Backdoor.ircbot.abfr
Hi there,
I have come here because I was unable to get live assistance today.
I really am concerned about this infection in my PC and need help to get the thing off/out.
I am unable to get bitdefender internety security V2008 to take any action.
I also have been at this for a while now with various issues, system sometimes crashes, some times to click with my mouse is not working on this forum as well.
I have a tecket number also : Re: [Ticket ID:200709211004889]
I have system restore off, previously deleted the infected zip file, and still its showing up on bitdefender scans...I am uptight LOL and need help asap??
Thank you in advance... waiting for reply
Comments
-
Hi there,
I have come here because I was unable to get live assistance today.
I really am concerned about this infection in my PC and need help to get the thing off/out.
I am unable to get bitdefender internety security V2008 to take any action.
I also have been at this for a while now with various issues, system sometimes crashes, some times to click with my mouse is not working on this forum as well.
I have a tecket number also : Re: [Ticket ID:200709211004889]
I have system restore off, previously deleted the infected zip file, and still its showing up on bitdefender scans...I am uptight LOL and need help asap??
Thank you in advance... waiting for reply
Hey guys, dont worry about this issue now...I managed to find and figure this out on my own
thanks0 -
Hello uptight1
Did you temporary disable BitDefender realtime protection? Because otherwise BitDefender blocks the infected system restore point. To that open BitDefender press on settings,go to antivirus,shield,uncheck enable realtime protection. Try again. Post also a scan log. To do so press on the history button. Double click on the scan finished entry (more info) and copy and paste the scan report in your next reply.
Best regards
Niels0 -
Hello uptight1
Did you temporary disable BitDefender realtime protection? Because otherwise BitDefender blocks the infected system restore point. To that open BitDefender press on settings,go to antivirus,shield,uncheck enable realtime protection. Try again. Post also a scan log. To do so press on the history button. Double click on the scan finished entry (more info) and copy and paste the scan report in your next reply.
Best regards
Niels
Hi there I dont know if i missed yr reply or if you posted it at the same time I posted that I figured it out?
but yes I did that, and then located the problem in my outlook express which must have been in my sent folder, and thats from emailing the zip infection to the labs yesterday so I disabled the real time protection and then deleted, and deleted from the delete folder also, and all is fixed which I am happy about. I was getting frustrated and concerned lol.
I am experiencing some system lagging, and occasional crashing, and also programs not responding error reports in windows, so dont know if u wana help here or not but I would be grateful if u can please. Just let me know what u need me to perform and I can do so and send in here for u.
thanks for the advice too btw.0 -
Hello uptight1
I was still making my post. I saw you reply only when I placed my post.
When does your system lag? If it's on boot I recommend that you go to start,run,type msconfig press enter go to the boot/start up tab and enter the item for start up/boot on this website. If you see an N or X or ? uncheck that/these items and press on apply and ok to confirm. Programs can crash. To see if you don't have corrupt windows system files put in your windows installation cd-rom go to start,run,type cmd press enter after that type
sfc /scannow and press enter.
Best regards
Niels0 -
Hello uptight1
I was still making my post. I saw you reply only when I placed my post.
When does your system lag? If it's on boot I recommend that you go to start,run,type msconfig press enter go to the boot/start up tab and enter the item for start up/boot on this website. If you see an N or X or ? uncheck that/these items and press on apply and ok to confirm. Programs can crash. To see if you don't have corrupt windows system files put in your windows installation cd-rom go to start,run,type cmd press enter after that type
sfc /scannow and press enter.
Best regards
Niels
Hi Neils,
on boot is not too bad but is slower then it used to be , so I will follow the instructions that you have included here in yr post reply.
Its also slower at shutting down [ logging off ] in comparison to how it usually was running.
Before this nasty was detected [which is now gone ] I first was having problems with IE 7, many times page can not be displayed etc.
I was unable to run the online bitdefender scan to completion as well, just to check [ at that time I had BDIS v10] so then I went to live chat at the BD site, and after some issues, was suggested I install the newer version 2008 IS, which is what I am now using.
I then still had problems , so I uninstalled IE7, and downloaded safari for windows : )
Then the BD 2008 was showing all wonky in the interface/skin, so after a few un installs with the tool provided by tech support, and re installs all was ok with this then.
I then also noticed I had a strange entry in my cmd, called a Tunnel adapter Teredo Tunneling Pseudo Interface [ found by typing ipconfig in the cmd ] I never had this before so mentioned it to my ISP, Windows & Tech support on bitdefender.
Just to note that I located that tunnel thing at the time I was having issues with IE7 and what ever else.
