Backdoor trojan

Posted 12/11/2004 11:45 PM

Roco Member

Date Joined Nov 2016
Total Posts: 2
I have a program that keeps trying to access and/or run on my computer. I did a search and found that it is a Back Door Trojan also known as "Backdoor.Death.25, Backdoor.Death.26". BullGuard identified but could not remove.

Firewall is blocking but I do not want to take chances and need help in removing this virus.

Any help is greatly appreciated

Here is my HijackThis Log

Logfile of HijackThis v1.98.2
Scan saved at 6:45:17 PM, on 12/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\ResChanger XP\ResChangerXP.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\BgNewsUI.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Documents and Settings\Ronald\Desktop\File Cabinet\Program Depository\AI Robo\Crack\patch_files\st\update\start.exe
C:\Documents and Settings\Ronald\Desktop\File Cabinet\Program Depository\AI Robo\Crack\patch_files\st\update\WinUpdate.exe
C:\Documents and Settings\Ronald\Desktop\System Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search =
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKLM\Software\Microsoft\Internet Explorer,Search =
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\TurboTax\Deluxe 2003\32bit\local\dlg\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\INSTAN~1.DLL
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [update] C:\WINDOWS\update\ess.bat
O4 - Global Startup: HPAiODevice(hp officejet k series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet k series\Bin\hpoorn07.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Customize Menu &4 -
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) -
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} -
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) -
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) -
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8133113-088D-4CE5-95DF-76D73766C78D}: NameServer =

Roco :freaked:

Posted 12/12/2004 1:49 AM

pesko Advanced member

Date Joined Nov 2016
Total Posts: 350
Hi Roco,
this is a bit of a difficult one you've got. Symantec has posted a manual removal instruction

Please take at

and let me know if you are able to remove the backdoor from this instruction.

Your browser has also been hijacked but I shall fix that when the backdoor is gone.
-Pesko ;)
Better safe than sorry.

Please scan your PC for spyware before you post your HJT log.
Free antispyware programs: Ad-aware, spybot and more, x-cleaner, MS antispy beta only for windows 2000 and XP
Free antispyware trials: Spysweeper 30 trial, Ewido
Offline antivirus scanner: mwav.exe
Tools: CWShredder, CClean, killbox, sysclean, sysclean definition file

Help: How to disable/enable system restore, boot into Safe Mode, How to Show System Files

Do not post your log in another thread; don't send me your HijackThis log as a PM