Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan Horse Back Door Generic

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 7th, 2012, 5:33 pm

Hi Jeff,

jja1313 wrote:Here you go. I can't thank you enough for all your help.
No problem , glad I could help 8)

The logs showed just a few more files left. Once we get them all I will issue final instructions to cleanup quarantined items and tighten up the machines security.

Re-run Grantperms
  • Locate the Grantperms folder you extracted earlier (it should be on your desktop).
  • Enter the GrantPerms folder & double click GrantPerms.exe to run it.
  • Copy and paste the contents of the codebox below into the whitebox (Do Not include Code:)
Code: Select all
c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1\Temp\rf.swf
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats\outmsgs\1116987081937.xml
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\AssemFiles\framePref.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles\MyImagesPrefs.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles\MyImagesState.dat
  • Now Click Unlock
  • When it's done, click "OK".
  • Now click List Permissions and post contents of the log file that opens (Perms.txt)
  • A copy of Perms.txt will be saved in the same directory the tool is run.


Re-run Junction
  • Click Start > Run. Copy and paste the contents of the codebox below into the run box.
    (Do Not include Code:) Then click OK:
Code: Select all
cmd /c junction -s c:\ >log.txt&log.txt&del log.txt
  • A command window will open and the system will be scanned. (Click Agree to the prompt)
  • Please be patient & wait untill a log file opens in notepad.
  • Copy and paste the contents of that file in your next reply.
User avatar
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm
Advertisement
Register to Remove

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 8th, 2012, 12:43 am

GrantPerms by Farbar
Ran by HP_Owner (administrator) at 2012-01-07 21:57:54

===============================================
\\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1\Temp\rf.swf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
ARNDT\HP_Owner FULL ALLOW (I)
ARNDT\HP_Owner FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats\outmsgs\1116987081937.xml

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\AssemFiles\framePref.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles\MyImagesPrefs.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles\MyImagesState.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)




Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


..

...

...

...

...

...

...

...

...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.

...

...

...

...

...

...

...

...

...

...

...

...

...

...
jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 8th, 2012, 2:39 pm

Hi Jeff,

Congratulations your PC is now feee from infection 8) Follow the below steps to remove quarantined items and tighten your systems security.


Step 1 - Clean up with OTL
  • Double-click OTL.exe
  • Click the CleanUp! button
  • Select Yes when the Begin cleanup Process? Prompt appears
  • If you are prompted to Reboot during the cleanup, select Yes
  • The tool will delete itself once it finishes, if not delete it by yourself
Note: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.


Step 2 - Uninstall Combofix
  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
    Image
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

Step 3 - Anti Virus
Here are some programs I would reccomend instead of AVG. Install one of these and then uninstall AVG.


Step 4 - Security Check
  • Please download Security Check by screen317 from one of the links below:
  • Save it to your Desktop.
  • Double click SecurityCheck.exe, then follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document.


Additional Security Tips.
Update your Antivirus programs and other programs regularly.
Secunia Personal Software Inspector - Copyright © Secunia. This app will monitor programs on your computer for known vulnerabilities. You can set it to auto-update for you, or just prompt you if an update is available. I highly recommend it.
F-secure Health Check - Copyright © F-Secure Corporation. F-Secure Health Check is a free application that tells you if your computer is protected and helps you fix possible security issues.

Visit Microsoft often
Keep on top of critical updates, as well as other updates for your computer.
How to configure and use Automatic Updates in Windows XP
Using Windows Update for Windows XP
Microsoft Update Home

Read, stay informed.
To help minimize the chances of becoming re-infected, please read.
Computer Security - a short guide to staying safer online

Please let me know that you completed the cleanup steps, reviewed the rest of the post. Once I receive your reply, I will provide further instructions on the SecurityCheck scan if neeeded. The topic will then be closed as resolved.
User avatar
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 8th, 2012, 6:46 pm

THANK YOU


Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
AVG 2012
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 30
Adobe Flash Player ( 10.3.183.7) Flash Player Out of Date!
Adobe Reader X (10.1.1)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
WinPatrol winpatrol.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgnsx.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
BillP Studios WinPatrol winpatrol.exe
``````````End of Log````````````
jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 9th, 2012, 2:36 pm

Hi Jeff,

I can see you have installed Avast Anti-Virus, good! You also still have AVG installed, this needs to be uninstalled. Your flash player is also out of date, leaving you vulnerable to re-infection.

multiple Anti Virus programs
AVG 2012
Avast Anti Virus

  • Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer.
  • Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
  • Please remove one of them.
    • Click on start
    • Then Run
    • In the open text entry box please copy/paste appwiz.cpl Then click enter.
    • Press the "Remove" or "Change/Remove"...button to uninstall one of the programs listed above.
    • Also please Uninstall Adobe Flash Player

You can get the latest version of Flash here http://get.adobe.com/flashplayer/

Please let me know you have completed these steps so this topic can be closed. Safe Surfing!

diver79.
User avatar
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 9th, 2012, 3:15 pm

Hello Diver79,

AVG has been completely uninstalled. A link checker was still hanging around. I have also installed the current version of Adobe Flash.

Thanks again for all your help. You are miracle workers. I looked at applying for the MW University, but didn't know if I had the time. We appreciate your dedication.

Thanks,
Jeff
jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am

Re: Trojan Horse Back Door Generic

Unread postby deltalima » January 9th, 2012, 7:06 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
deltalima
Admin/Teacher
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware