Backdoor.ircbot.abfr

Hi there,

I have come here because I was unable to get live assistance today.

I really am concerned about this infection in my PC and need help to get the thing off/out.

I am unable to get bitdefender internety security V2008 to take any action.

I also have been at this for a while now with various issues, system sometimes crashes, some times to click with my mouse is not working on this forum as well.

I have a tecket number also : Re: [Ticket ID:200709211004889]

I have system restore off, previously deleted the infected zip file, and still its showing up on bitdefender scans...I am uptight LOL and need help asap??

Thank you in advance... waiting for reply

Find more posts tagged with

Comments

fedup

Hi there,

I have come here because I was unable to get live assistance today.

I really am concerned about this infection in my PC and need help to get the thing off/out.

I am unable to get bitdefender internety security V2008 to take any action.

I also have been at this for a while now with various issues, system sometimes crashes, some times to click with my mouse is not working on this forum as well.

I have a tecket number also : Re: [Ticket ID:200709211004889]

I have system restore off, previously deleted the infected zip file, and still its showing up on bitdefender scans...I am uptight LOL and need help asap??

Thank you in advance... waiting for reply

Hey guys, dont worry about this issue now...I managed to find and figure this out on my own

thanks

Niels

Hello uptight1

Did you temporary disable BitDefender realtime protection? Because otherwise BitDefender blocks the infected system restore point. To that open BitDefender press on settings,go to antivirus,shield,uncheck enable realtime protection. Try again. Post also a scan log. To do so press on the history button. Double click on the scan finished entry (more info) and copy and paste the scan report in your next reply.

Best regards

Niels

fedup

Hello uptight1

Did you temporary disable BitDefender realtime protection? Because otherwise BitDefender blocks the infected system restore point. To that open BitDefender press on settings,go to antivirus,shield,uncheck enable realtime protection. Try again. Post also a scan log. To do so press on the history button. Double click on the scan finished entry (more info) and copy and paste the scan report in your next reply.

Best regards

Niels

Hi there I dont know if i missed yr reply or if you posted it at the same time I posted that I figured it out?

but yes I did that, and then located the problem in my outlook express which must have been in my sent folder, and thats from emailing the zip infection to the labs yesterday so I disabled the real time protection and then deleted, and deleted from the delete folder also, and all is fixed which I am happy about. I was getting frustrated and concerned lol.

I am experiencing some system lagging, and occasional crashing, and also programs not responding error reports in windows, so dont know if u wana help here or not but I would be grateful if u can please. Just let me know what u need me to perform and I can do so and send in here for u.

thanks for the advice too btw.

Niels

Hello uptight1

I was still making my post. I saw you reply only when I placed my post.

When does your system lag? If it's on boot I recommend that you go to start,run,type msconfig press enter go to the boot/start up tab and enter the item for start up/boot on this website. If you see an N or X or ? uncheck that/these items and press on apply and ok to confirm. Programs can crash. To see if you don't have corrupt windows system files put in your windows installation cd-rom go to start,run,type cmd press enter after that type

sfc /scannow and press enter.

Best regards

Niels

fedup

Hello uptight1

I was still making my post. I saw you reply only when I placed my post.

When does your system lag? If it's on boot I recommend that you go to start,run,type msconfig press enter go to the boot/start up tab and enter the item for start up/boot on this website. If you see an N or X or ? uncheck that/these items and press on apply and ok to confirm. Programs can crash. To see if you don't have corrupt windows system files put in your windows installation cd-rom go to start,run,type cmd press enter after that type

sfc /scannow and press enter.

Best regards

Niels

Hi Neils,

on boot is not too bad but is slower then it used to be , so I will follow the instructions that you have included here in yr post reply.

Its also slower at shutting down [ logging off ] in comparison to how it usually was running.

Before this nasty was detected [which is now gone ] I first was having problems with IE 7, many times page can not be displayed etc.

I was unable to run the online bitdefender scan to completion as well, just to check [ at that time I had BDIS v10] so then I went to live chat at the BD site, and after some issues, was suggested I install the newer version 2008 IS, which is what I am now using.

I then still had problems , so I uninstalled IE7, and downloaded safari for windows : )

Then the BD 2008 was showing all wonky in the interface/skin, so after a few un installs with the tool provided by tech support, and re installs all was ok with this then.

I then also noticed I had a strange entry in my cmd, called a Tunnel adapter Teredo Tunneling Pseudo Interface [ found by typing ipconfig in the cmd ] I never had this before so mentioned it to my ISP, Windows & Tech support on bitdefender.

Just to note that I located that tunnel thing at the time I was having issues with IE7 and what ever else.

So apart from all being fixed with the virus/trojan thing, I am still wondering what that tunnel thing is doing on my pc in the first place, and one of the techs gave me a link with info on it but I still am baffled as to how it managed to become a part of my PC in the beginning.

