1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

PLEASE HELP me get rid of Backdoor.Trojan

Discussion in 'Virus & Other Malware Removal' started by Clarence Kor, Sep 2, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. Clarence Kor

    Clarence Kor Thread Starter

    Joined:
    Aug 1, 2004
    Messages:
    5
    I have windows XP and am having problems getting rid of BackDoor.Trojan.

    Object Name: C:\Documents and Settings\Clarence Korabek\l....\II22.exe.exe

    I tried with norton anti-virus and also with lavasoft-adaware 6. Neither one

    will remove it. I have added my log. Please help!!

    Thank you
     

    Attached Files:

  2. Clarence Kor

    Clarence Kor Thread Starter

    Joined:
    Aug 1, 2004
    Messages:
    5
    I can't get rid of Backdoor.Trojan. I have tried Norton and Adware but neither can get rid of it.

    Object Name: C:\Documents and Settings\Clarence Korabek\l....\II22.exe.exe

    I have added my Hijack This Log if it needs to be looked at.

    Thank you for any help you can give me in getting rid of this virus!!!!!!!
     

    Attached Files:

  3. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    HJT log from Clarence Kor

    Logfile of HijackThis v1.97.7
    Scan saved at 9:27:51 AM, on 9/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ntvdm.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\wfxsnt40.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\OPLIMIT\ocrawr32.exe
    C:\WINDOWS\System32\ydjrha.exe
    C:\documents and settings\clarence korabek\local settings\temp\lx8.exe
    C:\documents and settings\clarence korabek\local settings\temp\JfdMbNN.exe
    C:\documents and settings\clarence korabek\local settings\temp\JfdMbNN.exe
    C:\documents and settings\clarence korabek\local settings\temp\crk74GJvu.exe
    C:\DOCUME~1\CLAREN~1\LOCALS~1\Temp\II22.exe.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\documents and settings\clarence korabek\local settings\temp\l22g4shTf.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\iexplore32.exe
    C:\documents and settings\clarence korabek\local settings\temp\s3VVFPNns.exe
    C:\documents and settings\clarence korabek\local settings\temp\fgX.exe
    C:\WINDOWS\System32\shmhst3g.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\PopupFree\NoPopupFull.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Alset\HelpExpress\Clarence Korabek\HXIUL.EXE
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\shuask.exe
    C:\Program Files\Alset\HelpExpress\Clarence Korabek\HXDL.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\CxtPls\CxtPls.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Clarence Korabek\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchtraffic.com/search.php3?l=protect1&term=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchtraffic.com/search.php3?l=protect1&term=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchtraffic.com/search.php3?l=protect1&term=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchtraffic.com/search.php3?l=protect1&term=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchtraffic.com/search.php3?l=protect1&term=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
    O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
    O1 - Hosts: comments (such as these) may be inserted on individual
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\CxtPls\CxtPls.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\System32\winhot32.dll
    O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - C:\Program Files\Open Site\opnste.dll
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
    O2 - BHO: Core Library - {83B3E0C1-DEF1-4df5-A3F5-92D10B7A396A} - C:\WINDOWS\System32\sfg6aec.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Clarence Korabek\Local Settings\Temp\JmvZ6p8.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: HotSearchBar.com Bar - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - C:\WINDOWS\System32\winhot32.dll
    O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [evoentb] C:\WINDOWS\System32\ydjrha.exe
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINDOWS\System32\kdpupd.dll
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [lx8.exe] C:\documents and settings\clarence korabek\local settings\temp\lx8.exe
    O4 - HKLM\..\Run: [JfdMbNN.exe] C:\documents and settings\clarence korabek\local settings\temp\JfdMbNN.exe
    O4 - HKLM\..\Run: [crk74GJvu.exe] C:\documents and settings\clarence korabek\local settings\temp\crk74GJvu.exe
    O4 - HKLM\..\Run: [Media Services] C:\DOCUME~1\CLAREN~1\LOCALS~1\Temp\II22.exe.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [l22g4shTf.exe] C:\documents and settings\clarence korabek\local settings\temp\l22g4shTf.exe
    O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg6aec.dll
    O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\System32\iexplore32.exe
    O4 - HKLM\..\Run: [s3VVFPNns.exe] C:\documents and settings\clarence korabek\local settings\temp\s3VVFPNns.exe
    O4 - HKLM\..\Run: [fgX.exe] C:\documents and settings\clarence korabek\local settings\temp\fgX.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [w78T3sU] shmhst3g.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [PopupKiller] C:\Program Files\PopupFree\NoPopupFull.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Clarence Korabek\HXIUL.EXE
    O4 - HKCU\..\Run: [AutoUpdate] C:\WINDOWS\scvhost.exe
    O4 - HKCU\..\Run: [hwr3RiYqP] shuask.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Clarence Korabek\HXDL.EXE -from="TCONTENT.CAB" -to="TCONTENT.CAB"
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/drm.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
    O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} - http://www.armbender.com/UCSearch.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1597f6187eb2ac3b0c03/netzip/RdxIE601.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar.com/toolbar2/winhot32.cab
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    Run CWShredder.

    CWShredder download link

    Under "Official Downloads" download "CWShredder".

    Unzip the program to a permanent folder of your choosing. Close ALL (except CWShredder ;) )browser windows and click "FIX".

    After it's done running click on "How do I prevent re-infection?" and, at a minimum, click on "Go Download the ByteVerifier patch on Microsoft.com"

    If you have problems running CWShredder, then get the SmartKiller removal tool on this page:

    http://www.spywareinfo.com/~merijn/downloads.html



    Download and save these freeware/donationware programs to a permanent folder. Remember to check for updates and run them weekly.

    ***NOTE***A new version of SpyBot's been released (v1.3...it's no longer in beta). If you have been using 1.2 you can install right over it. If you downloaded and used 1.3 beta it is suggested you remove it and reboot prior to installing.


    Ad-aware SE download

    Configure Ad-aware:

    First in the main window look in the bottom right corner and click on "Check for updates now." then click Connect and download the latest reference files.

    From the main window, click Start then under "Select a scan Mode select "Perform full system scan.

    Next deselect "Search for negligible risk entries.

    Click the "Next" button.

    When the scan is finished mark everything for removal and get delete the selections. (Right-click within the window and choose "Select All" from the drop down menu and click Next)

    Restart your computer.


    SpyBot Search and Destroy download

    I also highly recommend you install and update SpywareBlaster


    Tutorials:

    Ad-aware tutorial link

    SpyBot 1.3 tutorial link

    SpywareBlaster tutorial link



    Run Ad-aware and Spybot in Safe Mode.

    How to start your computer in Safe Mode



    You have an outdated version of HiJackThis. (It's currently at v1.98.2)

    To update HiJackThis:

    Open the program. click "Config..." --> "Misc. Tools" --> "Check for Update Online".

    Or:

    Please go to this site and download HiJackThis

    ***NOTE***Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

    http://www.spywareinfo.com/~merijn/downloads.html

    Under "Official Downloads" HiJackThis. It's the 2nd one down.

    Download and unzip to a permanent folder of your own creation.

    Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

    Save it to your permanent HiJackThis folder (or floppy disk if necessary).

    The log will open in Notepad. Click "Edit" then "Select All".

    Copy and paste the log back to this thread.

    Alternate download links:

    http://www.spychecker.com/program/hijackthis.html

    http://www.majorgeeks.com/download3155.html


    Re-start your computer and post another HJT log in this thread.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Clarence Kor, Welcome to TSG!!

    I've merged both of your threads so please continue to post here.
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/269466

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice