“BackDoor-CFB” virus, how do I get rid of it?

Discussion in 'malware problems & news' started by Matt_Smi, Jul 8, 2004.

Thread Status:
Not open for further replies.
  1. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    I updated McAfee virus scan to the latest DAT’s just now, and now I cannot open a program without the “Access to file was denied” message from McAfee virus scan popping up. It says the virus name is BackDoor-CFB and it is located in C:\WINDOWS\System32\wdmh.dll. I have no idea how I got it or how to go about getting rid of it. This is really terrible, my computer seems to be functioning ok and once I get into a program it works fine, but I don’t know if I should shut McAfee’s scanning engine off so I do not get that annoying pop up or delete that file that it is “denying access to” in system 32. If anyone could give me some things to try that would be great. I am ordering an external hard drive in a few days and I am pretty much ready to just back everything up and re-install windows. Yes I would go that far to get rid of this crap, I have a feeling I am just going to mess up my computer trying anyway. Thanks to anyone who can help, I would really appreciate it.
     
    Last edited: Jul 8, 2004
  2. Traves

    Traves Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    6
    Location:
    U.S., Virginia
    Matt,

    Will not McAfee remove the trojan now that it has detected it? If not try booting into safe mode and rerunning McAfee virus scan. Failing that you could use DiamondCS's TDS-3 to remove it (again booting into safe mode before you scan).

    Hope this helps.
     
  3. nealgravatt

    nealgravatt Guest

    I have the same virus on my laptop. McAfee does not have a cure for it yet, so i have been trying to figure it out. I noticed that every program i open tries to use the same .dll. You can see in the registry (hkey_local_machine\software\microsoft\windows NT\currentversions\windows) there is an entry for AppInit_Dlls, that points to the dll that is infected.

    On a clean machine, this registry entry has nothing in the 'value data' field, on mine, it has c:\windows\system32\d3dcabp.dll. I tried deleting the value, but it came back by the time i closed regedit and reopened it.

    Anybody have anymore info?

    xxx@yahoo.com
     
    Last edited by a moderator: Jul 9, 2004
  4. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Well it’s good to know that I am not the only one with the damn thing! Here is a basic description of it http://vil.nai.com/vil/content/v_126106.htm I guess it was discovered a few days ago which would explain why McAfee found the file right after I updated the DAT’s. It has probably been on my computer for a little while. For now I have instructed McAfee to “Deny Access to infected files and continue”; this keeps that annoying pop up from coming up anytime I use a program. I guess I will just have to pretend it’s not there until I can find out how to remove it. “The DLL file is not malicious by itself but can be used by a malicious program to export system information from the victims machine.” That is from the McAfee site, I guess the virus itself is not bad but in conjunction with another virus it could be. For the hell of it I was going to try that DiamondCS's TDS-3 scanner to see if that worked, does anyone have a link to it, thanks.
     
  5. nealgravatt

    nealgravatt Guest

    ok, i think i may have made some progress. Like i said, the on access virus scan kept saying that that d3dcabp.dll was infected with the backdoor-cfb. I did a registry search and found this dll was referenced in the (hkey_local_machine\software\microsoft\windows NT\currentversions\windows)
    AppInit_Dlls key.

    So, i booted into safe mode, and changed the entry from c:\windows\system32\d3dcabp.dll to c:\windows\system32\user32.dll. Then in regedit, i went to File --> permissions and removed any write permissions from the key, since the value kept changing back. I removed admin permissions, and the creatorowner permissions, so nothing could write to the entry.

    I booted back into normal windows mode, and now the On-access scan says that it has deleted the trojan. So i guess this method worked. You try it and see if it works for you.
     
  6. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Ok I just went into the registry and found an AppInit_Dlls key with the location of the virus c:\windows\system32\wdmh.dll So in safe mode I want to rename this to c:\windows\system32\user32.dll and remove all write permissions from it? Should I also remove system and user permissions from it or just admin and owner? I will go into safe mode and try, I hope this works, I will let you know.
     
  7. Atze

    Atze Guest

    I have the same ****er too on my laptop since tomorrow morning. I tried to kill him with McAfee in the safe mode, but nothing. This bastard is new. My systems guys will take care of it on monday. Currently I use another computer. I will show them this thread. I hope McAfee is quick and develops a countermeasure.
     
