Backdoor.trojan



#1 nfiner


Posted 20 July 2004 - 06:58 PM

Can't remove backdoor.trojan. Norton AV pops up a red warning but can't fix it. Have tried a variety of other AVs, including AdAware, TZ-spyware and Spybot, but no joy. Tried to follow your reply to jumpy23. FindandFix identifies the kbdn.dll file but also won't remove it, even in safe mode.

HJT file attached:

Logfile of HijackThis v1.98.0
Scan saved at 00:57:15, on 21/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
D:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\program files\LapLink Secure VNC\VNC Server\winvnc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\program files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\carpserv.exe
C:\Palm\STPTRemote.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
D:\UTILIT~1\POP-UP~1\PopUpStopperProfessional.exe
D:\Utilities\Internet Download Manager\IDMan.exe
D:\Utilities\Tweak-XP Pro 3\transtask.exe
D:\Utilities\Tweak-XP Pro 3\AdBlocker.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LapLink Everywhere\LaplinkEverywhere.exe
C:\program files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
C:\program files\Roxio\GoBack\GBTray.exe
C:\program files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
D:\Utilities\WinZip\WZQKPICK.EXE
C:\program files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\LapLink Everywhere\Desktop Agent\spserver.exe
C:\Program Files\LapLink Everywhere\wsc.exe
C:\Program Files\LapLink Everywhere\LLServerMain2.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\LapLink Everywhere\ILLSecurity.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\LapLink Everywhere\LLSQLFORM.exe
C:\Program Files\LapLink Everywhere\LLEventLog.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LapLink Everywhere\LLOpenDB.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LapLink Everywhere\ServerProxy.exe
C:\Program Files\LapLink Everywhere\ServerProxy.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Nick Finer\Desktop\HijackThis_2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Captain Spalding
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Utilities\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [zBrowser Launcher] C:\program files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PAPIRUS SYSTRAY RESIDENT] "C:\Palm\STPTRemote.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\program files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [WinVNC] "C:\program files\LapLink Secure VNC\VNC Server\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [WOPR XP/2002 Auto-Updater] D:\Utilities\WOPR XP\Updater.exe /c
O4 - HKCU\..\Run: [PopUpStopperProfessional] "D:\UTILIT~1\POP-UP~1\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [IDMan] D:\Utilities\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Tweak-XP Pro] "D:\Utilities\Tweak-XP Pro 3\autostart.exe"
O4 - HKCU\..\Run: [TransTask] "D:\Utilities\Tweak-XP Pro 3\transtask.exe"
O4 - HKCU\..\Run: [BlockAds] "D:\Utilities\Tweak-XP Pro 3\AdBlocker.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Laplink Web Server] C:\Program Files\LapLink Everywhere\LaplinkEverywhere.exe
O4 - Startup: Hewlett-Packard Recorder.lnk = C:\program files\Hewlett-Packard\AiO\hp officejet d series\FRU\Remind32.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\program files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
O4 - Global Startup: GoBack.lnk = C:\program files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\program files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\program files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Utilities\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert for CLIÉ - C:\program files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: Download All Links with IDM - D:\Utilities\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - D:\Utilities\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O16 - DPF: {261CAFEB-87CB-484B-8176-30C9993E1A50} (LLX Control) - http://www.mylaplink.../client/llx.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://diagnostics.s...ield/isetup.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?316
O17 - HKLM\System\CCS\Services\Tcpip\..\{78309E8A-6150-4953-B11E-CDA70750A238}: NameServer = 213.208.106.212 213.208.106.213
O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdn.dll



Many thanks for any help

#2 Mish


Posted 21 July 2004 - 08:07 PM

Same suggestion as for others with this problem. Check out the post here for the suggestion. You'll need to complete those steps, as the evil dll (kbdn.dll in your case) in the Backdoor.Trojan virus will disappear if you boot to safe mode and won't let you delete/modify/rename it if you [are able to] find it in normal mode.

Your problem is most likely the HijackThis log: O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdn.dll

For a suggested fix, try:

http://forums.spywar...showtopic=16790

good luck,
Mish
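The reply above points at the O20 AppInit_DLLs line as the persistence point. As an added example (not from the thread or from HijackThis), here is a small Python triage routine that reads HijackThis-format lines and flags the entries a helper would look at first: AppInit_DLLs loads, non-default UserInit additions and unknown Winsock LSP files. The sample log below is constructed from a few lines in the same format; the severity labels are my own assumption, and a flagged entry means "review it", not "it is malware".

```python
"""Triage a HijackThis-style log for the persistence entries discussed above.
Added example, not part of the original thread; SAMPLE_LOG is constructed."""
import re

# Constructed sample in HijackThis format (a handful of lines, not the full log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\kbdn.dll
"""

# Windows XP's stock UserInit value is userinit.exe alone; anything appended is worth a look.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def triage(log_text):
    """Return a list of (section, severity, path) findings for review.

    O20 is rated high: every DLL listed in AppInit_DLLs is mapped into each
    process that loads user32.dll, which is why such a file is locked and
    cannot be deleted or renamed while Windows runs normally (the symptom
    described in the thread). Severity labels are an assumption of this example.
    """
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(F2|O10|O20) - (.*)$", line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Windows splits AppInit_DLLs on spaces or commas; do the same.
            for dll in re.split(r"[,\s]+", body[len("AppInit_DLLs:"):].strip()):
                if dll:
                    findings.append(("O20", "high", dll))
        elif section == "F2" and "UserInit=" in body:
            for exe in body.split("UserInit=", 1)[1].split(","):
                exe = exe.strip()
                if exe and exe.lower() != DEFAULT_USERINIT:
                    findings.append(("F2", "high", exe))
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            findings.append(("O10", "medium", body.split(":", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Duplicate O10 lines, as in the log above, simply produce one finding per line; dedupe on the path if that is noisy.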



