Backdoor?!

Thread: Backdoor?!

  1. #1
    Join Date
    May 2009
    Posts
    48

    Exclamation Backdoor?!

    Hey, guys

    I'm really sorry to open a new thread, but I just couldn't find any more information on the apparent issue I'm having with my PC.

    Recently, I decided to run AVZ Antiviral Toolkit for one of my usual virus/spyware scans, and I caught something that seems to be a backdoor!

    Indeed, AVZ's open tcp/udp ports viewer shows an entry on port 50000 called 'Backdoor.Starline'!!! What exactly is it and how do I get rid of it?!
    I've always had my OS completely up to date, as well as my antivirus/firewall software (NOD32 Smart Security) and I've always been so careful, I really don't know what might have caused this. Is it serious...?

    Please, I'd really appreciate it if someone could help me solve this problem!


    Cheers

  2. #2
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner3.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://www.trendsecure.com/portal/en...kthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

    Above layout courtesy of Broni

    VirtualDr email notices are not working.
    Check back regularly for responses.

    _____________________
    cat lovers click here

  3. #3
    Join Date
    May 2009
    Posts
    48
    Hi, fink

    Thank you so much for the quick reply. I'll follow the instructions you've supplied me with, but there's just one problem.

    I checked the applications required just to be safe, and GMER came up with a 'Win32.TrojanHorse' on Virustotal.com scan. Is it a false positive or should I be worried?


    Cheers
    Last edited by The_Wonderer; March 8th, 2010 at 09:43 PM.

  4. #4
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,426
    Is it a false positive or should I be worried?
    I'm not sure I understand.. You were running a virustotal scan while gmer was running?


  5. #5
    Join Date
    May 2009
    Posts
    48
    Here's Malwarebytes' log (didn't detect anything):

    Malwarebytes' Anti-Malware 1.44
    Database version: 3838
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18882

    09-03-2010 01:53:03
    mbam-log-2010-03-09 (01-53-03).txt

    Scan type: Quick Scan
    Objects scanned: 108868
    Time elapsed: 3 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    I still haven't run GMER because there's a risk of infection I'm not sure I'm willing to take. I wish there was another similar application I could use without endangering my system.

    Anyway, here's HijackThis' log (I also don't see anything unusual here):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 02:04:11, on 09-03-2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18882)
    Boot mode: Normal

    Running processes:
    C:\Windows\SYSTEM32\WISPTIS.EXE
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\WTablet\Pen_TabletUser.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\Bruno\Security Bundle\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
    O4 - HKLM\..\Run: [Skytel] Skytel.exe
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://download.autodesk.com/esd/map...G/mgaxctrl.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1c9a2e2a8610d23) (gupdate1c9a2e2a8610d23) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
    O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe


    Like I said, I'm just afraid I might have a nasty backdoor of some kind, as I don't think that entry on AVZ is supposed to be normal, but I checked my PC several times and, apart from that, I don't seem to find anything that looks suspicious. How do I find what application is using tcp port 50000? I'm really sorry, but I'm kind of lost here...


    Cheers
    Last edited by The_Wonderer; March 8th, 2010 at 10:40 PM.

  6. #6
    Join Date
    May 2009
    Posts
    48
    Quote Originally Posted by fink View Post
    I'm not sure I understand.. You were running a virustotal scan while gmer was running?
    No, www.virustotal.com provides an online scan and I decided to upload gmer and scan it before I did anything with it, obviously. I usually scan everything I download, both with my AV software or scanning it online (on virustotal.com or virusscan.jotti.org), as there's a larger database.

    I'm kind of a security freak, in case you haven't noticed :P


    Cheers
    Last edited by The_Wonderer; March 8th, 2010 at 10:22 PM.

  7. #7
    Join Date
    May 2009
    Posts
    48
    Also, I've run TCPView and found two instances of winint.exe listening on tcp port 50000. I googled it and it appears that winint.exe is actually a harmful process. Well... is it? Should I get rid of it and how?
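    Mapping a listening port back to the process that owns it, as the poster did with TCPView, can also be scripted from `netstat -ano` output. The Python below is an added example, not code from the thread or from any tool it names: the netstat lines and the PID-to-path table are constructed, the path table assumes a source such as Process Explorer (tasklist alone prints no image paths), and the two checks it applies are a defender's first look at any unexpected listener: an image living outside the Windows or Program Files directories, and a file name one letter off a legitimate system binary (the thread's winint.exe against Windows' wininit.exe).

```python
"""Map a listening TCP port to its owning process from `netstat -ano` text.
Both samples below are CONSTRUCTED for this example; the PID-to-path table
assumes a path source such as Process Explorer (tasklist prints no paths)."""
import csv
import difflib
import io
import re

# Short illustrative list of Windows binaries that malware likes to imitate.
SYSTEM_NAMES = ["wininit.exe", "winlogon.exe", "svchost.exe", "csrss.exe",
                "lsass.exe", "explorer.exe", "services.exe"]
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")

NETSTAT_SAMPLE = """  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    812
  TCP    0.0.0.0:50000      0.0.0.0:0          LISTENING    2104
  TCP    [::]:50000         [::]:0             LISTENING    2188
"""
PATHS_SAMPLE = r'''PID,Path
812,C:\Windows\System32\svchost.exe
2104,C:\Users\<user>\AppData\Roaming\winint.exe
2188,C:\Users\<user>\AppData\Roaming\winint.exe
'''

def listeners_on_port(netstat_text, port):
    """PIDs of TCP sockets in LISTENING state bound to `port` on any address."""
    pat = re.compile(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)")
    return [int(m.group(2)) for m in map(pat.match, netstat_text.splitlines())
            if m and int(m.group(1)) == port]

def assess(path):
    """Reasons the image behind a listener deserves a closer look (empty = none)."""
    reasons = []
    name = path.rsplit("\\", 1)[-1].lower()
    if not path.lower().startswith(SYSTEM_DIRS):
        reasons.append("image outside system directories")
    close = difflib.get_close_matches(name, SYSTEM_NAMES, n=1, cutoff=0.9)
    if close and close[0] != name:          # e.g. winint.exe vs wininit.exe
        reasons.append("name is a lookalike of " + close[0])
    return reasons

def report(netstat_text, paths_csv, port):
    """{pid: (image path, reasons)} for every process listening on `port`."""
    paths = {int(r["PID"]): r["Path"] for r in csv.DictReader(io.StringIO(paths_csv))}
    return {pid: ((paths[pid], assess(paths[pid])) if pid in paths
                  else ("<no process record>", ["pid not found in process table"]))
            for pid in listeners_on_port(netstat_text, port)}

if __name__ == "__main__":
    print(report(NETSTAT_SAMPLE, PATHS_SAMPLE, 50000))
```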

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Do you think we would ask you to download and run a malicious program?
    Little bit ridiculous, don't you think?

    Please, run GMER.

    Mods, please move this thread.

  9. #9
    Join Date
    May 2009
    Posts
    48
    Quote Originally Posted by Broni View Post
    Do you think we would ask you to download and run a malicious program?
    Little bit ridiculous, don't you think?

    Please, run GMER.

    Mods, please move this thread.
    Ridiculous? That's a bit harsh, don't you think? It's simply called taking precautions, I didn't say you were knowingly asking people to run malicious programs, did I?

    I'll post the GMER log in a minute.

    EDIT: GMER crashed. The first time I tried running it, it gave me a blue screen; then I tried running it as an admin and it still crashes.
    Last edited by The_Wonderer; March 8th, 2010 at 11:08 PM.

  10. #10
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I didn't say you were knowingly asking people to run malicious programs, did I?
    You know what? I'm too busy cleaning people's computers to even go into a discussion over it with you.

  11. #11
    Join Date
    May 2009
    Posts
    48
    Quote Originally Posted by Broni View Post
    You know what? I'm too busy cleaning people's computers to even go into a discussion over it with you.
    "I'm too busy cleaning people's computers"? I'm sorry, why are you being so arrogant?! Look, if you thought I was being sarcastic, I apologize, but I really can't see why you're acting like that. I didn't mean to go into a discussion over this with anyone, I made a simple remark (I actually asked if I should be concerned about running that application) and you clearly took it the wrong way.

    I'm still hoping you'll be able to help.


    Cheers
    Last edited by The_Wonderer; March 8th, 2010 at 11:37 PM.

  12. #12
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    No problem. I guess, we just started from the wrong foot

    Please, go ahead and post GMER log whenever you're ready.

  13. #13
    Join Date
    May 2009
    Posts
    48
    Quote Originally Posted by Broni View Post
    No problem. I guess, we just started from the wrong foot

    Please, go ahead and post GMER log whenever you're ready.
    Hi, Broni

    Again, sorry for our initial misunderstanding, I guess we did start from the wrong foot.

    Well, like I said in one of my previous posts, for some reason, GMER fails to complete a scan. It boots up, I click 'scan' and it crashes after a minute or so, either giving me a Blue Screen or simply shutting down. I tried running it in Safe Mode, but to no avail.

    Any clues on what the issue might be? Is it the application itself or something wrong with my OS?


    Cheers

  14. #14
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Sometimes, it happens with GMER.
    Try to run it one more time with "Devices" UN-checked.

  15. #15
    Join Date
    May 2009
    Posts
    48
    EDIT
    Last edited by The_Wonderer; March 9th, 2010 at 12:54 AM.
