.txt.
    See next post for the other log file you requested.
    Thank you a lot for your help.
    Panagiota
     
  4. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    ...second log file from AutoStartViewer.

    Thank you.
    Panagiota
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    One by one..

    Positive identification: Adware.LOP
    File: c:\documents and settings\vaio\local settings\temp\rema.exe

    Delete.. probably already installed :(

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\program files\delete-con\csremnd1.exe:summaryinformation

    Ignore, 88 byte "tag"

    Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
    File: c:\windows\system32\obkjcb.dll

    CWS DLL.. another one. Try CWShredder and then update your antivirus and see if it can clean it. Adware programs won't remove it but NAV support should help you out. If you don't detect it with the latest update, send them the file.

    CWShredder - http://www.spywareinfoforum.com/~merijn/downloads.html
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    As for the file that couldn't be cleaned, did you choose Quarantine? That should have been an option in any recent version of NAV.

    You can try a full scan in Safe Mode also, which is always a good thing to do; NAV should remove anything it can detect when you reboot into Safe Mode and scan. To do that, tap F8 as soon as the PC starts but before Windows starts to load.
     
  7. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    Did it. It seems that it worked. (I keep my fingers crossed.) The antivirus program in safe mode did not detect anything, but when I started my computer again the alert note was gone and the antivirus software does not detect anything right now.
    Also the spyware is gone.
    Thank you guys a lot.

    Now what should I do to protect my computer? I do not want to spend days for fixing these problems in the future again.

    Please consider that it is a private computer but I rely a lot on it and I am on the internet for at least 12 hours per day.

    Also the Trojan protection software says it is going to expire in a few days. What should I do?
    Please advise.

    Thank you a lot
    Panagiota
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Congratulations on the cleansing!
    TDS is a 30-day free trial? Update it every day from the website and play around with it, scanning etc.

    For a more permanent solution, generally speaking we believe in layered protection: on XP systems for instance (and 2000/NT/2003) ProcessGuard to protect all processes from modifications, terminations, etc.;
    a special AT (TDS for instance) with its resident protection Exec Protect (in registered versions only) besides a special AV (like for instance NOD32) or AV/AT combination (KAV, Norton, etc.);
    additionally WormGuard for protection against worms and scripts and everything else you put in its list;
    Port Explorer to see every connection from and to your system with almost real-time detection of possible trojan processes;
    anti-spyware/adware like Spybot S&D / Ad-aware; and the JavaCool tools for extra protection in that field.
    Expecting you to have a firewall already, of course.
     
  9. mHtt

    mHtt Guest

    Hi, I read through this thread, as I had the same problem as Panagiota. I did everything that you guys said, and I was wondering if you might be able to help me with my scandump.txt. I shall include it with this post. I will also include my asviewer.txt with it, ty for any help guys. :)


    Thank you. :)
     
  10. mHtt

    mHtt Guest

    Dangnabbit, I was about to register, but then I found out that you guys don't take unsolicited lists. Although it didn't say anything about the scandump list, it did say not to post HijackThis logs. Either way I'm sorry if I just broke a forum rule. I will now register so I can edit my last post. :)
     
  11. mHtt

    mHtt Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    Location:
    Canada
    OK, well now that I'm registered, I cannot edit the posts I made when I was a guest. Either way I apologize for posting an unsolicited list. Either way, I think I have enough expertise to be able to go through it on my own. I guess I'll just print out a copy, and delete the malicious files/entries manually in safe mode. Either way if someone wants to help me I'd really appreciate it. Again, thanks for any time anyone spends on this. :)
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, looking at your scandump:
    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\***\local settings\temp\bridge.exe
    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\user\local settings\temp\bridge.exe
    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: c:\windows\unstsa2.exe
    Positive identification (embedded in file): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\desktop\trainer\rct 2 trainer v3.0\rct2 trainer v3.0.exe

    Please submit it to submit@diamondcs.com.au.
    You might like to keep the file zipped or add .tmp behind the name, so in case it is a nasty you can delete it, and in case it's OK you can rename it back.

    Positive identification: TrojanDownloader.Win32.Swizzor.e
    File: c:\documents and settings\***\application data\awekfssd.exe

    Positive identification: TrojanDownloader.Win32.Swizzor.e
    File: c:\documents and settings\***\application data\fspklfoq.exe

    Positive identification: TrojanDownloader.Win32.Swizzor.e
    File: c:\documents and settings\***\application data\kqsliwfn.exe

    Positive identification: TrojanDownloader.Win32.Swizzor.e
    File: c:\documents and settings\***\application data\uzajrwkt.exe

    Looks like you can delete all those.

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\***\desktop\ut2004\ut2004_demo_[2004-02-10_03.01].exe
    Do you know this file? Did you check it further, maybe also via www.kaspersky.com/remoteviruschk.html?
    If you're not sure, submit it too.

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: c:\documents and settings\***\local settings\temp\installer2.exe

    Positive identification: Adware.Blazefind Dropper
    File: c:\documents and settings\***\local settings\temp\installer2.exe

    Positive identification (DLL): Adware.180Solutions.g (dll)
    File: c:\documents and settings\***\local settings\temp\ncmyb.dll

    Positive identification: Adware.BiSpy.f
    File: c:\documents and settings\***\local settings\temp\thi46fc.tmp\preinstt.exe

    Positive identification (DLL): Adware.BiSpy.c (dll)
    File: c:\documents and settings\***\local settings\temp\thi46fc.tmp\twaintec.dll

    Positive identification: TrojanDownloader.Win32.Alchemic
    File: c:\documents and settings\user\local settings\temp\alchem.exe

    Positive identification: TrojanDownloader.Win32.Dyfuca.ak
    File: c:\documents and settings\user\local settings\temp\optimize.exe

    Positive identification: TrojanDownloader.Win32.Swizzor.aq
    File: c:\program files\coal download\26585.exe

    Positive identification: TrojanDropper.Win32.StartPage.ix
    File: c:\program files\windows media player\wmplayer.exe.tmp

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: c:\windows\key2.txt

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: c:\windows\unstsa2.exe
    Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
    File: c:\windows\system32\dca.dll

    Positive identification: TrojanDropper.Win32.StartPage.ix
    File: c:\windows\system32\notepad.exe.bak <== (huho_O)


    Is there any reason why those files could be OK and not infected? If you have any doubt, submit the file zipped for Gavin's advice.

    Suspicious Filename: Dual extensions
    File: d:\games\rollercoaster tycoon 2, no setup.bat.exe
    Sounds suspicious!

    The dual extensions at first sight look ok.


    I'm not sure about the AutoStartViewer; my inexperienced eyes don't see anything suspicious, but that might change when an expert tells us differently.
    Before you delete those files: they might be part of a specific infection which would show up in a HJT log.
    I remember the HJT experts are not happy in general if specific files / keys on which they recognise specific infections were deleted, so you might like to post your HJT log too.
    Only, I promise you, I am by no means an expert myself, so I would not take responsibility for advising about fixes. But together we might have an idea.
     
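A small triage helper for the scandump layout quoted in this post and in Gavin's earlier one, added here as an illustration only; it is not TDS code nor anything the posters provided. It pairs each alert with its "File:" line, sorts hits into remove / verify / ignore the way the replies do (signature hit, advisory-only hit, tiny ADS tag, dual extension), and groups files that trip several signatures. The sample lines are constructed placeholders and the 512-byte ADS threshold is an assumption.

```python
import re
# Constructed sample in the layout of a TDS-3 scandump.txt (placeholder paths/names).
SAMPLE_SCANDUMP = """\
Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
File: c:\\windows\\system32\\dca.dll
Positive identification <Adv>: Possible WebDownloader
File: c:\\docs\\user\\local settings\\temp\\bridge.exe
Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
File: c:\\docs\\user\\local settings\\temp\\installer2.exe
Positive identification: Adware.Blazefind Dropper
File: c:\\docs\\user\\local settings\\temp\\installer2.exe
NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
File: c:\\program files\\delete-con\\csremnd1.exe:summaryinformation
Suspicious Filename: Dual extensions
File: d:\\games\\no setup.bat.exe
"""
HEURISTIC = ("possible", "suspicious")  # advisory wording, not a signature hit
RANK = {"ignore": 0, "verify": 1, "remove": 2}

def parse_scandump(text):
    # Pair each alert line with the 'File:' line that follows it.
    alerts, pending = [], None
    for line in text.splitlines():
        if line.startswith("File: ") and pending:
            # Windows paths are case-insensitive, so lower-case them for grouping
            alerts.append((pending[0], pending[1], line[6:].strip().lower()))
            pending = None
        elif ": " in line and not line.startswith("File: "):
            pending = tuple(p.strip() for p in line.split(": ", 1))
    return alerts

def triage_alert(kind, detail):
    # Map one alert to 'remove' (signature hit), 'verify' or 'ignore'.
    if kind.startswith("Positive identification"):
        if "<Adv>" in kind or detail.lower().startswith(HEURISTIC):
            return "verify"  # advisory only: submit the sample before deleting
        return "remove"
    if kind.startswith("NTFS Alternate Data Stream"):
        size = re.search(r"(\d+) bytes", detail)
        # assumption: a stream of a few hundred bytes is a metadata tag
        return "ignore" if size and int(size.group(1)) <= 512 else "verify"
    return "verify"  # dual extensions and anything unknown need a human look

def triage(text):
    # Group hits by path; the strongest action wins for a multi-hit file.
    plan = {}
    for kind, detail, path in parse_scandump(text):
        entry = plan.setdefault(path, {"action": "ignore", "names": []})
        entry["names"].append(detail)
        action = triage_alert(kind, detail)
        if RANK[action] > RANK[entry["action"]]:
            entry["action"] = action
    return plan
```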
  13. mHtt

    mHtt Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    Location:
    Canada
    Hi, OK, well my browser seems to be factory new, thank you very much. I followed each of your steps and seem to be rid of most of my problems. I did encounter:

    Code:
    Could not delete dca.dll Please be sure disk is not full, and not write proteced, and the file is not in use
    I tried deleting it in safe mode, in the command prompt, and also tried modifying it with Notepad, but to no avail. It doesn't seem to be affecting my system right now, but I'd still like to be rid of it; any suggestions?

    PS. What can I do to avoid getting these things in the first place? I have a router and run ZoneAlarm Pro, so I know few people are getting in; I'd still like to be able to prevent browser hijacks though, which can be really annoying. An ounce of prevention is worth a pound of cure I suppose. :)

    TY again.
     
  14. mHtt

    mHtt Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    Location:
    Canada
    BTW, here is my post-TDS HJT log. TY again.

    :)
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    You can delete all those positive alarms, pretty much everything except the dual extensions alarms! (Wow, lots of adware junk.)

    Your HijackThis log looks clean at a glance. Is the about:blank intentional? Is the PROXY intentional?

    You can fix these; however, they are no big deal obviously ;)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    You can avoid these by following the post "How did I get infected in the first place" in the adware forum here at Wilders! :)

    Most important is to either disable scripting/ActiveX in IE, or stop using IE :) A good quick fix if you MUST use IE is IESpyAd though.
     
  17. mHtt

    mHtt Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    Location:
    Canada
    Will do, and thanks a lot. :)
     