Infected with W32/VB-Backdoor!

Discussion in 'Malware Help (A Specialist Will Reply)' started by aaudette, Aug 29, 2006.

  1. aaudette

    aaudette Private E-2

    My virus scanner keeps finding and reporting that "C:\Program Files\WebPosition 3\FPDnsCli.exe" is infected. "Possibly a new variant of W32/VB-Backdoor-PClient-based! Maximus." The program is unable to fix this. I have run all your suggested programs and scans prior to this posting. I've attached txt and log files per instructions. I am unable to delete the infected program "WebPosition." I get a message saying the required uninstall .dll is missing. Every day I am receiving hundreds of returned, "undeliverable" email that I never sent. I feel this is related to the "backdoor" nature of my infection.
    Short of re-formatting my hard drive, I do not know what I should do. Any and all suggestions would be greatly appreciated.
     

    Attached Files:

  2. aaudette

    aaudette Private E-2

    Here are the two other attachments you need.

    Thanks,
     

    Attached Files:

  3. matt.chugg

    matt.chugg MajorGeek

    BitDefender detected a mass-mailing worm that would probably be the cause of all the rejected emails. BitDefender appears to have deleted it, though.

    It also detected files infected with 'zlob', so please run through everything in this thread: SpywareQuake & SpyFalcon Removal Procedure

    The zlob-infected files appear to have been sent to you over MSN, unless you use the received files folder for anything else.
     
  4. aaudette

    aaudette Private E-2

    Thanks for the follow-up and steps to follow. I followed them to a "T" and only found one listed file, "cfgmngr32.dll", which I renamed "cfgmngr32.DDD".
    Now, whenever I re-boot the computer I get messages saying "Adobe Gamma loader.exe, hpohmr08.exe and hpotdd01.exe cannot load because cfgmngr32.dll cannot be found." I have not deleted the .DDD file in case I need to rename it back to .dll.
    My virus checker "Command Anti-Virus" still finds the infected file FPSnsCli.exe.
    My IE start page was changed to MSN(not my doing) while I followed the steps you outlined.
    I have attached smitfiles.txt
    Your help, so far, is greatly appreciated however I am unsure where to go from here.
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    OK, rename the file back to get Adobe and the two HP programs working again.

    Can you post a Command AV log so I can see the location of the file it is detecting. Also, can you rerun ActiveScan and BitDefender to check they really deleted what they said they did.

    Your HJT log shows no signs of malware.

    Reboot into safe mode and delete everything in the following folders

    C:\Documents and Settings\Armond\Local Settings\TEMP
    c:\windows\temp

    Post a new ShowNew log, new logs from the scans if they find anything, and the Command AV log.
     
  6. aaudette

    aaudette Private E-2

    Matt,
    I have reinstalled cfgmngr32.dll and my programs start just fine now. Computer seems much more sluggish now (just an observation). I performed all the scans you requested (see attached). I'm still getting a lot of returned email that I didn't send, so I suspect the mailer virus or worm is still working.

    What thinks you?
     

    Attached Files:

  7. aaudette

    aaudette Private E-2

    Matt,
    Here are the results of the Command AV scan.

    Thanks again,

    Sincerely,
    Armand
     

    Attached Files:

  8. matt.chugg

    matt.chugg MajorGeek

    All the files (except the last 2) in your ActiveScan log are cookies and of no consequence. The last 2 are the smitrem removal tool we just ran. You can remove the smitrem folder from your desktop now.

    Open Outlook Express

    Empty the deleted items folder by right clicking on it and selecting the relevant command.

    Close Outlook Express

    Reboot into Safe Mode and delete the following files:


    Let me know if you have problems deleting any of these files.

    Reboot into Normal Mode
    I'd also like to check whether there are any other suspicious files in your My Received Files folder. Please download the zip file attached to this post and extract it somewhere you will be able to locate. Run the mrfdump.bat file you have extracted and upload the log created in C: (c:\rfiles.txt).

    Please also attach a new HJT log, Shownew and rerun your av scan and see if it finds anything. Also please rerun the bitdefender scan and let me know if it finds anything now.
     

    Attached Files:

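A listing of the kind mrfdump.bat was asked to produce, written here as an added Python example; it is not the thread's batch file (which is not reproduced on the page) and not anything from the Command AV or MajorGeeks tools. It walks a folder and records size, timestamp and SHA-256 for every file, flagging executables, including double-extension names such as "holiday.jpg.exe" that Explorer's default "Hide extensions for known file types" setting would show as a picture. The extension list and the make_sample_folder() helper, which builds a throwaway folder of constructed files so the script can run offline, are assumptions of the example.

```python
"""Inventory a folder the way a malware-help volunteer would want to see it:
one line per file with a flag, size, mtime, SHA-256 and path.

Added example, not the thread's mrfdump.bat. The extension list and the
sample folder are assumptions made for the demonstration.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass

# Extensions that warrant a closer look in a chat client's received-files
# folder (assumption for this example, not a list from the thread).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".dll", ".vbs", ".js", ".hta"}


@dataclass
class Entry:
    name: str
    path: str
    size: int
    mtime: str
    sha256: str
    suspicious: bool


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large downloads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_suspicious(name):
    """True when the *final* extension is executable, which also catches
    double extensions like 'photo.jpg.exe' that hide behind Explorer's
    'Hide extensions for known file types' default."""
    parts = name.lower().split(".")
    if len(parts) < 2:          # no extension at all
        return False
    return "." + parts[-1] in EXECUTABLE_EXTS


def inventory(folder):
    """Return Entry objects for every file under folder, sorted by path."""
    entries = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            st = os.stat(full)
            entries.append(Entry(
                name=name,
                path=full,
                size=st.st_size,
                mtime=time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                sha256=sha256_file(full),
                suspicious=is_suspicious(name),
            ))
    entries.sort(key=lambda e: e.path)
    return entries


def format_report(entries):
    """One fixed-width line per entry; SUSPICIOUS rows sort to the eye first."""
    lines = []
    for e in entries:
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        lines.append(f"{flag:10} {e.size:>10} {e.mtime} {e.sha256} {e.path}")
    return lines


def make_sample_folder():
    """Constructed sample folder for the demonstration (not real received files)."""
    folder = tempfile.mkdtemp(prefix="rfiles-")
    samples = {
        "holiday.jpg.exe": b"MZ" + b"\x00" * 30,  # looks like a picture, is a PE
        "notes.txt": b"",                            # harmless, empty
        "setup.scr": b"MZ" + b"\x00" * 30,           # screensaver = executable
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return folder


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_folder()
    report = format_report(inventory(target))
    with open("rfiles.txt", "w") as out:
        out.write("\n".join(report) + "\n")
    print("\n".join(report))
```

Run it with the folder to inspect as the only argument (for example the MSN "My Received Files" directory); with no argument it inventories the constructed sample folder. The hash column is what lets a helper compare a file against a known-good copy or submit it to the AV vendor, which is more useful than the file name alone.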
  9. aaudette

    aaudette Private E-2

    Matt,
    I have attached all the files from the new scans. BitDefender did not find anything, nor did Command AV; however, upon boot-up, Command pops up a window saying it found file "A0000996.exe" to be infected, but it doesn't give me any more information and I cannot find that file using Windows XP Search, even looking in the hidden files.

    Do you think I'm in the clear now?
     

    Attached Files:

  10. aaudette

    aaudette Private E-2

    Here's my last scan

    Thanks again. You are the man!
     

    Attached Files:

  11. matt.chugg

    matt.chugg MajorGeek

    OK, you have a Command dialog saying it has an infected file, but the scan results are clean?

    The installed version of Java on this computer is outdated.
    Install Java Runtime Environment (JRE) 5.0 Update 8, available from http://java.sun.com/javase/downloads/index.jsp.
    Uninstall all older versions of Java on your computer before installing the latest version of Java.

    Does the Command alert window give the full path of the file?
     
  12. aaudette

    aaudette Private E-2

    Matt,
    I thought I was in the clear, so I downloaded WebPosition again (scanned it for viruses before installation), and after I installed it Command AV found the virus again in WebPosition. I deleted the WebPosition folder in Safe Mode and started all over again.
    I have attached all my logs as well as the scan text from Command's auto scans. Bitdefender, Windows Defender and Spybot all say I am clean.
     

    Attached Files:

  13. aaudette

    aaudette Private E-2

    Here are more attachments
     

    Attached Files:

  14. matt.chugg

    matt.chugg MajorGeek

    One of the files Command found is in the Recycle Bin. Empty it.

    The second is in an infected restore point. Please do not install things until we are sure your system is clean.

    Please scan the location C:\Program Files\WebPosition 3\ with your AV and tell me if it comes up clean.
     
  15. aaudette

    aaudette Private E-2

    Hi,
    My Recycle Bin is empty, but I have a new folder called "RECYCLER". In it I have one file called "S-1-5-21-343818398-113007714-682003330-1004". I am not able to delete it because it is "in use", even in Safe Mode.
    I changed its name and sent the newly named file to the recycle bin and a new file with the original name immediately popped up.
    I have deleted the entire WebPosition folder so this won't be a concern. What software should I use to scan now?

    Command AV Scan says "No infections found" however when it scans upon boot up it says it finds file "A0000996.exe" infected but doesn't give the path.
     
  16. matt.chugg

    matt.chugg MajorGeek

    The RECYCLER folder IS your Recycle Bin; it's where the files in the bin are stored. As long as you have emptied the Recycle Bin by right-clicking on it and selecting Empty, don't worry about it.

    Please run a full scan with Command AV so I can see a full log and find the file it is reporting upon boot up.
     
  17. aaudette

    aaudette Private E-2

    Matt,
    The full scan with Command AV shows NO INFECTIONS! It is only the boot-up scan that shows A0000996.exe infected. I cannot locate that file anywhere, and Command doesn't say where it is located on the boot-up scan, only on the full scan (which again, finds nothing!).
    I don't know what to do. Bitdefender finds nothing also! I do still receive returned email from messages I didn't send.
     
  18. matt.chugg

    matt.chugg MajorGeek

    Run a search for the file: A0000996.exe. It must be there somewhere, unless Command's boot-time scan is configured to scan differently than Windows (hidden files etc.).
     
  19. aaudette

    aaudette Private E-2

    Matt,
    I found the file. It is in a folder called "System Volume Information" on my C:\ drive. This file is a hidden file and is protected and won't let me access it. Command AV doesn't find it when I do a full system scan but it finds it on boot up.

    Do you have any idea what I can do about this?
     
  20. matt.chugg

    matt.chugg MajorGeek

    OK, that's in an infected restore point.

    Go back to step one in the Read and Run procedure and follow the steps on how to flush your system restore and create a new clean restore point.
     
  21. aaudette

    aaudette Private E-2

    Matt,
    I followed the instructions for deleting restore points, but I'm still infected, at the System Volume Information folder.
    I've turned off system restore on all drives, applied and then clicked OK then turned it back on. I've also turned it off, clicked OK and then rebooted and then turned it back on. Still I'm infected. Am I missing something?
     
  22. matt.chugg

    matt.chugg MajorGeek

    Tell me the full path of the file it finds when you search for it.

    Disable system restore, reboot, search for the file and manually delete it, (or run a full av scan and see if it finds it) then re-enable system restore and reboot.
     
  23. aaudette

    aaudette Private E-2

    I followed your last instructions, but I could not find the files while System Restore was disabled, with an AV program or with the Windows Search tool (I can't find it with a virus checker even when it's not disabled!). I rebooted again and the startup AV scan did not pop up with notification that the virus was detected. I DID IT! Or so I thought. Checking "System Volume Information", the folder was empty. I tried running BitDefender once more to "double check." It got half-way through scanning my hard drive when Command AV popped up and said it found the file C:\System Volume Information\_Restore{8B77D690-9B10-4C8D-9733-3E8D9DA9EBAF}(2)\RP37\A0003325.exe was infected with W32/VB-Backdoor-PClient-based! Maximus. It also found the same infection in the file C:\System Volume Information\_Restore{8B77D690-9B10-4C8D-9733-3E8D9DA9EBAF}\RP27\A0000996.exe.
    Can it be re-installing itself? I continue to receive bounced back emails that I did not send.
    Now, whenever I turn the computer on, the startup AV scan finds from 2 to 9 instances of the infected files A0003325.exe and A0000996.exe.
    Short of wiping my hard drive clean and starting over, what do you suggest I try now?
     
  24. matt.chugg

    matt.chugg MajorGeek

    Don't panic.

    It's just a file that's locked in the System Restore cache. I'm not sure why it didn't remove it when we turned it off and on again; that should have flushed your System Restore. The BitDefender scan must have caused the Command AV on-access scanner to detect it.

    Turn off System Restore again, reboot into Safe Mode. Enable viewing of protected system files and hidden files and folders (see below).

    In Windows Explorer

    Tools --> Folder Options

    Click on the 'View' Tab

    In the list of advanced settings:

    Ensure 'Show hidden files and folders' is CHECKED

    'Hide protected operating system files' is UNCHECKED

    'Hide extensions for known file types' is UNCHECKED

    Click 'Apply' then click 'OK'

    Redo whatever you did earlier so that Command AV can find the file if it exists. Now that System Restore is off the files won't be locked and it should be able to deal with it.

    Turning off System Restore and turning it on again should have flushed this, so I am a little unsure why it is persisting.
     
  25. aaudette

    aaudette Private E-2

    I followed all the steps you suggested. In Safe Mode with System Restore off and all protected files visible, I ran Command AV and it found nothing. My computer is clean. I then ran CCleaner just to delete any temp files. I then tried to turn on System Restore but was told I had to reboot in Normal Mode to turn it on. I rebooted my computer and upon startup, Command AV said it found "C:\SYSTEM VOLUME INFORMATION\_RESTORE{8B77D690-9B10-4C8D-9733-3E8D9DA9EBAF}(2)\RP37\A0003325.exe"
    Infection: W32VB-Backdoor-PClient based!Maximus
    Message: Error disinfecting file
    Infection state: Can not disinfect
    Application: dvprpt
    Application version: 4.93.8.60804
    Scan engine version: 4.93.137.35"

    It found and reported this twice, one second apart.
    I went to the System Volume Information folder and when I place my mouse cursor over it, it says that the folder is empty.

    One other new behavior that my computer is doing:
    When I shut down or reboot, before Windows closes it tells me that "ctfmon.exe" is closing and asks me if I want to wait or close it now. Then "explorer.exe" is closing and do I want to wait or close it now.

    These never popped up before.

    You have been great but my patience with this computer is growing thin with each passing day.

    What should I do now?
     
  26. matt.chugg

    matt.chugg MajorGeek

    Sorry for the delays in replying. Let's try the below; I know it may seem like we've been through all this, but these steps are set out in a certain order to try and eliminate this problem.

    Let me know (in detail!) everything that happens or any problems you run into.

    • Turn off System Restore and leave it off until told to turn it on again.
    • Remain in Normal Boot mode.
    • Clear all of your Temporary files using ccleaner in the same manner as the Read and Run Me
    • Run a full Anti-Virus scan. If your AV software has an option to scan ALL files, make sure that option is set rather than just the default files.
    • If anything is found, save a log that shows full path and filenames and virus name.
    • After scan, reboot back into normal mode.
    • After reboot run another scan. Again save log if anything is found.
    • If both logs were clean, enable System Restore but do not reboot.
    • Run a third full file scan. Anything found?
      • If yes, attach a log.
      • If no, reboot and check a fourth time. Again save log if anything is found.
     
  27. aaudette

    aaudette Private E-2

    Command AV has five levels of Dynamic Virus Protection. I normally have it set to Level1 (Normal, fast/reliable). The other options are
    Level2 ( Deep, slower/very reliable),
    Level 3(Comprehensive, slow/extremely reliable),
    Level 4 (Intensive, very slow - LAB use only) and
    Level 5 (Maximum Depth, slowest/not recommended).

    Per your instructions I turned off System Restore in Normal Boot mode and ran CCleaner. I then ran a full AV scan with Command AV's Dynamic Virus Protection mode set at Level 4. (See firstscan.txt attachment.)
    Then, as instructed, I rebooted back into Normal mode. At this point, Command AV popped up a scan report upon boot-up. (See bootupscanreport.txt attachment.)
    I then ran another full scan at Level 4 (see secondscan.txt attachment).
    I then went to enable System Restore and found that it automatically enabled itself when I rebooted the computer in Normal mode. I decided not to scan a third or fourth time until I report this to you. Both first and second scans appear to be identical reports.
    Now what?
     

    Attached Files:

  28. matt.chugg

    matt.chugg MajorGeek

    Are beachbreeze and greenhaven web design projects you are working on?

    How come you have the same files on C: and E:?

    The deep scans aren't finding them, but the boot-up scan still is?
     
  29. matt.chugg

    matt.chugg MajorGeek

    OK, something is not right here.

    Are you using the administrative account? I think the issue is that System Restore isn't actually disabling.

    If you have access to the Administrator account, please log into it now from Normal mode.

    Go to Start --> Settings --> Control Panel

    Double-click on System

    Click on the System Restore tab

    UNTICK the box that has 'Turn off System Restore on all drives' next to it

    click apply

    Click ok

    Navigate to the same dialog again from control panel and confirm the box is still UNTICKED.

    Reboot (normal mode)

    Navigate to the same dialog and again confirm for me that the box is still UNTICKED
     
  30. aaudette

    aaudette Private E-2

    You are correct, full scans are not finding it at all, only boot-up scans and Dynamic Virus Protection. The dynamic pop-ups only occur when I have Outlook Express open. I suspect that the infection is sending out spam email using Outlook Express and that is when Command AV pops up and tells me, once again, that I am infected. I invariably get returned, undeliverable email soon afterwards that I never sent out. If I have Outlook Express closed, the AV pop-ups do not occur. This thing must be hiding somewhere and only gets activated when Outlook Express is open. (IMHO)

    I followed your instructions and System Restore now stays off when I reboot until I turn it back on.

    I have my C drive backed up to my external E drive and I thought I'd scan both of them with Command AV just to be sure.

    beachbreeze and greenhaven are both web projects I am working on....yes.
     
  31. matt.chugg

    matt.chugg MajorGeek

    Sorry, I have been MIA for a while. Are you still having the same issue?
     
  32. aaudette

    aaudette Private E-2

    My problems have become worse. Because I had to work with it, I re-installed the WebPosition software and immediately the Backdoor virus infected it. I am also occasionally getting the blue screen of death with an error message that a device driver caused the problem. Of course I lose everything I'm working on when the computer automatically reboots. It is clear that Command AV doesn't find anything when I do a full system scan; neither does BitDefender, Spybot or Windows Defender. It only finds it during a dynamic scan and tells me it's in C:\SYSTEM VOLUME INFORMATION\_RESTORE
    When I go to those directories, they appear empty even with "view hidden files" activated.
    I was planning on calling our local "Computer Doctor" to wipe my hard drive clean and start from scratch but I really don't want to do that since I've done that twice already in the life of this computer. It's getting expensive and is a recurring problem...it seems. When will it end?
    The returned email (undeliverable) is growing and growing.
    I've attached the scan results 5 minutes after I installed Webposition. Before I installed the program, I did an AV scan of Webposition's install.exe file and it scanned clean.
    Have I exhausted the resources at this location? Can anything be done?
     

    Attached Files:

  33. matt.chugg

    matt.chugg MajorGeek

    I have seen a couple of other instances of the Axxxxx.exe file in the restore folder recently with some other people, but disabling System Restore has always fixed it.

    It's often easier to sort these things out when you can actually see the computer.

    What exactly is WebPosition? It seems that your AV is actually reporting that WebPosition IS a virus, not that it is infected with one.
     
  34. aaudette

    aaudette Private E-2

    I turned off system restore. I then rebooted the computer. I then ran Command AV to do a full scan of my hard drive. I've attached the scan report. No sign of the A0003325.exe infected file.

    WebPosition is software to help websites' positioning in the search engines. It will go out and scan websites and then critique aspects. It also can upload files and submit to search engines. Marketed by WebTrends, you can find out more about it at http://www.webtrends.com/Products/OtherProducts/WebPosition.aspx
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would suggest that if you plan on keeping Command AV that you contact them about what appear to be false detections in the files shown in your last log, especially the one for c:\Program Files\WebPosition 3\FPDnsCli.exe, which is detected as W32/VB-Backdoor-PClient-based!Maximus. This is the same problem that it was detecting in System Restore, and it appears to be a false detection.

    It is also falsely detecting problems in CCleaner's installation program (ccsetup132_slim.exe).
     
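The triage that took this thread thirty-odd posts comes down to three questions about each detection: is the flagged path a live file, a copy cached in a System Restore point (post 14, post 20), or a deleted file in a per-user RECYCLER\<SID> folder (post 15, post 16); and does the same signature fire on a freshly downloaded copy of the product (post 32, post 35), which is the pattern of a false positive. The following is an added Python example, not Command AV's own log format or any MajorGeeks tool. It parses detection records in the field layout of the pop-up quoted in post 25 and sorts them by location. The first sample record reuses the path and signature quoted in that post; the RECYCLER path (using the SID from post 15 with a constructed "Dc3.exe" name) and the second FPDnsCli.exe record are constructed for the example, as is the assumption that records are separated by blank lines.

```python
"""Sort AV detection records into live / restore-point / recycle-bin hits.

Added example with constructed input; the record layout follows the
Command AV pop-up quoted in the thread, but the log is not a real scan.
"""
import re
from collections import defaultdict

# Constructed sample log (assumption: one record per blank-line-separated
# block, first line is the path, remaining lines are "Key: value").
SAMPLE_LOG = r"""
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8B77D690-9B10-4C8D-9733-3E8D9DA9EBAF}(2)\RP37\A0003325.exe
Infection: W32/VB-Backdoor-PClient-based!Maximus
Message: Error disinfecting file
Infection state: Can not disinfect
Application: dvprpt
Application version: 4.93.8.60804
Scan engine version: 4.93.137.35

C:\RECYCLER\S-1-5-21-343818398-113007714-682003330-1004\Dc3.exe
Infection: W32/VB-Backdoor-PClient-based!Maximus
Message: Error disinfecting file
Infection state: Can not disinfect

C:\Program Files\WebPosition 3\FPDnsCli.exe
Infection: W32/VB-Backdoor-PClient-based!Maximus
Message: Error disinfecting file
Infection state: Can not disinfect
"""

# XP-era System Restore stores point copies as \System Volume Information\
# _RESTORE{guid}[(n)]\RPnn\Annnnnnn.ext; the files are renamed copies, not
# anything that runs on its own.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_RESTORE\{[0-9A-Fa-f-]+\}(?:\(\d+\))?\\RP(\d+)\\",
    re.IGNORECASE,
)
# NTFS Recycle Bin: one sub-folder per user, named by that user's SID. The
# last component (RID) >= 1000 identifies a user-created account.
RECYCLER_RE = re.compile(
    r"\\RECYCLER\\(S-1-5-21-\d+-\d+-\d+-(\d+))\\", re.IGNORECASE
)


def parse_log(text):
    """Split the log into records: {'path': ..., 'infection': ..., ...}."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in chunk.splitlines() if ln.strip()]
        rec = {"path": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def classify(path):
    """Return (kind, details) for a detected path.

    kind is 'restore_point', 'recycle_bin' or 'live'. Only 'live' hits can
    be the thing that is actually running; the other two are dormant copies
    that go away by flushing System Restore or emptying the Recycle Bin.
    """
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", {"rp": int(m.group(1))}
    m = RECYCLER_RE.search(path)
    if m:
        return "recycle_bin", {"sid": m.group(1), "rid": int(m.group(2))}
    return "live", {}


def triage(records):
    """Group detections by signature into live vs cached locations.

    A signature with live hits only on a file that comes straight from the
    vendor's installer (and also on its cached copies) is the false-positive
    pattern: the right move is to submit the file to the AV vendor, not to
    keep deleting it.
    """
    by_sig = defaultdict(lambda: {"live": [], "cached": []})
    for rec in records:
        kind, _ = classify(rec["path"])
        bucket = "live" if kind == "live" else "cached"
        by_sig[rec["infection"]][bucket].append(rec["path"])
    return dict(by_sig)


if __name__ == "__main__":
    for sig, where in triage(parse_log(SAMPLE_LOG)).items():
        print(sig)
        for p in where["cached"]:
            print("  cached (not running):", p, classify(p))
        for p in where["live"]:
            print("  LIVE   (investigate): ", p)
```

Run against a real Command AV log, the output separates the restore-point and Recycle Bin noise from the one path that needs a decision. For that remaining path the check is the one chaslang describes: hash the file, compare it with a fresh vendor download, and send it to the AV vendor; if the same signature fires on the pristine installer copy, treat it as a false positive rather than evidence of a backdoor. Note that none of this explains the bounced mail on its own; backscatter from spoofed sender addresses looks identical from the recipient's side and has to be judged separately.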
