Backdoor.Trojan & Trojan.Bookmarker.Gen

Discussion in 'Trojan Defence Suite' started by Panagiota, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    My computer got infected with the following viruses:

    Backdoor.Trojan
    Trojan.Bookmarker.Gen

    I have the Norton Antivirus which is always alert and runing on the background. I did a full scan, the Antivirus software located the viruses but it is unable to quarantine or delete the files (it seems that there are system files: C:/windows/system32/winc.dll).

    What can I do? How can I clean the computer? How can I protect it for future problems?

    The prompt screen of Norton Antivirus is always on my desctop and even when I press the 'ok' button the window do not close. What should I do?
    Thank you
    Panagiota
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and welcome to the forum.

    Since you posted in the TDS forum i can but give you a TDS answer.
    Make sure you have TDS running on your system:
    www.diamondcs.com.au to get TDS, close all scanners and their resident protection like your norton, install TDS, get back to the TDS site for the latest radius.td3 update which you drop in the TDS directory as it is, reboot if you hadn't done so after the install
    Now with all scanners still closed start TDS and let it do it's initial scans, when it is ready you go to TDS > System testing > Scan Control and check all scan options on both tabs,
    save scan configuration
    Make sure the other scanners are still closed, unnecessary applications too, the system folder options are set to show all hidden files and extensions,
    also close unnecessary browsers, press the Full System Scan and let TDS do it's scan while you go for a coffee.

    When TDS scanning is ready, you'll see some alerts in the bottom console. Rightclick on one of them and save to text, (scandump.txt in the TDS directory) which text you can paste in your next posting, so we can advise you what exactly to do next.

    Oh and before or after your scan once there at the DiamondCS site also get the AutoStartViewer from the free products page, unzip and run it with all scan options up and post that log too for review here.
     
    Last edited: Jul 19, 2004
  3. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    I am posting first the scandump.txt.
    See next post for the other log file you requested.
    Thank you a lot for your help.
    Panagiota
     

    Attached Files:

  4. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    ...second log file from AutoStartViewer.

    Thank you.
    Panagiota
     

    Attached Files:

  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    One by one..

    Positive identification: Adware.LOP
    File: c:\documents and settings\vaio\local settings\temp\rema.exe

    Delete.. probably already installed :(

    NTFS Alternate Data Stream: ADS Hidden Stream Detected: 88 bytes
    File: c:\program files\delete-con\csremnd1.exe:summaryinformation

    Ignore, 88 byte "tag"

    Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
    File: c:\windows\system32\obkjcb.dll

    CWS DLL.. another one. Try CWShredder and then update your antivirus and see if it can clean it. Adware programs wont remove it but NAV support should help you out. If you dont detect it with the latest update, send them the file

    CWShredder - http://www.spywareinfoforum.com/~merijn/downloads.html
     
  6. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    As for the file that couldn't be cleaned, did you choose Quarantine ? that should have been an option in any recent version of NAV.

    You can try a full scan in Safe Mode also which is always a good thing to do, NAV should remove anything it can detect when you reboot into Safe Mode and scan. To do that, tap F8 as soon as the PC starts but before Windows starts to load
     
  7. Panagiota

    Panagiota Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    22
    Did it. It seems that it worked. (I keep my fingers crossed). The Antivirus program at the safe mode did not detected anything but when I started my computer again - the alert note was gone and the antivirus software do not detect anything right now.
    Also the spyware gone.
    Thank you guys a lot.

    Now what should I do to protect my computer? I do not want to spend days for fixing these problems in the future again.

    Please consider that it is a private computer but I rely a lot on it and I am in the internet for at least 12 hours per day.

    Also the Trojan protection software says it is going to expire in few days. What should I do?
    Please advice.

    Thank you a lot
    Panagiota
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Congratulations with the cleansing!
    TDS is a 30 days free trial? Update it every day from the website and play around with it, scanning etc.

    For a more permanent solution, generally spoken we believe in a layered protection, on XP systems for instance (and 2000/nt/2003) PorcessGuard to protect allprocesses from modifications, terminations, etc.
    a special AT (TDS for instance) with it's resident protection exec protect (in registered versions only) besides a special AV (like for instance NOD32) or AV/AT combination (KAV, Norton, etc)
    additionally WormGuard for protection against worms and scripts and everything else you put in it's list;
    Port Explorer to see every connection from and to your system with an almost realtime detection of possible trojan processes;
    anti spyware/adware like SpybotS&D / Ad-aware; and the JavaCool tools for extra protection in that field.
    Expecting you to have a firewall already of course.
     
  9. mHtt

    mHtt Guest

    Hi, I read through this thread, as I had the same problem as Panagiota. I did everything that you guys said, and I was wondering if you might be able to help me with my scandump.txt. I shall include it with this post. I will also include my asviewer.txt with it, ty for any help guys. :)


    Thank you. :)
     
  10. mHtt

    mHtt Guest

    Dangnabbit, I was about to register, but then I found out that you guys don't take unsolicited lists. ALthough it didn't say anything about the scandump list, it did say not to post hijackthis logs. Either way I'm sorry If I just broke a forum rule. I will now register so I can edit my last post. :)
     
  11. mHtt

    mHtt Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    Location:
    Canada
    ok, well now that I'm registered, I cannot edit the posts I made when I was a guest. Either way I apologize for posting an unsolicited list. Either way, I think I have enough expertise to be able to go through it on my own. I guess I'll just print out a copy, and delete the malicious files/entrys manually in safe mode. Either way if someone wants to help me I'd really appreciate it. Again, thanks for any time any one spends on this. :)
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, looking at your scandump:
    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\***\local settings\temp\bridge.exe
    Positive identification <Adv>: Possible WebDownloader
    File: c:\documents and settings\user\local settings\temp\bridge.exe
    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: c:\windows\unstsa2.exe
    Positive identification (embedded in file): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
    File: c:\windows\desktop\trainer\rct 2 trainer v3.0\rct2 trainer v3.0.exe

    please submit@diamondcs.com.au
    You might like to keep the file zipped or add .tmp behind the name so in case it is a nasty you can delete it, in case it's ok you can rename it back.

