  #1  
Old December 21st, 2004, 10:19 PM
Kazaps Kazaps is offline
New Member
 
Join Date: Dec 2004
Posts: 16
HELP with TROJAN Backdoor-bac.dll, please?

Hello,
Please, could someone help me?
My McAfee VirusScan is telling me that I have a trojan. I am told that C:\WINDOWS\system32\e012d.dll is infected by the BackDoor-BAC.dll trojan and cannot be deleted.
I have the Windows XP Home Edition.
I have tried manually deleting the file e012d.dll, but with no joy.
I would appreciate any help.
Thank you.
  #2  
Old December 22nd, 2004, 01:28 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Hi,

Could you run this online antivirus scan.
At the end, it generates a report. Copy/paste it in this thread.

Download HijackThis from:
http://www.cybertechhelp.com/html/do...load.php/id/40

Create a new folder only for HijackThis (Example : C:\HJT).
Unzip it to this folder.
Click "Scan", then click "Save Log".
Save the log, and copy/paste it into your response to this thread.
Don't check or fix anything yet.

Cheers.
  #3  
Old December 22nd, 2004, 06:48 PM
Kazaps Kazaps is offline
New Member
 
Join Date: Dec 2004
Posts: 16
Backdoor-BAC.dll trojan.

Evening,

Thank you for the reply.

I ran noadware, pcdoctor and spybot several times, and then I visited the online anti-virus, after which I downloaded and ran the HijackThis programme. The reports are below.



Report of the online anti-virus;



Scan started at 22/12/2004 15:03:40



Scanning memory...

Scanning boot sectors...

Scanning files...

C:\Documents and Settings\Owner\Local Settings\Temp\tempchngr.exe - Backdoor:Win32/Small.AQ -> Suspicious

C:\Program Files\WindUpdates\Comm.dll - TrojanDownloader:Win32/Winupdt.A -> Infected

C:\Program Files\WindUpdates\WinKA.exe - Trojan:Win32/KeepAlive.A -> Infected

C:\WINDOWS\Downloaded Program Files\BridgeX.dll - TrojanDownloader:Win32/Briss.A -> Infected

C:\WINDOWS\Downloaded Program Files\iEBINST2.dll - Backdoor:Win32/Delf.QF -> Infected

C:\WINDOWS\system32\TFTP1992 - Win32/HLLW.Nachi.A.dam#2 -> Infected



Scanned

============================

Objects: 130039

Directories: 8297

Archives: 19257

Size(Kb): 490289

Infected files: 5



Found

============================

Viruses found: 5

Suspicious files: 1

Disinfected files: 0

Mail files: 1341





Report of HijackThis;



Logfile of HijackThis v1.98.2

Scan saved at 16:45:03, on 22/12/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\STOPzilla!\szntsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\WINDOWS\system32\gsicon.exe

C:\WINDOWS\system32\dslagent.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\STOPzilla!\Stopzilla.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\spydoctor.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\AOL 8.0b\aoltray.exe

C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe

C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\Owner\Desktop\hjt\HijackThis.exe



R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/NA/newreg/0/4.../00000809/3/1/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun

O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"

O4 - HKLM\..\Run: [DVD43] "C:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden

O4 - HKLM\..\Run: [Upsfctl] C:\DOCUME~1\Owner\LOCALS~1\Temp\gpginst.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0b\aoltray.exe

O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe

O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab

O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipview.com/fvlite/fvliteY.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.173.198.178/activex/AxisCamControl.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab





Once again, thank you for all your help. I really appreciate it.



Take Care,

Karen
  #4  
Old December 22nd, 2004, 07:08 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Ok. Then, reboot in safe mode and make sure that you can see the hidden files and folders.
Delete:
C:\Program Files\WindUpdates <- the folder
C:\WINDOWS\system32\TFTP1992

Empty this folder:
C:\Documents and Settings\Owner\Local Settings\Temp\
(Don't delete the folder itself, but all the files it contains.)

Empty the recycle bin.

-------

Reboot in normal mode.
Download : PocketKillBox
In "Paste full path of file..", copy/paste : C:\WINDOWS\Downloaded Program Files\BridgeX.dll
Then, click "Delete file" (the white cross).

Do it again with : C:\WINDOWS\Downloaded Program Files\iEBINST2.dll

---------

Run HijackThis and check:

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [Upsfctl] C:\DOCUME~1\Owner\LOCALS~1\Temp\gpginst.exe

click "Fix checked".

Reboot.

Verify on RAV if the computer is clean and post a new HijackThis log, please, Karen.
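The two lines picked for "Fix checked" in the post above show two recognisable patterns: a BHO whose file no longer exists, and a Run value that launches from a Temp folder. As an added example (not part of the original thread, and not HijackThis's own logic), this sketch flags those two patterns for manual review; the sample lines are copied from the log posted in this thread, and the two heuristics and the reason labels are assumptions.

```python
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Upsfctl] C:\DOCUME~1\Owner\LOCALS~1\Temp\gpginst.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
BHO = re.compile(r"^BHO: .*? - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Long and 8.3 short spellings of a per-user Temp directory (assumed heuristic).
TEMP_DIR = re.compile(r"\\(local settings|locals~\d)\\temp\\", re.IGNORECASE)


def triage(log_text):
    """Return (identifier, reason) pairs for entries that deserve a manual look.

    A hit means "review this", not "malicious": an orphaned BHO can be a
    harmless leftover of an uninstalled program.
    """
    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # blank lines, header lines, running-process paths
        section, body = entry.group("section"), entry.group("body")
        if section == "O2":
            bho = BHO.match(body)
            if bho and bho.group("target") == "(no file)":
                findings.append((bho.group("clsid"), "orphaned-bho"))
        elif section == "O4":
            run = RUN.match(body)
            if run and TEMP_DIR.search(run.group("cmd")):
                findings.append((run.group("name"), "run-from-temp"))
    return findings


if __name__ == "__main__":
    for ident, reason in triage(SAMPLE_LOG):
        print(f"{reason:15} {ident}")
```
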
  #5  
Old December 23rd, 2004, 05:39 PM
Kazaps Kazaps is offline
New Member
 
Join Date: Dec 2004
Posts: 16
Good Morning,

Thank you for the reply.

I did as instructed, but ran into a hiccup. After several attempts, I discovered that HijackThis could not delete the following;



O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)



Everything else was downloaded and appears to have worked wonderfully. Thank you. The reports are below.



Report of HijackThis;



Logfile of HijackThis v1.98.2

Scan saved at 09:18:31, on 23/12/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\STOPzilla!\szntsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\gsicon.exe

C:\WINDOWS\system32\dslagent.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

c:\progra~1\mcafee.com\vso\mcvsescn.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\STOPzilla!\Stopzilla.exe

C:\WINDOWS\ALCXMNTR.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\spydoctor.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\AOL 8.0b\aoltray.exe

C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe

C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe

c:\progra~1\mcafee.com\vso\mcvsftsn.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner\Desktop\hjt\HijackThis.exe



R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/NA/newreg/0/4.../00000809/3/1/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe

O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun

O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"

O4 - HKLM\..\Run: [DVD43] "C:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0b\aoltray.exe

O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe

O4 - Global Startup: FotoStation Easy AutoLaunch.lnk = C:\Program Files\FotoStation Easy\FotoStation Easy AutoLaunch.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab

O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://flipview.com/fvlite/fvliteY.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://195.173.198.178/activex/AxisCamControl.cab

O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.zillabar.com/toolbar/bin/dwnldr.cab





Report of the online anti-virus;



Scan started at 23/12/2004 14:24:24



Scanning memory...

Scanning boot sectors...

Scanning files...



Scanned

============================

Objects: 102360

Directories: 8647

Archives: 19239

Size(Kb): -161654

Infected files: 0



Found

============================

Viruses found: 0

Suspicious files: 0

Disinfected files: 0

Mail files: 1298







I look forward to your advice and, as ever, thank you for all your help. I really appreciate it.



Take Care,

Karen
  #6  
Old December 23rd, 2004, 07:00 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Ok! Good job, Karen.

This O2 line is an old entry of Stopzilla, so it's not a true problem.
But you can try to fix it with the new version of HijackThis (1.99):
http://www.spywareinfo.com/~merijn/downloads.html

Does McAfee VirusScan still find something?
  #7  
Old December 23rd, 2004, 11:47 PM
Kazaps Kazaps is offline
New Member
 
Join Date: Dec 2004
Posts: 16
Thank You

Good Evening

Everything's working great. McAfee found no infections, and my PC is no longer flashing warning signs at me.

Thank you sooooo much for all your help.

Take care and have a great Christmas and New Year.

Karen
All times are GMT +1.