Annoying Backdoor Trojan

Gregory Kleverlaan

My computer seems to be affected by some sort of Backdoor Trojan.
I have scanned my computer thoroughly with Norton Antivirus but it can't seem
to detect it.

I have no idea what version of Backdoor Trojan it is, but it's very annoying,
and the Norton Antivirus
real-time monitor pops up the following message every time an application is
started.

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Backdoor.Trojan
File: C:\WINDOWS\System32\logndh.dll
Location: C:\WINDOWS\System32
Computer: SPRINGFI-6OR7AB
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Saturday, 24 July 2004 3:49:17 PM

Can anybody shed some light on this annoying Virus and how to get rid of it?

My system is
running Windows XP.
System Restore is disabled.
"Ad-Aware" and "Spybot Search & Destroy" have both been run and cleaned
out any findings with the latest definitions.

I also tried searching for the above-mentioned file "logndh.dll" but was
unable to find it.
 

> My computer seems to be affected by some sort of Backdoor Trojan.
> I have scanned my computer thoroughly with Norton Antivirus but it can't seem
> to detect it.
>
> I have no idea what version of Backdoor Trojan it is, but it's very annoying,
> and the Norton Antivirus
> real-time monitor pops up the following message every time an application is
> started.
>
> Scan type: Realtime Protection Scan
> Event: Virus Found!
> Virus name: Backdoor.Trojan
> File: C:\WINDOWS\System32\logndh.dll
> Location: C:\WINDOWS\System32
> Computer: SPRINGFI-6OR7AB
> Action taken: Clean failed : Quarantine failed : Access denied
> Date found: Saturday, 24 July 2004 3:49:17 PM
>
> Can anybody shed some light on this annoying Virus and how to get rid of it?
>
> My system is
> running Windows XP.
> System Restore is disabled.
> "Ad-Aware" and "Spybot Search & Destroy" have both been run and cleaned
> out any findings with the latest definitions.
>
> I also tried searching for the above-mentioned file "logndh.dll" but was
> unable to find it.

What do other antivirus products have to say when you scan your drive
with them in Safe mode?


Art
http://www.epix.net/~artnpeg
 
Gregory Kleverlaan

As you can see from my HijackThis log, the last item (O20) shows the infected
file (logndh.dll), yet there is nothing I can do
since the file physically doesn't exist. Maybe there are some other entries
I should delete as well?


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Overnet\overnet.exe
C:\Program Files\Outlook Express\msimn.exe
C:\virus clean\Antidote.exe
C:\DOCUME~1\Greg\LOCALS~1\Temp\pftAF~tmp\SuperLite.exe
C:\virus clean\utils\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.msn.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper -
{601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP
Pro\wsbho2K0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program
Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program
Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program
Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program
Files\GetRight\GRbrowse.htm
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\Program Files\ICQ\ICQ.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\logndh.dll
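As an added example (not part of the thread), a small Python parser for the HijackThis log format posted above: it re-joins entries that e-mail wrapping split across two lines, pulls out the O4 Run keys and the O20 AppInit_DLLs entry, and records why an AppInit_DLLs entry produces an alert on every application start. The sample log is constructed from a few of the lines above.

```python
import re
from typing import List, Tuple

# Constructed sample shaped like the HijackThis log posted in this thread; long entries
# are wrapped onto a second line exactly as e-mail wrapping did above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program
Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [vptray] C:\\Program
Files\\Symantec_Client_Security\\Symantec AntiVirus\\vptray.exe
O4 - HKCU\\..\\Run: [SpySweeper] C:\\Program Files\\Webroot\\Spy
Sweeper\\SpySweeper.exe /0
O20 - AppInit_DLLs: C:\\WINDOWS\\System32\\logndh.dll
"""

# Each entry opens with a section code (R0, O2, O4, O20, ...) followed by " - ".
ENTRY_START = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
RUN_ENTRY = re.compile(r"^(HK[A-Z]+\\[^:]*?): \[([^\]]*)\] (.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section_code, body) pairs, re-joining lines that were wrapped in transit."""
    entries: List[Tuple[str, str]] = []
    for line in filter(None, map(str.rstrip, text.splitlines())):
        m = ENTRY_START.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif entries:
            # No section code: this line continues the previous entry, and the
            # wrap replaced exactly one space, so put it back.
            code, body = entries[-1]
            entries[-1] = (code, body + " " + line)
    return entries


def appinit_dlls(entries: List[Tuple[str, str]]) -> List[str]:
    """DLLs listed in O20 entries. Windows loads each DLL in AppInit_DLLs into every
    process that loads user32.dll, hence a scanner alert on every application start."""
    dlls: List[str] = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls += [p for p in re.split(r"[,\s]+", body.split(":", 1)[1]) if p]  # space/comma list
    return dlls


def run_keys(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(registry key, value name, command line) for each O4 Run/RunOnce entry."""
    found: List[Tuple[str, str, str]] = []
    for code, body in entries:
        m = RUN_ENTRY.match(body) if code == "O4" else None
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found
```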
 

> As you can see from my HijackThis log, the last item (O20) shows the infected
> file (logndh.dll), yet there is nothing I can do
> since the file physically doesn't exist. Maybe there are some other entries
> I should delete as well?

None that I saw. I see you have antidote/SuperLite. Is it up to date?
Doesn't an updated antidote find any malware?


Art
http://www.epix.net/~artnpeg
 
Gregory Kleverlaan

It originally found some trojan stuff. I went through the hard disk and
deleted all the files related to the trojan findings.

I also did an online scan (HouseCall) from Trend Micro and removed three
references to trojans. Now that all references and infected files have been
deleted, all scanners and checkers come up negative. But the antivirus
software, Norton, still reports the virus every time an application program is
executed.

Greg


----- Original Message -----
From: <[email protected]>
Newsgroups: alt.comp.anti-virus
Sent: Sunday, July 25, 2004 10:48 AM
Subject: Re: Annoying Backdoor Trojan
 
Gregory Kleverlaan

> None that I saw. I see you have antidote/SuperLite. Is it up to date?
> Doesn't an updated antidote find any malware?

Just completed a full in-depth scan with Antidote and found a few files
infected with

TrojanSpy: Win32.Briss.G

though it was just in some files hiding in my internet cache folder. I
don't know whether that would cause Norton AV to pop up all the time.
 
Gregory Kleverlaan

It seems like the only way to get rid of the annoying backdoor computer
virus is to reformat and reload a fresh copy of Windows XP. It shits me off
that virus writers go to such an extent that there seems to be no alternative
other than this, because I've tried for days to get rid of the annoying
virus but nothing seems to work. So I am forced to delete Windows and reload
the computer from scratch. I'm just not very happy about this at all.
 
David W. Hodgins

> It seems like the only way to get rid of the annoying backdoor computer
> virus is to reformat and reload a fresh copy of Windows XP. It shits me off

The biggest problem with backdoor trojans is that they enable the author to
control your computer. With that control, they can install additional malware
that is not detected by any scanners. For example, they could install a
"customized" version of the kernel that includes a new, completely hidden
backdoor that cannot be detected while it's running.

The only safe option once a backdoor trojan has activated is reformat/install.

Be sure to follow the instructions in
http://www.cablemodemhelp.com/xpsurvivalguide.pdf
BEFORE connecting the newly installed copy of XP to the net.

Regards, Dave Hodgins
 
solv

> The biggest problem with backdoor trojans is that they enable the author to
> control your computer. With that control, they can install additional malware
> that is not detected by any scanners. For example, they could install a
> "customized" version of the kernel that includes a new, completely hidden
> backdoor that cannot be detected while it's running.
>
> The only safe option once a backdoor trojan has activated is reformat/install.
>
> Be sure to follow the instructions in
> http://www.cablemodemhelp.com/xpsurvivalguide.pdf
> BEFORE connecting the newly installed copy of XP to the net.
>
> Regards, Dave Hodgins

The people you should be angry at are Microsoft, for selling you XP
in the first place.
 
