Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

backdoor.generic.m

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

backdoor.generic.m

Unread postby soldaan » January 3rd, 2006, 5:35 pm

Hey there, my virusscanner gives a torjan named: backdoor.generic.m

I give you my hijack log file.



Logfile of HijackThis v1.99.1
Scan saved at 22:29:57, on 3-1-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Media\LOCALS~1\Temp\Rar$EX00.359\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Webflits
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {4837E864-EDC0-291E-5055-E497996B9DFB} - xsetup.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xxtoolbar] newbreed.exe
O4 - HKLM\..\Run: [Preliminary] ftbar.exe
O4 - HKLM\..\Run: [dmfwr.exe] C:\WINDOWS\system32\dmfwr.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [zxc] runload32.exe
O4 - HKCU\..\Run: [Brong32] lpt.exe
O4 - HKCU\..\Run: [TorontoMail] SysEntry.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {F01B7AD7-3269-42C4-823D-7C1D4780F49D} (GLoad Class) - http://gameloader.spelpunt.nl/gloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD67BFF0-BAFF-4736-B11A-564880FC80C8}: NameServer = 85.255.113.197,85.255.112.179
O20 - Winlogon Notify: tcpQ32 - C:\WINDOWS\SYSTEM32\tcpQ32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Hopefully I hear from you.

Thanks in advance!
soldaan
Active Member
 
Posts: 3
Joined: January 3rd, 2006, 5:31 pm
Advertisement
Register to Remove

Unread postby soldaan » January 3rd, 2006, 5:36 pm

It's not my computer so I don't exactly know what programs are installed and stuff.
soldaan
Active Member
 
Posts: 3
Joined: January 3rd, 2006, 5:31 pm

Unread postby soldaan » January 3rd, 2006, 5:49 pm

It;s probably one of these files:

O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [xxtoolbar] newbreed.exe

O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"


O4 - HKLM\..\Run: [Preliminary] ftbar.exe


Sometimes I just love my Apple :D
soldaan
Active Member
 
Posts: 3
Joined: January 3rd, 2006, 5:31 pm

Unread postby jwbirdsong » January 5th, 2006, 10:40 pm

First of all, you will need to print out this post and/or save a copy as a text file in Notepad so that you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

You are running HijackThis from a temp location; please unzip a copy to it's own presonal folder.
Help with unzipping files is HERE

Also; before we begin this fix

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

Code: Select all
C:\WINDOWS\SYSTEM32\tcpQ32.dll 


Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to me at:

jwbsubmit AT aim DOT com

Please include a link to this log. Thank you

Please download FixWareout from one of the following sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it on your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish. After the fix begins just follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

After your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please run it by clicking Scan Only,
and check the following items:

  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
  • R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
  • R3 - URLSearchHook: (no name) - {4837E864-EDC0-291E-5055-E497996B9DFB} - xsetup.dll (file missing)
  • O4 - HKLM\..\Run: [xxtoolbar] newbreed.exe
  • O4 - HKLM\..\Run: [Preliminary] ftbar.exe
  • O4 - HKLM\..\Run: [dmfwr.exe] C:\WINDOWS\system32\dmfwr.exe
  • O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
  • O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
  • O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
  • O4 - HKCU\..\Run: [zxc] runload32.exe
  • O4 - HKCU\..\Run: [Brong32] lpt.exe
    O4 - HKCU\..\Run: [TorontoMail] SysEntry.exe
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{DD67BFF0-BAFF-4736-B11A-564880FC80C8}: NameServer = 85.255.113.197,85.255.112.179
  • O20 - Winlogon Notify: tcpQ32 - C:\WINDOWS\SYSTEM32\tcpQ32.dll

Click Fix Checked. Close HijackThis, and click OK to proceed.

Download and run F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Run the program, accept statement>next>click> scan>next.
If any items are detected have blacklite rename them except for "wbemtest.exe".
Do not rename "wbemtest.exe" its a windows file.
If there are any other files you THINK may be valid don't rename them. Help is available HERE

The tool will ask if you want to reboot (restart) choose yes.

Finally, please post
  • the contents of report.txt (it should open; If it does not open or you close it..find a copy in c:\fixwareout folder.)
  • a new HijackThis log
  • log from blacklight; log will be named fsbl-<date/time>.log eg. fsbl-20060101134642.log.


Note: IF you are having connection problems follow the directions below
(These instruction's are basically for home users.)
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.

In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available one some systems
User avatar
jwbirdsong
Regular Member
 
Posts: 138
Joined: October 14th, 2005, 3:44 am

Unread postby NonSuch » January 18th, 2006, 3:32 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27302
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 30 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware