Backdoor.litmus.gen virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

alex_holker

Thread Starter
Joined
Sep 28, 2003
Messages
1,908
Hello everyone, I have the above virus on my computer. It has been identified as being in c:/windows/litmus/windows.exe and I have three questions.

1. Is a firewall blocking the windows.exe file from access to the internet sufficient to stop the virus doing anything?

2. Is it possible to remove this virus without it returning?

3. Are there any other problems obvious from the HijackThis log that I am unaware of?

Logfile of HijackThis v1.97.2
Scan saved at 9:10:37 PM, on 29/09/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LITMUS\WINDOWS.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\ALEX\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {AA150A4F-7188-4AA2-99BD-21B9ECFE7EEB} - C:\WINDOWS\SYSTEM\EWNJIRQ.DLL
O2 - BHO: (no name) - {7A797FEF-B5D5-4540-9899-1A0D98D1283B} - C:\WINDOWS\SYSTEM\MOB030612.DLL
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O7 "EPUSB1:" /M "Stylus C41"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\SYSTEM\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\SYSTEM\reminder.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\windows.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Kangaroo (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {50A28604-52F2-11D6-8F0F-5254AB11D5C2} - http://80.96.118.2/sec/webcam.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {29CAC0B6-D6C2-4395-8289-BF3FBF27AD5F} - http://209.47.15.72/inst/activeinstaller.dll
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37891.1246180556

Thanks in advance, Alex
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Check and have Hijack This fix the following:

O2 - BHO: (no name) - {AA150A4F-7188-4AA2-99BD-21B9ECFE7EEB} - C:\WINDOWS\SYSTEM\EWNJIRQ.DLL
O2 - BHO: (no name) - {7A797FEF-B5D5-4540-9899-1A0D98D1283B} - C:\WINDOWS\SYSTEM\MOB030612.DLL

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\windows.exe

O16 - DPF: {50A28604-52F2-11D6-8F0F-5254AB11D5C2} - http://80.96.118.2/sec/webcam.exe
O16 - DPF: {29CAC0B6-D6C2-4395-8289-BF3FBF27AD5F} - http://209.47.15.72/inst/activeinstaller.dll


Now restart your computer, and delete the C:\WINDOWS\litmus folder.

That ought to be the end of it.
Now Run an online virus scan at Trend Micro HouseCall or Panda Active Scan

And install an antivirus. You need one!
 
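
The entries TonyKlein singled out share a few structural tells: BHOs registered with no name, a Run value that launches an executable named like an OS component from a non-standard subfolder of C:\WINDOWS, and DPF (downloaded ActiveX) entries whose source is a bare IP address serving a raw .exe or .dll instead of a .cab. The script below is an added example, not part of this thread or of HijackThis itself; it parses O2/O4/O16 lines from a copy of the log above and applies those heuristics (the allowlists and "lookalike" names are my assumptions, not a HijackThis feature). It flags the same O2 and O16 lines and the litmus O4 entry; it does not judge loadqm.exe, because nothing in that path is structurally unusual.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: a subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AA150A4F-7188-4AA2-99BD-21B9ECFE7EEB} - C:\WINDOWS\SYSTEM\EWNJIRQ.DLL
O2 - BHO: (no name) - {7A797FEF-B5D5-4540-9899-1A0D98D1283B} - C:\WINDOWS\SYSTEM\MOB030612.DLL
O3 - Toolbar: &Kangaroo - {663C7429-E454-11D3-B9AE-0000B4C32B4D} - C:\IDC\WEBKA.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\windows.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50A28604-52F2-11D6-8F0F-5254AB11D5C2} - http://80.96.118.2/sec/webcam.exe
O16 - DPF: {29CAC0B6-D6C2-4395-8289-BF3FBF27AD5F} - http://209.47.15.72/inst/activeinstaller.dll
"""

# Line shapes for the three HijackThis sections we triage (O2 BHOs, O4 Run keys, O16 DPF).
_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$', re.I)
_O4 = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$', re.I)
_O16 = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$', re.I)

# Assumed allowlist: subfolders of C:\WINDOWS that normally host autostart binaries on Win9x/ME.
KNOWN_WINDOWS_SUBDIRS = {'SYSTEM', 'SYSTEM32', 'PCHEALTH'}
# Assumed list of filenames chosen to blend in with the OS; starting one from a Run key is a tell.
LOOKALIKE_NAMES = {'WINDOWS.EXE', 'SYSTEM.EXE', 'WIN.EXE', 'SVCHOST.EXE', 'EXPLORE.EXE'}


def _exe_from_command(cmd):
    """Return the executable path from a Run-key command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted paths may contain spaces ("C:\Program Files\..."), so scan up to the first ".exe".
    m = re.match(r'(.+?\.exe)\b', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def check_o2(m):
    """A BHO with no registered name is worth a look; legitimate ones almost always have one."""
    return ['BHO registered without a name'] if m['name'].strip().lower() == '(no name)' else []


def check_o4(m):
    """Flag Run entries by executable name and by where under C:\\WINDOWS it lives."""
    exe = _exe_from_command(m['cmd'])
    parts = exe.upper().replace('/', '\\').split('\\')
    name = parts[-1]
    reasons = []
    if name in LOOKALIKE_NAMES:
        reasons.append(f'executable named like a system file: {name}')
    # C:\WINDOWS\<subdir>\... where <subdir> is not a normal OS folder (e.g. C:\WINDOWS\litmus).
    if len(parts) >= 4 and parts[0] == 'C:' and parts[1] == 'WINDOWS' and parts[2] not in KNOWN_WINDOWS_SUBDIRS:
        reasons.append(f'runs from non-standard Windows subfolder {parts[2]}')
    return reasons


def check_o16(m):
    """Flag downloaded ActiveX controls by source host, missing name and raw binary payloads."""
    reasons = []
    url = urlparse(m['url'])
    host = url.hostname or ''
    try:
        ip_address(host)
        reasons.append(f'download host is a bare IP address: {host}')
    except ValueError:
        pass  # a hostname, which is the normal case
    if not m['name']:
        reasons.append('control has no friendly name')
    if url.path.lower().endswith(('.exe', '.dll')):
        reasons.append('DPF points at a raw executable/DLL rather than a .cab package')
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every O2/O4/O16 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for rx, check in ((_O2, check_o2), (_O4, check_o4), (_O16, check_o16)):
            m = rx.match(line)
            if m:
                reasons = check(m)
                if reasons:
                    findings.append((line, reasons))
                break
    return findings


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print('    ->', r)
```

Treat the output as a worklist for a human, not a verdict: "(no name)" BHOs and bare-filename Run values are sometimes legitimate, which is why the script reports reasons rather than deleting anything.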
NiteHawk

Joined
Mar 9, 2003
Messages
4,699
Add this one to your list, it contains LOP

O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart

Then delete
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
 

alex_holker

Thread Starter
Joined
Sep 28, 2003
Messages
1,908
According to Norton Antivirus, my computer is now clean. Thank you for your assistance.

Alex
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Originally posted by NiteHawk:
Add this one to your list, it contains LOP

O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart

Then delete
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
Not necessary: You can remove the LOP components, and the program will work normally.
And according to the log, no LOP components seem to be running/installed (any more)
 