Trojan horse BackDoor.Generic6.FYM

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jander, Jun 28, 2007.

  1. Jander

    Jander Private E-2

    Hiya,

    My mother has some nasty stuff on her computer, which is running Windows XP Home (2.99 GHz, 512 MB, Service Pack 2). I already cleaned a bunch of spyware, viruses, and trojans from her computer. But there are still some hanging around.

    Whenever I try and run HijackThis I get some blue screen saying that a problem has been detected and needs to shut down to prevent damage to the computer. It does a memory dump and then reboots.

    AVG (which is updated) detects threats when I start the computer. One of them is C:\WINDOWS\system32\Drivers\ip6fw.sys. I heal this every time with AVG but it keeps coming back.

    I also get things like Threat Detected while opening file C:\DOCUME~1\Owner\LOCALS~1\Temp\144109.exe Trojan horse BackDoor.Generic6.FYM

    C:\DOCUME~1\Owner\LOCALS~1\Temp\35750.exe Trojan horse BackDoor.Generic6.FYM

    I have been getting this every time I start the computer: a RUNDLL window pops up saying
    Error Loading C:\WINDOWS\ddbxur.dll The specified module could be found. This started after I ran Spybot, AVG, Asquared, Adaware and Crapcleaner.

    I've run CrapCleaner, AVG, Asquared, Spybot, Adaware. Even ran them in safe mode. I tried to run Housecall but the computer kept freezing.

    I've attached my AVG, Adaware and Bitdefender log files.

    Any help would be much appreciated. Thank you for your time and effort.
     


    Last edited: Jun 28, 2007
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Notes:

    1. When you get to HJT in the below procedure, let us know if you still cannot run it; however also try to run it in safe boot mode if you cannot run it in normal boot mode. MAKE SURE you renamed it as requested.
    2. Since you already ran BitDefender online scan, you don't need to rerun it, but make sure you run ALL other steps including Panda online scan.
    3. Please do not attach XML logs. We will not look at them. Only text formatted logs (the only exception is the BitDefender HTML log).
    First run this WareOut Removal; be sure to attach the log from FixWareOut at the end of the below process.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • FixWareOut
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED because you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Jander

    Jander Private E-2

    Hiya,

    I did everything that I could. The Panda Scan wouldn't work for me. I keep getting that blue screen. I get it with hijackthis as well even after I renamed it.

    In the reports file that is attached are:

    CounterSpy
    Newfiles
    Runkeys
    Fixwareout

    The only threat that AVG keeps complaining about is this one:
    C:\WINDOWS\system32\Drivers\ip6fw.sys, well, so far anyway.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is probably nothing wrong with your ip6fw.sys file. The problem is really that your C:\WINDOWS\system32\winlogon.exe may be infected. We will deal with that after we get the other issues fixed. Fixing winlogon.exe problems can be rather tricky.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    dpsgmt.dll
    drvmgr.dll
    pmnnm.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    dpsgmt.dll
    drvmgr.dll
    pmnnm.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    dpsgmt.dll
    drvmgr.dll
    pmnnm.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)


    Now just exit Process Explorer.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 8 of the READ & RUN ME. This only applies to if using WinXP or WinMe.
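    The Process Explorer steps above are a manual check of which DLLs are loaded into winlogon.exe, explorer.exe and iexplore.exe. The script below is an added example, not code from chaslang or from this thread: it does the same lookup read-only from an elevated PowerShell prompt and reports any module whose file name matches one of the three DLL names given in the post, together with the Authenticode status of the file on disk. It reports only; it does not kill threads or unload anything. The DLL and process names are taken from the post; everything else (function name, output columns) is assumed for this example.

```powershell
# Added example (not code from the original thread): read-only check for the
# DLL names from the post inside the processes the post names.
# Assumptions: elevated PowerShell (reading winlogon's module list needs it);
# DLL and process names below come from the post.

$ErrorActionPreference = 'Stop'   # make .NET errors (e.g. access denied) catchable

$suspectDlls = @('dpsgmt.dll', 'drvmgr.dll', 'pmnnm.dll')   # names from the post
$targets     = @('winlogon', 'explorer', 'iexplore')        # processes from the post

function Find-SuspectModules {
    param(
        [string[]]$ProcessNames,
        [string[]]$DllNames
    )
    $hits = @()
    foreach ($name in $ProcessNames) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) { Write-Warning "$name is not running"; continue }
        foreach ($proc in $procs) {
            try {
                $modules = $proc.Modules            # throws if the process cannot be opened
            } catch {
                Write-Warning "Cannot read modules of $name (PID $($proc.Id)): $($_.Exception.Message)"
                continue
            }
            foreach ($m in $modules) {
                # -contains is case-insensitive, so DPSGMT.DLL also matches
                if ($DllNames -contains $m.ModuleName) {
                    $hits += [pscustomobject]@{
                        Process   = $name
                        PID       = $proc.Id
                        Module    = $m.ModuleName
                        Path      = $m.FileName
                        # Signature status of the file on disk: a pointer, not a verdict
                        Signature = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
                    }
                }
            }
        }
    }
    $hits
}

$found = Find-SuspectModules -ProcessNames $targets -DllNames $suspectDlls
if ($found) {
    $found | Format-Table -AutoSize
} else {
    'None of the listed DLLs are loaded in winlogon, explorer or iexplore.'
}
```

    The Signature column is only a hint: on older Windows versions many legitimate system files are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature can report NotSigned for a clean file. A hit on one of the listed names plus a path outside %SystemRoot%\system32 is the combination worth looking at; the post's own next step (killing the threads, then the Avenger script) is the removal side, which this check deliberately does not perform.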
     
  5. Jander

    Jander Private E-2

    Hiya,

    Thank you for all the help.

    I followed what you posted. I didn't have any of those DLLs when I ran Process Explorer. I still can't run HJT; it causes that blue screen. System Restore was already shut off; I shut it off long ago when I hooked up her computer.

    After I did the steps you posted and rebooted AVG didn't complain about anything. I ran AVG, AVG Anti-Spyware, Adaware, and they came up clean.

    I ran Spybot and it found some stuff. When I tried to copy them I got that blue screen. So I went back and scanned again; here are the results from Spybot:

    PWS.LDPinchlE
    HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Runtime
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Runtime

    Win32.Mulo.ff
    HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot\Network\runtime2.sys
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Network\runtime2.sys
    HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot\Minimal\runtime2.sys
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot\Minimal\runtime2.sys
    HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Runtime2
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Runtime2

    Asquared came up with:

    Trojan.Win32.Patched.m
    C:\WINDOWS\System32\winlogin.exe

    CounterSpy and the BitDefender scan also came up with stuff. The attached file contains:

    avenger
    bdscan
    counterspy
    newfiles
    runkeys

    Once again thank you for all of your help.
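    The Spybot findings in the post above are worth reading for what they mean rather than just their names: a service entry under Services\Runtime2 is the driver definition, and the matching entries under Control\SafeBoot\Minimal and Control\SafeBoot\Network are what let that driver load even in Safe Mode, which is why safe-boot scans in the first post did not shake it off. The entries appear under both ControlSet001 and ControlSet002 because the registry keeps more than one control set and CurrentControlSet is only a link to one of them. The script below is an added example, not code from this thread or from Spybot: it audits those locations read-only, in every ControlSet00N present, for the entry names taken from the post, and also reports size, hash and signature status of both winlogon.exe and the winlogin.exe spelling that a-squared reported, so a lookalike file stands out. It assumes an elevated PowerShell 4 or later (for Get-FileHash); the function names and output columns are assumptions for this example.

```powershell
# Added example (not code from the original thread): read-only audit of the
# registry locations named in the Spybot output, across every ControlSet00N.
# Assumptions: elevated PowerShell 4+; the entry names below come from the post.

$ErrorActionPreference = 'Stop'
$names = @('Runtime', 'Runtime2', 'runtime2.sys')   # names from the Spybot output in the post

function Get-ControlSets {
    # HKLM\SYSTEM\Select\Current says which ControlSet00N CurrentControlSet points to.
    $current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current
    Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.PSChildName
                Current = ([int]$_.PSChildName.Substring(10) -eq $current)
            }
        }
}

function Find-SafeBootAndServiceEntries {
    param([string[]]$Names)
    foreach ($cs in Get-ControlSets) {
        # SafeBoot\Minimal and SafeBoot\Network list what may load in Safe Mode;
        # Services holds the service/driver definitions themselves.
        foreach ($sub in 'Control\SafeBoot\Minimal', 'Control\SafeBoot\Network', 'Services') {
            $keyPath = "HKLM:\SYSTEM\$($cs.Name)\$sub"
            if (-not (Test-Path -Path $keyPath)) { continue }
            Get-ChildItem -Path $keyPath |
                Where-Object { $Names -contains $_.PSChildName } |   # case-insensitive
                ForEach-Object {
                    $props = Get-ItemProperty -Path $_.PSPath
                    [pscustomobject]@{
                        ControlSet = $cs.Name
                        Current    = $cs.Current
                        Location   = $sub
                        Entry      = $_.PSChildName
                        ImagePath  = $props.ImagePath      # set on Services entries: the file on disk
                        Default    = $props.'(default)'    # set on SafeBoot entries: "Driver" or "Service"
                    }
                }
        }
    }
}

function Get-LogonBinaryInfo {
    # The legitimate logon process is winlogon.exe; a-squared's report in the post
    # named winlogin.exe, so both spellings are checked.
    foreach ($f in 'winlogon.exe', 'winlogin.exe') {
        $p = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path -Path $p) {
            [pscustomobject]@{
                Path      = $p
                Bytes     = (Get-Item -Path $p).Length
                SHA256    = (Get-FileHash -Path $p -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -FilePath $p).Status
            }
        } else {
            [pscustomobject]@{ Path = $p; Bytes = $null; SHA256 = 'not present'; Signature = $null }
        }
    }
}

Find-SafeBootAndServiceEntries -Names $names | Format-Table -AutoSize
Get-LogonBinaryInfo | Format-Table -AutoSize
```

    A result row whose Location is a SafeBoot key and whose Entry is a name that no legitimate driver on the machine uses is the safe-mode persistence the thread is fighting; the ImagePath from the matching Services row says which file it points to. Nothing here deletes anything, so the output can be attached to a help thread the way the logs in this one were. As in the first example, a NotSigned status on an older catalog-signed Windows file is not by itself proof of tampering.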
     

  6. Jander

    Jander Private E-2

    Hiya,

    Well, thanks for all the help. It's a shame though. When I got home from work I discovered that my mother took the computer to a local computer shop that one of her friends told her about. I called them and tried to catch them before they did anything to it, but it was too late. They had already formatted it and are installing the extras right now. What a waste. She could have saved herself the $75.

    Anyways thanks again for all the help.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Too bad! Formatting was totally unnecessary. My next steps would have removed your remaining problems!
     
