-
October 27th, 2004, 04:23 AM
#1
Backdoor problems...
Ok, my computer was acting a little strange so I decided to run my spybot. It turned up an error during scan and said this:
error during check!
backorifice.d (datei C:\windows\win.ini kann nicht geoffnet werden. The process cannot access the file because it is being used by anoth...
So I decided to run everything I got, spybot (which errored again), adaware (which didn't find anything), and avast! AV (which didn't find anything). I started in safe mode and ran it all again, still nothing and spybot came up with the same error. I looked up running processes but I don't know what to look for, it all seems pretty normal to me. I also ran msconfig and looked up the startup applications and didn't find anything unusual but then again, I don't know what to look for. I decided to run the software on my other computer (the family computer) and spybot caught this:
Error during check!
Cabrotor (datei C:\windows\win.ini kann nicht geoffnet werden. The process cannot access the file because it is being used by anoth...
I ran Norton and spybot on that computer and Norton didn't even catch it. All the software I ran on both computers was updated.
Now I know that backorifice was bad and I looked up what cabrotor is and it's pretty much the same thing as backorifice... a backdoor.
Nothing seems to be working!
Please help me!
Thanks in advance!
-
October 27th, 2004, 04:29 AM
#2
Make sure EVERYTHING is updated, then go through the process again.
Then post a hijack this log. I believe win.ini is covered in hijack this.
-
October 27th, 2004, 04:41 AM
#3
Before you post your HJT log, here are a few extra scans to run:
Download, update and run the A2 (A squared) anti-trojan. You can download it free at http://www.emsisoft.com/en/software/free/ . Let it fix whatever it wants to.
Also, run this pc through the Panda Scan Online virus scanner.
-
October 27th, 2004, 05:13 AM
#4
Not to worry about that...... Backdoors simply add a registry value which helps it run and hack into ur system...... so all u have to do is to remove that Registry value.......
Now if u r using Win98 n the problem has occurred within the last 2-3 days, then simply boot the system with safe mode command prompt only and type: -
c:>scanreg /restore
Now from the menu restore the oldest registry......
On the other hand do one thing on run button enter regedit.
Here first export ur registry, which will make a backup; if anything goes wrong here u can restore it frm there.
Now browse to the following: -
1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-
Check ur backdoor name or anything fishy, or if u dont know just get a screen shot or somehow paste the values on the right hand side and i analyze it for u.
100% guarantee if its a backdoor, there must be a registry entry of it.
Remove it; it wont invoke again, and then delete the backdoor.
One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!
-
October 27th, 2004, 06:38 AM
#5
Well I downloaded and updated the A^2 software, and though it is a very nice program, it failed to catch anything. So here is my HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 12:51:02 AM, on 10/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\*****\Desktop\**** computer defenses\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 28
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_41.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://www.ea.com/downloads/rtpatch/EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O19 - User stylesheet: (file missing)
-
October 27th, 2004, 06:52 AM
#6
Well there are three things that look fishy to me: -
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
by the way u can upload ur log to this site and analyze.
http://hijackthis.de/index.php
Try the method i told u n if u think my method is difficult n u wont able to follow it just download a software Jammer.
www.agnitum.com
This software has a section registry which will directly point to those registry keys that i want u to see. so u can easily check those registry keys n also the software is good, it will protect u next time...... frm all this.
TRY it.
-
October 27th, 2004, 07:05 AM
#7
Avast4 is my AV :P. I realize the registry key strategy you want me to do, but before I start playing in the registry, I'm going to see if my programs can do something first, I'm going to wait and see what everyone else thinks of my HJT log.
The http://a1540.g.akamai.net/7/1540/52...meInstaller.exe looks fishy to me...
-
October 27th, 2004, 07:56 AM
#8
Good job The Duck - you caught the only true bad entry! The other one I've included is simply "housecleaning."
FanacooL, these entries are perfectly legit:
C:\WINDOWS\system32\TFNF5.exe <<Toshiba Hotkey Utility for Display Devices
C:\Program Files\ltmoh\Ltmoh.exe << Modem On Hold utility
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe <<Avast AV
Please select the following with HijackThis. With all windows (including this one!) closed, please select "fix."
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O19 - User stylesheet: (file missing)
As for the errors you're receiving, are you running the most recent version of Spybot - Spybot Search & Destroy v1.3? Try deleting your copy and downloading a fresh one - perhaps your copy got corrupted somehow. Cabrotor isn't something new and should have been caught by one of the other scans if it exists.
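A defender-side triage helper, added here and not something posted in the thread, that parses HijackThis-format lines into the buckets meeee used above: O4 autostart entries (the Run/RunServices keys post #4 asks the poster to inspect), O16 ActiveX downloads that carry a bare CLSID and no friendly name, and "(file missing)" entries that are just housecleaning. The sample lines are a constructed excerpt in HJT v1.98.2 format; the ActiveX URL is a placeholder, not the thread's truncated one.

```python
import re

# Constructed excerpt in HijackThis v1.98.2 line formats (paths shortened,
# the ActiveX URL is a placeholder, not the one from the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8100
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://dl.example.invalid/Installer.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O19 - User stylesheet: (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
# O4 lines are the Run/RunServices autostart keys post #4 tells the poster to inspect.
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O16 lines are Downloaded Program Files (ActiveX): identifier, optional friendly name, source URL.
O16_RE = re.compile(r"^DPF: (?P<ident>.+?)(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

def triage(log_text):
    """Bucket HJT entries the way the thread's reviewer did: autostarts to
    eyeball, unnamed ActiveX downloads to review, dead references to clean."""
    autostarts, review, cleanup = [], [], []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            o4 = O4_RE.match(body)
            if o4:
                autostarts.append((o4["hive"], o4["key"], o4["name"], o4["cmd"]))
        elif sec == "O16":
            o16 = O16_RE.match(body)
            # A bare CLSID with no friendly name pulled from a remote URL is the
            # pattern the reviewer singled out; hand it to a human, do not auto-fix.
            if o16 and CLSID_RE.match(o16["ident"]) and not o16["desc"]:
                review.append((o16["ident"], o16["url"]))
        if body.endswith("(file missing)"):
            cleanup.append(raw.strip())
    return {"autostarts": autostarts, "review": review, "cleanup": cleanup}

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Entries in the review bucket are meant for a human look-up of the CLSID and source host, not for automatic removal; legitimate controls (scanner plug-ins, game patchers) also show up under O16.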
-
October 28th, 2004, 12:22 AM
#9
Thank you meeee, I will fix what you told me to.
About the errors, what are the chances of both programs on both computers becoming corrupt? Also just so you know, my laptop and my pc share the same internet connection through a router, my laptop is wirelessly connected, I don't know if that info would help at all, I doubt it but you never know...
P.S.
Thanks for the compliment
-
October 28th, 2004, 12:42 AM
#10
Great news!
I deleted the things that you told me. I restarted my computer and decided to check one more time for spybot search and destroy updates. To my surprise there were 4 updates that I needed to install! Now I know what you're thinking, "stupid moron, didn't even update his spybot before asking for help". But that's not true because I checked several times last night for updates, and spybot said I had my program up to date so these 4 updates just came today.
Well you'll all be glad to know that spybot did not come up with the error this time! Yes, you can all rest well tonight knowing that the duck's computer is safe
Thanks everyone for the help and especially for your expert HJT advice meeee!