Backdoor

Discussion in 'adware, spyware & hijack cleaning' started by Esmee, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. Esmee (Registered Member; joined Feb 6, 2004; 3 posts; location: The Netherlands)

    Dear Peter,

    Norman Anti Virus informs me that I have a backdoor in my system.
    File: Winnt\systems32\hgvwxc.exe
    Backdoor: W32/Rank.K

    I ran Spybot S&D and after that HijackThis. I herewith send you the HijackThis log file.

    Logfile of HijackThis v1.97.7
    Scan saved at 21:04:25, on 10-3-2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SYSTEM32\DNTUS26.EXE
    C:\WINNT\SYSTEM32\DWRCS.EXE
    C:\WINNT\System32\svchost.exe
    C:\winnt\system32\system32bak\temp\FireDaemon.EXE
    C:\winnt\system32\system32bak\temp\FireDaemon.EXE
    C:\winnt\system32\system32bak\temp\G6FTPSrv.exe
    C:\winnt\system32\system32bak\temp\ssvchost.exe
    C:\Program Files\Norman\NPF\NPFSVICE.EXE
    C:\Norman\Nvc\BIN\Zanda.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\Mixer.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINNT\system32\stisvc.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\ICfsn.exe
    C:\WINNT\SYSTEM32\fqexc.exe
    C:\WINNT\system32\gt.exe
    C:\WINNT\SYSTEM32\hgvwc.exe
    C:\WINNT\SYSTEM32\fdxkeq.exe
    C:\WINNT\system32\mez.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Norman\NPF\NPFMSG.EXE
    C:\NORMAN\Nvc\BIN\nvcoas.exe
    C:\Palm\HOTSYNC.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\Program Files\United Devices\UD.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\United Devices\ud_1396140.exe
    C:\Program Files\United Devices\ud_1396140_0.dir\ud_ligfit_Release.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [anvshell] anvshell.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ICeon] ICfsn.exe
    O4 - HKLM\..\Run: [kkk] C:\WINNT\SYSTEM32\fqexc.exe
    O4 - HKLM\..\Run: [Microsoft Windows WKS Service] gt.exe
    O4 - HKLM\..\Run: [kkask] C:\WINNT\SYSTEM32\hgvwc.exe
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fdxkeq.exe
    O4 - HKLM\..\Run: [ffgeewn] mez.exe
    O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows WKS Service] gt.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NPF Messenger.lnk = C:\Program Files\Norman\NPF\NPFMSG.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37414.4596990741
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2E91EA01-BECD-42CA-BECC-B12372063911}: NameServer = 194.109.104.104 194.109.6.66

    Please inform me what to do next.

    Best regards,
    Esmee
     
  2. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; 13,429 posts; location: Netherlands)

    Hi Esmee,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:
    O4 - HKLM\..\Run: [ICeon] ICfsn.exe
    O4 - HKLM\..\Run: [kkk] C:\WINNT\SYSTEM32\fqexc.exe
    O4 - HKLM\..\Run: [Microsoft Windows WKS Service] gt.exe
    O4 - HKLM\..\Run: [kkask] C:\WINNT\SYSTEM32\hgvwc.exe
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fdxkeq.exe
    O4 - HKLM\..\Run: [ffgeewn] mez.exe
    O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows WKS Service] gt.exe

    Then reboot into safe mode and put all these files in a zip or rar folder:
    C:\winnt\system32\system32bak <= entire folder
    C:\winnt\system32\spolws.exe
    C:\WINNT\system32\ICfsn.exe
    C:\WINNT\SYSTEM32\fqexc.exe
    C:\WINNT\system32\gt.exe
    C:\WINNT\SYSTEM32\hgvwc.exe
    C:\WINNT\SYSTEM32\fdxkeq.exe
    C:\WINNT\system32\mez.exe

    and send them to the addy in my profile.
    Do not leave the originals in those folders. Something might trigger them again.
    This looks like an amateur rootkit to me.
    I'd like to forward it to the specialists to make sure.

    Regards,

    Pieter
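The reply above works from a reviewer's knowledge of which autorun entries are known-good: every O4 entry that is not on that list is the thing to check, and the same entries are then mapped to files to collect before deletion. The script below is an added example (not code from the thread or from HijackThis) that reproduces that triage over O4 lines copied from the posted log. The known-good set is an assumption standing in for a reviewer's reference database, the extra signals it annotates (RunServices on an NT system, a value name spoofing Microsoft, a bare filename) are heuristics, and mapping bare filenames to system32 is the same assumption the reply makes.

```python
"""Triage of HijackThis O4 (autorun) entries against a known-good list.

Added example: unknown executables are reported with the signals a reviewer
would note, and the unknown set is turned into the list of files to archive.
"""
import re
from pathlib import PureWindowsPath

# Registry-based O4 lines, e.g. "O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe"
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Startup-folder O4 lines, e.g. "O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE"
LNK_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.+)$")

# Lines copied from the HijackThis log posted above (a subset; enough to cover every case).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [ICeon] ICfsn.exe
O4 - HKLM\..\Run: [kkk] C:\WINNT\SYSTEM32\fqexc.exe
O4 - HKLM\..\Run: [Microsoft Windows WKS Service] gt.exe
O4 - HKLM\..\Run: [kkask] C:\WINNT\SYSTEM32\hgvwc.exe
O4 - HKLM\..\Run: [Microsoft] C:\WINNT\SYSTEM32\fdxkeq.exe
O4 - HKLM\..\Run: [ffgeewn] mez.exe
O4 - HKLM\..\RunServices: [Microsoft Internet] spolws.exe
O4 - HKLM\..\RunServices: [Microsoft Windows WKS Service] gt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: NPF Messenger.lnk = C:\Program Files\Norman\NPF\NPFMSG.EXE
"""

# Assumed known-good list (a stand-in for a reviewer's reference database).
KNOWN_GOOD = {
    "mobsync.exe", "mixer.exe", "soundman.exe", "loadqm.exe", "rundll32.exe", "anvshell.exe",
    "nerocheck.exe", "winampa.exe", "zlh.exe", "nwiz.exe", "internat.exe", "msnmsgr.exe",
    "mailwa~1.exe", "hotsync.exe", "sgmain.exe", "ud.exe", "acrotray.exe", "osa9.exe", "npfmsg.exe",
}


def executable_of(cmd):
    """Return the program part of a Run-value command line (quotes and arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_o4(log_text):
    """Yield one dict per O4 line; every other HijackThis section is ignored."""
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d.setdefault("hive", "")
        d["line"] = line
        # A Startup .lnk target is a bare path (possibly with spaces); a Run value is a command line.
        d["exe"] = d["cmd"].strip() if d["key"].endswith("Startup") else executable_of(d["cmd"])
        d["basename"] = PureWindowsPath(d["exe"]).name.lower()
        yield d


def triage_o4(log_text, known_good):
    """Return the O4 entries whose executable is not known-good, annotated with review signals."""
    findings = []
    for e in parse_o4(log_text):
        if e["basename"] in known_good:
            continue
        signals = ["unknown executable"]
        if e["key"].lower().startswith("runservices"):
            # RunServices/RunServicesOnce are Windows 9x/ME keys; NT-based Windows (this log is
            # Windows 2000) does not process them. An installer that writes the same value to
            # both Run and RunServices is trying to persist on either family: a malware tell.
            signals.append("RunServices key (not honoured on NT; dual-family persistence)")
        if e["name"].lower().startswith("microsoft"):
            # Heuristic: genuine Microsoft autoruns are not labelled "Microsoft ...".
            signals.append("value name impersonates Microsoft")
        if "\\" not in e["exe"]:
            # Resolved through the CreateProcess search path, so the real location must be confirmed.
            signals.append("bare filename, location not stated")
        findings.append({**e, "signals": signals})
    return findings


def collection_list(findings, system32=r"C:\WINNT\system32"):
    """Absolute paths to archive before deletion. Bare names are assumed to sit in system32,
    as in the reply; confirm with 'dir /s' on the box, since the search path starts elsewhere."""
    seen = {}
    for f in findings:
        path = f["exe"] if "\\" in f["exe"] else f"{system32}\\{f['exe']}"
        seen.setdefault(path.lower(), path)  # de-duplicate case-insensitively
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    hits = triage_o4(SAMPLE_LOG, KNOWN_GOOD)
    for h in hits:
        print(h["line"], "->", "; ".join(h["signals"]))
    print("files to archive:", *collection_list(hits), sep="\n  ")
```

Run against the posted log lines, the unknown set is exactly the eight O4 entries ticked for fixing in the reply, and the archive list is the seven distinct files it asks for (gt.exe appears under both Run and RunServices). The known-good list is the judgement call: anything missing from it is reported, so a short list gives false positives rather than misses, which is the right failure direction for this kind of triage.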
     