Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Backdoor trojan


  • Please log in to reply

#1
rtguard

rtguard

    Member

  • Member
  • PipPip
  • 13 posts
My computer is screwed up. When I turn it on a Norton window comes up and says that I have a backdoor tojan and norton has no access to the file and cannot repair it. To get rid of the window I have to sometimes click the 'ok' 10 or 15 times and it returns immediately. The computer is slow and I have to constantly change my home page. Why the [bleep] doesn't my antivirus handle this and what can I do to fix it.
Any help would be greatly appreciated.
Thanks, rtguard
  • 0

Advertisements


#2
Hemal

Hemal

    Founding Fart

  • Technician
  • 1,470 posts
Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
  • 0

#3
rtguard

rtguard

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Logfile of HijackThis v1.98.0
Scan saved at 3:53:16 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\65SXCHGN\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 64.237.45.18 ad.doubleclick.net
O1 - Hosts: 64.237.45.18 aff.weatherbug.com
O1 - Hosts: 64.237.45.18 www.burstnet.com
O1 - Hosts: 64.237.45.18 oz.valueclick.com
O1 - Hosts: 64.237.45.18 a.tribalfusion.com
O1 - Hosts: 64.237.45.18 servedby.advertising.com
O1 - Hosts: 64.237.45.18 my.search
O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com
O1 - Hosts: 209.87.155.230 date.com
O1 - Hosts: 209.87.155.230 dating.com
O1 - Hosts: 209.87.155.230 freedating.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\SZIEBHO.dll
O2 - BHO: (no name) - {FE1AA0A5-C29D-4381-BC3E-F9DFF4DA67E6} - C:\WINDOWS\System32\dmn.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O5 "LPT1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [v91gix06nv] C:\Program Files\Symantec\6r7vhs8d6n.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...op-sign_fs2.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{551C4807-3D43-49A2-8FF5-F135B9D23E48}: NameServer = 209.145.84.131 216.12.0.20
O18 - Filter: text/html - {288A3D26-79A1-4682-A737-E6134FA02E2C} - C:\WINDOWS\System32\dmn.dll
O18 - Filter: text/plain - {288A3D26-79A1-4682-A737-E6134FA02E2C} - C:\WINDOWS\System32\dmn.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\comigj.dll
  • 0

#4
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Mosaic1 has created a bat file that should help us, download it from here.
http://computercops....ownload&id=1183

A few setup items first we need to do, make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.n...1916458,00.html

Next, review this article How to take ownership of a file or folder in Windows XP

Sign Off the Internet and Stay Off Until All Steps Are Finished

Extract the batch file (hiving.bat) and run it. If you have script blocking enabled you will get a warning. Please allow this to run. The script is just producing a message box. Double click on the batch to run it. After a reboot the super hidden nasty file will no longer be loaded and will be visible.

Restart into Safe mode and find this file:
C:\WINDOWS\System32\comigj.dll.dll

Right click on the file and choose properties.
Use the security tab on .dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Example:
ctl.dll>bleh.txt
bleh.txt > badfile.111

Once you have successfully deleted the file restart into Regular Windows mode.

Run CWShredder immediately. Press the 'Fix' button to clean.

Run Ad-Aware
Restart.
Run Spybot
Restart.

Report back if you're successful or not.
  • 0

#5
karabuyu

karabuyu

    New Member

  • Member
  • Pip
  • 3 posts
Hi! I'm a new member of this site, but I'm sure that you can help me...
I'have a Backdoor Prorat problem too, Ad-aware finds the keys, but manually I couldn't see the files mentioned in the net (for ex. fsercives.exe, sservices.exe...)
So, I'm sending you the log file of HiJacktihis...

Logfile of HijackThis v1.98.2
Scan saved at 22:09:06, on 16.06.2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\services.exe
C:\WINDOWS\Anvshell.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\services.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\emre\Desktop\HijackThis 1.97.7\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.38.27:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: KolayBAR PopUp Blocker - {1C4E26EF-A354-45FE-81B0-62931E90889E} - C:\PROGRA~1\KolayBAR\KBBLOC~1.DLL
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &KolayBAR - {04970F9F-F2AB-4D1E-B842-313E1E2A3078} - C:\PROGRA~1\KolayBAR\KolayBAR.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AntiVir\AVGNT.EXE" /min
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] C:\WINDOWS\is-8H591.exe /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm (file missing)
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - http://arcade.icq.co...dyssey_web8.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pDownloader.cab
O16 - DPF: {D4714DAD-82EE-4E98-91CF-D9EED72A3053} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92A8FEB7-021B-476F-9038-E540D1CD99F7}: NameServer = 192.168.1.1

I'm waiting your reply and solutions...
  • 0

#6
gerryf

gerryf

    Retired Staff

  • Retired Staff
  • 11,365 posts
Aughhh!

You just revived an 11 month old thread!

Please go to the malware forum in my signature and follow the instructions at the top....Especially the CLICK HERE .

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this forum and create your OWN thread
  • 0

#7
gerryf

gerryf

    Retired Staff

  • Retired Staff
  • 11,365 posts
ps

that is an old version of hijackthis
  • 0

#8
karabuyu

karabuyu

    New Member

  • Member
  • Pip
  • 3 posts
Thank you gerryf, as I said, I'm a new member of this forum, so I couldn't be checked the right topics of the forum:)

I'll do what you advised me, thanks a lot again;)

Edited by karabuyu, 16 June 2005 - 02:44 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP