Backdoor trojan

Posted 12/11/2004 11:45 PM
#6524
User avatar

Roco Member

Date Joined Nov 2016
Total Posts: 2
I have a program that keeps trying to access and/or run on my computer. I did a search and found that it is a Back Door Trojan also known as "Backdoor.Death.25, Backdoor.Death.26". BullGuard identified but could not remove.


Firewall is blocking but I do not want to take chances and need help in removing this virus.



Any help is greatly appreciated



Here is my HijackThis Log



Logfile of HijackThis v1.98.2
Scan saved at 6:45:17 PM, on 12/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\BgNewsUI.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Ronald\Desktop\File Cabinet\Program Depository\AI Robo\Crack\patch_files\st\update\start.exe
C:\Documents and Settings\Ronald\Desktop\File Cabinet\Program Depository\AI Robo\Crack\patch_files\st\update\WinUpdate.exe
C:\Documents and Settings\Ronald\Desktop\System Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/168/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-control.com/srh/168/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.search-control.com/srh/168/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-control.com/srh/168/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/index2.psp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.search-control.com/srh/168/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=5.1.5&bm=ho_home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\TurboTax\Deluxe 2003\32bit\local\dlg\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [update] C:\WINDOWS\update\ess.bat
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Customize Menu &4 - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdq/downloads/sysinfo.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdq/downloads/msxml4.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/commerce/account/downloads/executables/ie/IDA.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.nielsennetpanel.com/netmeter4_6/nminstall_en_4.62.33.0_MEGAPANEL_USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8133113-088D-4CE5-95DF-76D73766C78D}: NameServer = 199.45.32.43 199.45.32.38



Roco :freaked:
Posted 12/12/2004 1:49 AM
#6527
User avatar

pesko Advanced member

Date Joined Nov 2016
Total Posts: 350
Hi Roco,
this is a bit difficult one you got. Symantec has posted a manual remove instruction

Please take at http://securityresponse.symantec.com/avcenter/venc/data/backdoor.death.html

and let me know if you are able to remove the backdoor from this instruction.

Your browser has also been hijacked but I shall fix that when the backdoor is gone.
-Pesko ;)
Better safe than sorry.

Please scan you pc for spyware before before you post you hjt log.
Free antispyware programs: Ad-aware, spybot and more, x-cleaner, MS antispy beta only for windows 2000 and XP
Free antispyware trials: Spysweeper 30 trial, Ewido
Offline antivirus scanner: mwav.exe
Tools: CWShredder, CClean, killbox, sysclean sysclean definionfile,

Help: How to disable/enable system restore, boot in to Safemode , How to Show System Files

[blue]Do not post you log in to another thread, don't send me your hijackthislog as PM[blue]
  • Unread posts or replies
  • No unread posts or replies
  • Unread Posts (Read Only Forum)
  • No Unread Posts (Read Only Forum)

Forum Information

Currently it is Thursday, April 27, 2017, 11:03 AM (GMT +2)
There are a total of 61,193 posts in 13,463 threads.
In the last 3 days there were 0 new threads and 0 reply posts.

Who's online

This forum has 38,024 registered members. Please welcome our newest member, kevint89.
There are currently no users on-line.
We use cookies to ensure that we give you the best experience on our website. By continuing to browse, we are assuming that you have no objection in accepting cookies. You can change your cookie settings at any time.