Backdoor.exdis trouble

Discussion in 'adware, spyware & hijack cleaning' started by SynTerro, Jul 13, 2004.

Thread Status:
Not open for further replies.
  1. SynTerro (Registered Member; joined Jul 13, 2004; posts: 2)
    Could someone help me with this?

    I have read the instructions on this page.

    I use Spybot S&D.

    When I try to open an exe file (any exe file), Norton warns me about this virus and refuses to start the file (I have to disable Norton to start programs). The virus is located in the winnt folder under the name nbgnjp.exe. I have tried to delete this file but have no access to it. I can delete it in safe mode, but then I can't run any exe files at all afterwards, so I had to restore it.

    Here is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:22:40, on 13/07/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    F:\PROGRA~1\NORTON~1\navapsvc.exe
    F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    F:\PROGRA~1\Winamp\winampa.exe
    C:\WINNT\System32\Linksts.exe
    F:\PROGRA~1\D-Tools\daemon.exe
    C:\PROGRA~1\ATITEC~1\ATICON~1\atiptaxx.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe
    C:\PROGRA~1\MSNMES~1\MsnMsgr.Exe
    F:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\BACKWE~1.EXE
    C:\WINNT\System32\ctfmon.exe
    D:\PROGRA~2\INTERV~1\Common\Bin\WINCIN~1.EXE
    D:\PROGRA~2\Logitech\MOUSEW~1\system\em_exec.exe
    D:\PROGRA~2\SILICO~1\SIISAT~1\SATARaid.exe
    F:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\System32\wuauclt.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\thormod\Desktop\BGII\HIJACK~1.EXE

    R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -on
    O4 - HKLM\..\Run: [WinampAgent] f:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKLM\..\Run: [Windows Update] C:\WINNT\System32\taasqt.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [LDM] f:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WindowBlinds] D:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe auto
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
    O4 - HKCU\..\Run: [Logitech Desktop Messenger] C:\DOCUME~1\thormod\LOCALS~1\Temp\ins2.tmp\SETUP-~1.EXE /NoIntervention
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: SATARaid.lnk = D:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38158.585625
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4DAA442F-B6B5-42D7-A982-E181A9C7630E}: NameServer = 213.142.64.170 213.142.64.171
    Last edited: Jul 13, 2004
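A small triage helper for the O4 (autorun) section of a log like the one above, added here as an example; it is not the poster's, HijackThis's or the forum's code. It parses the O4 lines and flags three patterns that are visible in this particular log: an autorun label that mimics a Windows/Microsoft Update component, a command given as a bare filename with no path (so the binary is located via the search path instead of a fixed location), and the same binary registered under several autorun keys (msconfg.exe appears under HKLM Run, HKLM RunServices and HKCU Run). The sample lines are copied from the log above; the scoring weights are my own assumption and are meant to order entries for review, not to deliver a verdict. Note that the file the poster names, nbgnjp.exe, does not appear in O4 at all, so this kind of log triage complements an antivirus scan rather than replacing it.

```python
import re
from collections import Counter

# Constructed sample: the O4 lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] f:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINNT\System32\taasqt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
"""

# Shape of an O4 registry autorun line: "O4 - HKLM\..\Run: [label] command".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)
# Labels that borrow the name of an OS update component (Windows Update on XP runs
# as a service, wuauclt.exe, not as a Run entry).
LOOKALIKE_RE = re.compile(r"(microsoft|windows)\s*update", re.IGNORECASE)


def parse_o4(log_text):
    """Return one dict (hive, key, label, cmd) per O4 registry line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def executable_of(cmd):
    """Extract the program from an autorun command (quoted path, unquoted path with spaces, or bare name)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def is_bare(exe):
    """True when the command names a file without any directory, so it is found via the search path."""
    return "\\" not in exe and ":" not in exe


def assess(entries):
    """Score each autorun entry with review prompts; weights are an assumption, not a verdict."""
    bases = [executable_of(e["cmd"]).rsplit("\\", 1)[-1].lower() for e in entries]
    seen = Counter(bases)
    findings = []
    for e, base in zip(entries, bases):
        exe = executable_of(e["cmd"])
        reasons, score = [], 0
        if LOOKALIKE_RE.search(e["label"]):
            reasons.append("label mimics a Windows/Microsoft Update component")
            score += 2
        if is_bare(exe):
            reasons.append("bare filename, resolved via the search path")
            score += 1
        if seen[base] > 1:
            reasons.append(f"same binary registered in {seen[base]} autorun keys")
            score += 1
        findings.append({**e, "exe": exe, "base": base, "score": score, "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)  # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for f in assess(parse_o4(SAMPLE_LOG)):
        if f["score"]:
            print(f"{f['score']}  {f['hive']}\\{f['key']} [{f['label']}] {f['exe']}: {'; '.join(f['reasons'])}")
```

Run as-is and the three msconfg.exe entries come out on top (lookalike label, no path, three autorun keys), followed by the "Windows Update" entry for taasqt.exe; legitimately installed software with a full path, such as winampa.exe or ccApp.exe, scores zero.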
  2. SynTerro (Registered Member; joined Jul 13, 2004; posts: 2)

    I'll just add that the problem is solved.