Stopping Trojan BackDoor-BDI

Discussion in 'malware problems & news' started by rg4256, Oct 10, 2004.

Thread Status:
Not open for further replies.
  1. rg4256

    rg4256 Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    2
    I need help destroying the Trojan BackDoor-BDI. My McAfee program finds it and deletes it, but it continues to come back. It will return a few times a day. Sometimes it will even appear while I am running a virus scan.

    The message from McAfee is:
    "The file C:\windows\adacup.exe was infected by the BackDoor-BDI Trojan and has been deleted."

    I have tried running with the "System Restore" off and deleted all internet temp files and cookies. My OS is Win XP Pro – SP2, I am also running AdAware, Adwatch, Spybot, and TDS-3 Professional. Nothing seems to stop the Trojan from coming back.

    Any assistance would be greatly appreciated.
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Try a scan in Safe Mode with System Restore off. You might as well run AdAware, Spybot, and TDS-3 Professional while you are in Safe Mode. :)
     
  3. rg4256

    rg4256 Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    2
    I have tried running in safe mode as you suggested, but the trojan reappeared within minutes after I returned to normal operation.

    I ran in safe mode with system restore off. I completed a full McAfee VS, a full system Ad-Aware SE Plus Scan, a TDS-3 Scan, and a Spybot scan.

    My Internet Options security is and has been set to Medium, unsigned controls will not be downloaded, and Prompt to Download Signed ActiveX Controls.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,145
    Location:
    Texas
    McAfee

    According to McAfee:

    The installation vector for this trojan is not known at this time. The most likely scenario is that an ActiveX control on a web site is responsible for installing the trojan executable into the WINDOWS (%WinDir%) directory as goidr.exe.


    When this executable is run, it creates a registry run key to load itself at system startup:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "goidr" = C:\WINDOWS\goidr.exe

    File information is stored in an additional key created by this trojan:

    * HKEY_LOCAL_MACHINE\SOFTWARE\GoIDR

    While running, the trojan attempts to connect to various websites:

    blank

    If I were using IE, I would disable ActiveX after I cleaned all the entries above. I would then run IE awhile and see if it comes back.

    Just a suggestion.
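
The persistence described in the McAfee write-up above can be checked with a short triage script. This is an added example, not part of the original post or McAfee's description: it lists HKLM Run values whose target is an .exe sitting directly in the Windows directory, whatever the file is called (the thread shows both goidr.exe and adacup.exe). The function names, the sample data and the "adacup" value name are assumptions made for illustration.

```python
import ntpath
import os
import re

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def target_path(command, windir):
    """Extract the executable path from a Run-value command line."""
    command = command.strip()
    if not command:
        return ""
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        path = quoted.group(1)
    else:  # unquoted: keep everything up to the first ".exe", else first token
        exe = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
        path = exe.group(1) if exe else command.split()[0]
    # Expand the two variables that normally point at the Windows directory.
    path = re.sub(r"%(windir|systemroot)%", lambda _: windir, path, flags=re.I)
    return ntpath.normpath(path)

def suspicious_run_entries(entries, windir=r"C:\WINDOWS"):
    """Return (name, path) for Run values launching an .exe from the %WinDir% root.
    This is a review list, not a verdict: each hit still needs to be identified."""
    root = ntpath.normcase(ntpath.normpath(windir))
    hits = []
    for name, command in entries.items():
        path = target_path(str(command), windir)
        in_root = ntpath.normcase(ntpath.dirname(path)) == root
        if in_root and path.lower().endswith(".exe"):
            hits.append((name, path))
    return sorted(hits)

def read_run_key():
    """Read the HKLM Run values on a live Windows host (winreg is Windows-only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values

SAMPLE = {  # constructed sample data; only the goidr entry comes from the post
    "goidr": r"C:\WINDOWS\goidr.exe",
    "adacup": r"%WinDir%\adacup.exe",
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /min',
    "SysTool": r"C:\WINDOWS\system32\tool.exe -start",
}

if __name__ == "__main__":
    entries = read_run_key() if os.name == "nt" else SAMPLE
    for name, path in suspicious_run_entries(entries, os.environ.get("WinDir", r"C:\WINDOWS")):
        print(f"review: {name} -> {path}")
```

Run on the affected machine, it reads the live registry; anywhere else it falls back to the constructed sample.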
     
  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    This trojan has many names, it seems (Secunia). In addition to what ronjor suggests, try F-Secure's online scan; it uses the Kaspersky engine (+ another one, I believe). Kaspersky has this listed as "Backdoor.Win32.Agent.co". It's worth a try.

    There are links to F-Secure and a couple of other online-scanners in my signature.

    If this doesn't fix it, then you can try a trial of Ewido or Trojan Hunter. Good luck :)
     