Solved

tool to clean backdoor.trojan

Posted on 2008-10-21
5
1,011 Views
Last Modified: 2009-12-16
Hi i just cannot seem to get rid of this Backdoor.Trojan, is there a tool i can download to clean this?
Thanks
0
Comment
Question by:gmollineau
5 Comments
 
LVL 23

Accepted Solution

by:
Admin3k earned 75 total points
ID: 22771623
One easy & effective  tool that can help you here is Malwarebytes Antimalware http://www.malwarebytes.org/mbam.php

download, install, update & run a full scan


if the infection persists, please download Hijack this , install , perform a scan and post the hijack this log here

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

hope this helps
0
 
LVL 3

Assisted Solution

by:plt63640
plt63640 earned 50 total points
ID: 22773222
If all else fails, and you gotta go into the registry:

1) Click on Start
2) Click on Find or Search (depending on Windows version)
3) Click on Files or Folders or All Files and Folders
4) Type in the name of the file such as I5Eexplore and search the hard drive for it
5) Delete the file
6) Now click on Start, Run, type in REGEDIT and click OK to open the Registry Editor
7) Delete the entry below in each of the following locations in the Registry (However, do this at your own risk - deleting the wrong keys and cause the computer to not boot correctly or operate correctly)

In the right pane, delete any value that refers to the file

"Config Loadatiorin"="<I5Eexplore.exe>"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

8) Exit the Registry Editor
9) Restart the computer and check the Registry again for the trojan
0
 

Author Comment

by:gmollineau
ID: 22799380
Hi i ran the malwarebytes antimalware tool but it did not pick up any thing. I am attaching the hijack log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:47 PM, on 10/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Documents and Settings\rwilson\Application Data\waultc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [DriverCD] D:\Run.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [waultc] C:\Documents and Settings\rwilson\Application Data\waultc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cansnack.com
O17 - HKLM\Software\..\Telephony: DomainName = cansnack.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cansnack.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cansnack.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4422 bytes
0
 
LVL 23

Assisted Solution

by:Admin3k
Admin3k earned 75 total points
ID: 22799554
The log shows those malicious entries that should be fixed

C:\Documents and Settings\rwilson\Application Data\waultc.exe (running process) , terminate this using task manager>processes>end process tree

navigate to C:\Documents and Settings\rwilson\Application Data\ and delete this file (waultc.exe)

now for the cleanup
check those lines for fixing using Hijack this

O4 - HKCU\..\Run: [waultc] C:\Documents and Settings\rwilson\Application Data\waultc.exe

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


reboot , if the problem persists you may need to get Combofix

 please ensure your antivirus is disabled while running Combofix and follow the instructions in the below link carefully.

Download combofix: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
tutorial on Combofix usage : http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Hope this helps.

0
 

Expert Comment

by:Minidave
ID: 24194128
You can also try using Spybot Search & Destroy. It is one of the best I've found to date and it's free.

Don't mistake this for an antivirus program, it is mainly for pesky spyware, browser hijackers and such but it does include a decent amount of known trojans that it can clean to include backdoor.trojan. The best part is that if you cannot get access to particular parts due to windows utilizing the registry portion it will give you the option to run on startup and will do a complete scan and fix prior to windows doing a full boot so that you do not have those issues.

You can download the program here:  http://www.safer-networking.org/index2.html
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Learn more about how the humble email signature can be used as more than just an electronic business card. When used correctly, a signature can easily be tailored for different purposes by different departments within an organization.
Are you unable to connect or configure Hotmail email account in Microsoft Outlook 2010, 2007? Or Outlook.com emails are not downloading to Outlook? Lets’ see the problem and resolve Outlook Connector error syncing folder hierarchy (0x8004102A).
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now