Backdoor.Trojan

Hi,

I have downloaded a virus somehow in the past few days. It is screwing up my PC. It won't let me change ANY system settings; I can't rename CD-drive letters and can't install SP1 (Vista). Norton Internet Security 09 keeps detecting it as a Backdoor Trojan and saying it is blocking it, but it is affecting my PC. This is a serious problem, as I have been cut off from my network, thus I have no internet on my PC... There appears to be no cure; I had a look on the internet and it is telling me it is also known as Trojan Win32 Midgare.A, but there seems to be no way to get this removed.

Anyone got any ideas to help me, please! I have run Norton full scans numerous times, but it can't pick it up, because this virus doesn't formally 'exist' on my PC until it attacks, when Norton pops up saying it is blocking it, but it is still having an effect on my PC.

After my exams this week I will have to resort to reinstalling Vista, but if I can avoid it, it would be much appreciated.

Thanks

KingColtzan:

On the PC where Malwarebytes will not run, the recommendation is to change the name of the .exe file in the download package to something else, like king.exe. That should allow it to install. Once it has installed, go into the file and change the name of the .exe file to the same name. That should allow it to run.

You can also try an online scan; they are free and cause less trouble. But for some reason you cannot do this, so then run a rescue disk with the latest definitions. Norton has definitions for this threat, and Norton is able to completely remove the traces that are left after file removal. Norton deletes right from the registry to everywhere the infection was spread, so don't think Norton is incapable; just update it or just run the rescue disk, that is your Norton installer disc.

kingcoltzan -

First, try and clean some of the HijackThis findings to see if you can get back on the net.

Check-mark the following and then click FIX CHECKED.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKUS\S-1-5-19\..\RunOnce: []  (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: []  (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: []  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B7F3C40-9DF1-49A7-A91A-2353DBA2B870}: NameServer = 192.168.2.1,217.169.20.20,217.169.20.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB372F98-0316-431F-A21A-2BCB32AECA0B}: NameServer = 217.169.20.20,217.169.20.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CS13\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)

After this, reset your Winsock network stack by doing the following:

  1. Type cmd in the Start Search box, right-click cmd.exe, click Run as administrator, and then press Continue.
  2. Type netsh winsock reset at the command prompt, and then press ENTER.

Let us see if you can get to the network after all of this, so reboot your machine and report the progress here. Thank you.
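Added example, not part of delphinium's post or of any tool used in this thread: a small Python script that pulls the NameServer values out of HijackThis O17 lines and flags resolvers that are neither private addresses nor on a list of resolvers you trust. The O17 lines above show the per-interface GUID keys holding the router (192.168.2.1) and the ISP's resolvers, while the global Tcpip\Parameters key and two saved control sets (CS1, CS13) point at 85.255.112.21 and 85.255.112.89, the same values the Malwarebytes log later in the thread quarantines as Trojan.DNSChanger. The sample lines below are modelled on that log; the trusted range 217.169.20.0/24 is an assumption standing in for the ISP's resolvers. The script also reports which control sets carry the suspect value, because a value left in a saved ControlSetNNN survives until that set is overwritten and would be restored by booting with Last Known Good Configuration.

```python
import ipaddress
import re

# Constructed sample input: HijackThis O17 lines modelled on the ones posted
# in this thread (CCS = CurrentControlSet, CSn = ControlSet00n).
SAMPLE_O17_LINES = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B7F3C40-9DF1-49A7-A91A-2353DBA2B870}: NameServer = 192.168.2.1,217.169.20.20,217.169.20.21
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB372F98-0316-431F-A21A-2BCB32AECA0B}: NameServer = 217.169.20.20,217.169.20.21
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CS13\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
"""

# Assumption for the example: the ISP's legitimate resolvers. On a real
# machine take these from the router / DHCP lease, not from the infected box.
TRUSTED_RESOLVERS = ["217.169.20.0/24"]

O17_RE = re.compile(r'^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)$')


def parse_o17(text):
    """Return [(registry_key, [dns_ip, ...]), ...] for every O17 line."""
    entries = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("servers").split(",")))
    return entries


def flag_nameservers(entries, trusted):
    """Map registry_key -> resolvers that are neither RFC1918/loopback nor
    inside a trusted network. Malformed addresses are reported as-is."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    suspect = {}
    for key, servers in entries:
        bad = []
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                bad.append(s)       # garbage in NameServer is itself suspicious
                continue
            if ip.is_private or ip.is_loopback:
                continue
            if any(ip in net for net in trusted_nets):
                continue
            bad.append(s)
        if bad:
            suspect[key] = bad
    return suspect


def hijacked_control_sets(suspect):
    """Control sets whose global Tcpip\\Parameters key carries a suspect
    resolver. A DHCP client usually leaves that global value empty, so a
    populated one that is not yours is the hijack; every saved set listed
    here needs cleaning, not only CCS."""
    sets = set()
    for key in suspect:
        m = re.match(r'^HKLM\\System\\(CCS|CS\d+)\\Services\\Tcpip\\Parameters$', key)
        if m:
            sets.add(m.group(1))
    return sorted(sets)


if __name__ == "__main__":
    found = flag_nameservers(parse_o17(SAMPLE_O17_LINES), TRUSTED_RESOLVERS)
    for key, ips in found.items():
        print(f"SUSPECT {key}: {', '.join(ips)}")
    print("control sets to clean:", hijacked_control_sets(found))
```

Feed it the O17 section of a real HijackThis log instead of the sample. Note that netsh winsock reset only rebuilds the Winsock catalog; it does not touch these NameServer values, so they have to be fixed separately (which is what the FIX CHECKED step above does).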

Sorry, general misunderstanding: I have not been cut off from the internet by the virus, but by my system admin, so that the virus does not spread over our network :)

You will need to fix those entries anyway, and reset Winsock.

Ran the malware scan; it picked up 7 Trojans and removed them. Restarted, but it is still slow and Norton still picks them up.

Went to do the HijackThis stuff; some entries which were on delphinium's list were gone. I think they must have been removed by the malware scanner.

I am restarting now and will post the results of the HijackThis entries.

EDIT: HijackThis says it cannot fix O10 Winsock LSP entries???? It says to use Spybot, which I am doing now.

Can you give us the names of the Trojans that were found?

Sorry, but I stupidly didn't write them down.

But they were about 4 Trojan Downloaders and 3 Trojan.DHS or something?

And I can't run the Spybot program because I have downloaded the exe file on one computer, but in order to install it needs to download more from the internet, which I can't do on my infected PC. Any solutions?

The virus is definitely still there.

Thanks

Hi

1. Was it Malwarebytes that detected and removed the Trojans and Downloaders? If so, you can open Malwarebytes and click the "Logs" tab to go and see the scan results.

NOTE

The entry "O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll" belongs to Windows Vista's Parental Controls!

Quads

Message Edited by Quads on 06-02-2009 08:22 AM

Will post the log in one min, but parental controls?! There aren't any!

EDIT: The log says...

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 6.0.6000

01/06/2009 20:04:13
mbam-log-2009-06-01 (20-04-13).txt

Scan type: Full Scan (C:\|R:\|)
Objects scanned: 350727
Time elapsed: 1 hour(s), 38 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.21,85.255.112.89 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\RECYCLER\S-5-3-83-100009997-100019656-100000801-4262.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
r:\RECYCLER\S-5-3-83-100009997-100019656-100000801-4262.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\System32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

Thanks

Message Edited by kingcoltzan on 06-01-2009 01:50 PM

Don't worry about cleaning the LSP until the viruses are gone. When they are, just run the netsh routine from the other post to clean the Winsock stack.

Message Edited by dbrisendine on 06-01-2009 04:32 PM

Vista does have an LSP for Parental Controls; I have had this appear before.

http://www.microsoft.com/protect/products/family/vista.mspx

Once turned on, the LSP appears; even if turned off, the LSP doesn't disappear.

Why remove a Windows LSP? It's not malware.

Quads

Message Edited by Quads on 06-02-2009 08:47 AM

Have edited the above post; it contains the log, please analyse it for me :) I reset the Winsock thing.

Thanks

The ROOTKIT AGAIN

entries

C:\autorun.inf (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\RECYCLER\S-5-3-83-100009997-100019656-100000801-4262.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
r:\RECYCLER\S-5-3-83-100009997-100019656-100000801-4262.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Windows\System32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

Like Mochi, Matyellott and a few others,

Do the "Rootrepeal" instructions: http://community.norton.com/norton/board/message?board.id=Norton_360&message.id=13889#M13889

I have to go out, but hopefully the logs for it will be posted on my return so I can script the hopeful .sys file etc.

By the way, what is your R:\ drive (flash drive)?

Quads

Sorry, but no log yet; when I try opening it, all I get is Couldn't load driver (0xc0000035)!

Any ideas?

Thanks

Hi

Try http://www.gmer.net/

"Download.exe": the .exe will be just an alpha name, instead of like "gmer.exe", as some rootkits now block that name.

Run GMER, then you may see a little list appear. Now click "Scan"; once finished, click "Copy". The report gets copied to the clipboard, which means that you can just paste the log here.

Quads

http://cid-dbbcf93cdb0d3c6e.skydrive.live.com/self.aspx/.Public/Gmer%20Log.txt

Attached are the GMER results.

The file gxcm blah blah cubsbooys is the virus Norton is picking up :)

Thanks

Hi

Read carefully.

Uninstall Spybot S&D if you have it installed.

Now go to this post http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=53509#M53509 and download Avenger and follow that post, except for step 3. Your file has been added to the script below; you are to use this one instead.

So for number 3:

3. In the "Input script here:" box, copy and paste the script between the lines

Drivers to disable:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys
gxvxcserv

Drivers to delete:
UACd.sys
gxvxcserv.sys
gaopdxserv.sys
gxvxcserv

Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\WINDOWS\system32\gbnlwyeh.dll
C:\WINDOWS\system32\cpuesjq.dll
c:\WINDOWS\system32\mbjsgsl.dll
C:\WINDOWS\system32\wJQs.exe
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\uacvymnbtboeayohhs.dll
C:\WINDOWS\system32\uacqciqunodfnlghrv.dll
C:\WINDOWS\system32\drivers\gxvxcserv.sys
C:\WINDOWS\system32\gxvxccounter
C:\WINDOWS\System32\drivers\gaopdxserv.sys
C:\WINDOWS\system32\gaopdxl.dll
C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys
C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll
C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys
C:\Windows\system32\drivers\gxvxcxiearhjspghonrxymbbiyubogpqitydm.sys
C:\WINDOWS\system32\gxvxcbinpbppwhtjxomtyumcthxvnfelpofrx.dll
C:\WINDOWS\system32\gxvxctsossroyfpamddlctxslrvqwpvkiweqq.dll
C:\WINDOWS\System32\drivers\gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys

Folders to delete:
C:\resycled
D:\resycled
E:\resycled
F:\resycled
G:\resycled
H:\resycled

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC
HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys

and keep on following the other post from the screenshot and below.

Quads

Message Edited by Quads on 06-06-2009 09:11 AM

Hi, thanks for the help; it appears to have removed it. Norton didn't "Block" it when I loaded up, and also I was able to change the CD drive letters. However, please analyse the results, as I think there are still some problems. Thanks

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gxvxcserv.sys" found!
ImagePath:  \systemroot\system32\drivers\gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys
Start Type:  4 (Disabled)

Rootkit scan completed.


Error:  could not open driver "UACd.sys"
Disablement of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Driver "gxvxcserv.sys" disabled successfully.

Error:  could not open driver "gaopdxserv.sys"
Disablement of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "gxvxcserv"
Disablement of driver "gxvxcserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Driver "gxvxcserv.sys" deleted successfully.

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv.sys" not found!
Deletion of driver "gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv" not found!
Deletion of driver "gxvxcserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\Autorun.inf" not found!
Deletion of file "C:\Autorun.inf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "D:\Autorun.inf" deleted successfully.

Error:  file "C:\WINDOWS\system32\gbnlwyeh.dll" not found!
Deletion of file "C:\WINDOWS\system32\gbnlwyeh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\cpuesjq.dll" not found!
Deletion of file "C:\WINDOWS\system32\cpuesjq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\WINDOWS\system32\mbjsgsl.dll" not found!
Deletion of file "c:\WINDOWS\system32\mbjsgsl.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\wJQs.exe" not found!
Deletion of file "C:\WINDOWS\system32\wJQs.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacinit.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacinit.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacvymnbtboeayohhs.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacvymnbtboeayohhs.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\uacqciqunodfnlghrv.dll" not found!
Deletion of file "C:\WINDOWS\system32\uacqciqunodfnlghrv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcserv.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\gxvxccounter" deleted successfully.

Error:  file "C:\WINDOWS\System32\drivers\gaopdxserv.sys" not found!
Deletion of file "C:\WINDOWS\System32\drivers\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gaopdxl.dll" not found!
Deletion of file "C:\WINDOWS\system32\gaopdxl.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcaithwuhtprrwopxgilalbaobwucrdslx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll" not found!
Deletion of file "C:\WINDOWS\system32\gxvxcxkfpxfxurntewmrfttjyqtsmsenqwgiw.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gxvxcvxmuiisiusdatjuqfpdtmxbuqcecgbdn.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\Windows\system32\drivers\gxvxcxiearhjspghonrxymbbiyubogpqitydm.sys" not found!
Deletion of file "C:\Windows\system32\drivers\gxvxcxiearhjspghonrxymbbiyubogpqitydm.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gxvxcbinpbppwhtjxomtyumcthxvnfelpofrx.dll" not found!
Deletion of file "C:\WINDOWS\system32\gxvxcbinpbppwhtjxomtyumcthxvnfelpofrx.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\gxvxctsossroyfpamddlctxslrvqwpvkiweqq.dll" not found!
Deletion of file "C:\WINDOWS\system32\gxvxctsossroyfpamddlctxslrvqwpvkiweqq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\System32\drivers\gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys" deleted successfully.

Error:  folder "C:\resycled" not found!
Deletion of folder "C:\resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  folder "D:\resycled" not found!
Deletion of folder "D:\resycled" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open folder "E:\resycled"
Deletion of folder "E:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  could not open folder "F:\resycled"
Deletion of folder "F:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  could not open folder "G:\resycled"
Deletion of folder "G:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  could not open folder "H:\resycled"
Deletion of folder "H:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gxvxcserv.sys" deleted successfully.

Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\UAC" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\UAC" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gaopdx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
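Added example, not part of Quads' post or of Avenger itself: a Python triage of the Avenger log format above. Quads' script is a blanket one that also covers the UACd and gaopdx variants, so a long run of STATUS_OBJECT_NAME_NOT_FOUND is expected and tells you nothing. The two things worth reading out of the log are whether the file behind the hidden driver's ImagePath (the random-named .sys the rootkit scan found) was actually deleted, and whether any failure had a status other than "not found" (an access-denied or sharing-violation would mean the driver was still holding the file). The sample log is a constructed excerpt of the one posted; the parsing is written against that format only.

```python
import ntpath
import re

# Constructed sample: an excerpt of the Avenger log format posted in this thread.
SAMPLE_AVENGER_LOG = r"""
Rootkit scan active.

Hidden driver "gxvxcserv.sys" found!
ImagePath:  \systemroot\system32\drivers\gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys
Start Type:  4 (Disabled)

Rootkit scan completed.

Driver "gxvxcserv.sys" disabled successfully.

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\UACd.sys" not found!
Deletion of driver "UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Driver "gxvxcserv.sys" deleted successfully.

File "C:\WINDOWS\system32\gxvxccounter" deleted successfully.

Error:  could not open folder "E:\resycled"
Deletion of folder "E:\resycled" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
  --> bad path / the parent directory does not exist

File "C:\WINDOWS\System32\drivers\gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys" deleted successfully.

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc" deleted successfully.
"""

HIDDEN_RE = re.compile(r'^Hidden driver "(.+)" found!$')
IMAGE_RE = re.compile(r'^ImagePath:\s+(.+)$')
OK_RE = re.compile(r'^(Driver|File|Folder|Registry key) "(.+)" (disabled|deleted) successfully\.$')
FAIL_RE = re.compile(r'^(Disablement|Deletion) of (driver|file|folder|registry key) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]+) \((\w+)\)$')

# Statuses that only mean "nothing was there"; any other failure needs a look.
NOTHING_THERE = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}


def parse_avenger_log(text):
    """Return {"hidden_drivers": [(service, image_path)],
               "succeeded": [(kind, target, action)],
               "failed":    [(kind, target, status_name)]}"""
    result = {"hidden_drivers": [], "succeeded": [], "failed": []}
    pending_hidden = None   # service name waiting for its ImagePath line
    pending_fail = None     # (kind, target) waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            pending_hidden = m.group(1)
        elif (m := IMAGE_RE.match(line)) and pending_hidden:
            result["hidden_drivers"].append((pending_hidden, m.group(1)))
            pending_hidden = None
        elif m := OK_RE.match(line):
            result["succeeded"].append((m.group(1).lower(), m.group(2), m.group(3)))
        elif m := FAIL_RE.match(line):
            pending_fail = (m.group(2), m.group(3))
        elif (m := STATUS_RE.match(line)) and pending_fail:
            result["failed"].append((*pending_fail, m.group(2)))
            pending_fail = None
    return result


def triage(parsed):
    """What still needs attention: hidden-driver files that were not deleted,
    and failures whose status is something other than not-found."""
    deleted_files = {ntpath.basename(t).lower()
                     for kind, t, action in parsed["succeeded"]
                     if kind == "file" and action == "deleted"}
    driver_files_still_present = [
        (svc, path) for svc, path in parsed["hidden_drivers"]
        if ntpath.basename(path).lower() not in deleted_files
    ]
    hard_failures = [f for f in parsed["failed"] if f[2] not in NOTHING_THERE]
    return {"driver_files_still_present": driver_files_still_present,
            "hard_failures": hard_failures}


if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_AVENGER_LOG)
    print(f"{len(parsed['succeeded'])} removed, {len(parsed['failed'])} not found/failed")
    for svc, path in parsed["hidden_drivers"]:
        print(f"hidden service {svc} -> {path}")
    print(triage(parsed))
```

Against the full log above the result is the reassuring one: the hidden gxvxcserv.sys service pointed at gxvxcwcorbswuncunpcjblpdonpfagxrpuqdp.sys, that file and the gxvxccounter marker were deleted, the ControlSet002 service key and HKLM\SOFTWARE\gxvxc went with them, and every failure is a not-found. If driver_files_still_present comes back non-empty, the rootkit's driver is still on disk under the random name and the next GMER scan is the place to look.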