So apart from all being fixed with the virus/trojan thing, I am still wondering what that tunnel thing is doing on my pc in the first place, and one of the techs gave me a link with info on it but I still am baffled as to how it managed to become a part of my PC in the beginning.
I may be incorrect, but I am thinking this may be part of these issues?
Anyway: I am off to do these instructions and will return when completed.
I just thought it would help you if I gave a good run down on whats been going on and when it all started to see if you are able to fit the pieces of the puzzles?
Cool...bye for now, and thanks again for your help.
[EDIT] I will give further details on that tunnel teredo pseudo thing when I come back with doing the other stuff .
cheers.0 -
Hi again Neils!
OK I did the msconfig, what showed up was Adobe gamma as start up. (I have photoshop) so this seems not to
be a problem indication on castlecops. and comes under the "U" = users choice.
I ran the windows CD and performaed the scannow as instructed- it just finished and then gave no results.
Is that usually the case? I left the cmd open and waited but all was just as it was with no indication if was or was not ok.
I am assuming - all is OK?
Hope so : )
Would that nasty -that was on my PC have been the cause of the slowing down and various other issues?
I did not seem to have any probs until a week ago.And then that showed up shortly after.
that trojan/virus was not in a zip origionally either-I zipped it because I was zipping all my files in case I had to reformat,
and would be able to move everything on to the other hard drive until re format.
So at some stage before zipping the jpeg,this nasty was on the PC some where I guess.(un detected)
Any way...
-------Below is this tunnel thing I am curious about-------
Ethernet adapter Local Area Connection:
C:]Documents and Settings\_\ipconfig
Windows IP Configuration
Connection-specific DNS suffix : sa.bigpond.net.au
IP Address (leaving this origional blank)
Subnet mask (leaving this origional blank)
IP Addresss (letters and numbers)
Default Gateway ( leaving this blank)
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connnection-specific DNS Suffix: (this is empty?)
IP Address...(fe80::ffff:_more letters and a d%
Default gateway (empty)
Tunnel adapter 6 to 4 Tunneling Pseudo-Interface:
Connction specific DNS Suffix: sa.bigpond.net.au
IP Address: this is different to the origional IP address[ has a 2002 in beginning]
Default Gateway: is a variant of the one in line above [has same 2002 beginning]
Tunnel adapter Automatic Tunneling Pseudo0Interface:
Connction-specific DNS Suffux: sa.bigpond.net.au
IP Address: (different to the origional also)
default Gateway: this is empty also
I have no virtual machine etc installed, so am unsure what all this is about.
I would like to find out how this suddenly came onto my PC if you are willing to help me find out?
Bigpond say not anything to do with them, and asked me to call microsoft to find out what it is.
I did this and they/customer service tech at micosoft- were no help, didnt even know what it was.
I have been searching around but can not find any definate answers that relate to my situation.
I am hoping this is not something from the backdoorIRCBot. I have no idea so please excuse my lack of knowledge.
[P.S] I almost forgot to mention that I have a rediculous number of '14' svhost showing listed in bitdefender processors too!!
This cant be normal. Can it?
Thanks in advance again.0 -
Hi I have been busy ......
I have done the following:
1. Cleared Browsers of history/cookies/temp etc.
2. Ran AFT Cleaner
3. Ran %temp% -this was empty.
4. Ran SuperAntiSpyware
5. BitDefender scan again.
6. HJT scan
All has come up clean which is great.
I have run a HJT scan, and saved the log just to have some one look over and see if there is anything which should not be here.
Let me know if there are any here that I need to check and fix please?
Just a note- I see that there is a DNS entry which is something associated with safari browser, so this may be that tunnel thing I was concerned over??
I can fix that by uninstalling and re installing with out the bonjour if this is the case : )
There seem to be a couple things here I am uncertain of so I will wait for a response from someone here later.
Thanks for the help.
HJT RESULTS BELOW:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:49 AM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\logon.scr
C:\Documents and Settings\J\Desktop\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://syncrinosity.spaces.live.com//Photo...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186346986913
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-b5d9821bed84d1ca.spaces.live.co...ad/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 5727 bytes
Thanks again!0 -
Hello uptight1
Sorry for the late response but I am also very busy.
If nothing is found you may type exit and press enter in the cmd windows or closing the window.
Didn't you set a start page? If not fix this entry:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank Select it and press on fix checked confirm the message.
For the rest the log is clean.
You can try this to solve the dns problem:
go to start,run,type cmd press enter type ipconfig /flushdns enter wait till it's executed. This will clear the cache.
now type ipconfig /registerdns press enter.
Check also the running services: go to start,run,type services.msc press enter and check if they are necessary to start up together with windows by visiting this website. To change the start up type you have to double click on each service there you can change it don't forget to press on apply to confirm.
Best regards
Niels0
