W32/Backdoor-CFB and W32/Sdbot.worm.gen.t <need help removing>

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Spoiler99, Dec 28, 2004.

  1. Spoiler99

    Spoiler99 Private E-2

    Hey guys. I need a lot of help removing some viruses and spyware that have infested my computer and are refusing to be deleted. I was wondering what I can do to remove these.

    When I run Stinger, it tells me C:\WINDOWS\Explorer.EXE is infected with the W32/Backdoor-CFB virus, and also C:\WINDOWS\System32\Sysmrk.exe and \miratesp2.exe are both infected with the W32/Sdbot.worm.gen.t virus.

    Nothing I have done is able to remove them and I believe they are what is making my computer slow, and allowing all of the spyware back into my computer. My system is running on average 60+ processes after startup, and I have an unusual amount of rundll32.exe running, and when deleted they just come back a few seconds later. Any help would be greatly appreciated.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!


    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Spoiler99

    Spoiler99 Private E-2

    I did all the scanning and ran HJT. Here is the log.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Spoiler99,

    You have a bunch of nasty malware. I can get you started on the removal process:

    Please look in Add/Remove Programs and Uninstall these if found:

    SurfBuddy
    TSA
    TSM2
    Tibs3
    TIBS Web Specials
    WinAd
    Windows Control Ad
    Viewpoint
    Viewpoint Manager


    Also, note any other suspicious entries!

    NEXT:

    Run CWShredder, About:Buster, and HS Remove as prescribed in the Tutorial (Run them in Safe Mode)

    Then, reboot to normal Windows and attach a fresh HJT Log.

    Note that this is only a START. A lot of malware will remain and need to be weeded out manually. I am not around the forum that often these days, but will try to check back tonight. At any rate, somebody will be here to assist you - Please be patient! :)

    PP
     
  5. Spoiler99

    Spoiler99 Private E-2

    Ok, I did all of the scanning in safe mode. I ran HJT again and got this file. And thanks for the help, btw.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You must remember that ALL browsers must be shutdown before running HJT. You had IE running:
    C:\Program Files\Internet Explorer\iexplore.exe

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\System32\fbmdcaa.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
    C:\WINDOWS\System32\sysmrk.exe
    C:\WINDOWS\System32\miratesp2.exe
    WinCtlAd.exe
    kalvnzy32.exe
    tsm2.exe
    tsa.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jacen\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jacen\LOCALS~1\Temp\sp.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {15FDEA60-D346-4486-B6E0-82C315284172} - C:\WINDOWS\System32\fbmdcaa.dll
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
    O4 - HKLM\..\Run: [sys mrk32] sysmrk.exe
    O4 - HKLM\..\Run: [Mirate Sp 2 Information] miratesp2.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnzy32.exe
    O4 - HKLM\..\RunServices: [sys mrk32] sysmrk.exe
    O4 - HKLM\..\RunServices: [Mirate Sp 2 Information] miratesp2.exe
    O4 - HKCU\..\Run: [Clock] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - HKCU\..\Run: [sys mrk32] sysmrk.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0903d3b02614ec166c18/netzip/RdxIE601.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O18 - Filter: text/html - {51AB810B-CE74-4A51-ACC8-DA8DFB7516F4} - C:\WINDOWS\System32\fbmdcaa.dll
    O18 - Filter: text/plain - {51AB810B-CE74-4A51-ACC8-DA8DFB7516F4} - C:\WINDOWS\System32\fbmdcaa.dll
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\sysmrk.exe
    C:\WINDOWS\System32\miratesp2.exe
    C:\WINDOWS\System32\tibs3.exe
    C:\WINDOWS\System32\fbmdcaa.dll
    C:\Program Files\Windows ControlAd <--- the whole folder
    C:\windows\system32\kalvnzy32.exe
    C:\WINDOWS\svchost.exe <--- note this is not the same as c:\windows\system32\svchost.exe
    C:\Program Files\Common Files\tsa <--- the whole folder

    Then empty your Recycle Bin, your c:\Windows\Prefetch folder and also delete all files in the below folder:
    C:\Documents and Settings\Jacen\Local Settings\Temp

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
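As an added example (not code from the thread, from HijackThis, or from chaslang), a small Python triage helper that applies the patterns the O4 list above exposes: autorun values that are a bare filename with no path (sysmrk.exe, miratesp2.exe), a system-binary name such as svchost.exe launched from outside System32, the legacy RunServices key, and the same binary registered under several autorun keys at once. The sample lines are copied from the log excerpt in this post; the set of System32-only binaries is an assumption of the example.

```python
import re
# Constructed sample: O4 autorun lines copied from the HijackThis log excerpt quoted in the thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe",
    r"O4 - HKLM\..\Run: [sys mrk32] sysmrk.exe",
    r"O4 - HKLM\..\Run: [Mirate Sp 2 Information] miratesp2.exe",
    r"O4 - HKLM\..\RunServices: [sys mrk32] sysmrk.exe",
    r"O4 - HKCU\..\Run: [Clock] C:\WINDOWS\svchost.exe",
    r"O4 - HKCU\..\Run: [sys mrk32] sysmrk.exe",
]
# Assumed list of Windows binaries that legitimately live only in System32; a copy elsewhere is an impostor.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM32_DIR = "c:\\windows\\system32\\"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(\S+?\.exe)', re.IGNORECASE)  # quoted path, or first token ending in .exe

def parse_o4(line):
    m = O4_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an O4 line: {line!r}")
    return m.groupdict()

def executable_path(cmd):
    """Drop quotes and arguments from the registry value; return the launched executable."""
    m = EXE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def triage_entry(entry):
    path = executable_path(entry["cmd"])
    base = path.rsplit("\\", 1)[-1].lower()
    tags = []
    if "\\" not in path:
        tags.append("BARE_FILENAME")  # no fixed location; resolved through the search path at logon
    if base in SYSTEM32_ONLY and not path.lower().startswith(SYSTEM32_DIR):
        tags.append("IMPOSTOR_SYSTEM_BINARY")  # e.g. C:\WINDOWS\svchost.exe, not System32\svchost.exe
    if entry["key"].lower() == "runservices":
        tags.append("RUNSERVICES")  # legacy pre-logon autorun key, rarely used by legitimate software
    return tags

def triage_log(lines):
    """Tag each O4 line; also flag a binary registered under more than one autorun key."""
    parsed = [(line, parse_o4(line)) for line in lines]
    base_of = lambda e: executable_path(e["cmd"]).rsplit("\\", 1)[-1].lower()
    locations = {}
    for _, e in parsed:
        locations.setdefault(base_of(e), set()).add((e["hive"], e["key"]))
    return {line: triage_entry(e) + (["MULTI_LOCATION"] if len(locations[base_of(e)]) > 1 else [])
            for line, e in parsed}

if __name__ == "__main__":
    for line, tags in triage_log(SAMPLE_O4_LINES).items():
        print(f"{', '.join(tags) or 'ok':40} {line}")
```

On the sample lines only the tibs3 entry comes back clean; every sysmrk.exe line is flagged both as a bare filename and as registered in three autorun locations, which is the same set of entries chaslang lists for removal.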
     
  7. Spoiler99

    Spoiler99 Private E-2

    Ok. I did all of that. I was unable to find C:\WINDOWS\System32\fbmdcaa.dll or C:\WINDOWS\System32\tibs3.exe. I couldn't find C:\WINDOWS\svchost.exe until I ran a scan for it, and found 3 of them. One was the one in the system32 folder. So I didn't delete any of them. I also couldn't find C:\Program Files\Common Files\tsa. But I ran a search for it and found it and deleted it. It was in the Common~1 folder. Other than that, everything went exactly as written. Here is my new HJT log.

    Also, I seem to be slow still when I'm loading Windows. This is the period in between the black Windows screen with the loading bar at the bottom and the blue screen where it says "Windows is starting up" and loads login options.

    On the upside, things seem to be better. The processes seem to be faster, and everything just seems healthier.

    Let me know if there is anything else I can do.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! One of those bad entries is still there. Download Pocket KillBox
    Run Killbox. Select the option to Replace on Reboot.


    1) Now, Copy and Paste C:\windows\system32\kalvnzy32.exe into the box
    2) Check the option to Use Dummy.
    3) Now, Click the Red X and Yes to the confirmation message.
    4) A message will ask if you want to reboot now – Click NO.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnzy32.exe

    After clicking Fix, exit HJT. And reboot your PC in normal mode. Post a new HJT log. Let me know if you run into any problems doing these steps.
     
  9. Spoiler99

    Spoiler99 Private E-2

    Let's see what happened. Did all of that, and here's my log.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  11. Spoiler99

    Spoiler99 Private E-2

    First off, I would like to thank you both for the help. Wouldn't have been able to do this on my own. Everything seems to be working normally so far.

    But I ran Stinger to see if it would find anything, and it still says it is finding the W32/Backdoor-CFB virus in C:\WINDOWS\Explorer.exe and it is unable to repair it. Is this a mistake, or is this something I should be getting rid of?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

