Stopping Trojan BackDoor-BDI

Discussion in 'malware problems & news' started by rg4256, Oct 10, 2004.

Thread Status:
Not open for further replies.
  1. rg4256

    rg4256 Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    2
    I need help destroying the Trojan BackDoor-BDI. My McAfee program finds it and deletes it, but it continues to come back. It will return a few times a day. Sometimes it will even appear while I am running a virus scan.

    The message from McAfee is:
    "The file C:\windows\adacup.exe was infected by the BackDoor-BDI Trojan and has been deleted."

    I have tried running with the "System Restore" off and deleted all internet temp files and cookies. My OS is Win XP Pro – SP2, I am also running AdAware, Adwatch, Spybot, and TDS-3 Professional. Nothing seems to stop the Trojan from coming back.

    Any assistance would be greatly appreciated.
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Try a scan in Safe Mode with System Restore off; you might as well run AdAware, Spybot, and TDS-3 Professional while you are in Safe Mode. :)
     
  3. rg4256

    rg4256 Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    2
    I have tried running in Safe Mode as you suggested, but the trojan reappeared within minutes after I returned to normal operation.

    I ran in Safe Mode with System Restore off. I completed a full McAfee VS scan, a full system Ad-Aware SE Plus scan, a TDS-3 scan, and a Spybot scan.

    My Internet Options security is, and has been, set to Medium: unsigned controls will not be downloaded, and it prompts before downloading signed ActiveX controls.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    McAfee

    According to McAfee:

    The installation vector for this trojan is not known at this time. The most likely scenario is that an ActiveX control on a web site is responsible for installing the trojan executable into the WINDOWS (%WinDir%) directory as goidr.exe.


    When this executable is run, it creates a registry Run key to load itself at system startup:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "goidr" = C:\WINDOWS\goidr.exe

    File information is stored in an additional key created by this trojan:

    * HKEY_LOCAL_MACHINE\SOFTWARE\GoIDR

    While running, the trojan attempts to connect to various websites:

    blank

    If I were using IE, I would disable ActiveX after I cleaned all the entries above. I would then run IE a while and see if it comes back.

    Just a suggestion.
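    The McAfee write-up above lists three persistence indicators: a value under the HKLM Run key, the HKLM\SOFTWARE\GoIDR key, and an executable dropped directly into %WinDir% (goidr.exe in the write-up, adacup.exe in the original post). The PowerShell script below is an added example, not code from the thread or from McAfee: it enumerates the Run/RunOnce keys, flags any value that either matches one of those file names or launches an executable sitting directly in %WinDir% (a heuristic, since legitimate startup entries normally point into Program Files or system32), checks for the GoIDR key and the files on disk, and only removes them when run with -Remove. The name list and the "bare %WinDir% executable" heuristic are assumptions; review the table it prints before removing anything.

```powershell
# Added example (not from the thread or the McAfee write-up): find and optionally
# remove the BackDoor-BDI indicators McAfee lists. Read-only unless -Remove is given.
# $KnownNames and the "executable directly in %WinDir%" heuristic are assumptions.
param(
    [string[]]$KnownNames = @('goidr.exe', 'adacup.exe'),  # names seen in the thread
    [switch]$Remove
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$markerKey = 'HKLM:\SOFTWARE\GoIDR'          # key named in the McAfee description
$winDir    = $env:windir.TrimEnd('\')
$findings  = @()

# 1. Run-key values that launch a known name, or any executable sitting directly in %WinDir%
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell provider metadata
        $value = [string]$p.Value
        # Extract the executable path: quoted path, or first token before arguments
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split ' ')[0] }
        $exe  = [Environment]::ExpandEnvironmentVariables($exe)
        $name = [IO.Path]::GetFileName($exe)
        $dir  = [IO.Path]::GetDirectoryName($exe)
        $inWinDirRoot = $dir -and ($dir.TrimEnd('\') -ieq $winDir)
        if (($KnownNames -contains $name) -or $inWinDirRoot) {
            $findings += [pscustomobject]@{ Kind = 'runkey'; Key = $key; Name = $p.Name; Path = $exe; Raw = $value }
        }
    }
}

# 2. The trojan's own data key
if (Test-Path $markerKey) {
    $findings += [pscustomobject]@{ Kind = 'regkey'; Key = $markerKey; Name = ''; Path = ''; Raw = 'key present' }
}

# 3. Dropped files under %WinDir% with the known names
foreach ($n in $KnownNames) {
    $f = Join-Path $winDir $n
    if (Test-Path $f) {
        $findings += [pscustomobject]@{ Kind = 'file'; Key = ''; Name = $n; Path = $f; Raw = "$((Get-Item $f).Length) bytes" }
    }
}

if (-not $findings) { Write-Host 'No BackDoor-BDI indicators found.'; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        switch ($f.Kind) {
            'runkey' { Remove-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction Continue }
            'regkey' { Remove-Item -Path $f.Key -Recurse -Force -ErrorAction Continue }
            'file'   {
                # A running copy holds the file open; stop it before deleting
                Get-Process | Where-Object { $_.Path -ieq $f.Path } |
                    Stop-Process -Force -ErrorAction SilentlyContinue
                Remove-Item -Path $f.Path -Force -ErrorAction Continue
            }
        }
    }
}
```

Run it from an elevated prompt, ideally in Safe Mode, first without -Remove to review the findings. It only cleans what McAfee describes; since the thread reports the file returning within minutes, whatever is re-delivering it (the page's guess is an ActiveX control in IE) is not touched by this script, which is why ronjor's advice to disable ActiveX afterwards still applies.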
     
  5. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    This trojan has many names it seems (Secunia). In addition to what ronjor suggests, try F-Secure's online scan; it uses the Kaspersky engine (+ another one I believe). Kaspersky has this listed as "Backdoor.Win32.Agent.co", so it's worth a try.

    There are links to F-Secure and a couple of other online-scanners in my signature.

    If this doesn't fix it, you can try a trial of Ewido or Trojan Hunter. Good luck :)
     