I may be incorrect, but I am thinking this may be part of these issues?

Anyway: I am off to do these instructions and will return when completed.

I just thought it would help you if I gave a good run down on whats been going on and when it all started to see if you are able to fit the pieces of the puzzles?

Cool...bye for now, and thanks again for your help.

[EDIT] I will give further details on that tunnel teredo pseudo thing when I come back with doing the other stuff .

cheers.

fedup

Hi again Neils!

OK I did the msconfig, what showed up was Adobe gamma as start up. (I have photoshop) so this seems not to

be a problem indication on castlecops. and comes under the "U" = users choice.

I ran the windows CD and performaed the scannow as instructed- it just finished and then gave no results.

Is that usually the case? I left the cmd open and waited but all was just as it was with no indication if was or was not ok.

I am assuming - all is OK?

Hope so : )

Would that nasty -that was on my PC have been the cause of the slowing down and various other issues?

I did not seem to have any probs until a week ago.And then that showed up shortly after.

that trojan/virus was not in a zip origionally either-I zipped it because I was zipping all my files in case I had to reformat,

and would be able to move everything on to the other hard drive until re format.

So at some stage before zipping the jpeg,this nasty was on the PC some where I guess.(un detected)

Any way...

-------Below is this tunnel thing I am curious about-------

Ethernet adapter Local Area Connection:

C:]Documents and Settings\_\ipconfig

Windows IP Configuration

Connection-specific DNS suffix : sa.bigpond.net.au

IP Address (leaving this origional blank)

Subnet mask (leaving this origional blank)

IP Addresss (letters and numbers)

Default Gateway ( leaving this blank)

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connnection-specific DNS Suffix: (this is empty?)

IP Address...(fe80::ffff:_more letters and a d%

Default gateway (empty)

Tunnel adapter 6 to 4 Tunneling Pseudo-Interface:

Connction specific DNS Suffix: sa.bigpond.net.au

IP Address: this is different to the origional IP address[ has a 2002 in beginning]

Default Gateway: is a variant of the one in line above [has same 2002 beginning]

Tunnel adapter Automatic Tunneling Pseudo0Interface:

Connction-specific DNS Suffux: sa.bigpond.net.au

IP Address: (different to the origional also)

default Gateway: this is empty also

I have no virtual machine etc installed, so am unsure what all this is about.

I would like to find out how this suddenly came onto my PC if you are willing to help me find out?

Bigpond say not anything to do with them, and asked me to call microsoft to find out what it is.

I did this and they/customer service tech at micosoft- were no help, didnt even know what it was.

I have been searching around but can not find any definate answers that relate to my situation.

I am hoping this is not something from the backdoorIRCBot. I have no idea so please excuse my lack of knowledge.

[P.S] I almost forgot to mention that I have a rediculous number of '14' svhost showing listed in bitdefender processors too!!

This cant be normal. Can it?

Thanks in advance again.

fedup

Hi I have been busy ......

I have done the following:

1. Cleared Browsers of history/cookies/temp etc.

2. Ran AFT Cleaner

3. Ran %temp% -this was empty.

4. Ran SuperAntiSpyware

5. BitDefender scan again.

6. HJT scan

All has come up clean which is great.

I have run a HJT scan, and saved the log just to have some one look over and see if there is anything which should not be here.

Let me know if there are any here that I need to check and fix please?

Just a note- I see that there is a DNS entry which is something associated with safari browser, so this may be that tunnel thing I was concerned over??

I can fix that by uninstalling and re installing with out the bonjour if this is the case : )

There seem to be a couple things here I am uncertain of so I will wait for a response from someone here later.

Thanks for the help.

HJT RESULTS BELOW:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:10:49 AM, on 9/24/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Common Files\NMSAccessU.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\logon.scr

C:\Documents and Settings\J\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://syncrinosity.spaces.live.com//Photo...ad/MsnPUpld.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1186346986913

O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-b5d9821bed84d1ca.spaces.live.co...ad/MsnPUpld.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\Common Files\NMSAccessU.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

End of file - 5727 bytes

Thanks again!

Niels

Hello uptight1

Sorry for the late response but I am also very busy.

If nothing is found you may type exit and press enter in the cmd windows or closing the window.

Didn't you set a start page? If not fix this entry:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank Select it and press on fix checked confirm the message.

For the rest the log is clean.

You can try this to solve the dns problem:

go to start,run,type cmd press enter type ipconfig /flushdns enter wait till it's executed. This will clear the cache.

now type ipconfig /registerdns press enter.

Check also the running services: go to start,run,type services.msc press enter and check if they are necessary to start up together with windows by visiting this website. To change the start up type you have to double click on each service there you can change it don't forget to press on apply to confirm.

Best regards

Niels