Possible Backdoor or Trojan Can't Figure Out

Good evening. I contracted a nasty trojan or backdoor the other day and have not been able to find any information regarding it. Every time my system reboots I'm getting a firewall warning from a file that is in windows\system32, and the filename always changes; it appears to be a randomly generated garbled name. Example:

C:\windows\system32\xhvvrb.exe
or
C:\windows\system32\kumlxf.exe

If I immediately check in the windows\system32 directory, the file does not exist. Yet they do show up in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<the temporary file name>.

I keep selecting to Keep Blocking this file. I have not been able to find any information on what is causing this or how to remove it, however.

Yesterday my girlfriend was on my system and apparently clicked Unblock, and some problems started happening: randomly launching programs, and when in an IRC channel someone was spamming things through my name while I was connected. Obviously someone has a backdoor or something that I think came in through this file.

McAfee Security Center does not detect any viruses, and I've run several spyware removers (Ad-Aware, SuperAntiSpyWare) with no success. Another peculiarity is if I try to download several of the removal tools (such as stinger) McAfee pops up detecting the installed programs as a Malware.bm Virus (though they are links that I found at the site here).

Anyone have any ideas on how to remove this?
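A defender-side check for the persistence pattern described in this post, added here as an example and not part of the thread: it lists Run-key entries whose target executable is missing from disk or whose name looks randomly generated inside System32. It assumes an elevated PowerShell session; the name heuristic (5 to 8 lowercase letters) is an assumption and will also flag some legitimate short names.

```powershell
# Added example: audit Run-key autostarts for the symptom in the post above
# (entry points into System32 with a random-looking name, file gone by the time
# you look). Assumes an elevated PowerShell session; the name heuristic is an
# assumption and will also flag some legitimate short names, so treat it as a
# hint and the "target missing on disk" result as the stronger signal.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath {
    # Pull the executable out of a Run value: a quoted path, or the first token.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-SuspiciousRunEntry {
    $system32 = Join-Path $env:WINDIR 'System32'
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = (Get-ItemProperty -LiteralPath $key).PSObject.Properties
        foreach ($prop in $props) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $exe = Get-ExecutablePath ([string]$prop.Value)
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            $reasons = @()
            if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'target missing on disk' }
            $base = [IO.Path]::GetFileNameWithoutExtension($exe)
            # Heuristic: 5-8 lowercase letters, living in System32 (like xhvvrb.exe).
            if ($exe -like "$system32\*" -and $base -cmatch '^[a-z]{5,8}$') {
                $reasons += 'random-looking name in System32'
            }
            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Key = $key; Name = $prop.Name; Command = $prop.Value
                    Why = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize -Wrap
```

An entry flagged as "target missing on disk" is worth capturing (key, value name, command line) before removal, since the post shows the file can reappear under a new name after each reboot.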
7 Replies

RE: Possible Backdoor or Trojan Can't Figure Out

Go to VirusTotal and upload those files, see if any vendor detects anything, and post back the results.

VirusTotal: http://www.virustotal.com/

Click on the browse button, locate

C:\windows\system32\xhvvrb.exe

then click on send file. Copy/paste the report into your next reply.

Do the same with C:\windows\system32\kumlxf.exe

RE: Possible Backdoor or Trojan Can't Figure Out

Thanks for the help. I had already rebooted and this time it called the file txbeyx.exe. I went to Virustotal.com and uploaded that file, and it uploaded a 992k file. The report:
----------------------------------------

Engine Version Updated Result
AhnLab-V3 2007.8.29.0 2007.08.30 -
AntiVir 7.4.1.66 2007.08.30 -
Authentium 4.93.8 2007.08.29 -
Avast 4.7.1029.0 2007.08.29 Win32:Vanbot-DH
AVG 7.5.0.484 2007.08.29 -
BitDefender 7.2 2007.08.30 -
CAT-QuickHeal 9.00 2007.08.30 -
ClamAV 0.91.2 2007.08.30 -
DrWeb 4.33 2007.08.30 -
eSafe 7.0.15.0 2007.08.29 -
eTrust-Vet 31.1.5095 2007.08.30 -
Ewido 4.0 2007.08.30 -
FileAdvisor 1 2007.08.30 -
Fortinet 3.11.0.0 2007.08.30 -
F-Prot 4.3.2.48 2007.08.29 -
F-Secure 6.70.13030.0 2007.08.30 -
Ikarus T3.1.1.12 2007.08.30 Backdoor.Win32.Rbot.cqk
Kaspersky 4.0.2.24 2007.08.30 -
McAfee 5108 2007.08.29 -
Microsoft 1.2803 2007.08.30 -
NOD32v2 2491 2007.08.30 -
Norman 5.80.02 2007.08.30 -
Panda 9.0.0.4 2007.08.29 W32/Gaobot.PXQ.worm
Prevx1 V2 2007.08.30 -
Rising 19.38.32.00 2007.08.30 -
Sophos 4.21.0 2007.08.30 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.30 -
TheHacker 6.1.9.175 2007.08.30 -
VBA32 3.12.2.3 2007.08.30 -
VirusBuster 4.3.26:9 2007.08.30 -
Webwasher-Gateway 6.0.1 2007.08.30 Packer.Armadillo

-------------------

I then uploaded: C:\windows\system32\kumlxf.exe and got the same results.

RE: Possible Backdoor or Trojan Can't Figure Out

Send those files to the lab.
http://vil.nai.com/vil/submit-sample.aspx
Or
https://www.webimmune.net/default.asp

Install this programme >>Here<<, update its definitions, then boot into safe mode.

How to boot into safe mode.
http://forums.mcafeehelp.com/viewtopic.php?t=601

Run a complete system scan; if AVG finds anything remember to Apply all actions.

Then reboot back into normal mode.

Run an online scan Here, follow the prompts, and do not sign up for the newsletter.

RE: Possible Backdoor or Trojan Can't Figure Out

Files sent to lab.

Neither AVG nor McAfee found anything in safe mode. I couldn't use Panda's online scan as it doesn't work on Vista.

RE: Possible Backdoor or Trojan Can't Figure Out

W32/Gaobot.PXQ.worm

Virus info, but no removal instructions, as it tells you to use their software to remove it and you can't use it with Vista.

http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=vi...

They do have 2 Gaobot fixers @
http://www.pandasecurity.com/homeusers/downloads/repair-utilities/?sitepanda=particulares
But they are not for your variant. Use at own risk.

RE: Possible Backdoor or Trojan Can't Figure Out

Best bet, since you're a Vista user, would be the HijackThis route.

Register at this Forum, then follow these Steps and post the required logs in that forum, not here.

Please follow all stages set out above, as it's in your best interest.

Since you have Vista, a lot of tools that could normally be used with, say, XP will not work with Vista at this time, as the tool authors do not have a Vista machine. Please be patient as they are extremely busy.

RE: Possible Backdoor or Trojan Can't Figure Out

As this user has not replied since August, this thread is closed.
