Removal of backdoor.trojan

I have a persistent problem that Norton cannot completely fix.  It seems that every 13 minutes a file called 1[1].exe is created in this location - C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Q01KLVNX or  ...\Content.IE5\YH9J2CDE.  There are other aliases but this one is the most common.  The auto-detect function catches it and calls it a Backdoor.Trojan but will not clean it.  I can delete it myself but 13 minutes later it pops up again.

 

I have run through the process that is directed for this threat on your web site, which is:

 

  1. Disable System Restore 
  2. Update the virus definitions
  3. Run full scan
I also ran a scan in Safe Mode. 

 

I have also run Spybot S&D and Malwarebytes with the latest updates and they do not detect anything.

 

Can someone please help me stop this loop?

Hi

 

Try

 

Download HijackThis from http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download (the third in the list, the Executable), click "Scan with log", open the log in Notepad, then paste the results to me in a Personal Message, please.  And give me time to look through.

 

If using Vista you may have to right-click and choose "Run as administrator" from the menu.

 

Quads 

Hi

 

Start Hijackthis again, and tick (check) these entries.

 

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet    (Not needed on startup)

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup      (Not needed on startup)

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start  (Not needed on startup)

O4 - HKLM\..\Run: [hgcheck] C:\WINDOWS\system32\hgcheck.exe      (bad)

O23 - Service: DgVip_Service - Unknown owner - C:\WINDOWS\D_Server.exe    (*_Server.exe,  *= Random Letter)

O23 - Service: disk manager service and creates macros (disk manager service) - Unknown owner - C:\WINDOWS\system\1sass.exe (file missing)

O23 - Service: jldk - Unknown owner - C:\WINDOWS\system32\jldk.exe     (Trojan base)

O23 - Service: Microsoft System regedtl - Unknown owner - C:\WINDOWS\system32\regedtl.exe

O23 - Service: pms (Portable Media Serial) - Unknown owner - C:\WINDOWS\UPsutup.exe (file missing)

O23 - Service: takod - Unknown owner - C:\WINDOWS\system32\takod.exe    (Infection of some sort)

O23 - Service: me helou (tima or srerer) - Beijing Rising Information Technology Co., Ltd. - C:\WINDOWS\timeresu.exe  (* See Below)

O23 - Service: winDuBa Driver (WinDuuBa) - Unknown owner - C:\WINDOWS\system32\IM.exe (file missing) 

 

Now click "Fix Checked"

 

* If the entry above belongs to Rising Antivirus: you can't have both Norton and Rising AV installed, as that will cause both to have conflicts and not work to their full ability.

 

Now download SuperAntispyware Free http://www.superantispyware.com/download.html   Install, Update definitions and do a Full Scan. 

Thanks Quads

 

It's been a whole 30 minutes without a new virus being generated.  Good job!

Hi

 

Did SAS (SuperAntispyware) find anything??

 

Quads 

Yes, if I remember correctly it found 13 ad trackers.  Nothing major though.

Ok 

 

Then, although HijackThis has disabled the bad files, which stopped them running after the restart of the PC, the files are still on the hard drive.

 

These ones:

 

C:\WINDOWS\system32\hgcheck.exe      (bad)

C:\WINDOWS\D_Server.exe  

C:\WINDOWS\system32\jldk.exe 

C:\WINDOWS\system32\regedtl.exe

C:\WINDOWS\system32\takod.exe  

C:\WINDOWS\timeresu.exe 

 

You could send the files to Symantec as samples,  https://submit.symantec.com/websubmit/retail.cgi  

Then you can post the Tracking number(s) here on your thread.

 

Then delete the files from the locations above.

 

Interesting that nothing detects the files, but disabling the files stopped your problem.

 

Quads 

  • Searched for and can't find \hgcheck.exe, but I have a \hgset configuration settings file.  ???
  • Sent \D_Server.exe  -  Tracking number:   10302456
  • Sent \jldk.exe  -  Tracking number:  10302472
  • Sent \regedtl.exe  -  Tracking number:  10302480
  • Sent \takod.exe  -  Tracking number:  10302493
  • Sent \timeresu.exe – Tracking number:  10302503

 

I did get one hit today that was 'cleaned by deletion' by the Norton auto-scan of:

 

C:\System Volume Information\restore{CAFFC086-162A-4087-B021-6F8334ED42A1}\RP2\A0000196.exe

 

Have had 23 similar hits (different file names and 'restore' locations) in the past month or so detected by Norton.

 

Deleted the files I could find as suggested ….  Will reboot, manually update and rescan with everything used before…

Hi

 

Hmmmm, "Searched for and can't find \hgcheck.exe": hidden or gone.

 

The files Norton is now picking up on are in your System Restore.

 

Quads 

Well Quads...

 

I'm not out of the woods yet.  I updated the definition file following my submission to Norton and scanned.  Went well for most of the day but the computer went crazy this evening with attack after attack.

 

The 1[1].exe file from before is back.  I get a "static" hit from Auto-Protect and it recreates the directory and file over and over.  I have tried to submit this file to Symantec as before but I can't browse to it in the form.  I get to the \Temporary Internet Files\ level and I can't go any deeper.  I also can't get any deeper in Safe Mode.  Like it is being shielded.

 

SuperAS has found and cleaned Adware Vundo/variant-ms fake  and Trojan.downloader-gem

 

Any suggestions?

Hi

 

Do you have either of these 2 files on your PC?

 

c:\program files\internet explorer\plugins\SysWin7s.Jmp

c:\program files\internet explorer\plugins\WinSys8v.Sys

 

You could try SDFix.

 

Instructions etc. here: http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740

 

Ignore the bit about the "Non Plug n Play" section.

 

Quads 

Mongoooos, 

 

Detections are in as follows: 

 

\hgcheck.exe  =  Trojan.Horse (no guarantee this is the same file without a tracking number or MD5, but it probably is)
\D_Server.exe  -  Tracking number:   10302456  -->  Backdoor.Graybird
\jldk.exe  -  Tracking number:  10302472  -->  Backdoor.Trojan
\regedtl.exe  -  Tracking number:  10302480  -->  Backdoor.Graybird
\takod.exe  -  Tracking number:  10302493  -->  Backdoor.Trojan
\timeresu.exe – Tracking number:  10302503  -->  Backdoor.Trojan

 

If you manage to find any more files you think are related, submit them and post the tracking numbers here. If you are still seeing a file or files continually respawning it most likely means there is still an undetected nasty on your system doing this.

 

Quads, thanks for your help getting these files to us.

 

JohnM

Hi JohnM

 

No Problem

 

It could be that, although "Mongoooos" could not find "hgcheck.exe" on his system, the file could be well hidden, and somehow it could be possible that this file has been activated/is running again.

 

Quads 

Well, it looks like I have a host of nasties running around.  Just to name a few ... madibwe.exe, roytctu.exe, tdydowkc.exe and several others that are all related.  Yesterday I did run SDFix and then updated Norton with the definitions from the above virus fixes, and it even found and removed some.  I also updated and ran Spybot S&D and SuperAS, where they each found several things to clean.  Everything seemed to be relatively clean.  Then today, out of the blue, sound streams of ads and wrestling ?? started coming out intermittently.  Firefox wasn't even running.

 

I've attempted to stop the services by turning their load status from Automatic to Disabled by running 'services.msc', but it continually switches back to Automatic and refuses to allow me to stop the service manually.

 

I did get some access errors early in running SDFix.  Something like 'Unable to create folder'.

 

I also sent in some other files, some of which the automated process wasn't able to ID and were forwarded to a human.  Like a file called 7.exe in the C:\ directory.

 

It is obvious that I'm missing something. 

Hi
 
1. What are the services that won't move??  The names given to the service(s), that is.
 
2. The files you have stated above, "madibwe.exe, roytctu.exe, tdydowkc.exe", all belong to a "Rootkit Trojan".  Any more??
 
3. Could be that System Restore has copies of the files. Turn off System Restore.
 
Quads 

Hi again

 

I see by your new HijackThis log that 2 of the original files are still there or back, one being the one you couldn't find.

 

Am I right in thinking that, say, the file "madibwe.exe" would have a service in "services.msc" as "madibwe"??  Same for the others.

 

Could you please update Malwarebytes again and run a Full Scan; Malwarebytes will then create a log, and send that to me like you do with the HijackThis log.

That is to see if the Registry entries match the corresponding files.

 

While I am thinking.

 

Quads 

I sent you a new HijackThis Log.  

 

Mabidwe, Roytctm, soxpeca, tdydowkc, wsldoekd are the ones I can't interrupt manually.  HijackThis won't fix them either.  I can't remember the name of the rootkit cleaner (it's at the house) but following its execution SuperAS was able to ID these files.

 

I have re-run HijackThis and checked any processes that you ID'd before.  Hgcheck went off the list.  I sent it to Norton.

 

I have periodically shut down System Restore when told to in the instructions.

I do have an idea, I just have to think and see if the Malwarebytes log corresponds.

 

Quads 


Mongoooos wrote:

I sent you a new HijackThis Log.  

 

Mabidwe, Roytctm, soxpeca, tdydowkc, wsldoekd are the ones I can't interrupt manually.  HijackThis won't fix them either.  I can't remember the name of the rootkit cleaner (it's at the house) but following its execution SuperAS was able to ID these files.

 

I have re-run HijackThis and checked any processes that you ID'd before.  Hgcheck went off the list.  I sent it to Norton.

 

I have periodically shut down System Restore when told to in the instructions.


 
Files like "Mabidwe.exe" (Rootkit.Trojan) were detected by Malwarebytes, and it even corrected the bad registry data.  Did Norton not pick up on this major malware??

Malwarebytes detections:

Memory Processes Infected:

C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Unloaded process successfully.

 

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ODBCJET.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\1188.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\3548.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hguest.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgcheck.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\afisicx.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\noytcyr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\roytctm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\soxpeca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdydowkc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsldoekd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

 

Malwarebytes also removed the file "hgcheck.exe".

 

I noticed in the first HijackThis log of the day this entry:

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ODBCJET.exe,

 

Is the file "C:\WINDOWS\system32\ODBCJET.exe" still on your hard drive??

 

Now your questions with HijackThis log #2 of the day.

 

The file "downer.exe" is a Backdoor.Trojan of some sort.  Find the file "C:\WINDOWS\TEMP\IXP000.TMP\downer.exe" and do the same as earlier in this thread: submit it to Symantec and post the Tracking Number for JohnM, like earlier on.

 

The file "Perfs.exe" is a rootkit/downloader that attempts to download more malware.  Location: "C:\WINDOWS\system32\perfs.exe".  Also submit to Symantec.

 

The service "O23 - Service: KingDuBa Driver (KingDuuBa) - Beijing Rising Information Technology Co., Ltd. - C:\WINDOWS\system32\DuBa.exe" is probably similar to the one earlier that Symantec has added to their defs ("\timeresu.exe – Tracking number:  10302503  -->  Backdoor.Trojan"), so submit that file, "C:\WINDOWS\system32\DuBa.exe", as well.

 

Now with HijackThis you can tick (check) these entries.

 

O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\TEMP\IXP000.TMP\"

O23 - Service: disk manager service and creates macros (disk manager service) - Unknown owner - C:\WINDOWS\system\1sass.exe

O23 - Service: KingDuBa Driver (KingDuuBa) - Beijing Rising Information Technology Co., Ltd. - C:\WINDOWS\system32\DuBa.exe

O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe

O23 - Service: pms (Portable Media Serial) - Unknown owner - C:\WINDOWS\UPsutup.exe (file missing)

O23 - Service: me helou (tima or srerer) - Beijing Rising Information Technology Co., Ltd. - C:\WINDOWS\timeresu.exe

O23 - Service: winDuBa Driver (WinDuuBa) - Unknown owner - C:\WINDOWS\system32\IM.exe (file missing)

 

Now Click "Fix Checked"

 

Next, by your SAS (SuperAntispyware) log, it detected "perfs.exe" and "1sass.exe".  Did SAS delete them??

 

SAS entries:

 

Trojan.Downloader-Gen
    C:\WINDOWS\SYSTEM32\PERFS.EXE
    C:\WINDOWS\SYSTEM32\PERFS.EXE
    C:\WINDOWS\Prefetch\PERFS.EXE-394EC78D.pf

Trojan.1SASS
    HKLM\System\ControlSet001\Services\disk manager service
    C:\WINDOWS\SYSTEM\1SASS.EXE
    HKLM\System\ControlSet001\Enum\Root\LEGACY_disk manager service
    HKLM\System\ControlSet002\Services\disk manager service
    HKLM\System\ControlSet002\Enum\Root\LEGACY_disk manager service
    HKLM\System\CurrentControlSet\Services\disk manager service
    HKLM\System\CurrentControlSet\Enum\Root\LEGACY_disk manager service

    C:\WINDOWS\Prefetch\1SASS.EXE-393C6FA6.pf

 

You may have to manually delete "DuBa.exe" after submitting it, and "timeresu.exe", which was already submitted.

 

One other thing for JohnM or someone: this looks a bit odd as a running process, the "1.exe" on the end of

 

"C:\Program Files\Symantec AntiVirus\1.exe" 

 

Is it legit??  Part of Norton??

 

Oh, your HijackThis log shows you have Norton AntiVirus installed; what firewall are you using??

 

Quads 


Message Edited by Quads on 02-10-2009 08:52 PM
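As an added example (not from this thread, and not code from HijackThis, Malwarebytes or Symantec), a small Python triage script that applies the checks Quads is doing by hand: it flags extra entries in the Winlogon Userinit value (the Hijack.UserInit item above), O23 services with no known owner or a missing binary, and O4 autostarts launched from a temp directory. The sample log is constructed from entries quoted in this thread plus one made-up benign service for contrast.

```python
import re

# Constructed sample, not a real log: lines are modelled on the HijackThis
# entries quoted in this thread; the final O23 line is a made-up benign entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ODBCJET.exe,
O4 - HKLM\..\Run: [hgcheck] C:\WINDOWS\system32\hgcheck.exe
O4 - HKLM\..\RunOnce: [downer] C:\WINDOWS\TEMP\IXP000.TMP\downer.exe
O23 - Service: DgVip_Service - Unknown owner - C:\WINDOWS\D_Server.exe
O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: pms (Portable Media Serial) - Unknown owner - C:\WINDOWS\UPsutup.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Vendor Inc. - C:\Program Files\Example\svc.exe
"""

# Directories an autostart binary has no business living in.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\tmp\\")


def userinit_extras(value):
    """Entries in a Winlogon Userinit value other than userinit.exe itself.
    The stock value is just userinit.exe (trailing comma on XP); anything
    appended runs at every logon, which is how ODBCJET.exe persisted above."""
    extras = []
    for entry in (e.strip() for e in value.split(",")):
        if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
            extras.append(entry)
    return extras


def triage_hijackthis(log):
    """Flag lines matching the patterns seen in this thread: extra Userinit
    entries, services with no known owner or a missing binary, and autostart
    commands launched from a temp directory. Returns (category, detail) pairs."""
    findings = []
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith("F2 - REG:system.ini: UserInit="):
            for extra in userinit_extras(line.split("UserInit=", 1)[1]):
                findings.append(("userinit-hijack", extra))
        elif line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].split(" - ", 2)
            if len(parts) != 3:
                continue  # unexpected layout; leave for manual review
            name, owner, path = parts
            if path.endswith("(file missing)"):
                path = path[: -len("(file missing)")].strip()
                findings.append(("orphaned-service", f"{name}: {path}"))
            elif owner == "Unknown owner":
                findings.append(("unknown-owner-service", f"{name}: {path}"))
        elif line.startswith("O4 - ") and "] " in line:
            command = line.split("] ", 1)[1]
            # First token is the executable: a quoted path or a run up to a space.
            m = re.match(r'"([^"]+)"|(\S+)', command)
            exe = (m.group(1) or m.group(2)) if m else command
            if any(marker in exe.lower() for marker in TEMP_MARKERS):
                findings.append(("autostart-from-temp", exe))
    return findings
```

A flagged line is a lead for manual review and sample submission, not proof of infection on its own; run `triage_hijackthis(open("hijackthis.log").read())` against a real log to get the list.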

Just a brief note as I don't have much time. I found your hgcheck submission, which unfortunately wasn't caught by the detections added yesterday. It has been def'ed along with the file it drops. I will look deeper into this tomorrow and see what else might be missing from defs.

 

Don't read this as an excuse for Norton missing files it should detect, but the bad guys don't write their malware to avoid malwarebytes - they write it to avoid the biggest AV installation base. I think they call that being cursed by your own success...

 

JohnM