Backdoor Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by lalsoong, May 8, 2008.

  1. lalsoong

    lalsoong Private E-2

    I have followed all the steps in the suggested cleaning procedure, but Norton's is still finding 300 risks on my computer. The two spyware programs didn't find anything. Combofix and mgtools found some stuff, so I will attach those logs. Thanks for any help!
     

    Attached Files:

  2. abri

    abri MajorGeek

    Hi lalsoong,
    Welcome to Major Geeks!


    I'm looking at your logs. For some reason HijackThis is missing. While I'm looking at your logs, please do the following:

    2) Go to add/remove programs and uninstall the below:

    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6 Update 1


    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    After you finish this, please let me know.
    abri
     
  3. lalsoong

    lalsoong Private E-2

    Thank you. I have done as you instructed.
     
  4. abri

    abri MajorGeek

    Hi lalsoong,

    Your MG logs are not right. When you installed them, did you get any error message? Or when you ran them?

    Also, please go to F:\WINDOWS\SYSTEM32\ and look for a folder with a name that begins with E177E0

    It will be longer than that, but that should be the first part of it. Open it and see what's inside of it. You can open the folder, but don't click on any files.

    Thanks.
    abri
     
  5. lalsoong

    lalsoong Private E-2

    I located this folder. Inside were subfolders: continous storage, discrete storage, ec-license, license-dll, licenses, publisher runtime, runtime, temp, test storage. Inside these folders were long file names with letters and numbers.

    Should I run the mgtools again?

    Thanks!
     
  6. abri

    abri MajorGeek

    Hi lalsoong,

    I think the folder I asked you to look at is okay. Is the entire name of it the one in the box below? If so, it seems to accompany a valid piece of software and may have to do with digital rights protection.

    Yes, please run the F:\MGTools\GetLogs.bat by double-clicking on it and see if you can see any error messages in the black screen while it's running. If you can right-click on the title bar when it finishes, but before you click any key to close the window, then have it mark all or select all and then copy and paste it into Notepad and attach it here. Attach the F:\MGlogs.zip as well.

    Thanks.
    abri
     
  7. lalsoong

    lalsoong Private E-2

    Ok. Attached is the copy of the getlogsbat and the mgtools log. It looks like it was having trouble finding some files.

    Thanks!
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi lalsoong,
    Your MGlogs are missing the log for HijackThis which we have renamed to analyse.exe. This could be because you did not agree to accepting the license. Please go back to Using MGTools and reinstall them over the existing ones. If there's a request to accept the license for Trend Micro for HijackThis, please say yes. Then follow the instructions for running the tools again and upload a fresh MGlogs.zip which you'll find as a file directly under F:\ when you use the Manage Attachments button with your next post.

    Thanks.
    abri
     
  9. lalsoong

    lalsoong Private E-2

    I redownloaded and attempted to run the MGtools again. The first thing it says is that it cannot find the drive specified, then after a while I see the messages about not being able to find files. It never prompted me to accept anything.

    I already had HijackThis installed on my machine. Could that be causing a conflict? I also created a separate log with HijackThis in case that might be helpful. I'll attach it.

    Thanks!
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi lalsoong,

    When you finish the below, please attach a copy of what Norton is reporting as the 300 risks.

    1) Please upload the following file(s) at either
    jotti or VirusTotal and have it scanned. Attach the results of the scan. If nothing's found just report that with reference to the file name.

    F:\Documents and Settings\Administrator\Plus51R2.exe


    2) And now disable your guest account if this hasn't already been done.


    3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background


    After you click fix, just close hijackthis.


    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with a copy of what Norton is identifying as the 300 risks.

    Let me know how things are running now?

    abri
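As an added example (not code from the thread, from abri, or from MajorGeeks), here is a small Python parser for the HijackThis O4 lines quoted in the post above: it extracts the hive, value name, program path and arguments from each entry and flags entries that start a program from outside the Program Files or Windows folders, which is the kind of review the O4 step asks for. The sample log reuses the thread's three O4 lines plus one constructed entry (a hypothetical program in the user's Temp folder) to show the flag firing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# A HijackThis O4 line names a registry Run value and the command it starts:
#   O4 - HKLM\..\Run: [Value Name] "F:\path\to\program.exe" -args
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

@dataclass
class AutorunEntry:
    hive: str   # HKLM (all users) or HKCU (current user)
    key: str    # Run, RunOnce, ...
    name: str   # value name shown in brackets
    exe: str    # program path, surrounding quotes removed
    args: str   # everything after the program path

def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Parse one HijackThis O4 line; return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        exe, args = cmd[1:end], cmd[end + 1:].strip()
    else:  # unquoted paths may contain spaces, so split after ".exe" instead
        i = cmd.lower().find(".exe")
        exe, args = (cmd[:i + 4], cmd[i + 4:].strip()) if i >= 0 else (cmd, "")
    return AutorunEntry(m.group("hive"), m.group("key"), m.group("name"), exe, args)

# Installed software normally autoruns from these roots; a logon program
# elsewhere (user profile, Temp, drive root) deserves a closer look.
EXPECTED_ROOTS = ("program files", "windows")

def is_unusual_location(entry: AutorunEntry) -> bool:
    path = entry.exe.lower()
    if len(path) > 3 and path[1:3] == ":\\":   # drop a drive prefix like "F:\"
        path = path[3:]
    return not path.startswith(EXPECTED_ROOTS)

def triage(log_text: str) -> List[Tuple[str, str, bool]]:
    """Return (value name, exe, unusual?) for every O4 entry in a log."""
    entries = (parse_o4(line) for line in log_text.splitlines())
    return [(e.name, e.exe, is_unusual_location(e)) for e in entries if e]

# Sample log: the three O4 lines from the thread plus one constructed Temp entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [example-updater] F:\Documents and Settings\Administrator\Local Settings\Temp\upd.exe
"""
```

The path check is only a first filter: the thread's MSMSGS entry sits under Program Files and is still removed because Windows Messenger is unused, so the flag narrows the review rather than replacing it.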
     
  11. lalsoong

    lalsoong Private E-2

    Hello,

    The file you asked me to scan I know is a legitimate program, because I use it regularly.

    I removed the Windows Messenger and deleted the 3 files with MGtools.

    Attached are the latest MGtools log and my Norton's log.

    Thanks!
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download it one more time. A new version was just put there and it should resolve this problem.

    Attach the new MGlogs.zip file for Abri.
     
  13. lalsoong

    lalsoong Private E-2

    Sorry, I thought I had responded to your last message yesterday, but I don't see that it has posted. I ran the updated MGtools and it created a Hijackthis log :) Norton is still finding threats, tho. Thanks!
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I suggest that you indicate exactly what it is finding and where. Abri will need this info. It is quite possible that it is only finding things in quarantines of the other scanners or in System Restore.
     
  15. lalsoong

    lalsoong Private E-2

    Thanks. I will rerun Norton's and create a new log file.
     
  16. lalsoong

    lalsoong Private E-2

    Here is the current log from Norton's. Thanks!
     

    Attached Files:

  17. abri

    abri MajorGeek

    Hi lalsoong,

    I think a couple of posts went missing yesterday.

    In the log you attached, Norton found three tracking cookies and one trojan which is compressed and located in a rar file in your recycling bin around 300 times. These are the instructions you overlooked in the READ & RUN ME:

    • Empty your Recycle Bin


    Please do those and let me know how this went.
    abri
     
  18. lalsoong

    lalsoong Private E-2

    Thanks! I think my problem is taken care of now :)
     
  19. abri

    abri MajorGeek

    Hi lalsoong!

    That's good news! I'm going to post you a set of instructions that will have you remove all our tools and the logs that were installed on your computer when you went through the READ & RUN ME and which will have you set a clean restore point so you have a place to come back to in the future. If you need any of these scans in the future, you can just come back here to find the most current ones and reinstall them.
    abri
     
