-
March 8th, 2010, 09:09 PM
#1
Backdoor?!
Hey, guys
I'm really sorry to open a new thread, but I just couldn't find any more information on the apparent issue I'm having with my PC.
Recently, I decided to run AVZ Antiviral Toolkit for one of my usual virus/spyware scans, and I caught something that seems to be a backdoor!
Indeed, AVZ's open tcp/udp ports viewer shows an entry on port 50000 called 'Backdoor.Starline'!!! What exactly is it and how do I get rid of it?!
I've always had my OS completely up to date, as well as my antivirus/firewall software (NOD32 Smart Security) and I've always been so careful, I really don't know what might have caused this. Is it serious...?
Please, I'd really appreciate it if someone could help me solve this problem!
Cheers
-
March 8th, 2010, 09:21 PM
#2
Print these instructions out.
NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner3.exe
***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***
STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
RESTART COMPUTER!
STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
Alternative downloads:
- http://majorgeeks.com/GMER_d5198.html
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.
RESTART COMPUTER
STEP 3. Download HijackThis:
http://www.trendsecure.com/portal/en...kthis/download
by clicking on Installer under Version 2.0.2
[DO NOT download version 2.0.3 (beta)]
Install, and run it.
Post HijackThis log.
NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Above layout courtesy of Broni
VirtualDr email notices are not working.
Check back regularly for responses.
-
March 8th, 2010, 09:38 PM
#3
Hi, fink
Thank you so much for the quick reply. I'll follow the instructions you've supplied me with, but there's just one problem.
I checked the applications required just to be safe, and GMER came up with a 'Win32.TrojanHorse' on a Virustotal.com scan. Is it a false positive or should I be worried?
Cheers
Last edited by The_Wonderer; March 8th, 2010 at 09:43 PM.
-
March 8th, 2010, 10:13 PM
#4
Is it a false positive or should I be worried?
I'm not sure I understand... You were running a virustotal scan while gmer was running?
-
March 8th, 2010, 10:15 PM
#5
Here's Malwarebytes' log (didn't detect anything):
Malwarebytes' Anti-Malware 1.44
Database version: 3838
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882
09-03-2010 01:53:03
mbam-log-2010-03-09 (01-53-03).txt
Scan type: Quick Scan
Objects scanned: 108868
Time elapsed: 3 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
I still haven't run GMER because there's a risk of infection I'm not sure I'm willing to take. I wish there was another similar application I could use without endangering my system.
Anyway, here's HijackThis' log (I also don't see anything unusual here):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:04:11, on 09-03-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\taskeng.exe
C:\Users\Bruno\Security Bundle\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://download.autodesk.com/esd/map...G/mgaxctrl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9a2e2a8610d23) (gupdate1c9a2e2a8610d23) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
Like I said, I'm just afraid I might have a nasty backdoor of some kind, as I don't think that entry on AVZ is supposed to be normal, but I checked my PC several times and, apart from that, I don't seem to find anything that looks suspicious. How do I find what application is using tcp port 50000? I'm really sorry, but I'm kind of lost here...
Cheers
Last edited by The_Wonderer; March 8th, 2010 at 10:40 PM.
-
March 8th, 2010, 10:20 PM
#6
Originally Posted by fink
I'm not sure I understand... You were running a virustotal scan while gmer was running?
No, www.virustotal.com provides an online scan and I decided to upload gmer and scan it before I did anything with it, obviously. I usually scan everything I download, both with my AV software or scanning it online (on virustotal.com or virusscan.jotti.org), as there's a larger database.
I'm kind of a security freak, in case you haven't noticed :P
Cheers
Last edited by The_Wonderer; March 8th, 2010 at 10:22 PM.
-
March 8th, 2010, 10:50 PM
#7
Also, I've run TCPView and found two instances of winint.exe listening on tcp port 50000. I googled it and it appears that winint.exe is actually a harmful process. Well... is it? Should I get rid of it and how?
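The question in post #5 (which application is using TCP port 50000?) and the TCPView finding above can both be checked from the command line without extra downloads. This is an added example, not from the thread or any tool it names; it uses only netstat -ano, Get-Process and Get-AuthenticodeSignature, which exist on Vista-era Windows, and the function name Get-ListeningPortOwner is the example's own.

```powershell
# Added example (not from the thread): map a listening TCP port to its owning
# process, then show where that executable lives and whether it is Authenticode
# signed. Run from an elevated PowerShell prompt so Path is readable for every PID.
function Get-ListeningPortOwner {
    param([Parameter(Mandatory=$true)][int]$Port)

    # netstat -ano rows look like:  TCP  0.0.0.0:50000  0.0.0.0:0  LISTENING  1234
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[3] -ne 'LISTENING') { continue }

        # Local address is 0.0.0.0:50000 or [::]:50000; the port follows the last colon.
        $localPort = [int]$f[1].Substring($f[1].LastIndexOf(':') + 1)
        if ($localPort -ne $Port) { continue }

        $procId = [int]$f[4]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $path = if ($proc) { $proc.Path } else { $null }
        # A missing or invalid signature on a listener in a user-writable folder
        # is the thing worth reporting back to the helpers in this thread.
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'unknown' }

        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            PID          = $procId
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
            Path         = $path
            Signature    = $sig
        }
    }
}

# The port reported by AVZ and TCPView in this thread.
Get-ListeningPortOwner -Port 50000 | Format-List
```

If Path comes back empty for a listener even when elevated, the process usually exited between netstat and Get-Process, so rerun the function.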
-
March 8th, 2010, 10:50 PM
#8
Do you think we would ask you to download and run a malicious program?
Little bit ridiculous, don't you think?
Please, run GMER.
Mods, please move this thread.
-
March 8th, 2010, 10:56 PM
#9
Originally Posted by Broni
Do you think we would ask you to download and run a malicious program?
Little bit ridiculous, don't you think?
Please, run GMER.
Mods, please move this thread.
Ridiculous? That's a bit harsh, don't you think? It's simply called taking precautions, I didn't say you were knowingly asking people to run malicious programs, did I?
I'll post the GMER log in a minute.
EDIT: GMER crashed. The first time I tried running it, it gave me a blue screen; then I tried running it as an admin and it still crashes.
Last edited by The_Wonderer; March 8th, 2010 at 11:08 PM.
-
March 8th, 2010, 11:08 PM
#10
I didn't say you were knowingly asking people to run malicious programs, did I?
You know what? I'm too busy cleaning people's computers to even go into a discussion over it with you.
-
March 8th, 2010, 11:23 PM
#11
Originally Posted by Broni
You know what? I'm too busy cleaning people's computers to even go into a discussion over it with you.
"I'm too busy cleaning people's computers"? I'm sorry, why are you being so arrogant?! Look, if you thought I was being sarcastic, I apologize, but I really can't see why you're acting like that. I didn't mean to go into a discussion over this with anyone, I made a simple remark (I actually asked if I should be concerned about running that application) and you clearly took it the wrong way.
I'm still hoping you'll be able to help.
Cheers
Last edited by The_Wonderer; March 8th, 2010 at 11:37 PM.
-
March 8th, 2010, 11:42 PM
#12
No problem. I guess, we just started from the wrong foot
Please, go ahead and post GMER log whenever you're ready.
-
March 8th, 2010, 11:49 PM
#13
Originally Posted by Broni
No problem. I guess, we just started from the wrong foot
Please, go ahead and post GMER log whenever you're ready.
Hi, Broni
Again, sorry for our initial misunderstanding, I guess we did start from the wrong foot.
Well, like I said in one of my previous posts, for some reason, GMER fails to complete a scan. It boots up, I click 'scan' and it crashes after a minute or so, either giving me a Blue Screen or simply shutting down. I tried running it in Safe Mode, but to no avail.
Any clues on what the issue might be? Is it the application itself or something wrong with my OS?
Cheers
-
March 8th, 2010, 11:55 PM
#14
Sometimes, it happens with GMER.
Try to run it one more time with "Devices" UN-checked.
-
March 9th, 2010, 12:40 AM
#15
Last edited by The_Wonderer; March 9th, 2010 at 12:54 AM.