Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.graybird


  • Please log in to reply
1 reply to this topic

#1 MyJimmy

MyJimmy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:11 AM

Posted 11 December 2005 - 11:15 PM

NAV has found Backdoor.graybird in the file c:\winnt\Systems_HOOk.dll . I able to delete the files in Window Safe Mode only but it will restore/appear again when Window switch back to normal mode.

I try Ewido to perform full scan, and it show me as below:
1) C:\WINNT\Systems_HOOk.DLL - Backdoor.Hupigon.ji : Error during cleaning
2) C:\WINNT\Systems.DLL - Backdoor.Hupigon.jn : Cleaned with backup


Logfile of HijackThis v1.99.1
Scan saved at 10:47:08 AM, on 12/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\msdtc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\cmd.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1128684866375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128684856718
O17 - HKLM\System\CCS\Services\Tcpip\..\{A46F8B2B-3640-4321-9567-5CC8DED9D6A6}: NameServer = 202.9.103.180,202.9.108.180
O17 - HKLM\System\CS1\Services\Tcpip\..\{A46F8B2B-3640-4321-9567-5CC8DED9D6A6}: NameServer = 202.9.103.180,202.9.108.180
O17 - HKLM\System\CS2\Services\Tcpip\..\{A46F8B2B-3640-4321-9567-5CC8DED9D6A6}: NameServer = 202.9.103.180,202.9.108.180
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Print Spooles - Unknown owner - C:\WINNT\Systems.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Edited by MyJimmy, 11 December 2005 - 11:17 PM.


BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,502 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:11 PM

Posted 14 December 2005 - 04:57 PM

Hi there :thumbsup: I want to apologize for not getting to your log sooner, but there is quite a backlog. If you are still having problems please follow the directions found in this topic:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

When done with those steps, please post a new HJT log as a reply to this topic and I will help you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users