Solved: strange noise from computer was Unknown Backdoor Trojan


Holly3278
Senior Member with 946 posts.
Join Date: Jan 2003
Location: USA
Experience: Intermediate
04-Nov-2004, 06:58 AM #1
Solved: Strange Clicking Noise coming from PC
Hi everyone. I seem to have gotten an "Unknown Backdoor Trojan" on my computer detected by an online Pest Patrol scan at http://www.pestpatrol.com/. None of my spyware scanners have detected this but the online scan did. It says that it goes by these aliases:

Backdoor.Lixy.h [Kaspersky]
Trojan.BAT.DeltreeY.bs [Kaspersky]
Trojan.Win32.Fynben.b [Kaspersky]
Trojan.Win32.TalkStocks.a [Kaspersky]

I had detected this trojan on my computer yesterday after doing a scan and then had to format my computer and reinstall everything to get rid of it. I updated everything and installed two firewalls plus Windows firewall and two anti-viruses (Norton and AVG) and I still have the trojan! Last night I scanned with Pest Patrol after the format and it wasn't there. Then my computer started acting up this morning and I scanned again and the trojan was back. I have no idea how I am getting this trojan! I use Webroot Spysweeper, Spybot Search and Destroy, Adaware (Spybot and Adaware are not yet downloaded and installed again), and Spyware Blaster. How on earth am I getting this thing?! What can I do to prevent it from coming back? I have 1 year of computer networking training and as far as I know I am not doing anything risky that would make me get this. Please help!

Here's a link to the page that Pest Patrol gave me about all this:

http://pestpatrol.com/pestinfo/U/Unk...0and%20Removal
__________________
Holly
Op Sys: Windows XP Professional SP3
RAM: 512 mb
HD Total Space: 80 gigs
Processor: Intel Pentium 4 2.53 ghz
Video Card: NVidia Geforce FX 5500 256 mb DDR RAM

Last edited by Holly3278 : 04-Nov-2004 09:43 AM.
dvk01
Moderator with 24,777 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
04-Nov-2004, 07:09 AM #2
It is some sort of spyware application that has piggybacked on a supposedly good one, and you have obviously re-installed it along with something else.

Go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
Make sure it is placed into its own folder, not a temporary folder. Then double-click the Hijackthis.exe.
Click the "Scan" button; when the scan is finished, the scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
__________________
Derek
Microsoft MVP/Windows - Security
For help with spyware or hijackers thespykiller

please help me by donating to help keep the Hedgehog Rescue Centre running
We Care about Animals and the Environment
dvk01
04-Nov-2004, 07:13 AM #3
But Pest Patrol is known for false positives and the online scanner is NOT the most reliable of scanners.
Holly3278
04-Nov-2004, 07:17 AM #4
Quote:
Originally Posted by dvk01
But Pest Patrol is known for false positives and the online scanner is NOT the most reliable of scanners.

I kind of thought that. But this still worries me. Is there any way to confirm whether or not I have a trojan?
dvk01
04-Nov-2004, 07:17 AM #5
I just did the PP online scan to check my "CLEAN" system.

It finds an unknown BHO that should be removed according to it.

The unknown BHO is M$ money viewer, which I use daily.

Never do a format & install or delete anything on the advice of one online scanner; always ask for advice first.

I am 99% sure that it is one of the usual PP false positives.
dvk01
04-Nov-2004, 07:19 AM #6
Quote:
Originally Posted by Holly3278
I kind of thought that. But this still worries me. Is there any way to confirm whether or not I have a trojan?

Post your hijackthis log and we'll check.

All the aliases you quoted are totally different beasts, and there is no way that ONE suspect is known by all those names, especially from one antivirus company, Kaspersky.
Holly3278
04-Nov-2004, 07:20 AM #7
Logfile of HijackThis v1.98.2
Scan saved at 7:19:56 AM, on 11/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Juno6\qs\exec.exe
C:\Program Files\Juno6\qs\exec.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/z4/resetpassword_redirect.html
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Trillian.lnk = ?
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3913E765-0708-488D-A140-D18EA27A0EAC}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{3913E765-0708-488D-A140-D18EA27A0EAC}: NameServer = 64.136.20.121 64.136.28.121
Holly3278
04-Nov-2004, 07:31 AM #8
Quote:
Originally Posted by dvk01
I just did the PP online scan to check my "CLEAN" system.

It finds an unknown BHO that should be removed according to it.

The unknown BHO is M$ money viewer, which I use daily.

Never do a format & install or delete anything on the advice of one online scanner; always ask for advice first.

I am 99% sure that it is one of the usual PP false positives.

Oh well the format and reinstall was no big deal for me. I do one approximately every 3 months. Besides, my computer had a couple of issues that I wanted to fix and simply felt like formatting it instead of spending many more hours fixing. Basically it was some kind of problem with SP2 or Internet Explorer. I don't have much stuff to have to back up so it was no big deal. In fact, I didn't back up anything because it had only been about 2 weeks since my last format which was because of something else that skips my mind at this point.
dvk01
04-Nov-2004, 07:32 AM #9
I can see absolutely nothing wrong there

I would assume that PP is giving a FP on the juno search entries which is quite a common occurrence with several so called malware removal programs
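
One way to check the reading given in the post above, as an added example (not part of the thread and not HijackThis's own logic): group the log's entries by the software they point at, so it is visible that the browser search settings all belong to Juno, and list anything unattributed for manual review. The KNOWN keyword table and the last sample line are assumptions constructed for illustration; the other sample lines are copied from the log in post #7.

```python
import re
from collections import defaultdict

# Usual meaning of the HijackThis section codes used in the sample below.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "R3": "URLSearchHook", "O2": "Browser Helper Object",
            "O4": "autostart entry", "O16": "ActiveX download"}

# Assumption: substrings a reviewer accepts as identifying installed software.
KNOWN = {"juno": "Juno", "jusearch": "Juno", "symantec": "Symantec",
         "norton": "Symantec", "pestscan": "pestscan.com scanner"}

ENTRY = re.compile(r"^([RO]\d+) - (.+)$")
# Copied from the log in post #7, except the last line, which is constructed.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O4 - HKLM\..\Run: [example] C:\constructed\example.exe
"""

def triage(log_text, known=KNOWN):
    """Return ({owner: [(code, meaning), ...]}, [unattributed lines])."""
    owners, unattributed = defaultdict(list), []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # log header, process list or blank line
        code, detail = m.groups()
        # Match on the value side only, so registry key names do not count.
        value = detail.split(" = ", 1)[-1].lower()
        owner = next((v for k, v in known.items() if k in value), None)
        if owner:
            owners[owner].append((code, SECTIONS.get(code, "other")))
        else:
            unattributed.append(line.strip())
    return dict(owners), unattributed

def search_setting_owners(log_text):
    """Products that own the R-section (IE search/start page) entries."""
    owners, _ = triage(log_text)
    return {o for o, items in owners.items() if any(c[0] == "R" for c, _ in items)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An entry landing in the unattributed list is not a verdict; it only marks a line that still needs a person to look at it.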
Holly3278
04-Nov-2004, 07:37 AM #10
Quote:
Originally Posted by dvk01
I can see absolutely nothing wrong there

I would assume that PP is giving a FP on the juno search entries which is quite a common occurrence with several so called malware removal programs

Hmm, glad to hear that. Is there anything else I should do? Also, a trojan wouldn't cause my computer's system speaker or something to click when I type would it? My computer makes this clicking noise when I type and sometimes when I'm just at the computer. I think what's happening is the desk is moving a little or something and something is rattling. I am wondering if it might be my case fan cause it's pretty dirty. I took an air can to it a few weeks ago but it didn't help much. Thing is, the clicking just started this past weekend. Either that or I just started noticing it then. I hope this isn't a dumb question.
dvk01
04-Nov-2004, 07:40 AM #11
Have you got a microphone or headset laying on the desk that might be switched on?
Holly3278
04-Nov-2004, 07:49 AM #12
Quote:
Originally Posted by dvk01
Have you got a microphone or headset laying on the desk that might be switched on?

No, the only microphone I have is built into my webcam. However, I know that I only started noticing the problem after I installed new speakers for my computer. One of the old ones went dead.
dvk01
04-Nov-2004, 07:59 AM #13
Quote:
Originally Posted by Holly3278
No, the only microphone I have is built into my webcam. However, I know that I only started noticing the problem after I installed new speakers for my computer. One of the old ones went dead.

Is that turned on?

Possibly the new speakers are more sensitive than the old ones and picking up the webcam input at a lower volume.
Holly3278
04-Nov-2004, 08:12 AM #14
Quote:
Originally Posted by dvk01
Is that turned on?

Possibly the new speakers are more sensitive than the old ones and picking up the webcam input at a lower volume.

Hmmm, as far as I know it's not turned on. It's plugged into the USB port though. Let's see here. I unplugged the cam and it's still making that noise so I don't think it's the mic in the cam.
dvk01
04-Nov-2004, 08:20 AM #15
Pass

I'll move this to hardware now where someone else might have a better idea.