Backdoor

Discussion in 'adware, spyware & hijack cleaning' started by Esmee, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. Esmee

    Esmee Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    3
    Location:
    The Netherlands
    Dear Peter,

    Norman Anti Virus informs me that I have a backdoor in my system.
    File: Winnt\systems32\hgvwxc.exe
    Backdoor: W32/Rank.K

    I ran Spybot S&D and after that HijackThis. I herewith send you the HijackThis file.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:04:25, on 10-3-2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\WINNT\System32\svchost.exe
    C:\winnt\system32\system32bak\temp\FireDaemon.EXE
    C:\winnt\system32\system32bak\temp\FireDaemon.EXE
    C:\winnt\system32\system32bak\temp\G6FTPSrv.exe
    C:\winnt\system32\system32bak\temp\ssvchost.exe
    C:\Program Files\Norman\NPF\NPFSVICE.EXE
    C:\Norman\Nvc\BIN\Zanda.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\Mixer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINNT\system32\stisvc.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\ICfsn.exe
    C:\WINNT\SYSTEM32\fqexc.exe
    C:\WINNT\system32\gt.exe
    C:\WINNT\SYSTEM32\hgvwc.exe
    C:\WINNT\SYSTEM32\fdxkeq.exe
    C:\WINNT\system32\mez.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\Palm\HOTSYNC.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\Program Files\United Devices\UD.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\United Devices\ud_1396140.exe
    C:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ICeon] ICfsn.exe
    O4 - HKLM\..\Run: [kkk] C:\WINNT\SYSTEM32\fqexc.exe
    O4 - HKLM\..\Run: [Microsoft Windows WKS Service] gt.exe
    O4 - HKLM\..\Run: [kkask] C:\WINNT\SYSTEM32\hgvwc.exe
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fdxkeq.exe
    O4 - HKLM\..\Run: [ffgeewn] mez.exe
    O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows WKS Service] gt.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NPF Messenger.lnk = C:\Program Files\Norman\NPF\NPFMSG.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37414.4596990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66

    Please inform me what to do next.

    Best regards,
    Esmee
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Esmee,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:
    O4 - HKLM\..\Run: [ICeon] ICfsn.exe
    O4 - HKLM\..\Run: [kkk] C:\WINNT\SYSTEM32\fqexc.exe
    O4 - HKLM\..\Run: [Microsoft Windows WKS Service] gt.exe
    O4 - HKLM\..\Run: [kkask] C:\WINNT\SYSTEM32\hgvwc.exe
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fdxkeq.exe
    O4 - HKLM\..\Run: [ffgeewn] mez.exe
    O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows WKS Service] gt.exe

    Then reboot into safe mode and put all these files in a zip or rar folder:
    C:\winnt\system32\system32bak <= entire folder
    C:\winnt\system32\spolws.exe
    C:\WINNT\system32\ICfsn.exe
    C:\WINNT\SYSTEM32\fqexc.exe
    C:\WINNT\system32\gt.exe
    C:\WINNT\SYSTEM32\hgvwc.exe
    C:\WINNT\SYSTEM32\fdxkeq.exe
    C:\WINNT\system32\mez.exe

    and send them to the addy in my profile.
    Do not leave the originals in those folders. Something might trigger them again.
    This looks like an amateur rootkit to me.
    I'd like to forward it to the specialists to make sure.

    Regards,

    Pieter
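A triage pass over the log along the lines Pieter applied by hand, as an added example that is not part of the thread: it parses the Run/RunServices (O4) lines and the process list from a constructed excerpt of Esmee's log, flags the entries he listed with a reason for each, and picks out processes running from a folder nested under system32 such as system32bak\temp. The allowlist and the heuristics are assumptions of this example, not a HijackThis feature.

```python
import re
from collections import Counter
# Constructed excerpt: a subset of the lines posted in this thread, copied verbatim.
HJT_EXCERPT = r"""
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\winnt\system32\system32bak\temp\G6FTPSrv.exe
C:\WINNT\SYSTEM32\hgvwc.exe
C:\WINNT\system32\gt.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [kkask] C:\WINNT\SYSTEM32\hgvwc.exe
O4 - HKLM\..\Run: [Microsoft Windows WKS Service] gt.exe
O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
O4 - HKLM\..\RunServices: [Microsoft Windows WKS Service] gt.exe
"""
# Entry names the log shows for legitimate software: the analyst's allowlist (constructed, abbreviated).
KNOWN_ENTRIES = {"Synchronization Manager", "NvCplDaemon", "WinampAgent", "Norman ZANDA", "MailWasher"}
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")

def image_name(command):
    """Lower-cased basename of the executable in an O4 command line (quoted or bare)."""
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()

def triage(log_text):
    """Map each image behind an unrecognised Run/RunServices entry to its reasons for review."""
    entries, procs = [], set()
    for line in map(str.strip, log_text.splitlines()):
        if (m := O4_RE.match(line)) and m.group(2) not in KNOWN_ENTRIES:
            entries.append(m.groups())                   # keep only unrecognised entries
        elif re.match(r"^[A-Za-z]:\\", line):            # a 'Running processes' line
            procs.add(line.rsplit("\\", 1)[-1].lower())
    findings, per_image = {}, Counter(image_name(cmd) for _, _, cmd in entries)
    for key, name, cmd in entries:
        exe = image_name(cmd)
        reasons = findings.setdefault(exe, ["entry name not on the known-software list"])
        for reason, hit in (
            ("name mimics a Microsoft component", name.lower().startswith("microsoft")),
            ("RunServices is a Windows 9x key that Windows 2000 ignores", key == "RunServices"),
            ("same image registered under more than one autostart key", per_image[exe] > 1),
            ("image not in the running-process list", exe not in procs),
            ("entry name is lower-case gibberish", re.fullmatch(r"[a-z]{2,8}", name) is not None),
        ):
            if hit and reason not in reasons:
                reasons.append(reason)
    return findings

def nested_system32_processes(log_text):
    """Processes running two or more folder levels below system32, where no Windows component lives."""
    return sorted(l.strip() for l in log_text.splitlines()
                  if re.match(r"(?i)^C:\\winnt\\system32\\[^\\]+\\[^\\]+\\", l.strip()))
```

Run against the excerpt, `triage` returns hgvwc.exe, gt.exe and spolws.exe with their reasons, and `nested_system32_processes` returns only the G6FTPSrv.exe line, while WBEM\WinMgmt.exe (one level down) is left alone.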
     