# Solved: strange noise from computer was Unknown Backdoor Trojan



## Holly3278 (Jan 29, 2003)

Hi everyone. I seem to have gotten an "Unknown Backdoor Trojan" on my computer detected by an online Pest Patrol scan at http://www.pestpatrol.com/. None of my spyware scanners have detected this but the online scan did. It says that it goes by these aliases:

Backdoor.Lixy.h [Kaspersky]
Trojan.BAT.DeltreeY.bs [Kaspersky]
Trojan.Win32.Fynben.b [Kaspersky]
Trojan.Win32.TalkStocks.a [Kaspersky]

I had detected this trojan on my computer yesterday after doing a scan and then had to format my computer and reinstall everything to get rid of it. I updated everything and installed two firewalls plus Windows firewall and two anti-viruses (Norton and AVG) and I still have the trojan! Last night I scanned with Pest Patrol after the format and it wasn't there. Then my computer started acting up this morning and I scanned again and the trojan was back. I have no idea how I am getting this trojan! I use Webroot Spysweeper, Spybot Search and Destroy, Adaware (Spybot and Adaware are not yet downloaded and installed again), and Spyware Blaster. How on earth am I getting this thing?! What can I do to prevent it from coming back? I have 1 year of computer networking training and as far as I know I am not doing anything risky that would make me get this. Please help!

Here's a link to the page that Pest Patrol gave me about all this:

http://pestpatrol.com/pestinfo/U/Unknown_Trojan.asp#Detection and Removal


----------



## dvk01 (Dec 14, 2002)

It is some sort of spyware application that has piggybacked on a supposedly good one and you have obviously re-installed it along with something else

go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'. 
make sure it is placed into its own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log. 
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, 
so *do NOT fix anything yet.*
Someone here will be happy to help you analyze the results.


----------



## dvk01 (Dec 14, 2002)

But Pest patrol is known for false positives and the online scanner is NOT the most reliable of scanners


----------



## Holly3278 (Jan 29, 2003)

dvk01 said:


> But Pest patrol is known for false positives and the online scanner is NOT the most reliable of scanners


I kind of thought that. But this still worries me. Is there any way to confirm whether or not I have a trojan?


----------



## dvk01 (Dec 14, 2002)

I just did the PP online scan to check my "CLEAN" system

it finds an unknown BHO that should be removed according to it

The unknown BHO is M$ money viewer which I use daily 

Never do a format & install or delete anything on the advice of one online scanner; always ask for advice first

I am 99% sure that it is one of the usual PP false positives


----------



## dvk01 (Dec 14, 2002)

Holly3278 said:


> I kind of thought that. But this still worries me. Is there any way to confirm whether or not I have a trojan?


Post your hijackthis log and we'll check

all the aliases you quoted are totally different beasts and there is no way that ONE suspect is known by all those names, especially from one Antivirus company, Kaspersky


----------



## Holly3278 (Jan 29, 2003)

Logfile of HijackThis v1.98.2
Scan saved at 7:19:56 AM, on 11/4/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Juno6\qs\exec.exe
C:\Program Files\Juno6\qs\exec.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.juno.com/z4/resetpassword_redirect.html
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Trillian.lnk = ?
O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\Juno6\qsacc\appres.dll/228"
O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\Juno6\qsacc\appres.dll/227"
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3913E765-0708-488D-A140-D18EA27A0EAC}: NameServer = 64.136.20.121 64.136.28.121
O17 - HKLM\System\CS1\Services\Tcpip\..\{3913E765-0708-488D-A140-D18EA27A0EAC}: NameServer = 64.136.20.121 64.136.28.121


----------



## Holly3278 (Jan 29, 2003)

dvk01 said:


> I just did the PP online scan to check my "CLEAN" system
> 
> it finds an unknown BHO that should be removed according to it
> 
> ...


Oh well the format and reinstall was no big deal for me. I do one approximately every 3 months. Besides, my computer had a couple of issues that I wanted to fix and simply felt like formatting it instead of spending many more hours fixing. Basically it was some kind of problem with SP2 or Internet Explorer. I don't have much stuff to have to backup so it was no big deal. In fact, I didn't back up anything because it had only been about 2 weeks since my last format which was because of something else that skips my mind at this point.


----------



## dvk01 (Dec 14, 2002)

I can see absolutely nothing wrong there

I would assume that PP is giving a FP on the juno search entries which is quite a common occurrence with several so called malware removal programs


----------
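
The triage described in the post above (reading the log and tracing the detection to the Juno search entries), as an added example that is not part of the thread: a short Python parser that splits HijackThis entry lines by section code and collects the ones mentioning chosen keywords. The sample holds seven entries copied from the log posted earlier in the thread; treating `JUSearch` paths as Juno components is an assumption.

```python
import re
from collections import defaultdict

# Meaning of the HijackThis section codes that occur in the log posted above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "autostart entry",
    "O8": "IE context menu item", "O9": "IE extra button/menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
    "O17": "DNS/name server setting",
}

# Sample input: seven entries copied from the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3913E765-0708-488D-A140-D18EA27A0EAC}: NameServer = 64.136.20.121 64.136.28.121
"""

# An entry line is "<letter><1-2 digits> - <body>"; process paths never match.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_entries(log_text):
    """Return (code, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def entries_matching(entries, keywords):
    """Group entries whose body mentions any keyword (case-insensitive) by section code."""
    hits = defaultdict(list)
    for code, body in entries:
        if any(k.lower() in body.lower() for k in keywords):
            hits[code].append(body)
    return dict(hits)

if __name__ == "__main__":
    # Keywords are an assumption: "JUSearch" is taken to be a Juno component.
    juno = entries_matching(parse_entries(SAMPLE_LOG), ["juno", "JUSearch"])
    for code, bodies in sorted(juno.items()):
        print(f"{code} ({SECTIONS.get(code, 'unknown section')}): {len(bodies)} entries")
```
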



## Holly3278 (Jan 29, 2003)

dvk01 said:


> I can see absolutely nothing wrong there
> 
> I would assume that PP is giving a FP on the juno search entries which is quite a common occurrence with several so called malware removal programs


Hmm, glad to hear that. Is there anything else I should do? Also, a trojan wouldn't cause my computer's system speaker or something to click when I type would it? My computer makes this clicking noise when I type and sometimes when I'm just at the computer. I think what's happening is the desk is moving a little or something and something is rattling. I am wondering if it might be my case fan cause it's pretty dirty. I took an air can to it a few weeks ago but it didn't help much. Thing is, the clicking just started this past weekend. Either that or I just started noticing it then. I hope this isn't a dumb question.


----------



## dvk01 (Dec 14, 2002)

have you got a microphone or headset laying on the desk that might be switched on


----------



## Holly3278 (Jan 29, 2003)

dvk01 said:


> have you got a microphone or headset laying on the desk that might be switched on


No, the only microphone I have is built into my webcam. However, I know that I only started noticing the problem after I installed new speakers for my computer. One of the old ones went dead.


----------



## dvk01 (Dec 14, 2002)

Holly3278 said:


> No, the only microphone I have is built into my webcam. However, I know that I only started noticing the problem after I installed new speakers for my computer. One of the old ones went dead.


Is that turned on?

Possibly the new speakers are more sensitive than the old ones and picking up the webcam input at a lower volume


----------



## Holly3278 (Jan 29, 2003)

dvk01 said:


> Is that turned on?
> 
> Possibly the new speakers are more sensitive than the old ones and picking up the webcam input at a lower volume


Hmmm, as far as I know it's not turned on. It's plugged into the USB port though. Let's see here. I unplugged the cam and it's still making that noise so I don't think it's the mic in the cam.


----------



## dvk01 (Dec 14, 2002)

Pass

I'll move this to hardware now where someone else might have a better idea


----------



## Holly3278 (Jan 29, 2003)

dvk01 said:


> Pass
> 
> I'll move this to hardware now where someone else might have a better idea


Ok. Thank you for all the help you gave me dvk01. Now, to wait for someone to reply about the noise issue.


----------



## Holly3278 (Jan 29, 2003)

*bump*


----------



## Dick1038 (Jun 14, 2005)

If you are paranoid, like me, about these pests getting in, I recommend adding a local-address-translating (LAT) router between your modem and computer. I'm assuming you have a high-speed internet service with an external modem. They are less than $100. This will hide your true internet address. It helps keep out the hackers who sequentially try every address to find a vulnerable computer. If they happen to find your router, it won't respond to Windows commands.

These trojans can attach themselves to one of your valid files, like your Internet Explorer.


----------



## fa58055 (Jul 8, 2005)

Holly3278 said:


> Hi everyone. I seem to have gotten an "Unknown Backdoor Trojan" on my computer detected by an online Pest Patrol scan at None of my spyware scanners have detected this but the online scan did. It says that it goes by these aliases:
> 
> Backdoor.Lixy.h [Kaspersky]
> Trojan.BAT.DeltreeY.bs [Kaspersky]
> ...


----------



## Dick1038 (Jun 14, 2005)

I read in PC Magazine a while back that these trojans can attach themselves to other valid executable files. Your software that comes on CD's are OK. Try to check out any software that you downloaded. Also do a Google on the names of the trojan. Maybe someone has a fix.

Multiple software firewalls are a waste, from what I read. One good one is all that you need. Assuming you have a high-speed internet connection, I strongly recommend the hardware firewall using LAT router. I use a 4-port, Linksys Etherfast DSL/Cable Router. If you have multiple computers in your house, you can share your internet connection with all of them.


----------



## Holly3278 (Jan 29, 2003)

Dick1038 said:


> I read in PC Magazine a while back that these trojans can attach themselves to other valid executable files. Your software that comes on CD's are OK. Try to check out any software that you downloaded. Also do a Google on the names of the trojan. Maybe someone has a fix.
> 
> Multiple software firewalls are a waste, from what I read. One good one is all that you need. Assuming you have a high-speed internet connection, I strongly recommend the hardware firewall using LAT router. I use a 4-port, Linksys Etherfast DSL/Cable Router. If you have multiple computers in your house, you can share your internet connection with all of them.


Thank you very much for this help.  :up:


----------



## Drahcir (Jun 29, 2005)

I also believe you may want to zero your drive rather than just reformat, because a formatting of the hard drive just inserts a slash in front of the binary that says this is ok to write over; however, it does not delete it until it needs that space. Some free one pass zeroing software can be downloaded from cnet. I use 'Disk Kill' myself at the library I work at when a problem results in a reinstall. Seems to work pretty good for free.


----------



## qldit (Mar 18, 2005)

Good Morning All, gee Holly what an exciting exercise!
Basically these kinds of problems can be difficult to address.
I also feel that low level formatting a drive before reloading is a good idea, but these problems spread worse than "wet silver paint".

This is the kind of circumstance that originally motivated me to begin exploring Linux systems.
Do you have any real need to have to use MS windows?

Sometimes using a dual booting kind of system can be very useful, it certainly breaks these kinds of cycles.
qldit.


----------



## Holly3278 (Jan 29, 2003)

qldit said:


> Good Morning All, gee Holly what an exciting exercise!
> Basically these kinds of problems can be difficult to address.
> I also feel that low level formatting a drive before reloading is a good idea, but these problems spread worse than "wet silver paint".
> 
> ...


Yes, I need Windows XP because I am a big gamer and as far as I know, most of my games are not compatible with Linux or any other operating system except for maybe Macintosh and well, I never was a fan of Macintosh.


----------



## Holly3278 (Jan 29, 2003)

Oh yeah. Just thought I'd let you all know that I no longer have the problem.


----------



## qldit (Mar 18, 2005)

Good Evening Holly3278, well done!
I do feel the viral thing will become much worse so you will need to keep an eye on protection. At least MS have released the Defender so that is one step in the right direction.
Cheers qldit.


----------

