
Back door trojan

Discussion in 'Virus & Other Malware Removal' started by berkeleychick, Jul 7, 2007.

Thread Status:
Not open for further replies.
  1. berkeleychick

    berkeleychick Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    24
    Hello, this is my first post. I have a recurring backdoor trojan, according to Spy Sweeper, and my SBC Yahoo antivirus infection alert keeps popping up with these viruses: Win32/Coversmer!generic and Win32/Pokier.Al, VERY ANNOYING. Also, every time I restart my computer I get a CPU overtemperature error that gets really annoying. It all started when I kept getting popups from outer info. But Spy Sweeper seemed to stop all the popups, so far. So here is my HijackThis log. THANK YOU IN ADVANCE!!!
    AND THE BACK DOOR TROJANS ARE CALLED: Trojan-Backdoor-msdcom32, Trojan-Backdoor-Lev
    Logfile of HijackThis v1.99.1
    Scan saved at 9:14:52 AM, on 7/7/2007
    Platform: Windows XP SP1
    MSIE: Internet Explorer v6.00 SP1

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    C:\WINDOWS\System32\dljyeraa.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
    C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\KB_963491.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\47681727.exe
    C:\WINDOWS\47681727.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Documents and Settings\jamal\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {829212EC-9862-0EB3-571F-6C62579FC8C0} - TemplateDongle.dll (file missing)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\msdun.exe
    O2 - BHO: (no name) - {20AD49A2-94F3-42bD-F434-2604812C897C} - (no file)
    O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\jkkhgfc.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Winmplayer] "C:\WINDOWS\System32\KB_963491.exe"
    O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [tlz] C:\WINDOWS\47681727.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
    O16 - DPF: Yahoo! Backgammon - http://download2.games.yahoo.com/games/clients/y/at1_x.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.berkeley.edu/webcams/camera.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_games/playtime/mahjongescape/PTGameLauncher.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F717F8F2-DABA-49CB-8781-09D40ABF93B6}: NameServer = 85.255.116.18,85.255.112.185
    O20 - Winlogon Notify: jkkhgfc - jkkhgfc.dll (file missing)
    O20 - Winlogon Notify: opnolig - opnolig.dll (file missing)
    O20 - Winlogon Notify: ssttt - C:\WINDOWS\System32\ssttt.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O20 - Winlogon Notify: yayvtur - yayvtur.dll (file missing)
    O20 - Winlogon Notify: __c0028C91 - C:\WINDOWS\System32\__c0028C91.dat
    O20 - Winlogon Notify: __c00D7B0 - C:\WINDOWS\System32\__c00D7B0.dat
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
    O23 - Service: DomainService - - C:\WINDOWS\System32\dljyeraa.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.


    spysweeper.

    Before you proceed with the removal directions below you need to turn off
    SpySweeper's realtime protection as it will interfere with the changes we
    are trying to make.

    Open Spysweeper and click on Options > Program Options.
    Uncheck "load at windows startup".
    On the left click "shields" and then uncheck everything there.
    Uncheck "home page shield".
    Uncheck "automatically restore default without notification".
    Exit the program.
    Leave it disabled until we are finished here.


    Please download http://www.atribune.org/ccount/click.php?id=4 to your
    desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click
    YES
    · Once you click yes, your desktop will go blank as it starts removing
    Vundo.
    · When completed, it will prompt that it will shutdown your computer, click
    OK.
    · Turn your computer back on.


    Go here and download the latest version of Java. Once it is
    downloaded, go to Add/Remove and uninstall all previous versions of Java
    from Add/Remove, and then install the latest version you just downloaded!


    http://java.com/en/download/manual.jsp




    Download SDFix and save it to your Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the
    Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should
    appear;
    * Select the first option, to run Windows in Safe Mode, then press
    Enter.
    * Choose your usual account.

    * Open the extracted SDFix folder and double click RunThis.bat to start
    the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds
    then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the
    removal process then display Finished, press any key to end the script and
    load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and
    also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on
    the forum).
    * Finally paste the contents of the Report.txt back on the forum with a
    new HijackThis log






    Please download FixWareout from one of these sites:


    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe


    Save it to your desktop and run it. Click Next, then Install, then make sure
    "Run fixit" is checked and click Finish. The fix will begin; follow the
    prompts. You will be asked to reboot your computer; please do so. Your
    system may take longer than usual to load; this is normal.

    When your system reboots, follow the prompts. Afterwards, Hijack This will
    launch. Close Hijack This, and click OK to proceed.

    At the end of the fix, you may need to restart your computer again.

    Finally, please post the contents of the logfile C:\fixwareout\report.txt,
    along with a new Hijack This log.

    ==================================
    If you get an Autoexec nt error do the following

    XP Fix - http://www.visualtour.com/downloads/

    Scroll down to get XP Fix

    And run FixWareout again.



    Have HijackThis fix these entries. Close all browsers and programmes before
    clicking FIX.


    O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F717F8F2-DABA-49CB-8781-09D40ABF93B6}: NameServer = 85.255.116.18,85.255.112.185


    * Go to Control Panel. - If you are using Windows XP's Category View, select
    the Network and Internet Connections category. If you are in Classic View,
    go to the next step .

    * Double-click the Network Connections icon
    * Right-click the Local Area Connection icon and select Properties.
    * Highlight Internet Protocol (TCP/IP) and click the Properties button.
    * Be sure Obtain DNS server address automatically is selected.
    * OK your way out.



    * Restart your computer.


    * Go to Start > Run and type in cmd.
    Click OK.
    Type this line in the command window:

    ipconfig /flushdns

    Hit Enter.







    Post a new HijackThis log, the Mwav scan log and the AVG antispyware log!



    Post a new HijackThis log, the Vundo, the SDFix and the FixWareout logs!
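    As an added illustration (not part of this thread and not a HijackThis feature), the following Python script applies the checks khazars makes by eye to a constructed sample of log lines in the format posted above: an executable chained to the system.ini Shell= value, a hard-coded public NameServer (the O17 entry khazars has fixed and replaced with "obtain DNS automatically"), dangling or non-DLL Winlogon Notify entries, a digit-named executable directly in the Windows directory, and a service with no vendor string. The entry shapes and addresses come from the log above; the triage rules themselves are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the entries in
# the log posted above (same shapes; one benign O4 and O20 line for contrast).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\msdun.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [tlz] C:\WINDOWS\47681727.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F717F8F2-DABA-49CB-8781-09D40ABF93B6}: NameServer = 85.255.116.18,85.255.112.185
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: jkkhgfc - jkkhgfc.dll (file missing)
O20 - Winlogon Notify: __c0028C91 - C:\WINDOWS\System32\__c0028C91.dat
O23 - Service: DomainService - - C:\WINDOWS\System32\dljyeraa.exe
"""

ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<rest>.+)$")
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>.+)$")


def triage(log_text):
    """Return (kind, reason, detail) for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "F2" and "Shell=" in rest:
            # Shell= should be exactly explorer.exe; anything appended runs at every logon.
            shell = rest.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append((kind, "extra executable chained to Shell=", shell))
        elif kind == "O17":
            # A home PC gets DNS via DHCP; a hard-coded public resolver redirects every lookup.
            for server in re.findall(r"\d+\.\d+\.\d+\.\d+", rest):
                if ipaddress.ip_address(server).is_global:
                    findings.append((kind, "hard-coded public DNS server", server))
        elif kind == "O20":
            # Winlogon notify packages are DLLs; a missing file or a .dat is a bad logon hook.
            name, _, module = rest.partition(": ")[2].partition(" - ")
            if "(file missing)" in module or not module.lower().endswith(".dll"):
                findings.append((kind, "notify package missing or not a DLL", name))
        elif kind == "O4":
            # Digit-only executables directly in %WINDIR% match the dropper in this log.
            path = re.search(r'[A-Z]:\\[^"]+?\.exe', rest, re.I)
            if path and re.search(r"\\WINDOWS\\\d+\.exe$", path.group(0), re.I):
                findings.append((kind, "numeric-named executable in %WINDIR%", path.group(0)))
        elif kind == "O23":
            svc = SERVICE.match(rest)
            if svc and not svc.group("vendor").strip():
                findings.append((kind, "service with no vendor string", svc.group("name")))
    return findings
```

    Running triage(SAMPLE_LOG) yields seven findings in log order; the benign NvCplDaemon and WRNotifier lines are left alone.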
     
  3. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    IMPORTANT! Move HijackThis from the Temp, desktop or from the zip folder
    to its own folder!


    Make a new folder in C:\ and call it Hijack this, and save HijackThis to
    this folder so that it runs properly and can make backups. Click Scan,
    then save the log and post it here so we can take a look at it for you.
     
  4. berkeleychick

    berkeleychick Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    24
    Thanks for the quick response. I wanted to ask you a few questions before I start anything. First, will I need to reboot Windows in any form? Because I do not want to get stuck with Windows messed up accidentally, because I would have no way of fixing it. Also, are the programs that you suggested private, or are they 'open', as in will my information be spread? Should I have something else to worry about??
    Thank you so much!
     
  5. berkeleychick

    berkeleychick Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    24
    I am asking because I am really wary about Safe Mode and how it works...
     
  6. berkeleychick

    berkeleychick Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    24
    I have gotten up to the part of Safe Mode... When I keep pressing the F8 key after the beeping noise, this screen comes up asking me to choose 3 drives? I think they are drives; the 1st one says 1st floppy drive.... Do I choose that one?
     
  7. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    No, you should use the up and down arrow keys and choose Safe Mode; read the instructions again carefully!
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    You shouldn't be asked about drives to boot to Safe Mode; you simply choose Safe Mode from the 4 selections! If you are, then choose C:\
     
  9. berkeleychick

    berkeleychick Thread Starter

    Joined:
    Jul 7, 2007
    Messages:
    24
    This is not working and making me frustrated because there is no C:\ option.
     
Short URL to this thread: https://techguy.org/592851
