PLEASE HELP me get rid of Backdoor.Trojan

[Clarence Kor]

I have windows XP and am having problems getting rid of BackDoor.Trojan.

Object Name: C:\Documents and Settings\Clarence Korabek\l....\II22.exe.exe

I tried with norton anti-virus and also with lavasoft-adaware 6. Neither one

will remove it. I have added my log. Please help!!

Thank you

 

[Clarence Kor]

I can't get rid of Backdoor.Trojan. I have tried Norton and Adware but neither can get rid of it.

Object Name: C:\Documents and Settings\Clarence Korabek\l....\II22.exe.exe

I have added my Hijack This Log if it needs to be looked at.

Thank you for any help you can give me in getting rid of this virus!!!!!!!

 

[LDTate]

HJT log from Clarence Kor

Logfile of HijackThis v1.97.7
Scan saved at 9:27:51 AM, on 9/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\OPLIMIT\ocrawr32.exe
C:\WINDOWS\System32\ydjrha.exe
C:\documents and settings\clarence korabek\local settings\temp\lx8.exe
C:\documents and settings\clarence korabek\local settings\temp\JfdMbNN.exe
C:\documents and settings\clarence korabek\local settings\temp\JfdMbNN.exe
C:\documents and settings\clarence korabek\local settings\temp\crk74GJvu.exe
C:\DOCUME~1\CLAREN~1\LOCALS~1\Temp\II22.exe.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\documents and settings\clarence korabek\local settings\temp\l22g4shTf.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\iexplore32.exe
C:\documents and settings\clarence korabek\local settings\temp\s3VVFPNns.exe
C:\documents and settings\clarence korabek\local settings\temp\fgX.exe
C:\WINDOWS\System32\shmhst3g.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\Common Files\Dpi\dpi.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PopupFree\NoPopupFull.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Alset\HelpExpress\Clarence Korabek\HXIUL.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\shuask.exe
C:\Program Files\Alset\HelpExpress\Clarence Korabek\HXDL.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Clarence Korabek\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchtraffic.com/search.php3?l=protect1&term=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchtraffic.com/search.php3?l=protect1&term=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchtraffic.com/search.php3?l=protect1&term=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchtraffic.com/search.php3?l=protect1&term=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchtraffic.com/search.php3?l=protect1&term=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\CxtPls\CxtPls.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\System32\winhot32.dll
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - C:\Program Files\Open Site\opnste.dll
O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
O2 - BHO: Core Library - {83B3E0C1-DEF1-4df5-A3F5-92D10B7A396A} - C:\WINDOWS\System32\sfg6aec.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Clarence Korabek\Local Settings\Temp\JmvZ6p8.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HotSearchBar.com Bar - {8B224779-3B0E-4FEA-8AE1-B66C20DD840F} - C:\WINDOWS\System32\winhot32.dll
O3 - Toolbar: iSearch Toolbar - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - C:\WINDOWS\System32\toolbar.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~1\NORTON~3\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [evoentb] C:\WINDOWS\System32\ydjrha.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater] regsvr32 /s C:\WINDOWS\System32\kdpupd.dll
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [lx8.exe] C:\documents and settings\clarence korabek\local settings\temp\lx8.exe
O4 - HKLM\..\Run: [JfdMbNN.exe] C:\documents and settings\clarence korabek\local settings\temp\JfdMbNN.exe
O4 - HKLM\..\Run: [crk74GJvu.exe] C:\documents and settings\clarence korabek\local settings\temp\crk74GJvu.exe
O4 - HKLM\..\Run: [Media Services] C:\DOCUME~1\CLAREN~1\LOCALS~1\Temp\II22.exe.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [l22g4shTf.exe] C:\documents and settings\clarence korabek\local settings\temp\l22g4shTf.exe
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg6aec.dll
O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\System32\iexplore32.exe
O4 - HKLM\..\Run: [s3VVFPNns.exe] C:\documents and settings\clarence korabek\local settings\temp\s3VVFPNns.exe
O4 - HKLM\..\Run: [fgX.exe] C:\documents and settings\clarence korabek\local settings\temp\fgX.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [w78T3sU] shmhst3g.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [PopupKiller] C:\Program Files\PopupFree\NoPopupFull.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Clarence Korabek\HXIUL.EXE
O4 - HKCU\..\Run: [AutoUpdate] C:\WINDOWS\scvhost.exe
O4 - HKCU\..\Run: [hwr3RiYqP] shuask.exe
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Clarence Korabek\HXDL.EXE -from="TCONTENT.CAB" -to="TCONTENT.CAB"
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} (iSearch Toolbar) - http://toolbar.isearch.com/general/drm.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/PopSwatterInitialSetup1.0.0.8.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1597f6187eb2ac3b0c03/netzip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} (iiittt Class) - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

[FinestRanger]

Run CWShredder.

CWShredder download link

Under "Official Downloads" download "CWShredder".

Unzip the program to a permanent folder of your choosing. Close ALL (except CWShredder )browser windows and click "FIX".

After it's done running click on "How do I prevent re-infection?" and, at a minimum, click on "Go Download the ByteVerifier patch on Microsoft.com"

If you have problems running CWShredder, then get the SmartKiller removal tool on this page:

http://www.spywareinfo.com/~merijn/downloads.html



Download and save these freeware/donationware programs to a permanent folder. Remember to check for updates and run them weekly.

***NOTE***A new version of SpyBot's been released (v1.3...it's no longer in beta). If you have been using 1.2 you can install right over it. If you downloaded and used 1.3 beta it is suggested you remove it and reboot prior to installing.


Ad-aware SE download

Configure Ad-aware:

First in the main window look in the bottom right corner and click on "Check for updates now." then click Connect and download the latest reference files.

From the main window, click Start then under "Select a scan Mode select "Perform full system scan.

Next deselect "Search for negligible risk entries.

Click the "Next" button.

When the scan is finished mark everything for removal and get delete the selections. (Right-click within the window and choose "Select All" from the drop down menu and click Next)

Restart your computer.


SpyBot Search and Destroy download

I also highly recommend you install and update SpywareBlaster


Tutorials:

Ad-aware tutorial link

SpyBot 1.3 tutorial link

SpywareBlaster tutorial linkhttp://www.bleepingcomputer.com/forums/index.php?showtutorial=49


Run Ad-aware and Spybot in Safe Mode.

How to start your computer in Safe Mode



You have an outdated version of HiJackThis. (It's currently at v1.98.2)

To update HiJackThis:

Open the program. click "Config..." --> "Misc. Tools" --> "Check for Update Online".

Or:

Please go to this site and download HiJackThis

***NOTE***Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally.

http://www.spywareinfo.com/~merijn/downloads.html

Under "Official Downloads" HiJackThis. It's the 2nd one down.

Download and unzip to a permanent folder of your own creation.

Open HiJackThis. Click "Scan". Then, in the lower left corner, click "Save Log".

Save it to your permanent HiJackThis folder (or floppy disk if necessary).

The log will open in Notepad. Click "Edit" then "Select All".

Copy and paste the log back to this thread.

Alternate download links:

http://www.spychecker.com/program/hijackthis.html

http://www.majorgeeks.com/download3155.html


Re-start your computer and post another HJT log in this thread.

 

[cybertech]

Clarence Kor, Welcome to TSG!!

I've merged both of your threads so please continue to post here.