    Positive identification: TrojanDownloader.Win32.Swizzor.e
    File: c:\documents and settings\***\application data\awekfssd.exe

    Positive identification: TrojanDownloader.Win32.Swizzor.e
    File: c:\documents and settings\***\application data\fspklfoq.exe

    Positive identification: TrojanDownloader.Win32.Swizzor.e
    File: c:\documents and settings\***\application data\kqsliwfn.exe

    Positive identification: TrojanDownloader.Win32.Swizzor.e
    File: c:\documents and settings\***\application data\uzajrwkt.exe

    Looks like you can delete all those

    Suspicious Filename: Dual extensions
    File: c:\documents and settings\***\desktop\ut2004\ut2004_demo_[2004-02-10_03.01].exe
    Do you know this file? did you check it extra, maybe also via www.kaspersky.com/remoteviruschk.html ?
    If you're not sure submit it too.

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: c:\documents and settings\***\local settings\temp\installer2.exe

    Positive identification: Adware.Blazefind Dropper
    File: c:\documents and settings\***\local settings\temp\installer2.exe

    Positive identification (DLL): Adware.180Solutions.g (dll)
    File: c:\documents and settings\***\local settings\temp\ncmyb.dll

    Positive identification: Adware.BiSpy.f
    File: c:\documents and settings\***\local settings\temp\thi46fc.tmp\preinstt.exe

    Positive identification (DLL): Adware.BiSpy.c (dll)
    File: c:\documents and settings\***\local settings\temp\thi46fc.tmp\twaintec.dll

    Positive identification: TrojanDownloader.Win32.Alchemic
    File: c:\documents and settings\user\local settings\temp\alchem.exe

    Positive identification: TrojanDownloader.Win32.Dyfuca.ak
    File: c:\documents and settings\user\local settings\temp\optimize.exe

    Positive identification: TrojanDownloader.Win32.Swizzor.aq
    File: c:\program files\coal download\26585.exe

    Positive identification: TrojanDropper.Win32.StartPage.ix
    File: c:\program files\windows media player\wmplayer.exe.tmp

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: c:\windows\key2.txt

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: c:\windows\unstsa2.exe
    Positive identification (DLL): Trojan.Win32.StartPage.ix1 (dll)
    File: c:\windows\system32\dca.dll

    Positive identification: TrojanDropper.Win32.StartPage.ix
    File: c:\windows\system32\notepad.exe.bak <== (huho_O)


    Is there any reason why those files could be OK and not infected? If you have any doubt, submit the file zipped for Gavin's advice.

    Suspicious Filename: Dual extensions
    File: d:\games\rollercoaster tycoon 2, no setup.bat.exe
    Sounds suspicious!

    The dual extensions at first sight look ok.


    I'm not sure about the AutoStartViewer, my unexperienced eyes don't see nothing suspicious, but thagt might change when an expert tells us differently.
    Before you delete those files, they might be part of a specific infection which would whow up in a HJT log.
    I remember the HJT experts are not happy in general if specific files / keys on which they recognise specific infections were deleted, so yuou might like to post your HJT log too.
    Only i promise you i am no expert myself by no means so i would not take responsibility myself in advising about fixes. But together we might have an idea.
     
  13. mHtt

    mHtt Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    Location:
    Canada
    Hi, ok, well my browser seems to be factory new, thank you very much. I followed each of your steps and seem to be rid of most of my problems. I did encounted:

    Code:
    Could not delete dca.dll Please be sure disk is not full, and not write proteced, and the file is not in use
    I tried deleting it in safe mode, in command prompt, also tried modifying it with note pad, but to no avail. It doesn't seem to be affecting my system right now, but i'd still like to be rid of it any suggesitons.

    Ps. What can I do to avoid getting these things in the first place. I have a router, and run Zone Alarm pro, so I know few people are getting in, I'd still like to be able to prevent browser hijacks though, which can be reall annoying. An ounce of prevention is worth a pound of cure I suppose. :)

    TY again.
     
  14. mHtt

    mHtt Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    Location:
    Canada
    BTW, here is my post TDS, HJT log. TY again.

    :)
     

    Attached Files:

  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    You can delete all those positive alarms, pretty much everything except the dual extensions alarms ! (wow lots of adware junk)

    Your hijackthis log looks clean at a glance, is the about:blank intentional is the PROXY intentional ?

    You can fix these however they are no big deal obviously ;)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - Default URLSearchHook is missing
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    You can avoid these by following the post "How did I get infected in the first place" in the adware forum here at Wilders ! :)

    Most important are either disable scripting/activex in IE, or stop using IE :) A good quick fix if you MUST use IE is IESpyAd though
     
  17. mHtt

    mHtt Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    4
    Location:
    Canada
    WIll do, and thanks alot. :)
     
Thread Status:
Not open for further replies.