  8. Traves

    Traves Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    6
    Location:
    U.S., Virginia
    Matt,
    Although it looks as you may have a solution already, here is the link to the TDS-3:
    http://www.diamondcs.com.au
    Let us all know what you do and what works.
     
  9. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    I think it’s gone! I followed nealgravatt’s instructions exactly and when I rebooted to normal mode McAfee is no longer popping up saying that c:windows/system32/wdmh.dll is infected with backdoor-CFB! When I was in safe mode the AppInit_Dlls key did not have the wdmh.dll name under ‘value data’, it was blank, the wdmh.dll only showed under ‘value data’ in normal mode, but I renamed it to c:/windows/system32/user32.dll anyway. My computer also seems to be using less ram now, probably because it is not running the Trojan in the background all the time now. Nealgravatt a big thanks to you man! Now if I could just figure out how to get rid of the Startpage-DU virus!
     
  10. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Ok just after posting that I got rid of it, I right clicked on the desktop and went to properties and McAfee popped back up with the damn thing! It seemed to come back whenever I right clicked and went to properties on something. I booted back into safe mode and was able to find the wdmh.dll file in the system32 folder, I tried to delete it but could not so I renamed it to “infected”, and now McAfee is not popping up when right clicking and going to properties or when opening programs, I will only get it if I click on that file in system32. So while the virus is not off of my computer, I don’t think that there is anything bad it can do as it’s not always being accessed whenever I do something anymore, I guess you could say it’s been contained. I would still like to delete it totally from my computer, but I may have to wait for a McAfee update for that. I am just going to hope that the damn thing does not reappear again in a few days!
     
  11. nealgravatt

    nealgravatt Guest

    i chose c:\windows\system32\user32.dll randomly. This may have an adverse effect on the computer later on. On my uninfected computer, the registry key is blank. So, you may want to change it back to blank
     
  12. nealgravatt

    nealgravatt Guest

    matt,

    also, my virus scan indicated that it had deleted the trojan. As soon as i booted into normal windows mode, after making the registry change, the same message popped up saying 'detected backdoor-cfb at c:\windows\system32\d3dcabp.dll.' But this time it said the virus had been deleted.

    i would rescan your computer with mcafee and see if it can remove the virus. also, another way to delete files, get your windows xp cd (or whatever OS you have) and boot to it. Just like you're reinstalling the OS, but when you get to the first menu screen, choose the repair option (or recovery console, depends on OS). You then choose the location of your windows files, and hit yes, then you must enter the administrator password. now you will have a dos prompt where you can access most files on your primary hard drive. use the dos command, del C:\windows\file.name to delete a file.

    good luck
     
  13. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Yes I am going to try McAfee in safe mode and see if it can delete it, and try a few other things when I get a chance, I am just glad that the file is not always being accessed now and that it’s pretty much contained to the point where it cannot do anything. If I cannot remove it I guess I will just wait until McAfee has an update that can, I wonder why yours was able to remove it though? Also about the registry, that AppInit_Dlls key is no longer there, it is not present on my family’s computer (with windows ME) either. I hope re-naming it did not mess anything up, my computer seems fine though. I will have had my computer for a year at the end of this august and I feel that an OS re-install will be in order soon anyway, and it will be pretty painless since I have an external HD on the way.
     
  14. lord dubu

    lord dubu Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    2
    Nasty little bugger this one is. I've been battling it for the better part of a week now, but thanks to you blokes I've made headway.

    Though aside from the registry permissions and renaming the extension I can do little else to the file. I was able to move it to the temp folder and rename it to .infected. But any attempt to change the prefix (which was ctloh on my machine) fails...

    Anyone get this off the box completely yet?
     
