Need "Backdoor.Trojan" help please


6 replies to this topic

#1 RDL


Posted 22 July 2004 - 09:29 AM

Hello everyone ... This is my first post

I am running Windows XP with IE 6.0 (with most current updates)

I have a virus:
Virus Name: Backdoor.Trojan
Object Name: C:\WINDOWS\System32\resc.dll

I continue to get the Norton Virus Alert notification in the center of my screen. I will need to click its OK button many many times to remove the Alert notification. Then it just re-appears as soon as I start any other program.

1. A Norton anti-virus scan will not detect any virus on my computer (with the most current update)

2. I edited HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs in the registry. The file C:\WINDOWS\System32\resc.dll was deleted by myself. The file has not returned in the registry, but it did not fix the problem. There are no other .dll files in this section of the registry.

3. AdAware 6.0, SpyBot, SpywareBlaster, and CWShredder show nothing wrong, and have not fixed this problem.

What can I do now short of reformatting the C drive?

Thanks for any help,
RDL


_________________________________________________________

Edited by RDL, 22 July 2004 - 09:47 PM.


#2 RDL


Posted 22 July 2004 - 09:45 PM

Jeeeze ... This post has already gone to page 8 in only 12 hours! :eek:

Anyway, I figured I would not get much help until I posted a HijackThis log to my problem .... Well, here it is: (doesn't seem as big as some of the logs posted here)
_________________________________________________________

Logfile of HijackThis v1.97.7
Scan saved at 7:35:56 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {30CC8E0F-8758-4C21-BAB7-E3F5E4DC669D} - (no file)
O2 - BHO: (no name) - {45E71D93-DD56-44F6-AB37-64B4FC6D2268} - (no file)
O2 - BHO: (no name) - {7FB4FA3D-E16D-4348-B017-C4BA51E2B9CD} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DED5B6E9-4BD9-482A-A975-832951495CB0} - (no file)
O2 - BHO: (no name) - {E2C76EE6-125B-4867-8FFD-CBB5042AF923} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7864.6527777778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#3 needenalife


Posted 22 July 2004 - 10:33 PM

Start your computer in safe mode (press F5 or F8 when lights flash during boot)

Then look for
C:\WINDOWS\System32\resc.dll

Delete that file

Go to HJT and fix these:

O2 - BHO: (no name) - {30CC8E0F-8758-4C21-BAB7-E3F5E4DC669D} - (no file)
O2 - BHO: (no name) - {45E71D93-DD56-44F6-AB37-64B4FC6D2268} - (no file)
O2 - BHO: (no name) - {7FB4FA3D-E16D-4348-B017-C4BA51E2B9CD} - (no file)
O2 - BHO: (no name) - {DED5B6E9-4BD9-482A-A975-832951495CB0} - (no file)
O2 - BHO: (no name) - {E2C76EE6-125B-4867-8FFD-CBB5042AF923} - (no file)
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

reboot and send us a new log please :)

Don't mind the new member thing just joined this forum

I suggest you go here and try this free online scan

http://www.pandasoft...cts/activescan/
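An added example, not code from this thread or from HijackThis: a small Python triage pass over lines in HijackThis v1.97 log format that mechanises the checks needenalife applied by eye above (O2/O3 registrations whose DLL is gone, an O8 context-menu item backed by a script in a Temp directory, and any entry naming the file the Norton alert reported). The sample lines are constructed from the entries in this thread; the rule set and the KNOWN_BAD_FILES list are assumptions for illustration.

```python
import re

# Constructed sample in HijackThis v1.97 format, built from entries in this thread
# (one clean O2 and one clean O4 line included for contrast).
SAMPLE_LOG = """\
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton SystemWorks\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {30CC8E0F-8758-4C21-BAB7-E3F5E4DC669D} - (no file)
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O4 - HKLM\\..\\Run: [NAV Agent] C:\\PROGRA~1\\NORTON~1\\NORTON~1\\navapw32.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\\Program Files\\LimeShop\\System\\Temp\\limeshop_script0.htm
"""

# Filename the Norton alert in this thread named; extend as needed (assumed list).
KNOWN_BAD_FILES = {"resc.dll"}

# Every HJT finding starts with a section code such as O2, O3, O4, O8.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def triage_line(line):
    """Return (section, reason) if the line deserves attention, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    lower = body.lower()
    # Orphaned BHO/toolbar registration: CLSID still registered, DLL gone from disk.
    if section in ("O2", "O3") and lower.endswith("(no file)"):
        return section, "orphaned registration (no file on disk); safe to fix"
    # Context-menu item that runs a script out of a Temp directory: adware leftover.
    if section == "O8" and "file://" in lower and "\\temp\\" in lower:
        return section, "context menu item runs a script from a Temp directory"
    # Any entry that loads a file the AV alert named.
    if any(bad in lower for bad in KNOWN_BAD_FILES):
        return section, "references a file flagged by the AV alert"
    return None


def triage_log(text):
    """Return the flagged entries of a whole log as a list of (line, reason)."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((line, hit[1]))
    return findings


if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

The clean Norton O2 and O4 lines pass through untouched; the three entries needenalife told RDL to fix are the ones reported.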

#4 needenalife


Posted 22 July 2004 - 10:43 PM

Sorry I forgot to add you need to unlock your hidden files

here is a link to show you how to do that Here

then do the whole safe thing yada yada yada

#5 RDL


Posted 22 July 2004 - 11:31 PM

needenalife ....

You, my friend are a GENIUS!

I did exactly what you said ... I am not getting the red Norton Virus Alert on the center of my screen anymore ...... GOODBYE BACKDOOR TROJAN !

Well, I just hope it doesn't re-appear, but I think we are in luck. It usually comes back almost instantly as soon as I open up a new program to even include MS Word .... Anyway, I will keep my fingers crossed.

Last question: Everything seems to be working OK. When I deleted those files you told me to do on the HJT scan, it put a Backup Copy of them (all 7 of them) in my Program Files. Can I just delete them now?

Thanks again,
RDL

Oh Ya, here is my new scan:
________________________________________________________

Logfile of HijackThis v1.97.7
Scan saved at 9:22:33 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7864.6527777778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


_________________________________________________________

Edited by RDL, 22 July 2004 - 11:35 PM.


#6 needenalife


Posted 23 July 2004 - 12:19 AM

Thanks for the Thank you

That made my day.

Hold on let me go over your new log before I send you on your way.

:D

#7 needenalife


Posted 23 July 2004 - 12:31 AM

My friend, you look clean, you can delete them now if you choose :)

May I suggest a couple free programs to help you stop Adware?

SpywareBlaster

and

SpywareGuard

Download those and hit update

good job! Happy Trails :wave:
