Generic Backdoor!zr Trojan found

[boleyngirl]

I had a back door trojan on my PC in August (the first I've ever had) which I managed to clear with the help of this site.

Since then I have only used my PC once - to download my emails via Outlook Express and to download and install the free antivirus/antispyware programs using the links recommended by the analyst on this site. Despite this, when my McAfee scan next ran it picked up and quarantined the above trojan (McAfee also referred to its file name as
C:\IQON\INTERNET CONNECTION SETUP\IOLFREE\INSTALL_FREE.EXE).

As I've used the PC so little I can't work out how it got infected by the trojan (none of my emails seemed suspect).

The required logs are pasted below and attached as requested.

I'd be very grateful for advice on cleaning up my machine.

Look forward to hearing from you.


DDS (Ver_09-09-24.01) - NTFSx86
Run by Rachel at 21:16:10.42 on 05/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.155 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\BelkinWCUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Rachel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
uInternet Settings,ProxyServer = http=hxxp://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\windows\system32\WSBar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [VTTimer] VTTimer.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTrayp] VTtrayp.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [TalkTalk] "c:\program files\talktalk\bin\sprtcmd.exe" /P TalkTalk
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Power2GoExpress] "c:\program files\cyberlink\power2go\Power2GoExpress.exe"
StartupFolder: c:\docume~1\rachel\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\BelkinWCUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Search with Wanadoo - c:\windows\system32\WSBar.dll/VSearch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-2 28544]
R0 viaide1;viaide1;c:\windows\system32\drivers\viaidexp.sys [2005-8-23 6144]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214024]
R2 AWISp50;AWISp50 NDIS Protocol Driver;c:\windows\system32\drivers\AWISp50.sys [2006-3-15 17664]
R2 FastPara;FastPara;c:\windows\system32\drivers\fastpara.sys [2006-3-19 37836]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-8 210216]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-12-8 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-12-8 144704]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
R3 AEXPAM;Philips SmartManage Service;c:\windows\system32\drivers\aexpamdrv.sys [2004-9-1 21824]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-12-8 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-12-8 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-12-8 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-12-8 40552]
S2 0260041251834593mcinstcleanup;McAfee Application Installer Cleanup (0260041251834593);c:\windows\temp\026004~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\026004~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 PV8630;bPackard Bell Device Driver;c:\windows\system32\drivers\pv8630.sys [2006-3-19 20232]
S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\john\locals~1\temp\fadpu16e.sys --> c:\docume~1\john\locals~1\temp\Fadpu16E.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-12-8 34248]
S3 NdisWDM;Belkin Wireless G Plus USB Network Adapter Service;c:\windows\system32\drivers\ndiswdm.sys --> c:\windows\system32\drivers\ndiswdm.sys [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]

=============== Created Last 30 ================

2009-09-18 19:21 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-06 18:08 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-06 16:52 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-06 16:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-06 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2009-09-04 00:31 26,366 a------- c:\docume~1\rachel\applic~1\wklnhst.dat
2009-08-23 03:09 229,376 a------- c:\windows\PEV.exe
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2008-10-18 14:41 88 a------- c:\documents and settings\rachel\PATCHINFO.BIN
2008-10-05 17:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 21:17:21.95 ===============

[tetonbob]

Hi -

I think that may have been a false positive find by McAfee. I see no sign of active infection in those logs.

To followup, run an online scan with Kaspersky

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on Settings. Uncheck Mail databases.
• Next, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

[boleyngirl]

Thanks for your reply.

I've performed the Kaspersky online scan - results are posted below.

What should I do next please?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 9, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 09, 2009 19:14:35
Records in database: 2942671
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
F:\

Scan statistics:
Objects scanned: 55353
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:47:41


File name / Threat / Threats count
C:\iQon\Internet Connection Setup\Anytime\Install_Anytime.exe Infected: Backdoor.Win32.Hupigon.huva 1

Selected area has been scanned.

[tetonbob]

Interesting, Kaspersky sees this as a threat also.

Please tell me, what is this iQon folder from?

I'd like a look at the file, can you upload it for me, please?

• Please visit this site:
  
  http://www.bleepingcomputer.com/subm...php?channel=28
  
  
• In the Link to topic where this file was requested: area, copy and paste this
  
  http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/420446-generic-backdoor-zr-trojan-found.html#post2382706
  
  
• In the Browse to the file you want to submit: area, copy and paste this
  
  
  C:\iQon\Internet Connection Setup\Anytime\Install_Anytime.exe
  
• Then click Send File.
  
• Once it shows:
  

  Quote:

  Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

• Close the site and let me know.

[boleyngirl]

Thanks for the reply. I've uploaded the file as you requested.

As for the iQon folder, iQon is the make of the PC so I've always presumed it contains set-up information installed on the PC before it was sold. The folder also contains a Smartlink modem folder and PixAlert folder (amongst other things).

Look forward to hearing from you.

[tetonbob]

Thanks. I scanned the file

http://www.virustotal.com/analisis/2...441-1255374782


I'm not sure exactly why so many vendors see it as a potential threat, it could be because of it's packers, or due to the fact that it's a dialer program, which by it's very nature will have security programs raising their eyebrows and defenses.

This is where it originates, they customize it for OEMs and others.

http://www.ispwizard.com/

I also took a look at it. It seems to be designed to set up a new internet dial-up connection for Ireland Online Anytime

Quote:

This dialler (software) will allow you to connect to the Internet to
register for IOL Anytime.

This connection will be charged at local call rates.

Until you are registered and your account is fully set-up with IOL Anytime,
calls will continue to be charged at these rates.

If you don't need this, or use it, you could at the least, rename it to a .vir or .old extension so it cannot run. If any legit application you use requires it, that application would throw an error message; you could then rename it back.

In this day of broadband, I don't know how useful it is, but I realize there are many folks across the globe still using dial-up connections.

[boleyngirl]

Thanks for checking this file out for me.

I have just gone into the folder containing this file to rename it as you suggested when my McAfee detected it and identified it as a trojan with the detection name Artemis!CECAAE99409D. It has repaired (removed) the file from the system so I am left with an empty sub-folder entitled 'Anytime'.

As I'm on broadband and therefore have no need for dial-up software, I guess I don't need to do anything more with this now. Could you just confirm that's correct please?

[tetonbob]

That should be fine. If you're concerned with the loss of the file, you could restore it from McAfee quarantine (if it quarantined it, rather than out right deleted it), and then have McAfee ignore it, but I don't think it's a huge loss for the machine.

[boleyngirl]

Just thought I 'd make one last post to say thanks very much for all your help.

[tetonbob]

You're quite welcome

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.