Jump to content


Need help removing backdoor.trojan virus

  • Please log in to reply
3 replies to this topic

#1 liptonnr



  • New Member
  • Pip
  • 3 posts

Posted 21 July 2004 - 10:14 PM

tell me what to delete in this log plese

Logfile of HijackThis v1.97.7
Scan saved at 11:12:12 PM, on 7/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Weather Watcher\ww.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psecu.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Owner\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MoneyAgent] ""c:\Program Files\Microsoft Money\System\Money Express.exe""
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Weather Watcher.lnk = C:\Program Files\Weather Watcher\ww.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.micr...b?1090460565031
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8007.8213425926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

please help!

#2 liptonnr



  • New Member
  • Pip
  • 3 posts

Posted 21 July 2004 - 10:18 PM

Can anyone help me get rid of this stuff

#3 liptonnr



  • New Member
  • Pip
  • 3 posts

Posted 21 July 2004 - 10:21 PM

Scan type: Realtime Protection Scan
This is the antovirus message i am getting every minute and norton can not fix it

Event: Virus Found!
Virus name: Backdoor.Trojan
File: C:\WINDOWS\System32\hlpebha.dll
Location: C:\WINDOWS\System32
Computer: JENNIFER
User: Owner
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wed Jul 21 23:20:16 2004

#4 lcrawls



  • New Member
  • Pip
  • 1 posts

Posted 25 July 2004 - 01:44 PM

It sounds like you have the same trojan I did. I use Norton Antivirus which detected but could not remove or quarantine the file because access was denied. It was called backdoor.trojan. I finally got rid of the it after hours of research and combining several methods. I'm running Windows NT professional. The virus was in c:windows/system32 and was named winkhaj.dll, according to the Norton Antivirus popup that kept detecting it. According to my web research, it goes under many names, but usually with the extension .dll. I believe another symptom was that it hijacked my internet homepage to about:blank.
You can't see this virus by looking at the list of files in Explorer. You can see it through the command prompt. But even there, you can't delete it or rename it; access denied. Here's how I got rid of it.
Disable System Restore by right-clicking My Computer on the desktop and checking the box to turn off system restore.

Open your browser and delete all old files (Internet Explorer, go to tools, internet options, and delete files.)

Turn the computer off and wait 30 seconds.

Restart in safe mode by hitting the F8 button at start up and selecting safe mode. Log on as administrator.
Click Start, Run, and type regedit.
In registry editor, navigate to Hkey_local machine\software\microsoft\windowsnt\currentversion\windows and look for a listing that is your trojan file location. Mine said c:\windows\system32\winkhaj.dll. If you don't see the file there, keep looking in the registry editor. It's there somewhere. When you find it, delete it. Note: Symantec suggests backing up your registry before making changes, though I didn't.

Open Windows Explorer by clicking start, explorer. Then, navigate to windows/system32 and look for your trojan file. It should show up this time. Right click on it. Go to properties and try to change something. The computer will tell you that you don't have the right to make changes, but you can take ownership. Do so. When you get ownership, you can delete the file and then empty it from your recycle bin.

Reboot for good measure and then turn on system restore again if you want to use it.

It took me two days to piece this solution together from different info on various websites. Hope it helps.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!