  15. nealgravatt

    nealgravatt Guest

    lord dubu,

    read above, try booting in safe mode or using the OS install cd to boot into the recovery mode, then you should be able to delete it.

    pretty sure this isn't a permanent fix, it's just a work around. but maybe someone from McAfee will read this and find a cure for it.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, that was a dangerous cure, but seems it worked, i was holding my breath reading you telling about it.
    What i understand from those AppInit_dlls they load before the user32 is loaded, so really very deep into your system.
    I only have seen people working with a few tools from the DiamondCS site, like the APM for looking what you're dealing with and locating it and manipulating it so the trojan code might be stopped with that, and if termination of running processes was difficult the APT, which is in fact to test termination, seems to help people to close running processes too, and if more info is needed about full commandlines the processes use there is the cmdline.
    All are free tools. You had the address already, www.diamondcs.com.au
    The other programs are available as free evaluation versions, TDS for instance,
    close all scanners including their resident protecting, install TDS, go back to that site for the radius update (or get today's at http://radius.turvamies.com/radius.td3 for this time and drop it in the TDS directory), reboot your system if you didn't do yet after the TDS install and start TDS and let it do a full system scan while in the scan control you checkmarked every scanoption. During that scan, and drinking your coffee, make sure all other scanners including their resident parts are completely closed to give TDS free access everywhere.
    Mind you: TDS does not delete the finds for you, you get a chance to look into everything, can submit files to submit@diamondcs.com.au delete files, with rightclicking on one of the files save all log to a textfile scandump.txt for further investigation.

    So with this you do have a good arsenal, where that APM could really deal already with that nasty AppInit_dlls.
    Please post back about your experiences, so we can try to help other people as well the best we can!
    For more questions about TDS itself is the dedicated forum here above.
     
    Last edited: Jul 10, 2004
  17. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Yeah I hate messing around and making changes in the registry as you can really mess up your computer in there from what I understand, and since I am pretty much a newbie I could very easily screw something up. Do you think I did mess something up? Or since my computer has been running fine, should it be ok? Oh, and when I get some time I will play around with DiamondCS.
     
  18. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: “BackDoor-CFB” virus, how do I get rid of it?

    Mcafee dat 4374 should remove backdoor CFB. More info here
     
  19. nealgravatt

    nealgravatt Guest

    changing the registry can easily screw up your machine. while your computer may be working fine now, these registry changes could affect your computer later on.

    Once the virus has been removed, i would remove the data associated with the AppInit_Dlls key and change the read/write permissions back to their original state.

    Read this for more info on the AppInit_Dlls key.
    http://support.microsoft.com/defaul...port/kb/articles/Q197/5/71.asp&NoWebContent=1
     
  20. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Neal, I was a bit worried when going back into the registry because the AppInit_DLLs key was gone along with a few others that were there before, and all that was in there was (default) but then I remembered that I had denied permissions to the key and once I allowed them again all the keys were back. As was the AppInit_DLLs key, and under “data” it still said c:windows/system32/wdmh.dll. But I deleted that data field and set the permissions back the way they were. Everything seems to be running fine, McAfee is not popping up with any virus messages and when I go back into regedit the “data” field is still blank. So I think that renaming the virus from “wdmh.dll” to “infected” did some good, as maybe it can no longer load itself into the registry, now I need to try and delete it from my system completely. So since I removed that data on the AppInit_DLLs key and put the permissions back the way they were, my system should be fine right?
     
  21. nealgravatt

    nealgravatt Guest

    yeah, it should be fine now.
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You used the APM , didn't that have an option besides detecting and closing also removing the AppInit_dlls from your system?
     
  23. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Jooske,

    I am sorry but I am not quite sure what you mean, and what is the APM? Does anyone know how I can get this file off of my computer? It is in my system32 folder, I can find it without a problem and when I go over it McAfee pops up with its message. But I cannot delete the file; it always says something like make sure the file is not write protected or that it is not currently in use. McAfee cannot clean it or delete it and does not find it in a normal scan. And I have tried deleting it in safe mode as well and I get the same thing. Even though this virus is contained and cannot do anything anymore I would like to get it off of my system. Does anyone have any ideas as to how I could get rid of it? Thanks.
     
  24. Edward Crain

    Edward Crain Guest

  25. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
    Thank you, but unfortunately that program did not find or fix it. However Fero and jknetzinger (from the post you linked) seem to have found another way to get rid of it through the command prompt. I have E-mailed Fero about it and hopefully he will be able to help me as I am not too good with the command prompt and am not too sure what some things they are talking about mean.
     