BackDoor Trojan

Captain Pooka

I'm currently doing a scan and I know I have about 34,000 backdoor trojans (not exaggerating, I did an AVG scan). AVG failed me. :( Can you believe it?

I retreated to Kaspersky, which is working a lot better than AVG at the moment. With it you can do multiple things at once..

I know once I get rid of these backdoors they will just come back.. like I saw in this post:

http://forums.spywareinfo.com/lofiversion/index.php/t37433.html

I have my own Hijackthis log for you guys to look at and tell me what's wrong :D

------------------------------**********--------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:26 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
G:\Program Files\Kaspersky\avp.exe
F:\WINDOWS\system32\svchost.exe
G:\Program Files\Kaspersky\avp.exe
F:\WINDOWS\System32\svchost.exe
F:\PROGRA~1\MICROS~2\rapimgr.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
F:\Program Files\Lexmark 1200 Series\lxczbmon.exe
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxczjswx.exe
F:\WINDOWS\system32\lxczcoms.exe
F:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38669093-C41B-40BF-924F-D9A7F07283CC} - (no file)
O2 - BHO: (no name) - {7378296C-1FA1-46CC-927A-059E501AFAE4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)
O2 - BHO: (no name) - {A75E294E-C047-4D29-B07E-37B792881BEF} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Pinnacle WebUpdater] -"F:\Program Files\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DLink Control Panel Silent] rundll32 dlnetcp.cpl,SilentCall
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky\avp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] F:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] F:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - G:\Program Files\Kaspersky\SCIEPlgn.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://mypoints.worldwinner.com/games/v47/shared/FunGamesLoader.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164905273046
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} -
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinner.com/games/v46/sol/sol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by117fd.bay117.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: eeabaefdebffaa - F:\WINDOWS\system32\eeabaefdebffaa.dll (file missing)
O20 - Winlogon Notify: vtussrs - vtussrs.dll (file missing)
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky\avp.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - G:\Pinacle Movies\BlackIce\blackd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - -"F:\Program Files\Bonjour\mDNSResponder.exe" (file missing)
O23 - Service: FLEXnet Licensing Service - Unknown owner - -"F:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - -"F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (file missing)
O23 - Service: iPod Service - Unknown owner - -"F:\Program Files\iPod\bin\iPodService.exe" (file missing)
O23 - Service: lxcz_device - - F:\WINDOWS\system32\lxczcoms.exe
O23 - Service: MioNet Service (MioNet) - Unknown owner - -"F:\Program Files\MioNet\MioNetManager.exe" -s "F:\Program Files\MioNet\wrapper.conf" (file missing)
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - -"F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - -"F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe" (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - -"F:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (file missing)
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Unknown owner - -"F:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe" (file missing)
O23 - Service: RapApp - Internet Security Systems, Inc. - G:\Pinacle Movies\BlackIce\rapapp.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - -"F:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"F:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -"F:\Program Files\Windows Media Player\WMPNetwk.exe" (file missing)

--
End of file - 8718 bytes

-----------------------------************-----------------------


Btw, no music of any kind works, neither online nor offline game music. Just the error noises for Windows work.. any idea what's wrong? I think it's because of this virus.

I am currently at 18,000 backdoors, and on Kaspersky you can heal them WHILE you're scanning and it goes considerably faster.

I am aware of what a backdoor is, if you don't know, refer here:

http://www.viruslist.com/en/virusesdescribed?chapter=152540521#back

That's why I'm thinking everything that's wrong is because of this Mr. Jack S. that's messing with me.

Please help me :D 34k is a lot of viruses :D
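Added here as an example, not part of the thread and not HijackThis's own code: a small Python triage script that applies to the log above the same reading a HijackThis helper would apply by hand. The O20 Winlogon Notify entries stand out because a Winlogon Notify DLL is loaded into winlogon.exe at every logon, the names look machine-generated, and the DLLs are already gone (which fits the "it keeps coming back" pattern: the registry entries survive the antivirus deleting the files). Orphaned O2 BHO and O23 service entries are leftovers rather than active threats. The severity labels, the random-name heuristic and its thresholds are assumptions of this example; the sample lines are copied from the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted above,
# enough to exercise every rule below.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38669093-C41B-40BF-924F-D9A7F07283CC} - (no file)
O4 - HKLM\..\Run: [AVP] "G:\Program Files\Kaspersky\avp.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] F:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O20 - Winlogon Notify: eeabaefdebffaa - F:\WINDOWS\system32\eeabaefdebffaa.dll (file missing)
O20 - Winlogon Notify: vtussrs - vtussrs.dll (file missing)
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - G:\Program Files\Kaspersky\avp.exe
O23 - Service: iPod Service - Unknown owner - -"F:\Program Files\iPod\bin\iPodService.exe" (file missing)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (labels are this example's assumption)
    reason: str
    line: str


HEX_STEM = re.compile(r"^[a-f0-9]{10,}$")
WINLOGON = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")


def looks_random(filename: str) -> bool:
    """Heuristic (assumption of this example): a file stem made only of hex
    letters, or with almost no vowels, looks machine-generated rather than
    like a vendor product name."""
    stem = filename.lower().rsplit(".", 1)[0]
    if HEX_STEM.match(stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def triage_line(line: str):
    """Return a Finding for a single HijackThis line, or None if unremarkable."""
    m = WINLOGON.match(line)
    if m:
        name, target = m.groups()
        notes = ["Winlogon Notify DLL loaded into winlogon.exe at logon"]
        if looks_random(name):
            notes.append("random-looking name")
        if "(file missing)" in target:
            notes.append("DLL already missing, registry entry is orphaned")
        return Finding("high", "; ".join(notes), line)
    if line.startswith("O2 - ") and line.endswith("(no file)"):
        return Finding("low", "orphaned BHO registration (no DLL on disk)", line)
    if line.startswith("O4 - HKUS\\S-1-5-18\\"):
        return Finding("medium", "Run entry under the SYSTEM account hive", line)
    if line.startswith("O23 - ") and line.endswith("(file missing)"):
        return Finding("low", "service points at a missing binary", line)
    return None


def triage(log_text: str) -> list:
    """Run every non-empty line through triage_line and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            found = triage_line(line)
            if found:
                findings.append(found)
    return findings


def severity_counts(findings) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    order = ["high", "medium", "low"]
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

Run against the sample, the three O20 lines come out as the only high-severity findings, with eeabaefdebffaa and vtussrs additionally flagged as random-looking names. Entries that point at missing files cannot run anything by themselves, but leaving them in place is what lets a reinfection reuse them, so a cleanup would remove the registry entries as well as the files.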
 
Sorry about the double post, but the other is too long to edit.

Just thought you might want to know, they are all in my system32 folder... so those processes up there are looking kind of fishy ;D

And I don't care what happens.. what they get or whatever. It's been on my machine for like 4 days and I've been on the internet.. so it's too late to just get off and fix it :D

I disabled sys. restore yesterday, it wasn't working anyways and people say things can hide in there.

*edit

I'm at 22.3k now. Man, this backdoor trojan is running all over this place. Is my backdoor broken yet? lol
 
wow
I'm sorry to hear that you had that many backdoor trojans
is the k... program that you are using free?
and if so could you provide a link so I can try it out?
thanks
 
Eh, no it's not free ..heh.. well....... lol Just google it and get the 30-day trial. It's worth the 30 days if nothing else.
 
I would just format and reinstall Windows if I had that many, but you might have some files that you want to keep. Does anyone know if the User Account Control in Vista would help protect against this by stopping anything in the background being installed with administrator privileges?
 
Um, they are all gone now, I told you I was going to get rid of them. I have Windows XP, reformat is not an option. I guess I'll use my best judgement and delete stuff when I get home, in about 2 hours.
 
Fair shout for getting rid of them. I would have just jumped to the reinstall. Gives me peace of mind that they are actually gone.
 
Fair shout for getting rid of them. I would have just jumped to the reinstall. Gives me peace of mind that they are actually gone.

Me too. But I would also go through with a second AV (like NOD's online scanner, or even better, its 30-day trial) just to make sure yours isn't missing anything. Run all scans in normal and safe mode.
 