
Backdoor Trojan Virus

Discussion in 'Security and Privacy' started by sandycosign, 2002/09/24.

Thread Status:
Not open for further replies.
  1. 2002/09/24
    sandycosign

    sandycosign Inactive Thread Starter

    Joined:
    2002/09/24
    Messages:
    2
    Likes Received:
    0
    This is my first trip to this forum because I have had my first viral infection and don't know anything about what to do. I tried to install a different printer on my home computer using the HP installation CD. I eventually got a message "Infected file name: C:\program files\hewlett_pa...Virus name Win95/Coke.22231". I then got an "error starting program" message that a required .DLL file, giving me the name of the file, was not found. I am running Windows 98. I ran a Norton 2002 anti-virus program which reported that it was unable to repair the file C:\Windows\gefm.exe which was still infected with the Backdoor Trojan virus. I decided to quarantine the file as suggested and the file was successfully quarantined. Unfortunately, when I rebooted and on every subsequent reboot, I now get the message that the file C:\Windows\gefm.exe is missing and the computer freezes and unfreezes on about a ten second cycle which makes me want to throw it out the window as my wife and daughter scream at me to fix it. Shouldn't there be a warning that quarantining a file may ***** up your system? I don't know anything beyond very basic computer issues and dealing with tech support over the phone always leads to migraines. Is there a way out of this mess that I can try or do I need to seek professional help?
     
  2. 2002/09/24
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    I had to read your post several times and it appears you actually have two separate problems here. Correct me if I'm wrong.

    You attempt to install a new printer. You get an infection notice. You stop the install.
    You then run a full system scan. (I'm guessing you haven't done this before.)
    It tells you that file gefm.exe is infected with a backdoor trojan.
    I believe the Win95/Coke is a false positive.

    Lots of smart guys here if I'm wrong.

    How to fix?
    Reboot the computer, pressing F8 key. You then should be given a choice, select boot in safemode.

    If successful, do a find for gefm.exe and see where it is located and what its properties are (right-click, select Properties). You then should be able to find the program that installed this file.

    If you can identify the program, then go to control panel, add/remove programs and look for it on the list. Select add/remove, and remove it.
    Then click start, run, type msconfig.
    Select the startup tab. See if gefm.exe is there. If so, deselect it.
    Reboot and see if that works. If successful, I would go to HP site, and download the latest install for whatever printer you are trying to install. Post back good or bad...
     


  4. 2002/09/24
    sandycosign

    sandycosign Inactive Thread Starter

    Joined:
    2002/09/24
    Messages:
    2
    Likes Received:
    0
    I have a few comments on your reply. I don't know if they matter. I did not stop the install. I believe the infection notice came up after the installation was completed because a printer icon is on the desktop and clicking on it gives you the program starting error message. I assume by a full system scan you mean the anti-virus program? I believe that's correct. I will try your solution tonight and see what happens. Thanks.
     
  5. 2002/09/24
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    I also read your post more than once. Confusing problem.

    You had the bad luck to get hit by a virus that doesn't have a lot of information out on the net. This happens with some older viri.

    Also, and again bad luck, I can't find any references to the gefm.exe file you think is infected. And the thing aleekat suggested about finding where it is located to figure out what it is/does is possible. The location you posted of c:\windows is strange because that is mostly windows files and I really don't think this one is.

    I agree that this may well have been a false alarm and that you did not really have an infection. Or that you did but the gefm.exe was not really infected but was reported as being.

    My best suggestion if you are sure where the file was originally is to put it back there and then run a couple of the on-line scans to get verification of infection. There is a pretty good list of them Here. If none of them pick up the "infection" it probably doesn't exist.

    Also you can stop whatever is trying to call that file and make your error go away while you are working on this issue. It is probably being called from your startup folder, a "run" line in win.ini or system.ini, or a run line from your registry.

    As to the "professional help", you will probably do better here with this particular sort of issue than at a normal computer shop. Lots more expertise available and, as I said in the beginning, this isn't a simple problem due to the almost complete lack of information on the internet.
     
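    A defender's way to locate which autostart entry is still calling the quarantined file, as an added example that is not part of the original thread: it parses the win.ini/system.ini run lines and a regedit export of the Run keys that Newt lists, using constructed sample contents (the gefm.exe entries are made up for illustration), and reports every location that references a given filename.

```python
import re

# Constructed sample files (not from the original post): a Windows 9x win.ini,
# system.ini and a regedit export of the per-machine and per-user Run keys.
WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\gefm.exe\nNullPort=None\n"
SYSTEM_INI = "[boot]\nshell=Explorer.exe\ndrivers=mmsystem.dll\n"
REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"gefm"="C:\\WINDOWS\\GEFM.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msmsgs"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
"""

# Keys that act as autostart lines in each .ini, and the registry keys run at logon.
INI_AUTOSTART = {"win.ini": ("run", "load"), "system.ini": ("shell",)}
RUN_KEY_RE = re.compile(r"\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)


def ini_entries(name: str, text: str) -> list[tuple[str, str]]:
    """Return (location, command) for each autostart key in an .ini that has a value."""
    out, section = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in INI_AUTOSTART[name] and value:
                out.append((f"{name} [{section}] {key}=", value))
    return out


def reg_run_entries(text: str) -> list[tuple[str, str]]:
    """Return (location, command) for every string value under a Run-style key in a .reg export."""
    out, key, in_run = [], "", False
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key, in_run = line[1:-1], bool(RUN_KEY_RE.search(line[1:-1]))
        elif in_run and (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
            # .reg exports double every backslash inside string values; undo that
            out.append((f"{key}\\{m.group(1)}", m.group(2).replace("\\\\", "\\")))
    return out


def find_references(filename: str) -> list[str]:
    """List every autostart location whose command mentions filename (case-insensitive)."""
    entries = ini_entries("win.ini", WIN_INI) + ini_entries("system.ini", SYSTEM_INI)
    entries += reg_run_entries(REG_EXPORT)
    return [f"{loc} -> {cmd}" for loc, cmd in entries if filename.lower() in cmd.lower()]
```

    On a real machine the three constants would be read from C:\WINDOWS\win.ini, C:\WINDOWS\system.ini and a regedit export; the Startup folder is a directory listing and is not covered here.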
  6. 2002/09/24
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    Newt, I gave the false positive because of this.

    Polymorphic Viruses: Polymorphic viruses encrypt their code and generate a random decryptor for each file. Some antivirus programs still use methods that are susceptible to false alarms. If only a single file is reported to be infected or the file reported to be infected is a data file, then it's likely a false alarm. Some polymorphic viruses that sometimes create false alarms are MtE.Encrypted, Virogen.Asexual, Mnemonix, TPE.Bosnia, and Win95/Coke.22231.

    Also, the best I could get of gefm was www.gefm.net. A Chinese site. With a daughter (guessing teenage?). Maybe something from a music site download, etc.
     
  7. 2002/09/24
    brett

    brett Inactive Alumni

    Joined:
    2002/01/11
    Messages:
    2,058
    Likes Received:
    0
    As far as I recall, Coke (AKA Cocaine and Vecna) was a "proof of concept" virus which never appeared in the wild. I'm, therefore, inclined to agree that the first alert was almost certainly a false-positive.

    Of more concern is the second alert regarding the "Backdoor Trojan" infection (which may or may not be linked to the initial false-positive). ID'ing Trojans is not a Norton strong point and many are simply categorized as "Backdoor Trojan". Download and scan with an AT such as The Cleaner or Tauscan and see what it turns up.
     
  8. 2003/02/09
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member

    Joined:
    2002/01/07
    Messages:
    459
    Likes Received:
    0
    I'm running AVG & leave my W2KPro system on 24/7. This morning I had 2 messages:

    Trojan Horse IRC/Backdoor.flood infected

    C:\WINNT\SYSTEM32\RUN32.EXE

    and

    Trojan Horse HideWindow infected

    C:\WINNT\SYSTEM32\SYSCFG32.EXE

    I followed the recommended action (similar to quarantine) I think.

    I read the information at
    www.kylelai.com/mIRC_Virus_Analysis.htm
    which I found referenced at
    http://www.computing.net/security/wwwboard/forum/2585.html

    I followed the instructions to remove & found only 2 of the dastardly files referenced, MDM.exe and psexec.exe, both in the system32 folder in WINNT (my windows folder).

    I successfully deleted MDM.exe & created a backupmdm.exe on another drive. I also created a backup of psexec.exe but get a sharing violation when trying to delete the original. I did not find the Registry key referenced. I have not yet changed the Admin password. I ran step 5 & restored the database. In step 6 I am missing the A) and G) user. Does this matter?

    There are no events in the security log.

    I have run The Cleaner & find no trojans.

    Are there any other recommendations?
     
  9. 2003/02/09
    aleekat

    aleekat Inactive

    Joined:
    2002/01/07
    Messages:
    902
    Likes Received:
    0
    PilotGal,
    Is this a new issue? If so, recommend you repost this in a new topic. Less confusing that way...
     
  10. 2003/02/10
    pilotgal8 Lifetime Subscription

    pilotgal8 Well-Known Member

    Joined:
    2002/01/07
    Messages:
    459
    Likes Received:
    0
    Yes, I reposted
     