need help getting rid of a backdoor

Discussion in 'malware problems & news' started by roland deschain, Jan 14, 2005.

Thread Status:
Not open for further replies.
  1. roland deschain

    roland deschain Registered Member

    Joined:
    Dec 22, 2004
    Posts:
    21
    i did a scan with NAV about 2 hours ago and it didn't detect anything.
    i left my pc on and went and watched some tv. my sister just got done giving me a new keyboard and a new headphone/mic. i hooked them up and was about to put in the install disk for the keyboard when NAV came up and said virus detection. the virus it detected is Backdoor.Lifefournow. It also listed the object name and that was C:\Documents and settings \c_2_0[1].txt; it couldn't be healed. another message came up and it said
    Microsoft Visual C++ Runtime library at the top and said Runtime error
    Program:C:\Program Files\Internet Explorer\iexplore.exe
    this application has requested the Runtime to terminate it in an unusual way. please contact the application's support team for more information. i said
    ok and it closed down internet explorer. i did a nav scan and an avg scan and they both didn't find anything and the message keeps coming up. if u have any ideas on what i can do please reply to this message. i will be on for the rest of the night so i will reply back if i get any feedback. thank you
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
  3. ceemunster

    ceemunster Registered Member

    Joined:
    Jan 14, 2005
    Posts:
    2
    Backdoor.Lifefournow will exit immediately if it detects that it is running on a computer that only has a privately allocated IP address:

    192.168.*
    172.16.*
    10.*

    When Backdoor.Lifefournow is executed, it performs the following actions:

    Creates a copy of itself as %System%\[Random file name].exe.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    Adds the value:

    "[Random file name]" = "%System%\[Random file name].exe "

    to the registry entry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that it is executed every time Windows starts.

    Connects to one of the following domains and sends information about the configuration of the local network:

    todayoct25.biz
    life4now.biz
    lifetoday0.biz

    Listens for a connection on TCP port 36183. When a connection is made, a host and port number are given in the appropriate format.

    Connects to that host and port and acts as an echo client.

    TO FIX:

    Disable System Restore (Windows Me/XP).

    Update the virus definitions.

    Run a full system scan and delete all the files detected as Backdoor.Lifefournow.

    Delete the value that was added to the registry by using the following:

    Click Start > Run.
    Type regedit, then click OK.

    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right pane, delete the value that refers to the file name NAV gave you (Backdoor.Lifefournow).

    Exit the Registry Editor, reboot and restart your System Restore.
     
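A defender-side check for the persistence pattern the writeup above describes (a Run value whose name equals the random file stem and whose data points to an .exe in the System folder), as an added Python example that is not part of this thread or of any Symantec tooling; the `reg query` output it parses is a constructed sample, and `xqzvbnrt` is a placeholder name, not a real indicator.

```python
import re

# Default System folders listed in the writeup (Windows 9x/Me, NT/2000, XP).
SYSTEM_DIRS = (r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32")

# Constructed sample of `reg query HKLM\...\Run` output; not a real capture.
# "xqzvbnrt" is a placeholder standing in for the backdoor's random file name.
SAMPLE_RUN_KEY = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    NAV Agent     REG_SZ    "C:\Program Files\Norton AntiVirus\navapw32.exe" /LOADQUIET
    xqzvbnrt      REG_SZ    C:\WINDOWS\system32\xqzvbnrt.exe 
"""
# One `reg query` value line: name, REG_* type and data, separated by runs of spaces.
LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s+(?P<data>.*)$")


def exe_path(data):
    """Return the executable path from a Run value's data, dropping arguments."""
    data = data.strip()
    if data.startswith('"'):  # quoted path, possibly followed by arguments
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split()[0]


def parse_run_key(text):
    """Parse exported Run-key text into (value name, executable path) pairs."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("name"), exe_path(m.group("data"))))
    return entries


def in_system_dir(path):
    """True if the path sits directly inside one of the default System folders."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def suspicious_entries(text):
    """Flag Run values matching the Lifefournow pattern: value name equals the
    file stem and the file lives in %System%. Hits still need a human look."""
    hits = []
    for name, path in parse_run_key(text):
        stem = path.rsplit("\\", 1)[-1].lower()
        stem = stem[:-4] if stem.endswith(".exe") else stem
        if in_system_dir(path) and name.lower() == stem:
            hits.append((name, path))
    return hits
```

Legitimate startup entries in the sample (ctfmon.exe, the NAV agent) are not flagged because either the value name differs from the file stem or the file is outside %System%; anything that is flagged should be compared against the name NAV reported before it is deleted.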
  4. roland deschain

    roland deschain Registered Member

    Joined:
    Dec 22, 2004
    Posts:
    21
    ok i did what illukka and ceemunster both said to do and i didn't find the
    trojan i was looking for, but while i was in safe mode i used spysubtract
    and found a little bit over 400 spyware and adware files in my registry. so i deleted them. i did this while avg and nav were running. when avg was finished i didn't find the trojan i was looking for but i did find and quarantined
    11 other malware. they are
    Trojan horse Proxy.12.BM [the path] C:\windows\system32\evqkvvsn.exe
    Trojan horse Proxy.12.BM C:\windows\system32\flvmghoi.exe
    Trojan horse Proxy.12.BM C:\windows\system32\grhhbxxp.exe
    Trojan horse Proxy.12.BM C:\windows\system32\jhcfjzwq.exe
    Trojan horse Proxy.12.BM C:\windows\system32\jkmmodzq.exe
    Trojan horse Proxy.12.BM C:\windows\system32\lgcwrjbs.exe
    Trojan horse Proxy.12.BM C:\windows\system32\ndmohwbf.exe

    Trojan horse Downloader.Braidupdate.D [the path] C:\windows\system32\e6f1873b.dll
    Trojan horse Downloader.Braidupdate.E C:\windows\system32\stlb2.dll
    Trojan horse Downloader.Braidupdate.D C:\system volume information \_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP100\A0022150.dll
    Trojan horse Downloader.Braidupdate.E C:\system volume information \_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP100\A0022151.dll

    Also my NAV detected about 10 ADWARE files and i couldn't delete them in safe mode. I know this is a lot of info to handle at once but if u could help me i would really appreciate it. i really need some help and if u can help me please reply. i haven't got any sleep yet, been trying to fix this problem all night, so i dont know if i will be up by the time anyone replies but if u do reply i will check it out as soon as i can. please heeellllllllppppp!!!!!!!!!!!!! :eek:
     
  5. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi if you download HiJackthis HERE
    you can get an online automated log file scan HERE .
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Roland, please do not use HijackThis to fix things on the basis of the automated result scan given above - it is useful for guidance only and is wildly inaccurate at times!

    You would need to take your HJT log to a Forum that deals with such matters, but in the meantime have a look at these tutorials:
    http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
    http://www.tomcoyote.com/hjt/
    http://www.spywareinfoforum.com/~merijn/htlogtutorial.html

    By the way I do hope you are not running NAV and AVG simultaneously realtime!
     
    Last edited: Jan 14, 2005
  7. roland deschain

    roland deschain Registered Member

    Joined:
    Dec 22, 2004
    Posts:
    21
    ok i downloaded hijackthis and i went to the other site but i dont really know what to do when i get there o_O i would also like to say i forgot to say in my post before this one that the problem i was having in my first post is not happening any more so i guess i fixed it when i used spysubtract. So
    Sweetie(*)(*) if i am not too much of a bother ;) could u maybe explain to me a little bit on how to do this, thank you roland deschain
     
  8. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    hi, sure no problem. when u start HJT do the scan and save the log file. when u are at the auto scan site browse for your file, tick the box for improved and press scan, then scroll down; it has the scan results and offers advice on actions.

    The entries that come up in red usually need 2 be dealt with.
    If you find anything that needs to be removed, go back to HJT and match the entries up from the scan, then remove.
     
  9. roland deschain

    roland deschain Registered Member

    Joined:
    Dec 22, 2004
    Posts:
    21
    ok i went through and deleted or fixed all of the unnecessary and nasty files that it told me of. What do i do now?? and what happens if i did use nav and avg at the same time?? what do i need to do with the viruses in the virus vault?? if u can answer please reply thank you
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I sincerely hope you kept back-ups of those things you fixed or you could be in trouble. HJT should have been located in its own folder, where it keeps back-ups.
    Generally it is extremely bad advice indeed to get an inexperienced person to use HJT to fix things they do not understand. The automated scan you were directed to is notoriously inaccurate in the results it gives. You cannot possibly do these things for yourself. You should go to the HJT Forum, though they may refuse to assist you if you have been interfering with things without expert advice.

    You should never use more than one AV active at the same time 'cos they can fight each other and leave you open to infection, quite apart from damage it could do to your system.
     
  11. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    How is it notoriously inaccurate?

    Have you ever been to this site and looked for yourself?

    The automated scan offers detailed advice on each entry, prompts you to make a back up of anything you delete, you CANNOT delete anything using the web page, you must return to HJT in windows.

    As far as being inaccurate i suggest you talk to the authors of HJT, as it's their site, maintained by them and their support forums.

    The site was introduced to create a benchmark in HJT log analysis, as far too many people have been given bad advice by forum cowboys.
    The definitions are as up to date as possible.

    I suggest you do a bit of research before making bold posts, if Wilders had a page like this you would not like it if similar remarks were made.
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi Sweetie,

    Yes, I have been to the site. I just had someone today that had that site say their start pages had been infected. The site called it a "Nasty" and said it needed to be removed. But guess what? That site was Wilders and that automated HJT log scanning site calls us here a "Nasty".

    See above. This person could have deleted something wrong. The problem is that most people that use these sites do not have the knowledge or experience to analyze the results properly. Just because you can use the site with no problems, does not mean that the average home user can without serious problems.

    I have been involved with the author of HJT personally, and I can assure you that he has nothing to do with this site nor does he endorse it. Quite the contrary ;) ...

    Maybe so, but having an expert from an ASAP affiliated site (see my signature) by no means can be considered help from a forum cowboy.

    You may want to do a bit of research also, especially before you start throwing out names of who is involved or endorses a particular site without knowing the facts.
     
    Last edited by a moderator: Jan 14, 2005
  13. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    I've just sent an email to the author of HJT asking him to post here, so we'll see.
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Sweetie
    I can confirm that Merijn the author of HJT is NOT connected with the automatic analysis site and does not approve of it.

    As an example I have just posted a log from my computer which I know is 100% clean

    It is telling me to fix a proxy server entry as that is bad

    My ISP uses proxy servers and it is the only way to connect. IF I remove that entry I cannot connect to the net

    It also tells me that the BHO for M$ Money Viewer is bad and should be fixed. OK money isn't important but it's not malicious and I do use it

    I don't even mention the amount of things it misses, but I would rather it missed than removed wanted and needed things


    And with the greatest of respect to the people giving advice on their support forum. So far I've only looked at 4 pages of "advice" & logs and have only seen 1 piece of advice I would agree with. All the rest won't fix the problems and is about as much use as a chocolate fireguard in my view and in some cases is downright dangerous
     
    Last edited: Jan 15, 2005
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Getting back to the original problem, the file names posted have some of the characteristics of the new VX2 hijack and that is very very difficult to remove and needs specialised handling

    I strongly advise posting on one of the specialised forums that deal with HJT logs.
    A list can be found here: http://a-sap.org/
     
  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Sweetie, I do have personal experience of this site; it finds many things as problematic or bad that are harmless or irrelevant, and it misses unknown bad things simply because they are unknown. The trained human eye can spot the incongruity of wrong file names and file paths that the auto scanner simply cannot find.

    HijackThis cannot find and fix every aspect of new spyware and trojan infections - they hide from it as best they can. HJT is used by the knowledgeable in conjunction with other tools.

    Respectable sites such as SpywareInfo DO NOT recommend inexperienced people to go off and fix things themselves using this automated scan. Indeed some sites can refuse to help anyone who has messed around with specialist tools without specific advice.
     
  17. Merijn

    Merijn Spyware Expert

    Joined:
    Mar 5, 2004
    Posts:
    6
    Location:
    NL
    The automated log parser at hijackthis.de was created without my knowledge or consent, and though I don't think it's a bad idea in the first place, you shouldn't rely solely on the automatic parser since it's pretty flawed. I've only used it a couple of times on infected logs and it shows both false positives and false negatives. You can use it for guidance, but the results should be taken with a grain of salt. Generally I feel that the only parser bound to be perfect is your own mind, together with the lists of Startups from Pacman, and the list of CLSIDs from TonyKlein.
     
  18. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Thank you for replying Merijn, I'm glad this matter has been resolved.
    It seems that i was misinformed as to the ownership and running of the site; as this is the case i withdraw my comments/posts on the issue, and apologise accordingly.
     
  19. Senor Afro

    Senor Afro Guest

    hi, roland deschain
    i have the very same problem but i tried using spysubtract and that doesn't work. do you or anybody else know of any program which isn't overly large but can 100% get the job done? thanx for any help supplied
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP. The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    Once your system is clean, you may want to take a look here for further discussion on security and how to make your system that much stronger and here for more.

    This is what works really well for me, very simple to use and maintain.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     