
Virus and Backdoor Problem

Discussion in 'Virus & Other Malware Removal' started by moochtastic, Jul 15, 2007.

Thread Status:
Not open for further replies.
  1. moochtastic

    moochtastic Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    14
    Firstly, I have posted this in a number of places and so far haven't had advice that I could follow without losing my files, so please bear that in mind.

    I have had some strange things happening lately when I use Internet Explorer: my home page gets changed to a site that just shows advertising (I keep setting it to http://www.bbc.co.uk but it won't stay that way). On top of that my PC (not the fastest at the best of times) is slowing to a crawl when I start it up, and sometimes doesn't even turn off. I have tried to use my installed Norton Anti Virus (which is up to date) to scan my computer but it doesn't seem to work. I have also tried to use one from Trend Micro that is online (http://www.housecall.trendmicro.com) and that doesn't work either.

    A colleague told me that I may have a virus or a back door installed and said I should check what ports I have open... After some confusion I have checked at http://www.ictsc.com/portscanner.htm and it has told me that I have ports 25, 666, 1976 and 8080 open. For details see: http://www.ictsc.com/IP_Port25.htm, http://www.ictsc.com/IP_Port666.htm, http://www.ictsc.com/IP_Port1976.htm and http://www.ictsc.com/IP_Port8080.htm. I followed some of the links at the bottom of those pages but they were of no use. I'm not sure what to do with this information.

    So, I think I have a virus or a back door, and I need to know how to get rid of it. I have lots of work stuff, photographs and some music stored on my computer and no easy way of taking them off, so deleting it and starting again isn't really an option. Also I need my computer for work, I do my banking and pay bills online, so I think I need to do something about this quickly.

    Does anyone have any advice? I spoke to PC World (http://www.pcworld.co.uk) but they just seem to want me to buy a different antivirus or to send my computer in to them, and if it is infected they say they have to delete all my programs and files and do a clean install of Windows.

    Can anyone Help?
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis.
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
     
  3. moochtastic

    moochtastic Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    14
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:55:54, on 15/07/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\logon.scr
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\printer\Desktop\HiJackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    --
    End of file - 1346 bytes
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    That is not the full log

    Open the log in notepad

    EDIT - SELECT ALL
    EDIT - COPY

    Then come to this message, and in the quick reply box click in the white space and then EDIT - PASTE

    ===============
    do you have items white listed in hijack??

    You have no active AntiVirus!

    Get the free AVG AntiVirus 7.5 install it, check for updates and run a full scan

    AVG 7.5 - http://free.grisoft.com/freeweb.php/doc/2/
    ====================

    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This will take some time!!!!!!!!
     
  5. moochtastic

    moochtastic Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    14
    Erm, that is the full log, and I have Norton Antivirus installed and working, although not working, sort of. When my colleague took a look at my computer he said that the HijackThis thing was strange because it was not showing that Word was running. Word wasn't running this time so I am not sure if that helps. Sorry I know so little about computers, I can just about point at the monitor, keyboard, mouse and hard drive. This problem is starting to really tax my understanding. I should also say that a friend of mine has left me with a laptop so the problem is less urgent now, although I would be relieved if there were a solution.
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Any reason why SP2 is not installed??

    Open hijackthis

    Open Misc tools

    Ignore list - clear all entries from there

    Post a new log
     
  7. moochtastic

    moochtastic Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    14
    I'm not sure what SP2 is...?
    I opened Misc Tools and looked in the ignore list; there was nothing in there, but I pressed Delete All on the right hand side anyway.

    I have run it again...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:55:54, on 15/07/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\logon.scr
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\printer\Desktop\HiJackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    --
    End of file - 1346 bytes

    That's the logfile, copied by highlighting all the text and pasting it into an email, sending the email to me on this laptop and then copying it into this window thing.
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    SP2 is the fixes from Microsoft - is this a valid copy of XP???

    Install AVG as I said as you have no AV running

    Run SAS as I posted earlier with AVG
     
  9. moochtastic

    moochtastic Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    14
    I have Norton Anti Virus installed, but when it scans it doesn't find anything, and never actually finishes scanning (I left it for just over a week, but it gets expensive in terms of electricity to do that too often). The XP came on the computer and it has a sticker so I think it's valid. Last time I put XP on the computer I had to get someone to install Office for me again and my files had gone, so I don't really want to do that again.

    As far as installing more antivirus, whenever I have tried, the installs don't seem to work: they don't finish or my computer turns off with a funny message. I really am not sure what to do. Another nice person helping me in a different forum with this problem has suggested that there may be no problem. Is it possible that there is nothing wrong and that I am just overreacting?
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You DO NOT have an active AntiVirus - you must have an active one - INSTALL AVG!

    Run SuperAnti as I post and if it will not install give the EXACT error message not something like " a funny message"
     
  11. moochtastic

    moochtastic Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    14
    I am running Norton Anti Virus and it is on, I have the little yellow box at the bottom of my desktop on the go bar.

    I have installed SuperAntiSpyware just now with no problems, although AVG and some of the other ones still don't do the installing properly....
    I assume I did it right; I installed it and followed the instructions:

    I said yes for it to get updated to retrieve the latest updates
    then gave it my email address
    then said yes to automatic update checking
    then sent diagnostic report to research center
    then entered http://www.bbc.co.uk as my home page to be protected and said yes to protect it.
    then I clicked on Scan your computer
    I checked c:\ and D:\ on the right, and complete scan on the left
    then I clicked on next
    It finished in 16:55, detected 0 memory items, 0 registry items, 7 file items.
    The detected Items were:
    Adware Tracking Cookie [ 7 items ]
    Files
    c:\Documents and Settings\mark\Cookies\[email protected][1].txt
    c:\Documents and Settings\mark\Cookies\[email protected][2].txt
    c:\Documents and Settings\mark\Cookies\[email protected][2].txt
    c:\Documents and Settings\mark\Cookies\[email protected][1].txt
    c:\Documents and Settings\mark\Cookies\[email protected][1].txt
    c:\Documents and Settings\mark\Cookies\[email protected][2].txt
    c:\Documents and Settings\mark\Cookies\[email protected][2].txt

    Then when I clicked on next my computer turned off, and when it turned back on my homepage was set to http://www.eternityrock.hut.ru

    Does this mean that I have 7 viruses on my computer? How do I remove them? If they are tracker things, will they know my banking details?
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    No those are cookies

    You MUST follow my directions - I need the full log from SAS

    I doubt you scanned what you are supposed to

    Your hijack log is NOT showing Norton - Either do as I posted or I will drop out of this thread!
     
  13. moochtastic

    moochtastic Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    14
    Look, I'm sorry. I assume SUPERAntiSpyware is SAS, but a log didn't pop up. I just had another run at it, and I have found the button now. So here is the log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/15/2007 at 10:23 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3269
    Trace Rules Database Version: 1280

    Scan type : Complete Scan
    Total Scan Time : 00:16:57

    Memory items scanned : 279
    Memory threats detected : 0
    Registry items scanned : 3064
    Registry threats detected : 0
    File items scanned : 181682
    File threats detected : 7

    Adware.Tracking Cookie
    C:\Documents and Settings\printer\Cookies\[email protected][2].txt
    C:\Documents and Settings\printer\Cookies\[email protected][2].txt
    C:\Documents and Settings\printer\Cookies\[email protected][2].txt
    C:\Documents and Settings\printer\Cookies\[email protected][1].txt
    C:\Documents and Settings\printer\Cookies\[email protected][1].txt
    C:\Documents and Settings\printer\Cookies\[email protected][2].txt
    C:\Documents and Settings\printer\Cookies\[email protected][1].txt

    I don't know why my hijack log isn't showing Norton, and I wouldn't know how to make it do that, but Norton is running in the bar thing. It isn't up to date because the updater doesn't work anymore.
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Just install AVG, run it and then post a log

    Right click hijackthis.exe and rename it TSG.exe

    Post a log

    Is there a reason why you do not want to do as I post?????
     
  15. moochtastic

    moochtastic Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    14
    OK, renamed Hijackthis.exe to TSG.exe. Here is the log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:41:59, on 15/07/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\logon.scr
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Documents and Settings\printer\Desktop\TSG.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    --
    End of file - 1580 bytes

    I downloaded AVG, which was a program called avg75free_476a1048.exe.
    I tried to install AVG again but it fails towards the end:

    It shows an error message with no option to ignore it. The message is:

    Local machine installation failed
    Error. Action failed for file avgamsvr.exe: creating file....
    No such file or directory

    That message stayed on the monitor for maybe 3 minutes (whilst I wrote it down) and then my computer came up with another message warning that a system file had changed, and then my computer turned off again. (I didn't get a chance to take down the second message word for word.)
    When I turned my computer back on it did its disk checking thing as well but found no problems...
     
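As an added illustration (not code from the thread, from HijackThis or from any poster), here is a small Python parser for the HijackThis v2 log format posted above: it pulls out the header, the running processes and the O4 autorun entries, and reports which of a given set of security products leave no trace in the log, which is the check the helper made by eye when noting that Norton does not appear. The sample log is constructed from the thread's own entries, and the executable names in AV_MARKERS are assumptions except avgamsvr.exe, which is the file named in the AVG install error.

```python
import re

# Constructed sample in the HijackThis v2.0.2 log format posted in this thread
# (cut down to what the demo needs; paths and entries follow the thread's log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\printer\Desktop\TSG.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")  # "O4 - HKLM\..\Run: [Name] C:\path\prog.exe"

def parse_hjt_log(text):
    """Split a HijackThis log into header fields, running processes and O-entries."""
    report = {"header": {}, "processes": [], "entries": []}
    section = "header"
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "--":
            continue
        if line == "Running processes:":
            section = "processes"
        elif (m := ENTRY_RE.match(line)):
            section = "entries"
            report["entries"].append({"code": m.group(1), "body": m.group(2)})
        elif section == "processes":
            report["processes"].append(line)
        elif section == "header" and ": " in line:
            key, _, val = line.partition(": ")
            report["header"][key] = val
    return report

def autorun_paths(report):
    """Executables registered under O4 Run keys, the usual persistence location."""
    return [e["body"].partition("] ")[2].strip().strip('"')
            for e in report["entries"] if e["code"] == "O4"]

def missing_security_products(report, markers):
    """Products (name -> executable names) with neither a process nor an O4 autorun."""
    exes = {p.rsplit("\\", 1)[-1].lower()
            for p in report["processes"] + autorun_paths(report)}
    return [name for name, wanted in markers.items() if not exes & set(wanted)]

# Assumed executable names, for illustration only: avgamsvr.exe is the file named
# in the AVG install error in this thread; the Norton names are assumptions.
AV_MARKERS = {"SUPERAntiSpyware": ["superantispyware.exe"],
              "AVG 7.5": ["avgamsvr.exe"],
              "Norton AntiVirus": ["ccapp.exe", "navapsvc.exe"]}
```

Run against the sample, missing_security_products reports AVG and Norton as absent and SUPERAntiSpyware as present, matching what the helper read off the posted logs.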
Short URL to this thread: https://techguy.org/596160