NAV '09 can't remove Backdoor.Trojan

I've searched the forums, I've run the scan in Safe Mode, I've disabled System Restore and all that and I still can't get rid of this virus. When I run a full system scan it doesn't find it.

Thanks, Monk3y

Scan Stats:
Scan Time: 164 seconds
Scan Options:
Scan Targets: C:\, D:\
Counts:
Total items scanned: 8,100
- Files & Directories: 3,598
- Registry Entries: 547
- Processes & Start-up Items: 2,442
- Network & Browser Items: 1,505
- Other: 5
- Trusted Files: 0
- Skipped Files: 0

Total security risks detected: 2
Total items resolved: 1
Total items that require attention: 1

Resolved Threats:
Tracking Cookie
Type: Anomaly
Risk: Low (Low Stealth, Low Removal, Low Performance, Low Privacy)
Categories: Cookie
Status: Fully Resolved
-----------
3 Tracking Cookies
Cookie:aaron@atdmt.com/ - Deleted
Cookie:aaron@ads.pointroll.com/ - Deleted
Cookie:Orphan Cleanup - Deleted

Unresolved Threats:
Backdoor.Trojan
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Virus
Status: Remove Failed
-----------
4 Files
globalroot\systemroot\system32\gxvxctqsltyklmwpuxbqjiwwfftllrvupyidu.dll - Failed
globalroot\systemroot\system32\gxvxctqsltyklmwpuxbqjiwwfftllrvupyidu.dll - No action taken
globalroot\systemroot\system32\gxvxctqsltyklmwpuxbqjiwwfftllrvupyidu.dll - No action taken
globalroot\systemroot\system32\gxvxctqsltyklmwpuxbqjiwwfftllrvupyidu.dll - No action taken
1 Browser Cache

Greetings Monk3y,

Did you only run a quick scan? I noticed that the scan time is short. Perhaps you can try running a full system scan in safe mode when plugged out from the internet.

You can also try using Malwarebytes Anti-Malware's free version.

Download it from here : www.malwarebytes.org

After you downloaded it, update it and run a full system scan in safe mode.

Sincerely,
Pikachu

Message Edited by Pikachu on 06-27-2009 09:30 AM

Yea, that was a full system scan. I tried the link you gave me and it didn't work. I tried to look it up on Google and go there, and it didn't do anything, just said Done in the bottom left-hand corner.

Monk3y:

We do have a guru who performs magic with rootkit infections, which is what you apparently have. It's the gxvxc variant. The removal is time consuming, and requires that you follow instructions very carefully.

We require a GMER scan, scan ONLY, do not attempt to fix, so that we can identify all of the files in your system that need to be removed. Post the log using the attachments link below the post button.

GMER is here: http://www.gmer.net/

If the malware won't let it run, you will be able to do so in safe mode.

Please provide details on your operating system and service packs, and what version of Norton you are using: Antivirus or Internet Security, and the version number under Help & Support, About.

I run Windows XP Home SP3 and Norton Anti-Virus 2009 Version 16.5.0.134

Message Edited by Monk3y on 06-27-2009 02:34 PM

Monk3y:

There is almost nothing of the GMER log available. Were all of the sections of the scan checked? We need all of it, not just the part that says "rootkit".

Also, what are you using as a Firewall, along with Norton AntiVirus 2009?

The only thing I have is the Microsoft Firewall and it’s been doing fine for the past year, going on two just fine.

The log is cut short.

Quads 

What? I was running it and it just stopped. Let me run it again and I’ll repost the log.

You can run it in safe mode if necessary, Monk3y.

It ran fine, just took forever. This is the full log.

Monk3y,

You still have the gxvxc rootkit - just wait for Quads to see your latest GMER log!!

Matt

Mattsegers:

He still has the rootkit because we haven't done anything to remove it yet. The identification of the files and entries is important.

Monk3y:

Thanks very much for the log. Quads will work on it today and provide the documentation and the tools to remove it. Please do not do anything else with it for the time being.

Delphinium:

Sorry about that, I confused this thread with another and thought that Monk3y had already run GMER :-) Sorry about that ;-)

Monk3y:

Sorry if I gave you a fright there or sounded a bit short; as I said above, I confused your thread with another 8-) oops! Anyway, thanks for posting the GMER log; Quads is the community rootkit-remover - and he's really good at it!! When he gets around to your problem, he'll have your PC looking (well, working) as if it were spankin' new!!

Again, sorry about that :-)

Matt

It’s no problem, thank you all for the help.

Hi Monk3y:

Thanks for the log. It will likely get worked on today. Quads will provide info and tools.

I also recently have had a problem where I'd be searching for something on Yahoo or Google and when I click on the link it takes me to some other website that resembles another search engine. It just recently started happening, any idea what it could be?

It’s likely a DNSchanger loaded by the rootkit.  Rootkit first, everything else will come out afterward.

I love it when people actually help, not like other people that put you on hold forever.