Thread: Backdoor problems...

  1. #1
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065

    Backdoor problems...

    Ok, my computer was acting a little strange so I decided to run my Spybot. It turned up an error during scan and said this:

    Error during check!
    backorifice.d (file C:\windows\win.ini cannot be opened. The process cannot access the file because it is being used by anoth...

    So I decided to run everything I've got: Spybot (which errored again), Ad-Aware (which didn't find anything), and avast! AV (which didn't find anything). I started in safe mode and ran it all again, still nothing, and Spybot came up with the same error. I looked at the running processes but I don't know what to look for; it all seems pretty normal to me. I also ran msconfig and looked at the startup applications and didn't find anything unusual, but then again, I don't know what to look for. I decided to run the software on my other computer (the family computer) and Spybot caught this:

    Error during check!
    Cabrotor (file C:\windows\win.ini cannot be opened. The process cannot access the file because it is being used by anoth...

    I ran Norton and Spybot on that computer and Norton didn't even catch it. All the software I ran on both computers was updated.

    Now I know that Back Orifice was bad, and I looked up what Cabrotor is and it's pretty much the same thing as Back Orifice... a backdoor.

    Nothing seems to be working!
    Please help me!
    Thanks in advance!
    I am the uber duck!!1
    Proxy Tools

  2. #2
    Make sure EVERYTHING is updated, then go through the process again.

    Then post a HijackThis log. I believe win.ini is covered in HijackThis.

  3. #3
    Senior Member
    Join Date
    Feb 2004
    Posts
    202
    Before you post your HJT log, here are a few extra scans to run:

    Download, update and run the A2 (A squared) anti-trojan. You can download it free at http://www.emsisoft.com/en/software/free/ . Let it fix whatever it wants to.

    Also, run this PC through the Panda Scan Online virus scanner.

  4. #4
    FanacooL
    Did someone said Pizza :)
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Not to worry about that. Backdoors simply add a registry value which helps them run and hack into your system, so all you have to do is remove that registry value.

    Now if you are using Win98 and the problem has occurred within the last 2-3 days, then simply boot the system with Safe Mode Command Prompt Only and type:

    c:>scanreg /restore

    Now from the menu restore the oldest registry.

    On the other hand, do one thing: from the Run box enter regedit.

    Here first export your registry, which will make a backup; if anything goes wrong you can restore it from there.

    Now browse to the following:
    1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
    4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-

    Check for your backdoor's name or anything fishy, or if you don't know, just get a screenshot or somehow paste the values on the right-hand side and I will analyze them for you.

    100% guarantee: if it's a backdoor, there must be a registry entry for it.
    Remove it, it won't invoke again, and then delete the backdoor.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  5. #5
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    Well I downloaded and updated the A^2 software, and though it is a very nice program, it failed to catch anything. So here is my HJT log:

    Logfile of HijackThis v1.98.2
    Scan saved at 12:51:02 AM, on 10/26/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\2Wire\Gateway\2PortalMon.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Documents and Settings\*****\Desktop\**** computer defenses\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
    O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
    O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
    O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_41.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O19 - User stylesheet: (file missing)

  6. #6
    FanacooL
    Did someone said Pizza :)
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Well there are three things that look fishy to me:

    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    By the way, you can upload your log to this site and analyze it.

    http://hijackthis.de/index.php

    Try the method I told you, and if you think my method is difficult and you won't be able to follow it, just download the software Jammer.

    www.agnitum.com

    This software has a Registry section which will directly point to those registry keys that I want you to see, so you can easily check them. Also the software is good; it will protect you next time from all this.
    TRY it.

  7. #7
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    Avast4 is my AV :P. I realize the registry key strategy you want me to do, but before I start playing in the registry, I'm going to see if my programs can do something first. I'm going to wait and see what everyone else thinks of my HJT log.

    The http://a1540.g.akamai.net/7/1540/52...meInstaller.exe looks fishy to me...

  8. #8
    Senior Member
    Join Date
    Feb 2004
    Posts
    202
    Good job The Duck - you caught the only true bad entry! The other one I've included is simply "housecleaning."

    FanacooL, these entries are perfectly legit:
    C:\WINDOWS\system32\TFNF5.exe <<Toshiba Hotkey Utility for Display Devices
    C:\Program Files\ltmoh\Ltmoh.exe << Modem On Hold utility
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe <<Avast AV

    Please select the following with HijackThis. With all windows (including this one!) closed, please select "Fix".

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O19 - User stylesheet: (file missing)

    As for the errors you're receiving, are you running the most recent version of Spybot - Spybot Search & Destroy v1.3? Try deleting your copy and downloading a fresh one - perhaps your copy got corrupted somehow. Cabrotor isn't something new and should have been caught by one of the other scans if it exists.
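
    To make the triage in this thread repeatable, here is an added Python example. It is mine, not code from the thread, from HijackThis or from any tool named above. It reads HijackThis-format lines and applies the checks the two earlier posts describe: the Run-key review FanacooL asks for in post #4 (the O4 lines are those autorun values as HijackThis already enumerates them) and the O16/O19 calls meeee makes in post #8. The sample log is constructed and modelled on the posted one; the installer hostname (example.invalid) and the Temp-directory autorun [svc] are placeholders I added to exercise the checks, not entries from the poster's machine. The heuristics (bare executable names, autoruns launched from temp or user-writable directories, DPF downloads that point at an .exe or carry no class name, a loopback proxy setting) are my own and mark items to verify, not verdicts.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.98 log format, modelled on the log posted in
# this thread. example.invalid and the [svc] Temp autorun are placeholders added to
# exercise the checks; they are not entries from the poster's machine.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [svc] C:\Documents and Settings\user\Local Settings\Temp\svc.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://cdn.example.invalid/SomeInstaller.exe
O19 - User stylesheet: (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: (?P<ident>.+?) - (?P<url>\S+)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<value>\w+) = (?P<data>.+)$")
EXE_EXT_RE = re.compile(r"\.(exe|com|scr|bat|cmd|pif)\b", re.IGNORECASE)

# Locations a legitimate autorun should not normally launch from (heuristic).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "cleanup"
    reason: str
    raw: str


def parse_hjt(text):
    """Return (section, body, raw) for each 'Oxx - ...' line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"], raw.strip()))
    return entries


def executable_of(cmd):
    """Program part of an autorun command: a quoted path, else everything up to the
    first executable extension (unquoted paths with spaces are common in these logs)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT_RE.search(cmd)
    return cmd[: m.end()] if m else cmd.split()[0]


def autoruns(entries):
    """O4 entries as (hive, key, name, executable): the Run-key values the registry
    walk in post #4 asks the poster to inspect, as HijackThis already lists them."""
    result = []
    for sec, body, _ in entries:
        m = O4_RE.match(body) if sec == "O4" else None
        if m:
            result.append((m["hive"], m["key"], m["name"], executable_of(m["cmd"])))
    return result


def triage(entries):
    """Apply the thread's checks and return items to verify, not verdicts."""
    findings = []
    for sec, body, raw in entries:
        if sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Global Startup lines and similar are not Run-key values
            exe = executable_of(m["cmd"])
            if "\\" not in exe and ":" not in exe:
                findings.append(Finding(sec, "medium", f"bare executable name {exe!r}: resolved via the "
                                        "search path, so the log does not show which file runs", raw))
            elif any(d in exe.lower() for d in SUSPECT_DIRS):
                findings.append(Finding(sec, "high", f"autorun launches from a temp/user-writable directory: {exe}", raw))
        elif sec == "O16":
            m = O16_RE.match(body)
            if not m:
                continue
            named = "(" in m["ident"] and m["ident"].endswith(")")
            if m["url"].lower().endswith(".exe"):
                findings.append(Finding(sec, "high", "ActiveX download points at a bare .exe"
                                        + ("" if named else " and carries no class name"), raw))
            elif not named:
                findings.append(Finding(sec, "medium", "ActiveX control listed without a class name; identify it", raw))
        elif sec == "O19" and "(file missing)" in body:
            findings.append(Finding(sec, "cleanup", "user stylesheet entry points at a missing file", raw))
        elif sec in ("R0", "R1"):
            m = R_RE.match(body)
            if m and m["value"] == "ProxyServer":
                findings.append(Finding(sec, "medium", f"browser proxy set to {m['data']}; confirm which local "
                                        "program listens there (netstat -ano)", raw))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.severity:8} {f.section:4} {f.reason}")
```

    On the sample the only high-severity items are the unnamed DPF entry fetching an .exe (the one the thread removed) and the constructed Temp autorun; the Toshiba and avast! entries FanacooL questioned produce nothing because they run from a full, ordinary path. Bare names such as nwiz.exe are flagged only because the log cannot tell you where they live; locate the file before deciding anything.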

  9. #9
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    Thank you meeee, I will fix what you told me to.

    About the errors, what are the chances of both programs on both computers becoming corrupt? Also just so you know, my laptop and my pc share the same internet connection through a router, my laptop is wirelessly connected, I don't know if that info would help at all, I doubt it but you never know...

    P.S.

    Thanks for the compliment

  10. #10
    AFLAAACKKK!!
    Join Date
    Apr 2004
    Posts
    1,065
    Great news!

    I deleted the things that you told me. I restarted my computer and decided to check one more time for Spybot Search and Destroy updates. To my surprise there were 4 updates that I needed to install! Now I know what you're thinking, "stupid moron, didn't even update his Spybot before asking for help". But that's not true, because I checked several times last night for updates and Spybot said I had my program up to date, so these 4 updates just came today.

    Well you'll all be glad to know that spybot did not come up with the error this time! Yes, you can all rest well tonight knowing that the duck's computer is safe

    Thanks everyone for the help and especially for your expert HJT advice meeee!
