IRC.Backdoor.Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by iaburto, May 4, 2006.

  1. iaburto

    iaburto Private E-2

    I keep getting this error message from Symantec every time I open IE.

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: IRC.Backdoor.Trojan
    File: C:\DOCUME~1\iaburto\LOCALS~1\Temp\hbd.dll
    Location: C:\DOCUME~1\iaburto\LOCALS~1\Temp
    Computer: BEC-IA
    User: iaburto
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Thursday, May 04, 2006 4:04:10 PM

    I could not find any help on Symantec's website and I ran all the utilities suggested from this site.

    I have a Dell Dimension 9100
    3 GHz, 1 GB of RAM
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Norton has specific removal instructions:

    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


    Disable System Restore (Windows Me/XP).
    Update the virus definitions.
    Restart the computer in Safe mode or VGA mode.
    Run a full system scan and delete all the files detected as Backdoor.IRC.Aladinz.G, Backdoor.Trojan, Trojan Horse, Hacktool.DoS, Hacktool, IRC.Backdoor.Trojan, or Hacktool.HideWindow.

    http://www.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html


    If problems persist beyond this, please run our tutorial:

    http://forums.majorgeeks.com/showthread.php?t=35407

    And check back with us!
     
  3. iaburto

    iaburto Private E-2

    I followed the instructions on the Symantec website and I did not find the registry additions or program file directories listed. I booted into safe mode and did a deep virus scan and ran the utilities you showed me in your link. Still no luck.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must run ALL steps in the link ( http://forums.majorgeeks.com/showthread.php?t=35407 ) Major Attitude gave to you. This includes running Windows Defender and also the two online scans given in step 6. Then you must attach the two logs from the online scans as requested.

    Your alternative is to just try deleting all files in the below folder:
    C:\Documents and Settings\iaburto\Local Settings\Temp
     
  5. iaburto

    iaburto Private E-2

    I ran step 6 and posted the logs as well as a new HijackThis log. I also ran a full scan with Windows Defender. After a reboot I'm still having the same problem.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You forgot to empty your Norton Quarantine folder as step 0 requests!

    Your quarantine is here:
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

    Did you delete all files in the below folder:
    C:\Documents and Settings\iaburto\Local Settings\Temp
     
  7. iaburto

    iaburto Private E-2

    Every time I delete the quarantine file it gets repopulated soon and the trojan gets discovered. Same with the temp file.

    Also I googled the virus that BitDefender found and I cannot find anything on it. Backdoor.Ircbot.OJ

    Any clues? Thanks,
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat my question. Did you delete ALL files in the Temp folder? Not just the problem DLL. Did you delete ALL files?

    Download & run Blacklight Beta
    • Hit I accept. It will take you to download page.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the Blacklight log file here.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are plenty of hits on that out there, but you don't need to find any info on it anyway. Bitdefender deleted the file! But this is related to your DLL file too.

    Did you install this program? http://www.mybestsoft.com/iesec/index.html

    Or what about the below?
    O2 - BHO: MSNToolBandBHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\WINDOWS\system32\msntb.dll
     
  10. iaburto

    iaburto Private E-2

    Bingo ewido found and cleaned it.

    C:\WINDOWS\system32\msntb.dll -> Downloader.Agent.ajo : Cleaned without backup
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I thought it was the problem. The CLSID was for Internet Explorer Security Pro but the name was saying MSN. I wanted to be sure you had not installed them and then was going to have you fix that BHO.
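The two warning signs that settled this thread were a BHO whose display name did not match what its CLSID is registered as, and a DLL living in a user's Temp folder. The following is an added example, not code from the thread or from any of the tools mentioned in it: it parses HijackThis-style `O2 - BHO:` lines and flags both conditions. The `REGISTERED_NAMES` map stands in for what you would read from `HKEY_CLASSES_ROOT\CLSID\{...}` on the live machine; its contents, the third log line, and the zero-filled CLSID are constructed for the demonstration (the MSN/Internet Explorer Security Pro pairing follows chaslang's statement above).

```python
"""Added example: review HijackThis O2 (Browser Helper Object) lines for
name/CLSID mismatches and DLLs loaded from Temp directories."""
import re
from dataclasses import dataclass
from typing import Dict, List

# O2 lines have the shape:  O2 - BHO: <display name> - {CLSID} - <dll path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+)$"
)


@dataclass(frozen=True)
class BhoEntry:
    name: str
    clsid: str
    path: str


def parse_o2_lines(log_text: str) -> List[BhoEntry]:
    """Return every well-formed O2 line as a BhoEntry; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = O2_RE.match(raw.strip())
        if m:
            entries.append(BhoEntry(m["name"].strip(), m["clsid"].upper(), m["path"].strip()))
    return entries


def loads_from_temp(path: str) -> bool:
    """True when any directory component is Temp/Tmp (long or 8.3 form)."""
    segments = [s.lower() for s in re.split(r"[\\/]", path)]
    return any(s in ("temp", "tmp") for s in segments[:-1])


def review_bhos(entries: List[BhoEntry], registered_names: Dict[str, str]) -> Dict[str, List[str]]:
    """Map CLSID -> list of reasons for every entry that deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        registered = registered_names.get(e.clsid)
        if registered is None:
            reasons.append("CLSID not found in the registration map")
        elif registered.lower() != e.name.lower():
            reasons.append(
                f"display name {e.name!r} does not match registered name {registered!r}"
            )
        if loads_from_temp(e.path):
            reasons.append("DLL is loaded from a Temp directory")
        if reasons:
            findings[e.clsid] = reasons
    return findings


# Constructed sample log: line 2 is the O2 line from the thread, lines 1 and 3
# are made up for the example (line 3 uses a placeholder CLSID and DLL name).
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: MSNToolBandBHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\\WINDOWS\\system32\\msntb.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\example.dll
"""

# Constructed stand-in for the CLSID default values read from HKCR\CLSID on the host.
REGISTERED_NAMES = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": "Adobe PDF Reader Link Helper",
    "{49E0E0F0-5C30-11D4-945D-000000000000}": "Internet Explorer Security Pro",
}

if __name__ == "__main__":
    for clsid, reasons in review_bhos(parse_o2_lines(SAMPLE_LOG), REGISTERED_NAMES).items():
        print(clsid)
        for r in reasons:
            print("   -", r)
```

On a real system the registration map comes from the registry rather than a literal, but the review logic is the same: a benign BHO normally has a display name that agrees with its CLSID registration and a DLL under Program Files or System32, so either mismatch is worth a second look before deciding what to fix.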
     