Win32.BackDoor-DNM

Recently, Win32.BackDoor-DNM has been appearing on computers as a threat reported in a fake Security Center alert that pops up from the Windows taskbar. The alert warns users that this Trojan can record keystrokes and take screenshots of the computer. In this scenario, be aware that Win32.BackDoor-DNM is not what is infecting your computer: the real infection is a rogue program that is waiting to be downloaded once you click to "enable protection" from these popup messages.

image of Win32-BackDoor-DNM

Win32.BackDoor-DNM is a detection name for malware with remote access capability. This particular variant can allow a remote attacker to gain control of the infected computer through a backdoor. The Trojan frequently communicates with a remote server to download other malware, which it then drops and executes on the victim's machine.

When executed, Win32.BackDoor-DNM goes straight for the Windows registry. It adds certain values in order to disable the warning messages that Windows would normally show each time an illicit activity occurs on the system. The Trojan likewise lowers the security settings of Internet Explorer and of the operating system itself. As a result, the user is exposed to other virus attacks for as long as Win32.BackDoor-DNM is present.

Like most Trojans, Win32.BackDoor-DNM creates a registry entry to run itself at Windows start-up. It may also inject harmful code into legitimate processes that typically run on the Windows operating system.

The Trojan then tries to contact a command and control (C&C) server through HTTP requests on a configured port. During analysis, it was found that most of the C&C servers provide remote commands to this threat, giving an attacker full control of the compromised PC.
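The start-up entry and the silenced Windows warnings described above both leave traces in the registry, and the manual removal reports in the comments on this page work from a regedit export. As an added example (not code from the original article or from any vendor), the following Python script parses such an export offline, flags Run entries launched from a per-user data or temp directory, lists Security Center warnings that have been switched off, and searches the export the way regedit's Find does. Assumptions: the sample .reg text, its file name abcd1234567.exe and its paths are constructed; the *DisableNotify value names are the standard XP Security Center ones, and that this threat touches exactly those values is my assumption, since the article only says warnings are disabled.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int]                 # str for REG_SZ, int for REG_DWORD
Registry = Dict[str, Dict[str, RegValue]]

# Constructed sample of a regedit Export (.reg); nothing here is from a real
# machine. The file under Application Data\Google and the Security Center
# values are illustrative assumptions of what a triage of this infection may find.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Documents and Settings\\user\\Application Data\\Google\\abcd1234567.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
# Per-user data/temp directories: a legitimate Run entry points at Program Files
# or Windows, not here. The removal reports in the comments on this page find
# the dropped file under Application Data\Google, hence the first pattern.
_PROFILE_DIRS = ("\\application data\\", "\\appdata\\",
                 "\\local settings\\temp\\", "\\temp\\")

def parse_reg(text: str) -> Registry:
    """Parse what regedit's Export writes: [key] headers, REG_SZ strings
    (backslashes doubled) and REG_DWORD values. Other value types are ignored."""
    reg: Registry = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith('"') and data.endswith('"'):
            reg[key][name] = data[1:-1].replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
    return reg

def suspicious_run_entries(reg: Registry) -> List[Tuple[str, str, str]]:
    """(key, value name, command) for Run entries launched from a profile directory."""
    hits = []
    for key, values in reg.items():
        if key.lower().endswith("\\currentversion\\run"):
            for name, cmd in values.items():
                if isinstance(cmd, str) and any(d in cmd.lower() for d in _PROFILE_DIRS):
                    hits.append((key, name, cmd))
    return hits

def disabled_security_notifications(reg: Registry) -> List[str]:
    """Security Center *DisableNotify values set non-zero, i.e. silenced warnings."""
    out = []
    for key, values in reg.items():
        if key.lower().endswith("\\security center"):
            out += [n for n, v in values.items()
                    if n.lower().endswith("disablenotify") and isinstance(v, int) and v]
    return sorted(out)

def find_references(reg: Registry, needle: str) -> List[Tuple[str, str]]:
    """Offline counterpart of regedit's Edit > Find over the export: (key, value
    name) pairs whose key path, value name or string data contain needle."""
    n = needle.lower()
    refs = []
    for key, values in reg.items():
        for name, val in values.items():
            data = val.lower() if isinstance(val, str) else ""
            if n in key.lower() or n in name.lower() or n in data:
                refs.append((key, name))
    return refs
```

To triage a real machine, export the hives with regedit, read the file with `encoding="utf-16"` (the encoding regedit writes) and pass the text to `parse_reg`; every hit from `find_references` is a candidate for the manual deletion the comments describe, and the silenced notifications should be re-enabled after cleaning.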

Characteristics:

Win32.BackDoor-DNM allows a remote attacker to control the infected computer. It is also designed to gather sensitive data such as user names, passwords, and other vital software and hardware information. This Trojan is also capable of updating itself by contacting a remote server to download file updates.

Symptoms:

Backdoor Trojans are known for their ability to take control of an infected PC. This threat typically consumes more system resources than most other threats, so the user may notice a sudden drop in system performance as well as a slow Internet connection.

How to Remove Win32.BackDoor-DNM

1. Download Malwarebytes' Anti-Malware from this link and save it on your Desktop.
2. After downloading, double-click on mbam-setup.exe to install the application.
3. Follow the prompts and install with the default options only.

4. Before the installation completes, check on the following prompts:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware

5. Click Finish. The program will run automatically and you will be prompted to update it before scanning. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished click on the Show Results button.
8. Make sure that all detected threats are marked, then click Remove Selected.
9. Restart your computer.

Note: Some malware may prevent mbam-setup.exe from downloading or running. You can download and rename the program on a different computer before running it on the infected system.

66 Comments

  1. Joe

    I did exactly what it said to do to try and remove Win32.BACKDOOR-DNM and reset, but when I do I still get the virus or trojan pop-up thing and it still boots me off of Internet Explorer, and it gives me more little problems, I'm not sure what, but it says like runtime error and stuff like that. I'm not too good with virus removing stuff; if someone could help me out of this mess ASAP please, it's very annoying.

  2. Andriy

    Have the same problem with Win32.BackDoor-DNM.

    Iexplore and Skype don't work; luckily I had Opera downloaded.
    I deleted cfhd.dll (not sure about the name now) from system32.

  3. Jeff

    I just got this about 2 hours ago. I found some answers on “Yahoo Answers” and I tried what someone said to do. So far so good on my computer. From what I understand it is not a trojan, it is a fake alert generated by adware. Your antivirus programs may not detect it. It will take you to a site: “http://www.perfectdreview.com/?a=112&b=…” DO NOT CLICK ON ANYTHING and close it right away. Like I said, the directions I followed seemed to have worked so you may want to try it! Here are the directions I found to manually delete it:

    ———————————————————————–

    – boot to safe mode. you can do this by restarting your computer and tapping F8 on the loading window. Scroll to safe mode. (windows XP is what I have)

    – run msconfig and look for anything in the Startup tab that looks like “wcwdu16814728.exe” and disable it from startup

    – now go to C:\Documents and Settings\username\Application Data\Google and delete that wcwdu16814728.exe

    – remember to back up your registry first. Go to the Start tab, Run (type in regedit), click on File in the top right, select “Export Registry File”, and save under a name you will recognize. Location… I put it on my desktop.

    – next, open regedit and start at the top of the hive (make sure you highlight at the very top on My Computer). Go to Edit/Find and do a search through the entire registry for whatever the name of your wvwdu….exe file was. I searched for “wcwdu16814728”. It will come up 2 times in the registry. (I myself deleted wcwdu16814728 & win32.backdoor-dnm only). Delete those two items from the registry. (Other files popped up for me but I didn't delete them)

    – close registry

    – now do a Windows search for that file wcwdu16814728. It will show up in the c:\windows\prefetch folder or something close to that. Delete the file from there

    – empty your trash

    – reboot machine

    – enjoy your computer and stay off explicit sites.
    Source(s):
    Web answers

  4. Clive

    Exactly the same problem here. Wife was using Facebook and refreshed her page before it suddenly started appearing. The kids had been using her laptop to access some site called Small Worlds prior to the infection but may have also been doing a bit of random googling prior to that. Didn't have any luck with Malwarebytes, but as this seems to have screwed up the laptop's ability to connect to the net (IE and Firefox don't work and connection problems are being reported in general – although there is a good link to the router) no upgrade was possible – I downloaded on this PC and installed via mem stick.

    Did removing that dll actually work? Where did you find that information?

  5. Rob

    Have tried to contact Trend Micro for additional info. Even after updating, scans come back negative, yet the popup screen requesting access for this program still comes up.

    Has anyone found a solution? My son had been able to isolate and delete the Install.Dat portion of the file. Hopefully this will render it useless until a fix is discovered.

  6. Reece

    – boot to safe mode

    – run msconfig and look for anything in the Startup tab that looks like “wcwdu16814728.exe” and disable it from startup (write this down so you remember it – the name may be slightly different depending on the version you're infected by)

    – now go to C:\Documents and Settings\username\Application Data\Google and delete that wcwdu16814728.exe (or whatever similar name you found in the previous step)

    – open regedit (click start, then run, and type “regedit”)

    – remember to back up your registry before changing ANYTHING. Click on “File” on the upper left, click on “Export Registry File”, save it under something you recognize, Save – for a location I just put it on my desktop

    – start at the top of the tree (make sure you highlight at the very top on “My Computer”). Go to Edit/Find and do a search through the entire registry for whatever the name of your wcwdu….exe file was. I searched for “wcwdu16814728”. It will come up usually at least 2 times in the registry. When it finds something with the exact name, delete it and then go to Search -> Find Next, and repeat for all occurrences
    (I myself deleted win32.backdoor-DNM and wcwdu16814728.exe which seemed to work)

    – close registry

    – now do a Windows search for that file wcwdu16814728 (click Start -> Search). It will show up in the c:\windows\prefetch folder or something close to that. Delete the file from there

    – empty your trash

    – reboot machine

    – enjoy your computer
    Source(s):
    Yahoo answers and google search

  7. Matthew

    Thanks, Reece!

  8. Mike

    Hi Every one,

    Has anybody found a good solution? I got this virus yesterday, I am right now testing to remove it with Malwarebytes, but it doesn’t seem to find any contamination…

    Please HELP!!!!

  9. Paul

    I tried Reece's solution but “wcwdu16814728” keeps coming back into my msconfig Startup tab even after it has been deleted!

  10. Ariel

    Reece's answer (#6) worked for me, Microtrend was no help.

  11. Francis

    4 hours, 3 spyware program installs, and Reece's solution finally was the result that worked – THANK YOU

  12. Andrew

    Reece, if you were here I would kiss you. I followed your instructions to the letter; it came up as sqean9524272 for me. Thanks to your advice it's gone. You're the man, my friend, bless you.

  13. Guest

    Thank you so much Reece. Where McAfee and Spybot were useless, your solution worked splendidly. It also came up as sqean9524272 for me.

  14. Calvin

    Reece I join the other guys in thanking you for your solution. It worked for me too! (mine came up as sqean9524272 also).

    To others, do NOT bother installing Spyware doctor or XoftSpySE as although these two programs will detect the virus, they both want you to PAY and buy them in order to remove the infection (and I just don’t have a spare £30 lying around to buy Spyware doctor).

    Follow Reece’s solution above, god bless the good man

  15. JoJo

    Norton can’t even pick up the trojan. Thanks Reece. Followed your instruction and it works great!! Mine is squean9524272.

  16. Paul

    Ditto Reece (well, not about the kissing part). I was fortunate to stumble across this site after I contracted the trojan. Your solution worked perfectly.

  17. StevenGlansburg

    Reece,

    You rock. Worked perfectly… any chance you know how one gets this virus? I just wanna make sure I don’t make the same mistake twice…

  18. Stuart

    Used Reece method but my file was named

    sqean9524272.exe

    didn't realize this was it until I went into c:\documents and settings\username\application data\google and saw it there; the method worked, found the sqean952472 in all steps listed by Reece, thanks for the help

  19. Jazooz

    Reece – you are the man!!!

    Thanks for your help in fixing this!!!

    God Bless!!

  20. Krystal

    I'm assuming Reece's instructions were for XP (or not Vista LOL) b/c some of the routes to which I found the file were a bit different (i.e. no C:\Documents&Settings)… anyway, I give great thanks either way! I wouldn't have had any idea where to go. Thank you thank you thank you (and my husband thanks you b/c this is his computer). Also, mine was listed as winsclock, under a Realtek folder; it appeared to me to be part of one of my updates so at first I thought it was legit. It showed up in my list of add-ons for Internet Explorer (if that will help anyone else locate the file, it was my first attempt to solve the problem). Many thanks, and I wish everyone else the best of luck.

  21. Deborah

    I was following Reese’s instructions but on step 3 I found the sqean9524272.exe(etc) file in the C:windowsprefetch folder as mentioned in a later step, but not in an application folder

  22. Deborah

    My bad . . . hadn’t unhidden the system files properly. Back on track with Reese’s instructions after finding the file in the Documents folder I mentioned above.

  23. Emily

    fml. My msconfig wouldn't even run. It would literally shut down… I'm so stressed out!!

  24. Aaron

    Can anyone help with instructions of how to get rid of this thing in windows Vista?

  25. Vinnie

    I've got the same situation. Anyone know where this virus is coming from? Just happened last night.

  26. Calvin

    Emily, the virus disables msconfig and will prevent you from running it, therefore stopping you restarting in safe mode from the desktop.

    The solution is to turn off your computer and restart it, then when you are on the initial black loading screens continuously tap F8 on the keyboard and this will bring up the system menu. Just select `Safe Mode` from the menu and off you go!

    hope this helps

  27. Rich

    @Aaron

    On Windows Vista it is the same procedure that Reece explained… however the file you are looking for is something like

    mwinclock.exe

    which will be held in

    C:\Users\"username"\Appdata\Roaming\Google (well… that's where mine was)

    To recap

    Reboot into safe mode (hit F8 when windows is loading)
    Run MSCONFIG
    Go to the Startup tab and make a note of the location of the mwinclock.exe
    Disable the line (take the cross out of the box)
    Browse to the location of the file (making sure that Show Hidden Files is enabled in the Folder Options)
    Delete the file
    Run REGEDIT and then do a search for that file
    Delete all instances of it
    Reboot

    This worked a charm for me…. hope that helps

  28. Ryan

    Thanks Reese. After 4 hours of extreme rage & frustration…. then 15 min of cool, calm, collected direction from Reese, I have been disinfected.

    Thanks Reese.

  29. Aaron

    Rich,
    but I cannot reboot in safe mode – even using the F8 option, it starts to reboot, then shuts down and restarts in normal mode.
    Then, when I try to run msconfigsys it shuts down and reboots again!
    help please!

  30. Laurie

    Reece, I followed your instructions and it worked perfectly. Thank you! Thank you!

  31. Smirks

    Thanks Reese!!! Worked perfectly

  32. buck

    thanks a lot Reece… remember for step 3, to make sure you specify that it is showing all HIDDEN files and folders in your search under C:\Documents and Settings. It would not show up until I did so.

    mine showed up as “squean” as well

  33. justin

    reece, you da man. mine also was squean9524272.exe

  34. mike

    I came across this virus on one of my client sites today. In addition to the steps above – I also had to reset Internet Explorer to default settings (Tools – Internet Options – Advanced – Reset) because this virus caused a fake warning page to come up every time my client tried to go to http://www.google.com or http://www.msn.com.

  35. Tony

    My mother just got this virus as well, and she stated that she got it from browsing FACEBOOK. How did everyone else come across this error, so we can find where it is coming from?

  36. Eric

    Thank you Reece. Mine was also sqean9524272.exe Appreciate the assistance.

    It seems that this process would work for any virus/worm/trojan/spyware that is noticeably affecting your computer. Have had to follow a similar process to remove a worm a few years ago.

    This is a dangerous one because it seems to be using Google as its host. Not had many problems before and don’t visit any websites with questionable security.

  37. colin morton

    Thanks Reece

  38. Ali

    Emily, I'm having the same problem! My computer just shuts down even though I am in safe mode :/ did you figure it out?!?

  39. Neil

    THANK YOU!!! to reece and jeff and those who also had “squean952…” being one not too computer savvy, I never would have figured that out on my own. Thanks again! =)

  40. Andrian.73

    I think this program also installs the *.dll mcscrlp32.dll.
    This dll is not a part of Service Pack 3, and has no online info regarding its function. It will install in the same location as the sqean9524727.exe, but can be deleted through safe mode. I would advise checking techsupportforum and other good forums for additional updates and legit tools.

  41. Tony

    Thanks. I was trying to get my kid’s Sims 2 Deluxe to run by downloading a no-cd hack. The game still doesn’t work, but the virus definitely did work. It was called winsclock and the removal instructions were spot on. I also deleted this above mentioned *.dll file too. I should bill EA for the time I spent.

  42. Aaron

    check out the Malware trial program, it removed it from mine in just a few minutes

  43. Simon

    I’ve tried Reece’s suggestion, but like Emily I can’t even get the computer into safe mode through F8. Upon selecting safe mode from the menu it just displays a load of jargon in MS-DOS type format then will not allow you to do anything, had to ctrl-alt-del!

  44. John

    Yo Reece… I'd rate your resolve at 90%… Good catch for the “sqean* file”… however WebRoot and Malwarebytes both have the SvcHost file targeted for an infection, though I suspect that since the “sqean” file is gone it's no longer going out to a server/service to pull in or “alert” for the infection. Opening ANY webpage in any browser is painfully slow.

  45. Steve

    I have Windows Vista and did basically the same thing. I couldn't open msconfig as it kept closing down, but I found when I tried to open it a few times really quickly I got it to load and managed to get rid of the file by closing all lines I didn't know and anything in the startup and in services that didn't. I'm not sure what the file name was but couldn't find sqean9524727.exe, *.dll mcscrlp32.dll, wcwdu16814728, but the problem seemed to be solved when I stopped all the unknown files. Basically you can terminate any virus or Trojan by msconfig; good idea to keep checking it and stop any files you don't know.

    Hope this helps. Let me know if anyone finds the actual source of this virus other than Facebook and adult sites, because it affects Google and a few other apps.

  46. Jongwon

    Following the steps shown by Reece(#7), I successfully removed all the problems. Mine was sqean9524272.exe. It works! Thanks!!!

  47. Jez

    Thanx for the tip on Anti-Malware !

    I had the same problem. Fake security alert, not able to use IE or Firefox without fake error. Also, I’m sure the browser closed itself everytime I searched for Malware or virus removal :-(

    So if the same goes for you, here is a link to download.com

    hxxp://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.htm

    Virus found at:
    C:\Documents and Settings\.....\Application Data\Google\sqean9524272.exe
    and
    C:\Documents and Settings\.....\Application Data\Google\wcwdu16814728.exe

    Trojan.Fake.Alert

  48. Jez

    Also.. the site it takes you to, or rather the people behind it have managed to get very high listings in Google. So please be very careful what you read!

    Some tips even suggest you delete files that you do need or to install the same bad software as the virus!

  49. Andrian.73

    You may get an additional file error, or 16-bit MS-DOS subsystem error, NTVDM CPU has encountered an illegal instruction. Gives the option to close or terminate the app. The virus might be posing as other files, showing false positives, and running as svchost.exe, which is a Windows essential file, and is bad news. I'm thinking this one's trickier than just deleting exe's, dll's and reg keys. My system is NOT showing signs of infection, no slowness or used resources, but AV software is picking it up. It's still there.

  50. JCW762

    Reece’s solution worked like a charm. YOU ROCK!!!
    Still very curious to know…
    1) How I got this stupid thing on my system.
    2) Why my supposedly working and updated antivirus app (AVG v.8 – thanks for nothing) didn’t even hiccup when this happened.

    I was Googling and researching various software at unfamiliar sites, but neither downloaded nor installed anything.
    My system was running XP Pro SP2 at the time and had all OS and MS App patches that were available. I literally ran Windows Updates, and rebooted 4 hours before this happened.

    Also, to those that can’t figure out how to get their computer into safe mode, try this.

    Shut down Windows (not restart)
    If you have a USB wireless keyboard, your keyboard may not be fully operational until the OS is up, drivers are loaded, etc…etc…
    If your system is a desktop, try a wired keyboard
    If it is a laptop, use the laptops keyboard (not the wireless)

    From a powered off state, turn on computer, and keep pressing F8 until you get the Windows black screen with all the boot options on it. Safe Mode is usually at the top. Use your arrow keys to select it.
    Hope that helps.

  51. JCW762

    Oh, one additional note,
    I should mention that I was surfing with a local windows account with full administrator access.
    (Generally not recommended in the Windows world, but I'm lazy.)

    As I am sufficiently paranoid now, I think I will create a standard user account on the system which I will use for checking email, surfing, posting to forums, etc….
    From what I’ve researched and what I’ve seen in the corporate IT world, this is the security standard.

  52. Georgie Girl

    Hi everyone…I followed the instructions and found the Sqean file in msconfig and in the registry edit but did not find it in a windows search anywhere….I deleted all files I could find (following Reece’s instructions exactly) but now my computer will still only start in safe mode…any suggestions?

  53. Clifford from Atlanta

    I downloaded PC Tools Spyware Doctor in February before my PC was infected by this virus. I ran the program several times without success. However, when I added the antivirus engine upgrade, it found the file squean9524272.exe and quarantined it quickly. Now my PC is working once again!! In order to get the upgrade, I had to install it first on my laptop with the license and then get the smart update on the PC.

  54. samehere

    John, post 47 – I had the same experience. I have a completely updated XP SP3 with a brand new install of McAfee. I got two pop ups from my AV stating that 2 programs had been ALLOWED without any interaction! (McAfee has been subsequently replaced with OneCare)

    The first was an infected occurrence of svchost.exe located in C:\windows\system32\drivers (the REAL svchost.exe should be located ONLY in “C:\windows\system32” on a standard XP install) … the second was immediately after, and turned out to be squean9524272.exe…

    I followed the manual removal instructions here and they worked fine, but I also had to go in and delete the “fake” svchost.exe file (in safe mode).

    Then I cleared out my internet & temp files with CCleaner. I ran a HijackThis scan to verify that my system was clean and to erase corrupted entries.

    Since then, I’ve set my firewall to ASK me whenever a program wants internet access. I’ve also installed NoScript for Firefox and disabled unnecessary add-ons in IE7. Anyone else have advice on prevention?

  55. amanda

    Thank you so much for your help, but I have one problem….. I accidentally deleted my recycle bin instead of emptying it. How do I recover it????? Any help is much appreciated.

  56. HilB...:-)

    Thanks, found it and got rid of it. I have Vista and the file I found was mwinclock.exe. Couldn't see anything unusual in my startup tab, but a search for mwinclock (based on Rich's note above) found it in C:\Users\"username"\Appdata\Local\Temp\Low\Google. I have deleted it and everything seems ok now.

  57. pinks..

    spot on mate…!! thanks for posting the solution…followed the steps and its all hunky dory now.

  58. Herba

    Hi!

    I'm not taking any chances with that thing, so I did a full Windows Vista system restore

    1. Reboot and press F8 to get to the boot menu
    2. Choose Repair your computer
    3. You may need to choose a language and keyboard setting
    4. You will have a login screen (I had username admin with no password)
    5. At the system recovery menu, choose System Restore
    6. Pick a restore point prior to the infection.
    7. Do the system restore
    8. Search for the files mentioned in the posts to make sure they are gone

    btw you can get rid of about anything with system restore as long as you can go back prior to the infection

  59. Deirdre

    Worked for me but now my “My Documents” folder seems to have become a hidden folder. I can “show hidden files and folders” and see it, but any idea how I can restore it to its former state?

  60. Mich

    Posters 52 (“Andrian.73”) and 57 (“samehere”) make important points. Like samehere, since getting this virus, apparently on 2 March, and in spite of immediately implementing “Reece's Solution” (which I got from another site, Yahoo Answers I think), I still repeatedly got the NTVDM ERROR mentioned by Andrian.73. Today, following samehere, I discovered I indeed had a SECOND SVCHOST.EXE FILE, located in C:\windows\system32\drivers and dated March 2, 2009. I booted in Safe Mode and deleted it. I have yet to determine if, in conjunction with “Reece's Solution,” this will suffice to stop all problems.

    Note: my primary problem file was wcwdu[etc.] not sqean[etc.].

    Additional Important Note: Even after using “Reece’s Solution” (deleting files in Registry, etc.) back on March 2, I have repeatedly found that Windows Security Center (the real one) keeps popping and telling me that my firewall is disabled upon restarting or returning from Windows Hibernation mode. I re-enable the firewall, and it seems to remain in place for a period of time; but if I reboot, or bring my computer back from Hibernate mode, I often receive the same warning, and have to re-enable the Windows firewall again. I do not yet know if removal of the FAKE SVCHOST.EXE FILE has remedied this problem. Any help/insight on this matter would be appreciated.

    THANKS Andrian.73 and samehere.

  61. Brenda

    Finally! I had the same sqean and I wish I had found these instructions BEFORE I spent the money on the Spyware Doctor! I am tickled to death and that annoying pop up box is no longer driving me insane. Thanks for the instructions for removal. You totally rock Reece!!!

  62. Jerry

    In Vista mine was called winsclock hiding under {user}/appdata/roaming/google. Rename the virus, do the msconfig thing under F8 safe mode. Under startup tab check the line referring to it. OK then reboot. All crashes (inc Outlook, IE, Windows Explorer) etc cured (for now).

    Come on Microsoft!!! This one was discovered and cured after many many hours of sweat and experimentation by a few brave and desperate amateurs (well done everyone!!). What are you all doing in Redmond?? Surely there’s someone there who isn’t counting money or fighting law suits who could have fixed this for us.

  63. Bounder

    I encountered this virus from fastpasstv.com on Mar 9th. In Vista mine was also called winsclock. Like the other post I thought it was legit. Thanks for all the posts; it wasn't until I read through most of the posts that I found the Vista solution. Intelinet, McAfee, AVG, and Anti-Virus are all good programs but did not help in this situation.

  64. Ian

    Thanks Reese, I had the “wcwdu16814728.exe” version of the file

    All clean now

    I did use Malwarebytes before I found this site, and it partially removed it, so if you have done the same and can only find one of the files don't worry lol

    thanks again

    I got this virus from downloading a codec for a movie that I had downloaded. The codec was for Windows Media, so if anyone else has this happen do not open the movie and delete it right away

  65. Eden

    Thanks Reese worked a treat – been trying to get rid of this for months. i had the same as yours. but wasn’t in start up. In Registry and prefetch folder. Many thanks

  66. Derek L.

    Hi, I had the exact same problem. I downloaded spyware doctor and it completely deleted all viruses and problems, except for the fact that my internet explorer will not open…at all. Can anyone help me out with this?
    I appreciate it.
