
Get a GenericBackdoor.b virus popup then auto downloads start coming


nchrist

MIS
Sep 17, 2002
22
US
I'm having trouble with one PC. I've run CWShredder, Spybot, Ad-Aware, WinsockFix, Kill2Me. I've also run ToolbarCop but, honestly, I don't know what is a good toolbar and what is not. Our AV of choice is McAfee. McAfee is catching the Generic Backdoor.b virus but almost before we can move the file--it won't let us delete or clean--downloads start running. I'm including my HijackThis log; could someone please look at it and see if there is anything I can delete that will help get rid of this thing? At this point I'm so far over my head you can barely see my fingers.

tks

Logfile of HijackThis v1.97.7
Scan saved at 6:58:12 PM, on 5/11/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\PROGRA~1\Simply\CBWHost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Simply\Cheymon.exe
C:\Program Files\Simply\CBWUser.exe
C:\winnt\temp\9z.exe
C:\PROGRA~1\Simply\FSWINSvc.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\winnt\temp\9z.exe
C:\WINNT\system32\wnsintit.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\Tng1jlA.exe
C:\WINNT\system32\Tng1jlA.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\CSCHAU~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SFPrnmon] C:\PROGRA~1\Simply\Cheymon.exe
O4 - HKLM\..\Run: [SimplyFSWINSvc] C:\PROGRA~1\Simply\CBWExec.exe /Run C:\PROGRA~1\Simply\FSWINSvc.exe -run
O4 - HKLM\..\Run: [CBWUser] "C:\Program Files\Simply\CBWUser.exe"
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
O4 - HKLM\..\Run: [9z] C:\winnt\temp\9z.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [AutoLoaderowtz1WSUJILJ] "C:\WINNT\system32\dinte.exe" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [9z.exe] C:\winnt\temp\9z.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [29JGRS94@8EEJ4] C:\WINNT\system32\Lwhu0Uz.exe
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintit.exe
O4 - Startup: Microsoft Outlook.lnk = C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) -
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) -
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) -
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = frit.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = frit.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = frit.com
 
Particle Physicist? Nice

For starters, right off the top this line is malware:

C:\WINNT\system32\wnsintit.exe
and
C:\WINNT\system32\wnsintit.exe which is described as:
"Task which is dropped onto your PC when you run the free “hidden pornography” scanner from PuritySCAN.com. At the time of writing, 9-May-2004, PuritySCAN.com purports to scan your PC for hidden pornography and help you remove it. But it is a front to adware"
Unix IS user friendly... It's just selective about who its friends are.
 
O4 - HKLM\..\Run: [29JGRS94@8EEJ4] C:\WINNT\system32\Lwhu0Uz.exe
This one is the Peper trojan; you can get the removal tool here.


There's other stuff; it'll take a bit to go through the log.

It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Sorry, had to go... back again.
I would also get rid of these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
The only toolbar I trust is the Google toolbar...
good luck!



Unix IS user friendly... It's just selective about who its friends are.
 
Here's what I came up with.

MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Way out of date on Explorer.

C:\winnt\temp\9z.exe
It would be good to empty the entire temp folder.

C:\WINNT\system32\wnsintit.exe
See the comments about PurityScan above.

C:\DOCUME~1\CSCHAU~1\LOCALS~1\Temp\HijackThis.exe
Best installed in its own folder, such as C:\hjt, in order to keep backups.


After the peper removal:
Close browser windows, start HijackThis, and tick these to fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [9z] C:\winnt\temp\9z.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [9z.exe] C:\winnt\temp\9z.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\system32\dp-him.exe
O4 - HKLM\..\Run: [29JGRS94@8EEJ4] C:\WINNT\system32\Lwhu0Uz.exe
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintit.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) -

If this is not a valid domain for you/your company's operation, it should be fixed too:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = frit.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = frit.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = frit.com

Reboot to safe mode and delete:
C:\winnt\temp\9z.exe <--- at least this file, preferably contents of folder if you're not saving anything there.
C:\Program Files\Common files\WinTools <---- folder
C:\WINNT\system32\dp-him.exe <---- file
C:\WINNT\system32\Lwhu0Uz.exe <--- file
C:\WINNT\system32\wnsintit.exe <---- file


This group of stuff seems odd; I can't get much search info on it.
If you don't recognize any of this:
The conservative approach would be to fix these items and rename the files.
The aggressive approach would be to fix these items and delete the Simply folder and the Tng1jlA file.
O4 - HKLM\..\Run: [SFPrnmon] C:\PROGRA~1\Simply\Cheymon.exe
O4 - HKLM\..\Run: [SimplyFSWINSvc] C:\PROGRA~1\Simply\CBWExec.exe /Run C:\PROGRA~1\Simply\FSWINSvc.exe -run
O4 - HKLM\..\Run: [CBWUser] "C:\Program Files\Simply\CBWUser.exe"
O4 - HKLM\..\Run: [AutoLoaderowtz1WSUJILJ] "C:\WINNT\system32\dinte.exe" /PC="AM.WILD" /HideUninstall

C:\PROGRA~1\Simply\CBWHost.exe
C:\PROGRA~1\Simply\Cheymon.exe
C:\Program Files\Simply\CBWUser.exe
C:\PROGRA~1\Simply\CBWExec.exe
C:\PROGRA~1\Simply\FSWINSvc.exe
C:\WINNT\system32\Tng1jlA.exe



It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
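A small triage script, added here as an example and not part of any post in this thread, that parses a HijackThis-style log and flags the patterns diogenes10's walkthrough points at: a process or O4 Run entry living in a temp folder, the same process listed twice, empty R0/R1 Internet Explorer values, and an O17 DNS domain that is not one you expect. The log excerpt is constructed from entries quoted above; the `expected_domains` parameter and the `TEMP_DIRS` list are assumptions, not anything HijackThis itself provides.

```python
import re

# Constructed excerpt in HijackThis v1.97 log format; the entries are ones quoted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\winnt\temp\9z.exe
C:\winnt\temp\9z.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
O4 - HKLM\..\Run: [9z] C:\winnt\temp\9z.exe
O4 - HKCU\..\Run: [WNSC] C:\WINNT\system32\wnsintit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = frit.com
"""

TEMP_DIRS = ("\\temp\\", "\\local settings\\temp\\")  # assumed lower-cased path fragments

def parse(log):
    """Return (running process paths, [(item type, detail), ...]) from a log."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in log.splitlines()):
        m = re.match(r"^([RO]\d+) - (.*)$", line)   # e.g. "O4 - HKLM\..\Run: ..."
        if line.startswith("Running processes:"):
            in_procs = True
        elif m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.append(line)
        else:
            in_procs = False   # a blank line ends the process list
    return procs, entries

def triage(log, expected_domains=()):
    """Flag the patterns the thread points at; returns a list of (reason, value)."""
    procs, entries = parse(log)
    findings = []
    lowered = [p.lower() for p in procs]
    for p in sorted(set(lowered)):
        if lowered.count(p) > 1:
            findings.append(("duplicate process", p))
        if any(t in p for t in TEMP_DIRS):
            findings.append(("process running from temp dir", p))
    ok_domains = {d.lower() for d in expected_domains}
    for kind, rest in entries:
        if kind in ("R0", "R1") and rest.endswith("="):
            findings.append(("empty IE registry value", rest))
        elif kind == "O4" and any(t in rest.lower() for t in TEMP_DIRS):
            findings.append(("autorun from temp dir", rest))
        elif kind == "O17":
            dom = rest.split("Domain =")[-1].strip()
            if dom and dom.lower() not in ok_domains:
                findings.append(("unexpected DNS domain", dom))
    return findings
```

Note that `wnsintit.exe` is not flagged: an entry in system32 with an innocuous name only stands out by looking it up, which is why the thread identifies it by name rather than by pattern.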
 
Correct me if I'm wrong but I believe that the below applies to Fax and modem software.

O4 - HKLM\..\Run: [SFPrnmon] C:\PROGRA~1\Simply\Cheymon.exe
O4 - HKLM\..\Run: [SimplyFSWINSvc] C:\PROGRA~1\Simply\CBWExec.exe /Run C:\PROGRA~1\Simply\FSWINSvc.exe -run
O4 - HKLM\..\Run: [CBWUser] "C:\Program Files\Simply\CBWUser.exe"
and:
O4 - HKLM\..\Run: [9z.exe] C:\winnt\temp\9z.exe

is a manual for some particle physics program. But still clear out all of your Temp Internet files!

And I agree with the rest of diogenes10's analysis. Good luck!

Unix IS user friendly... It's just selective about who its friends are.
 
Yes, zebratech, you are correct, the Simply is fax and modem software, but we don't use it anymore. And I don't know where the particle physics program came from. They're gone...

OK, all you guys... I've deleted, cleaned, scanned, started, restarted, removed, upgraded--IE 6.0--so I'm now in a wait-and-see mode. It takes about an hour after the PC is booted to see if the backdoor.b jumps back up. The only thing I had trouble with was the websearch lines in regedit. I deleted them a kazillion times and they keep coming back. Tks for all your help. I'll keep you posted.
 