Options
Need help with Backdoor-BDD
Hello, I'm running WinXP with SP2 and I've apparently got the dreaded Backdoor-BDD Trojan. I tried running the HS remove app that you suggest in the beginning of the guide, but it didn't work. I'm now in step 4 of the guide and I can't find any of the processes mentioned. I tried the steps in the subpage but hit a deadend there too. Below I've pasted the output from the get active services script. Any help you could give would be appriciated.
In addition, I've also noted that I don't seem to recognize any of the 04 HKLM or RunOnce entries that I should be seeing in the Hijack This scan. Should I be concerned about this or does that just happen sometimes?
Thanks again.
Lee Murphy
"These are the Current Active Services:
Application Layer Gateway Service: ALG
C:\WINDOWS\System32\alg.exe
Ati HotKey Poller: Ati HotKey Poller
C:\WINDOWS\system32\Ati2evxx.exe
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Logical Disk Manager: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Windows Firewall/Internet Connection Sharing (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Security Center: wscsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
DCOM Server Process Launcher: DcomLaunch
C:\WINDOWS\system32\svchost -k DcomLaunch
Terminal Services: TermService
C:\WINDOWS\System32\svchost -k DComLaunch
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
Remote Registry: RemoteRegistry
C:\WINDOWS\system32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
McAfee Framework Service: McAfeeFramework
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart
Network Associates McShield: McShield
"C:\Program Files\Network Associates\VirusScan\mcshield.exe"
Network Associates Task Manager: McTaskManager
"C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe"
In addition, I've also noted that I don't seem to recognize any of the 04 HKLM or RunOnce entries that I should be seeing in the Hijack This scan. Should I be concerned about this or does that just happen sometimes?
Thanks again.
Lee Murphy
"These are the Current Active Services:
Application Layer Gateway Service: ALG
C:\WINDOWS\System32\alg.exe
Ati HotKey Poller: Ati HotKey Poller
C:\WINDOWS\system32\Ati2evxx.exe
Windows Audio: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Computer Browser: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs
Cryptographic Services: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
DHCP Client: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs
Logical Disk Manager: dmserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Error Reporting Service: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
COM+ Event System: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs
Help and Support: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Server: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs
Workstation: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Connections: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs
Network Location Awareness (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs
Remote Access Connection Manager: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs
Task Scheduler: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs
Secondary Logon: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs
System Event Notification: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs
Windows Firewall/Internet Connection Sharing (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs
Shell Hardware Detection: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs
Telephony: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs
Themes: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs
Distributed Link Tracking Client: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs
Windows Time: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs
Windows Management Instrumentation: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs
Security Center: wscsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs
Automatic Updates: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs
Wireless Zero Configuration: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs
DCOM Server Process Launcher: DcomLaunch
C:\WINDOWS\system32\svchost -k DcomLaunch
Terminal Services: TermService
C:\WINDOWS\System32\svchost -k DComLaunch
DNS Client: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService
Event Log: Eventlog
C:\WINDOWS\system32\services.exe
Plug and Play: PlugPlay
C:\WINDOWS\system32\services.exe
TCP/IP NetBIOS Helper: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService
Remote Registry: RemoteRegistry
C:\WINDOWS\system32\svchost.exe -k LocalService
SSDP Discovery Service: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService
WebClient: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService
McAfee Framework Service: McAfeeFramework
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart
Network Associates McShield: McShield
"C:\Program Files\Network Associates\VirusScan\mcshield.exe"
Network Associates Task Manager: McTaskManager
"C:\Program Files\Network Associates\VirusScan\vstskmgr.exe"
IPSEC Services: PolicyAgent
C:\WINDOWS\System32\lsass.exe
Protected Storage: ProtectedStorage
C:\WINDOWS\system32\lsass.exe
Security Accounts Manager: SamSs
C:\WINDOWS\system32\lsass.exe
Remote Procedure Call (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss
Print Spooler: Spooler
C:\WINDOWS\system32\spoolsv.exe"
0