backdoor worm
Posted by: Liviu
Hi guys,
Well, I got a backdoor worm (Afcore.ae). I removed it, but my PC still has problems after this operation. This worm has its own uninstaller but, as I didn't know that, I removed it with some workarounds. If you have any idea, please give me a helping hand. I have a Pentium 4 with Windows XP Pro.
First behavior of the worm:
- It doesn't allow proper installation of some programs.
- At the first PC startup after infection, chkdsk checks all the disks. After this operation it's impossible to log on: necessary files not found.
I did manage to log on in safe mode and then I restored Windows from the previous day's Restore Point. By doing this, at the next startup, chkdsk still starts, but now it's possible to log on in normal mode as well.
At logon, F-PROT antivirus detects the worm and removes it. Actually, this worm is regenerated by DLL code at each startup. So removing the virus does not solve the problem.
To avoid the worm being backed up each time the system shuts down, I temporarily turned off the Windows System Restore option. By doing this, at the next startup, F-PROT was able to identify the DLL code and remove it. This was actually a mistake because it is not a proper uninstall of the worm.
So now I have no more worm, but the damage left by the worm is still there, especially in the registry. The problem I still have now is that chkdsk starts at each startup. Trying to fix this, I deleted the worm's startup entry in the registry by hand, in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
This, I suppose, was the second error I made. In any case chkdsk still runs at each startup.
The chkdsk running at startup is not a big problem.
It is more an annoying problem. However, this points out to me that there is still some damage in my system, especially in the registry, and I don't know how this will affect the installation of new software. I told you, when it was active, the worm already didn't allow me to install some programs: PCBooster and Security Booster.
At this point I have no idea how to solve this problem. I am afraid to use software to repair the registry; such an operation may make things worse if it is not properly handled. As my case is somewhat special, I don't know if software can handle it properly. Moreover, the worm may have left damage somewhere else, not only in the registry. I hope to get some more knowledge before taking any action.
I really need you guys. Any word from you is gratefully appreciated.
Thank you very much,
Liviu
Posted by: redwench
Run a good registry cleaner. Do NOT allow it to repair things automatically. Go through its suggestions before continuing.
Posted by: Liviu
Hi guys,
I just ran HijackThis and here is the log. Could someone tell me if something is wrong, please?
The only thing that remains from the worm now is a file without an extension, which has the worm's name, in the folder:
C:\Documents and Settings\Liviu\Local Settings\Temp
From what I understood, this is a communication program of the worm, using port 80. I don't know if I have to simply remove it.
However, from this log, it doesn't seem to be running.
Liviu
-----------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 5:34:34 PM, on 4/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\PROGRA~1\Accelrys\MATERI~1\Gateway\apache\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ZipToA.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\Accelrys\MATERI~1\Gateway\apache\Apache.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\inKline Global\PC Booster\pcbooster.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\WINDOWS\Explorer.EXE
D:\Progs\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:80
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.sharempeg.com/find/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.sharempeg.com/find/
R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINDOWS\jeired.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: UCmore - The Search Accelerator Toolbar - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\System32\mstask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: UCmore XP - The Search Accelerator.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Options de démarrage Iomega.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {271A3CF5-5A54-447B-A08F-BE805F0DA60B} - https://www.reuschel.com/hbci/de/plugin/AXFOAM.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/we...g/ie/SecMgr.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01a1c30545aade...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7871.0921643519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
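Reading a log like the one above by hand is error-prone, so here is an added example (not part of the thread, and not HijackThis's own logic) that parses the R*/O* entry lines and applies a few reviewer heuristics: a browser proxy pointing at the local machine, IE search URLs redirected off Microsoft's defaults, HOSTS lines that send a name to a remote address rather than blocking it, registrations with no module on disk, DLLs sitting directly in the Windows root, bare file names in Run keys, and a single CLSID registered as both a URLSearchHook and a BHO. The sample log is a constructed subset of the one posted; the heuristics are my own and only rank what to look at first, they are not a verdict on any entry.

```python
"""Offline triage of a HijackThis log.

Parses the R*/O* entry lines and flags the ones a reviewer would open
first.  The heuristics are the editor's own, not HijackThis rules.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted above, in HijackThis v1.97 format.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://www.sharempeg.com/find/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:80
R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\\WINDOWS\\jeired.dll
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O1 - Hosts: 198.65.164.168 searchv.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\\WINDOWS\\jeired.dll
O4 - HKLM\\..\\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\\..\\Run: [NeroCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - Startup: PowerReg Scheduler V3.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# HOSTS entries that point here block a name; anything else redirects it.
BLOCKING_IPS = {"127.0.0.1", "0.0.0.0"}
DEFAULT_IE_HOSTS = ("microsoft.com", "msn.com")


def parse(log_text):
    """Return (kind, body) for every 'Rn - ...' / 'On - ...' entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(log_text):
    """Return a list of (kind, reason, entry) findings, in log order."""
    findings = []
    by_clsid = defaultdict(list)  # CLSID -> entry kinds it is registered under
    for kind, body in parse(log_text):
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            if key.endswith("ProxyServer"):
                host = value.rsplit(":", 1)[0]
                if host in BLOCKING_IPS or host.lower() == "localhost":
                    findings.append((kind, "HTTP proxied through a listener on this machine", body))
            elif value.startswith("http"):
                host = urlparse(value).hostname or ""
                if not host.endswith(DEFAULT_IE_HOSTS):
                    findings.append((kind, "IE search/start page redirected to " + host, body))
        elif kind == "O1":
            ip, _, name = body[len("Hosts: "):].partition(" ")
            if ip not in BLOCKING_IPS:
                findings.append((kind, f"HOSTS sends {name} to remote {ip} (a redirect, not a block)", body))
        elif kind in ("R3", "O2", "O3"):
            path = body.rsplit(" - ", 1)[-1]
            clsid = CLSID_RE.search(body)
            if clsid:
                by_clsid[clsid.group(0)].append(kind)
            if path == "(no file)":
                findings.append((kind, "orphaned registration, module missing on disk", body))
            elif path.lower().startswith("c:\\windows\\") and "\\" not in path[len("c:\\windows\\"):]:
                findings.append((kind, "module sits directly in the Windows root, not System32 or Program Files", body))
        elif kind == "O4" and "..\\Run" in body:
            cmd = body.split("] ", 1)[-1]
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if "\\" not in exe:
                findings.append((kind, "bare file name, resolved through the search path at logon", body))
    # One CLSID registered as both a URLSearchHook and a BHO is one component hooking IE twice.
    for clsid, kinds in by_clsid.items():
        if len(set(kinds)) > 1:
            findings.append(("CLSID", f"{clsid} registered as {' and '.join(sorted(set(kinds)))}", clsid))
    return findings


if __name__ == "__main__":
    for kind, reason, entry in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {entry}")
```

Run against the sample, it flags the local proxy on port 80, the sharempeg search URL, both HOSTS redirects, the orphaned BHO, jeired.dll twice (once per registration) plus the CLSID correlation, and the bare `atiptaxx.exe`; NeroCheck and the Startup-folder item pass. The path heuristic is deliberately narrow (Windows root only) to keep legitimate System32 components like msdxm.ocx out of the list.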
Posted by: redwench
Good lord, your computer is full of garbage, including that anti-virus. 13 running processes belong to your AV? That's ridiculous. And it didn't even prevent your worm from installing, and removed it improperly. Get rid of it.
Lose the toolbars as well, they never bode well. You certainly don't need realsched.exe running constantly either.
Posted by: Liviu
Thank you for the reply.
I chose F-PROT because it was able to find a lot of viruses in the Temporary Internet Files folder. My previous AV, PC-Cillin, was not able to see any of them. The newest version of Norton, I know, has some problems.
On the other hand, F-PROT has no email check and no software firewall (I have a router instead).
Do you know any good AV?
BTW, in this list of processes, is there one of them that can cause me problems when I want to delete a file? Sometimes it takes an eternity to delete a file, while sometimes it takes just 0.1 sec. (the size of the file doesn't matter).
Many thanks,
Liviu
Posted by: Liviu
The solution was:
Make a new admin account and make all the other accounts limited.
This already fixed the chkdsk start at restart.
Run anti-adware in the admin account: PestPatrol and Ad-Aware. They removed a lot of dangerous stuff. In the admin account turn Windows Restore off. Restart and run the antivirus (found one trojan). Run anti-adware in each account (found something each time). Run a registry cleaner (Registry Mechanic) in automatic mode. Run another on-line antivirus: OK.
Everything looks ok now.
Liviu
Posted by: trekpsycho
Avast antivirus is a very good AV. It scans email too and it's free for personal use.